Modern Software Experience

2008-02-22

Privacy International

privacy complaint against Ancestry.com

The London-based international privacy watchdog Privacy International has filed a complaint with the UK Information Commissioner’s Office about Ancestry.com’s DNA testing service.

request immediate investigation and suspension

Privacy International notes that Ancestry.com is likely in violation of European privacy and data protection laws at a very basic level, because it does not even provide clear information about the service: “it appears to us that the practice substantially violates UK Data Protection law and we request that your office institutes an investigation without delay and seek the immediate suspension of the site’s DNA project pending legal review.”

obvious questions unanswered

Privacy International provides the substance of the complaint under four headings: data storage, third party use of data, lawful access, impersonisation, legal compliance, ownership and control of data and communications.

Their complaint is a rude wake-up call for those who were lulled into a false sense of security by Ancestry.com’s FAQ. Many fairly obvious questions about privacy protection, data retention, ownership, export of and trading in your data remain entirely unanswered.

violation of European data protection law

Privacy International observes that although Ancestry.com has offices in several European countries and is offering its services through these offices to these countries, the British ancestry.co.uk site does not even mention the EU Data Protection Directive, and that neither Ancestry.com nor The Generations Network is listed as certified under the Department of Commerce Safe Harbor program for export of personal data from the EU.

astute questions

Privacy International notes that the FAQ on the DNA section of Ancestry.com is evasive on the point of lawful access to genetic data and genetic material and poses some astute questions.

For example, the Ancestry.com FAQ says that information disclosure may occur as required by law, but whose law? What if the U.S.A. asks for data on U.K. citizens? Ancestry.com’s minimal FAQ does not provide any clarity on these issues.

Another matter is that Ancestry.com is offering the service, but the actual DNA testing is done by another company, Sorensen Genomics. Ancestry.com does not make clear what its contract with Sorensen Genomics is, and what conditions have been imposed upon this business partner.

Just what does Ancestry.com mean when it describes DNA data as a transferable asset? That they own it and can sell it to third parties?

Ancestry.com has a matching service, but is there a way to opt out of the matching, and not be informed or have others informed of a match?

What if you want to opt out entirely, and do not want your genetic information stored any longer?

These are good questions to ask of any DNA service, but Ancestry.com’s bad reputation, earned by a less than unblemished record of business practices, does not serve to mitigate concerns.

paying for your own data

An issue that Privacy International did not raise, but that certainly deserves attention, is that it is standard operating practice for Ancestry.com to demand monies for access to data, including user-submitted data, even your own, and that Ancestry.com has never considered offering the possibility to correct, update or delete data a priority. This raises the very real possibility that Ancestry.com will use subscription fees as a roadblock to deter those who wish to delete their data, so that Ancestry.com can continue to sell access to and services around this data to third parties.

links