A saliva sample is sent off. Weeks later, results arrive: ancestry, traits, potential health risks. The process feels personal, even intimate. Genetic data is often described as among the most sensitive forms of personal information.
That intuition is not misplaced. But it is incomplete.
Genetic data does not concern only the individual from whom it is obtained. Once analysed and stored—whether by private companies, research institutions, or state authorities—it raises a more complex legal question: not simply what is revealed, but to whom that information, in any meaningful sense, belongs.
Genetic data within existing legal frameworks
European data protection law appears, at first glance, well equipped to address these concerns. Under the General Data Protection Regulation (GDPR), genetic data is expressly classified as a “special category” of personal data (Article 9), subject to heightened protection. Processing is restricted, requiring explicit consent or another specific legal basis.
This classification reflects the distinctive nature of genetic information. DNA can disclose not only current health conditions, but predispositions, inherited traits, and aspects of identity that may not yet be known to the individual concerned. The legal response is therefore deliberately stringent.
Yet this framework rests on an implicit premise: that genetic data, like other forms of personal data, can be meaningfully attributed to a single data subject who is capable of exercising control over it.
It is precisely this premise that becomes unstable.
The relational nature of genetic information
Most forms of personal data are, in a practical sense, individualised. Email addresses, browsing histories, and location data primarily relate to one person. Genetic data does not operate in the same way.
It is inherently shared. A significant portion of an individual’s genetic profile is also present in biological relatives. As a result, the analysis of one person’s DNA can generate information about others—siblings, parents, children—who have neither participated in the process nor consented to it.
This creates a structural tension within data protection law. The GDPR is built around an individualistic model of control, centred on the data subject and their consent. Genetic data disrupts that model. It simultaneously identifies multiple individuals and produces information that extends beyond the person who provided the sample. In such circumstances, a framework grounded in individual consent risks systematically under-protecting those indirectly affected. The difficulty is not merely regulatory; it reflects a mismatch between the architecture of the law and the nature of the data it seeks to govern.
Consent and its limits
Consent occupies a central position within the GDPR (Article 6 and Article 9). It is intended to function as an expression of autonomy: informed, specific, and freely given.
In the context of genetic data, however, its normative reach is limited. An individual may consent to the analysis, storage, and use of their genetic information. That consent may extend to research, data sharing, or even commercial applications, depending on the terms agreed.
What it cannot do is account for the interests of others whose genetic information is indirectly revealed.
A genetic test may disclose hereditary health risks relevant to family members who have not chosen to receive that information. Familial searching techniques used by law enforcement may identify individuals who have never engaged with genetic databases. From a strictly legal perspective, the initial processing may remain valid. From a broader perspective, the adequacy of consent as a regulatory mechanism becomes questionable.
The limits of anonymisation
One response to these concerns is anonymisation. By removing identifying information, genetic data can, in theory, be used without implicating individual privacy.
In practice, this approach encounters significant limitations. Genetic data is inherently identifying. Even where direct identifiers are removed, DNA profiles can often be re-associated with individuals when combined with other datasets. More fundamentally, genetic information continues to reveal insights about biological relatives, regardless of whether a specific individual can be immediately named.
This difficulty has been recognised in case law. In S and Marper v United Kingdom (2008), the European Court of Human Rights held that the retention of DNA profiles by state authorities constituted an interference with the right to respect for private life under Article 8 of the European Convention on Human Rights. The Court emphasised the uniquely sensitive and enduring character of genetic information, noting that it contains far more than mere identifiers. Its capacity to reveal extensive personal and familial data rendered its retention particularly intrusive. The judgment underscores a broader point: genetic data cannot be readily reduced to neutral or effectively anonymous information.
From private data to public infrastructure
The legal challenges become more pronounced as genetic data moves beyond individual testing and enters larger systems.
Law enforcement authorities increasingly rely on genetic databases, including through familial searching techniques. A partial match may identify a relative, thereby narrowing the search to individuals who have never submitted their DNA. Similarly, large-scale biobanks retain genetic data for long-term research, often for purposes that evolve over time.
In these contexts, genetic data functions less as private information and more as a form of infrastructure. It persists, circulates, and acquires new uses. The original conditions under which consent was given become progressively less determinative of how the data is ultimately used.
Rethinking the structure of genetic privacy
The difficulty, at its core, is conceptual. Data protection law is organised around identifiable individuals, discrete acts of consent, and clearly bounded datasets. Genetic data does not conform to these assumptions.
It blurs the boundary between individuals. It extends across time and generations. It produces information that is simultaneously personal and collective.
This raises questions that existing legal frameworks address only partially: whether one individual can meaningfully consent to the exposure of others’ genetic information, how responsibility for shared data should be allocated, and whether privacy can still be understood in purely individual terms.
Conclusion
Genetic privacy does not fit comfortably within the legal categories designed to protect it.
The law recognises genetic data as sensitive, imposes strict conditions on its use, and provides individuals with a degree of control. But those mechanisms are structured around an assumption of individual ownership that genetic information does not fully support.
DNA connects individuals in ways that law struggles to disentangle. It reveals information that extends beyond the person from whom it is obtained. It persists within systems that operate across institutional and national boundaries.
The challenge, therefore, is not simply how to protect genetic data more effectively within existing frameworks. It is whether those frameworks are conceptually adequate for a form of information that is, by its nature, shared.
The question is no longer only how to protect your DNA.
It is how to regulate information that was never exclusively yours to begin with.
Leave a comment