Taking genomics personal

In autumn 2007 three companies offering personal genome information services – 23andMe, deCODEme, and Navigenics (www.23andme.com; www.decodeme.com; www.navigenics.com) – opened their virtual doors to customers in the US, Canada, and most European countries. Since then, a considerable number of so-called ‘early spitters’ have seized the opportunity to receive their individual whole-genome polymorphism data (based on the analysis of ∼600 000 to one million SNPs) for fees currently ranging between US$399 and as much as US$2500. Users can access their personal disease susceptibility and ancestry information through the internet, and also utilize social networking tools to join forces with fellow risk group members: Genetic testing meets Facebook. More recently, Google, which has invested in both 23andMe and Navigenics, launched a tool for individuals to store health records online and hopes to eventually expand its activities, including its search capabilities, to the genetic testing market. Just how far this trend toward storing individual health and genetic information online will go and to what extent it will affect the provision of healthcare services is yet unclear.

Few key differences make personal genomics services stand out from ‘classical’ genetic testing: First, they are offered directly to consumers over the web and are thereby initiated directly by consumers, outside of a defined clinical context and often without the involvement of a healthcare provider. Second, rather than focusing on selected genes or traits, these genomics services examine and inform customers about huge amounts of genetic information which might be meaningless in most part today but in the future could turn out to be highly informative for a large range of clinical, physical and behavioral traits.

Concerns regarding the clinical utility of the information conveyed to customers, however, were raised almost instantly after the launch of these services1, 2 soon followed by warnings in editorials by NEJM3 and EJHG4 against the unintended consequences of a proliferation of the direct-to-consumer (DTC) whole-genome testing business. Indeed, for most cases so far reported, the contribution of polymorphic genetic loci adds only 10 to 40% of disease risk compared with the general population.5 Yet, as new information on genotype/phenotype correlations can be expected to start coming from the Personal Genome Project6 and similar extensive genotype/phenotype datasets such as the Norwegian Mother and Child Cohort,7 the predictive value of combined disease risk may become substantially larger for certain combinations of ‘risk’ alleles.

However, for the early adopters of personal genomics services posting their experiences with 23andMe and deCODEme in weblogs, disease susceptibilities are not all it is about: rather than being driven by deep concern about their future health, they seem to be also motivated by intellectual curiosity. Among the early adopters of personal genomics services this curiosity is sometimes coupled with what has been called ‘informational exhibitionism:’ the willingness to share access to one's personal genomics information on weblogs and internet forums. 23andMe and deCODEme seem to target mostly those groups: healthy, well-off individuals curious to learn more about ‘who they are.’ Navigenics, on the other hand, seems to cater to a more cautious clientele, offering genetic counseling on a routine basis, and also storing their customers’ DNA for potential future re-analysis if new genetic loci are found to be relevant for disease risks; they also charge more for their services. Should regulators protect individuals from their own curiosity? Or would that amount to an undue paternalistic act and an infringement of individuals’ right to know, or even stifle the ‘healthcare of the future’8, 9 as the people behind commercial personal genomics companies argue? The answer may depend on the companies themselves: their commercial models, long-term strategies and goals, and forms of self-regulation they may or may not choose to impose upon themselves.

Recreation, information, or diagnostics? The status of whole-genome information

Whether DTC marketing of whole-genome testing services is legal is still unclear in many countries. In Europe, DTC genetic tests may be banned by the Additional Protocol to the European Convention on Human Rights and Biomedicine, concerning Genetic Testing for Health Purposes (the Additional Protocol) (http://conventions.coe.int/Treaty/EN/Treaties/Html/203.htm). Under the Additional Protocol genetic tests for health purposes may only be performed under ‘individualised medical supervision.’10 The Additional Protocol, however, needs to be signed and ratified by Member States in order for it to enter into force, a process that may take several years. Even if ratified, it could be argued that the genetic tests offered by 23andMe and the like are not for health purposes, and therefore are not subject to the Additional Protocol and the limitations it entails.11

