‘Strict Liability for Genetic Privacy Violations in the Age of Big Data’ by Benjamin Sundholm in (2019) 49 The University of Memphis Law Review 760 comments:
The ethical issues implicated by the misuse of genetic information have been smoldering for over half a century, and the age of big data has turned them into a five-alarm fire. In recent years, medical researchers and commercial enterprises have been using technological advancements to develop a variety of innovative ways to use genetic information. For example, it is becoming increasingly common for people to learn more about their health and family history by paying direct-to-consumer (“DTC”) companies to analyze their genetic data. DTC companies store the results of these tests electronically and often share them with pharmaceutical companies conducting medical research on some of the world’s most serious diseases. The research conducted with this data could yield tremendous benefits, but it also raises very serious privacy concerns. This is so because although DTC companies remove a significant amount of personal information from the genetic data shared with third parties, some personal characteristics—e.g., age, sex, birthplace, and more—must remain attached to the genetic sample for it to be useful in medical studies. As researchers have demonstrated, the identity of “supposedly anonymous genetic samples” can be revealed relatively easily.
Many people would not be alarmed if secure medical laboratories used their semi-anonymized genetic data, but the reality is far more concerning. Hackers frequently attack large dossiers of health information, like those maintained by DTC companies, because such information is very valuable on the black market and guarded by low levels of security. If this genetic information is sold to unauthorized parties, used as blackmail, or held for ransom, the autonomy of the individuals associated with the genetic data could be significantly harmed.
Although only a few once recognized these and other risks posed by the pervasive use of genetic data in a variety of contexts, awareness of this issue is now on the rise. During a press conference in November 2017, U.S. Senate Minority Leader Chuck Schumer acknowledged that there is a real risk that the genetic information of DTC companies’ customers could be misused. Many agree with Senator Schumer. Included among the list of those concerned about this issue are several academics who believe tort law should be used to protect the interest people have in ensuring that their genetic information remains private. One of tort law’s two primary goals is to deter risky behavior. The other primary goal is to compensate people who have been injured by the actions of others. The tort of invasion of privacy has been identified as an appropriate tool to accomplish these goals and address the misuse of genetic information.
This Article acknowledges that the tort of invasion of privacy is an appropriate vehicle for addressing genetic privacy violations. But if tort law is to accomplish this goal in the age of big data, the doctrine must undergo a bit of a facelift. This is so because the current state of tort law imposes doctrinal barriers on genetic privacy plaintiffs. Although these barriers can take several forms, a common theme underpins them: plaintiffs are permitted to receive compensation only when imposing liability succeeds in deterring future acts of that kind. As a result of these barriers, plaintiffs cannot receive compensation if imposing liability on the actor causing their injury would not accomplish a greater level of deterrence. This reality is unacceptable, and it must be addressed.
The solution I propose is to circumvent these doctrinal barriers. Holding those routinely attending to genetic data strictly liable for any and all actions that cause genetic privacy violations can accomplish this goal. A strict liability regime will ensure that victims of genetic privacy violations are not faced with the sort of insurmountable doctrinal barriers currently afflicting tort law. Strict liability will also provide deterrence against risky behavior. This Article will defend my proposal by proceeding in five parts.
Part II provides a brief overview of how technological advancements are rapidly increasing threats to the confidentiality of people’s genomic information. Part III explains how doctrinal barriers prohibit victims of genetic privacy violations from receiving compensation for their injuries, and Part IV illustrates how these barriers prevent victims of these genetic privacy violations from receiving compensation for their genetic data’s misuse. Part V suggests that a strict liability regime can avoid the aforementioned encumbrances, provide compensation for victims of genetic privacy violations, and adequately deter risky behavior. Part VI identifies a few challenges available to critics of this Article’s proposal and details how those objections are laid to rest.