In the United States, where most of the companies offering such services are based, the legal status of these companies is also not clear. At the federal level only a minimal amount of oversight is offered over laboratories that conduct genetic testing, and at the state level only about half of the states in the United States prohibit or limit DTC marketing of genetic testing.12 Regulators from New York and California, two of the states that limit DTC testing, have warned in recent months 23andMe, Navigenics, and additional companies providing the technological tools for whole-genome testing that DTC marketing of medically relevant tests may be illegal. The companies were told that a license and the involvement of the patients’ physicians are required and received ‘cease and desist’ letters from the public health departments in both states.13 The companies, in response, insisted that the services they provide are in compliance with state laws and continued to offer their services (http://blog.wired.com/wiredscience/2008/06/23andme-were-no.html; http://www.bioarraynews.com/issues/8_26/features/147747-1.html). Both deCODEme and 23andMe contest that the information they provide to individuals is of educational character only; on their websites, they clearly state that the information provided is not to be seen as medical advice. Navigenics even encourages potential customers to talk to a genetic counselor of their choice before they purchase the service.

This round of highly publicized legal battle ended recently when both 23andMe and Navigenics received a license from the state of California. The license was granted to them after they adhered to the requirement to have a physician involved in the process of ordering the test.14 However, genetic counseling is still not part of the testing and the delivery of its results to consumers, a concern discussed in several recent commentaries and editorials3, 4, 5 (but which is beyond the scope of the current article). Shortly after receiving the license, 23andMe drastically lowered the cost of the test it offers from US$999 to just US$399.15 One is left wondering if the recent price reduction is the result of ‘technological advancements’ as proclaimed by the company, or their wish to rapidly increase their customer base for building up the comprehensive genotype/phenotype datasets needed for their planned activities.

One may also wonder if, aside from the dispute over the quality and utility of such personal genomics testing,16 such services should be allowed to proliferate and do business on a global level without any public oversight. Such oversight is needed with regard to two main issues: whose DNA is being tested, and who has access to the information retrieved from it. What kind of regulatory framework can assure that customers send in and have access only to their own DNA samples (or samples of individuals in their legal custody, such as their children's), and not to the DNA of third parties about whom they would like to gain genetic information? In the United States, until recently relevant regulation was found primarily at the state, rather than the federal level, with only few states requiring consent prior to performing genetic tests and having specific penalties for genetic privacy violations (see: genetic information: legal issues relating to discrimination and privacy http://www.ncsl.org/programs/health/genetics/prt.htm). The enactment of the Genetic Information Non-discrimination Act (GINA) provides protection to genetic information in the federal level, but it protects primarily from employment and insurance discrimination based on genetic testing.17

One would expect that providers of personal genomics services, avoiding the risk of damaging their reputation and loosing their clientele, would also strive to ensure that unintended consequences do not materialize. Although all three companies, 23andMe, deCODEme, and Navigenics, inform consumers that with their online purchase of the service they also confirm that the submitted DNA sample is their own (or that they are authorized to submit it), this information is ‘buried’ in the small print of the service agreement and informed consent sections of their web sites. The following scenarios outlined below for illustrative purposes, albeit being somewhat extreme, are not impossible under the existing framework:

First, consider a politician looking to disqualify a rival candidate from winning an electoral race by gaining access and sending her DNA sample for analysis by a personal genomics provider, and later ‘leaking’ information about that rival candidate's genetic predisposition for a particular mental or personality disorder. It could be argued that in such matters the public interest overrides the candidate's right to privacy, but what about the responsibility of the company to ensure that this does not happen? Or, consider an attorney looking to defend a client charged with sexual assault by providing ‘genetic evidence’ on promiscuous behavioral traits18 of the crime victim. Next, consider someone secretly testing the DNA of several partners before deciding with whom to conceive a child, looking for a ‘genetic match’ and specific desired traits in the child or rather for a partner who is most likely to remain physically and mentally healthy. Indeed, every commercial niche seems to find an eager entrepreneur: the Swiss company GenePartner (http://www.genepartner.com/) will help you find the ‘perfect match’ based on your DNA analysis, for a promotional fee of just US$199 (until the end of 2008) and a saliva sample. Finally, consider a national security alert enabling police to access the databases of personal genomics providers in a global hunt for first-degree family members of a terror activist – an action leading to the interrogation of citizens who happened to share some genetic relatedness with the hunted subject's family. Privacy interests might also be compromised in the event that a personal genetics company decides to sell its database, containing genotypic and phenotypic information of its customers (potentially along with identifying information such as customers birthdates or zip codes), to a third party. In such cases, personal information might be transferred to a company and/or a country with less strict privacy protection mechanisms. Should customers be notified and be given the opportunity to have their personal information removed from the database in such situations?

This last issue also raises the question of ownership regarding both genotypic and phenotypic information stored in the database. Who owns the information? The company that retrieved the information, or the individual who wished to explore and investigate her genetic makeup? DeCODEme, in its otherwise very clear and comprehensive section titled ‘service agreement and informed consent’ (http://www.decodeme.com/information/service_agreement), does not mention ownership at all; 23andMe, in its ‘terms of service’ section (https://www.23andme.com/about/tos/) emphasizes its ownership of the saliva sample submitted by its customers, whereas specifically not claiming ownership of other materials provided by its customers (such as postings on its website). The customers, however, are responsible to protect and enforce their rights, including their right to privacy, in the submissions they provide. Navigenics, in a section titled ‘Our policy regarding gene patents,’ (http://www.navigenics.com/policies/GenePatents/) merely programmatically mentions that ‘you own your genome,’ an ambiguous statement that does not clarify much on who has ownership rights in the sample sent to them.

The consequences of having a legal title are considerable: if the sample and information retrieved from it are considered the property of the company collecting and storing it, then the company is free to treat it as any other commodity, including selling or transferring the information to third parties, a troubling outcome that many consumers may not be aware of. One possible way to prevent this is by defining the holders of genetic information to be ‘trustees’ of the information which they hold.19 A trustee is one who has a legal title to property that he holds in trust for the benefit of another and owes a fiduciary duty to that beneficiary. In the genetic context it could be especially appropriate to adopt a trustee model as it would apply greater restrictions and responsibilities as to the safekeeping of the genetic information collected and stored by companies offering DTC genetic tests. Adopting a trustee model would, for example, place limitations on the transferability of the information collected and on future disclosures in the absence of the consent of the client.

A call for self-regulation

The regulation of genetic testing and counseling services has been addressed on numerous issues related to monogenic20 or polygenic21 disorders. The broad scope of personal genetic information supplied by these new companies, along with yet unknown potential for disclosing physical and behavioral traits about identifiable individuals, calls for reconsideration about what exactly should be regulated and to what extent. Some subscribe to the notion that regulators should interfere as little as possible in health-related commercial initiatives, arguing that reduced red tape will foster better healthcare; all we need to do is ‘let the market forces play.’22 On the other hand, it could be argued that we have now reached a point where regulatory action is needed to minimize negative unintended consequences in general and risks to personal privacy in particular.

Whose sample?

As shown above, at present, commercial personal genomics services – while requiring customers to confirm that they have the legal authority to submit the samples – do not explicitly warn potential customers of the possible (legal and otherwise) effects if they submit another person's DNA for analysis. Although 23andMe does mention the option of sending ‘your child's sample’ and even notifies its clients that the kit is not optimized for infants and toddlers under the age of three, customers may purchase up to five kits per order and are not required to provide any proof or statement that the extra samples are indeed from minor(s) in their custody. In that regard, 23andMe asks its clients on their ‘consent and legal agreement’ page (https://www.23andme.com/about/consent/) to confirm that ‘You are guaranteeing that the sample you provide is your saliva; if you are completing this consent form on behalf of a person for whom you have legal authorization, you are confirming that the sample provided will be the sample of that person.’ The informed consent required by deCODEme takes it one step further by including the statement that ‘either you are the owner of the sample or have full authority of the owner or subject of the sample to submit the sample for processing.’ Yet, these consent forms are visible on screen only once the registration process has begun. Furthermore, the above citations seem to ‘hide’ inside piles of legal language, disclaimers and ‘small print’ and not, as one would expect, be clearly highlighted on the introductory notes explaining the nature of the services. A fine and simple way for increasing customers’ awareness against sending another person’s DNA sample may be to require a signed statement – to be sent along with the DNA sample – confirming that the sample is their own or from a child in their custody. Yet, none of the companies discussed here take this simple measure.

The regulatory framework

In the realm of law, even the newly enacted US GINA does not provide sufficient safeguards when it comes to DTC genetic testing. After a decade-long struggle, GINA has recently passed both the US House and Senate and in May 2008 has been signed into law by the President of the United States of America.23 The Act is designed to assure that individuals will not risk discrimination based on disease risks derived from genetic information when seeking health insurance or employment.24 Supporters of GINA hailed it to be the first major civil rights act of the 21st Century whereas others argue it still does not provide sufficient protection.17 In Europe, the Convention on Human Rights and Biomedicine limits the ability to yield predictive genetic tests (tests for the diagnosis of a genetic disorder or a disease predisposition or susceptibility) only to health or health-related research reasons and even then the testing must be subject to genetic counseling.25 The additional protocol concerning genetic testing further requires that genetic testing on a minor who does not have the capacity to consent will be deferred until such capacity is attained, unless the test is detrimental for her health or well being, in which case postponing the test will not be in the minor's best interest.26 Also, a recent draft (April 2008) on biobanks prepared by the Organisation for Economic Co-operation and Development (OECD) (http://www.oecd.org/dataoecd/61/29/37647338.pdf) gives special attention to inclusion of DNA samples from minors and suggests special precautions for assuring their interests.

Self-regulation

As a first workable step, we call upon commercial enterprises offering DTC whole-genome testing to self-regulate their activities.27 For example, these companies may coordinate their activities through an ‘Association of Personal Genome Service Providers’ whose members must adhere to self-imposed guidelines or ‘Best Practices’ including steps for assuring the protection of customers’ privacy. Such ‘Best Practices’ are to be devised, agreed upon and followed by the association itself. Reportedly, several DTC companies including 23andMe and Navigenics declared that they plan to launch discussions in collaboration with the Personalized Medicine Coalition (PMC) (http://www.personalizedmedicinecoalition.org) to ‘devise their own voluntary standards’ that will ‘promote integrity among competitors’ (http://www.time.com/time/health/article/0,8599,1825539,00.html). In the United Kingdom, the Human Genetics Commission also intends to promote the development of a ‘code of practice’ for DTC genetic testing enterprises. The OECD should also be proactive in this field and issue recommendations for the DTC personal genomics business and its governance in OECD member states.

The advantages of self-regulation over formal government regulation include speed and simplicity, and as stated above, its implementation could be monitored by an organization or association established by the personal genomics industry itself, thereby avoiding a need for public funding – an issue which often delays the implementation of new public oversight agencies. Best practices guidelines self-regulated by the personal genomics industry may include, among other things, adoption of the trustee model with respect to ownership of personal genomic and phenotypic information. Self-regulation should also include adding clear and visible (eg, highlighted and boxed) warnings on the companies’ websites against sending another person's DNA. Another measure which should be considered is to require from customers a signed statement – to be sent along with the DNA sample – in which they confirm that the DNA sample is either their own or from a minor in their custody. Another key aspect of self-regulation for DTC personal genomics services would require customers to sign a statement confirming that they have consulted their primary healthcare provider prior to ordering a test related to health information and that a healthcare professional with knowledge in clinical genetics will be available to consult them about the forthcoming test results. This latter aspect is discussed in great detail in a recent document issued by the Secretary's Advisory Committee on Genetics, Health, and Society (SACGHS) of the US Department of Health and Human Services.28 However, instead of making concrete policy recommendations the committee merely declared that in the case of DTC genetic tests ‘there is a greater need to ensure that information about tests is complete and reliable.’ This rather vague statement will need to be followed, sooner or later, by distinct and specific guidelines.

Government oversight

The SACGHS committee also notes in this context that ‘it is difficult to put forward initiatives to address these issues, as there is no one agency that has oversight responsibility for all of them. It is very important that all public and private entities referenced in this report explicitly identify and address privacy concerns that are within their purview.’ We concur with this conclusion, which has become even more pressing along with the recent proliferation of personal genomics companies: it is indeed the role of consumer and genetic watchdog organizations, professional genetics organizations, and public bodies concerned with healthcare quality assurance to raise awareness of the threats to genetic privacy inherent in whole-genome genetic testing services marketed over the internet. In addition, however, government agencies should oversee these activities. The Food and Drug Administration (FDA) and Federal Trade Commission (FTC), for example, should take an active role in monitoring the personal genomics business in the United States. The FDA should inspect the quality and accuracy of DTC personal genomics tests whereas the FTC should provide oversight over the accuracy of advertized claims made by companies offering these tests.29 Thus far, neither agency has exercised or expanded its authority in this context, albeit the FTC is, according to a recent report,30 investigating this area. Further down the road, once the clinical validity and societal consequences of personal genomics are better understood, it might be desirable to have a single government agency (a new agency, or a new unit within an existing agency for reducing operating costs) responsible for oversight over all aspects of personal genomics testing. Having one specific agency supervising such testing will hopefully prevent overlaps, prevent issues from falling through potential cracks, and will ensure that the DTC personal genomics business is receiving the appropriate supervision it requires, something that presently does not take place.

A European perspective

Assuring governance oversight over DTC genetic testing could be more problematic in Europe, where diagnostics are regulated at the member state level and not at the European Union level, as done by the European Medicines Agency (EMEA) for medicines. Applicable legislation in Europe, where available, differs from state to state, providing patchy protection and creating a complex body of law.31 The existence of watchdog organizations like GeneWatch in the United Kingdom provides additional oversight but they too have warned against the lack of supervision and regulation on genetic tests and recommended that a new body will be established to ensure the evaluation of laboratory diagnostic tests.32 Thus, in Europe it might take a complete overhaul of the diagnostics regulatory process, possibly moving it from the member state level to a new unit created within EMEA, before such central oversight of genetic testing including DTC tests can be foreseen,33 although signing and ratifying the Additional Protocol would be a step in the right direction.

A global perspective

The personal genomics business knows no boundaries: clients may send their DNA to the providers by courier from numerous countries. With this in mind having harmonized and coherent guidelines and oversight would serve for the best. Self-regulated best practices adopted by the DTC personal genomics industry could promote this goal, whereas government regulatory bodies outside the European Union and the United States are likely to look up to and follow steps taken by agencies regulating the personal genomics business in these countries. One may therefore expect that self-regulation together with governance of the personal genomics business in the European Union and the United States will have an impact beyond their boundaries, thereby reducing imparities in the quality and ethical standards of the DTC personal genomics business globally.

The recent enacting of the long-awaited GINA in the United States, joining the ranks of other countries, including France, Austria, and Israel, which have already enacted similar genetic privacy laws, protects their citizens against misuse of their personal genetic information by employers and healthcare providers. However, we live in a global village. Concerns remain that such sensitive personal information may in the wrong hands cause individual harm.

Looking forward

We believe that at this time, when the DTC personal genomics industry is still shaping, the most practical way forward would be for the industry to self-regulate its activities by establishing best practices guidelines including guidelines assuring the privacy of consumers and third parties. Notwithstanding, in the longer run public oversight would be needed which could best be achieved through the creation of a specific personal genomics unit within the existing national agencies: a new dedicated unit within EMEA for the European Union, and within the FDA for the US. Alternative options of building entirely new agencies might be too costly, and it may take many years for them to achieve the same level of public trust enjoyed by EMEA and the FDA.

Although ‘free-market forces’ will be among the decisive factors about the success or failure of such DTC personal genomics and health databasing services, we call upon national regulators and international organizations such as the OECD to consider carefully through which means undesired effects including privacy risks could best be avoided. Yet, as this young industry is rapidly evolving and the spectrum of its societal impact is still unclear, meaning that such regulation may take several years to implement, urgent interim steps must meanwhile be taken (see Box 1). These include self-regulation and the establishment of best practices guidelines, potentially coordinated through a dedicated association of the DTC personal genomics providers.