Ivan Kairatov is a Biopharma expert with extensive knowledge in technology and innovation within the industry and considerable experience in research and development. Today, we discuss the newly introduced Genomic Data Protection Act (GDPA) and its implications.
Can you explain the main purpose of the Genomic Data Protection Act (GDPA)?
The primary purpose of the GDPA is to regulate the collection, usage, and disclosure of genetic data collected by direct-to-consumer genomic testing companies to protect consumer privacy. This legislation is crucial now due to the rapid advancements in genetic testing technology and the increasing consumer adoption of these services, which in turn raises significant privacy concerns. The GDPA differs from existing laws as it also includes provisions for companies that acquire genomic data and mandates consumer notification in the event of corporate transactions.
Who introduced the GDPA?
The GDPA was introduced by Senators Bill Cassidy (R-LA) and Gary Peters (D-MI). These Senators represent the Republican and Democratic parties, respectively. They had previously introduced a similar bill last year, which ultimately did not progress before Congress adjourned.
What key features does the GDPA include in terms of applicability?
The GDPA applies to any person or entity involved in manufacturing, developing, analyzing, interpreting, collecting, using, maintaining, or disclosing genomic data from direct-to-consumer genomic testing products or services. Notably, it also applies to entities that purchase genomic data from these companies. There are exceptions, notably for healthcare professionals who handle genomic data for medical diagnosis or treatment as defined by the Public Health Service Act.
What is the scope of “genomic data” according to the GDPA?
“Genomic data” under the GDPA encompasses any data resulting from the analysis of a biological sample concerning genomic material, including DNA, RNA, genes, etc., and any derived or inferred information. However, deidentified genomic data used for medical or scientific research under HIPAA guidelines is excluded.
What rights does the GDPA grant to consumers?
Consumers have the right to access their genomic data and delete their accounts, including associated data and biological samples. Companies must provide a “simple and effective mechanism” for exercising these rights. Exceptions to these rights are limited to compliance with legal obligations or court orders.
Are there any exceptions to the consumer rights granted in the GDPA?
Yes, exceptions include situations where deletion would interfere with information subject to legal requirements such as court orders or where retaining data is necessary for compliance with other legal or regulatory requirements.
What requirements does the GDPA impose regarding consumer notice?
Companies must provide clear, conspicuous, and non-misleading notices summarizing consumer rights and specifying that deidentified genomic data may be shared for medical or scientific research under HIPAA.
What does the GDPA require in the event of a corporate transaction involving a direct-to-consumer genomic testing company?
Companies must notify consumers at least 30 days before the transaction is completed, detailing the purchasing entity and how consumers can continue to exercise their rights under the new ownership. If a request is pending during the acquisition, the purchasing entity must honor it.
Does the GDPA preempt state laws relating to genomic data?
The GDPA does not preempt state laws unless there is a direct conflict with its provisions.
How is the GDPA enforced?
Enforcement falls under the FTC’s jurisdiction, categorizing violations as deceptive or unfair trade practices under the FTC Act. The FTC has one year from the enactment to initiate rulemaking related to the GDPA.
Why might the introduction of the GDPA be significant for consumers who use direct-to-consumer genetic testing services?
The introduction of the GDPA is significant as it provides robust privacy protections, ensuring consumers are informed and have control over their genomic data, which is increasingly important given the sensitive nature of this information.
How are consumers’ privacy and data protection addressed in the GDPA?
The GDPA mandates measures to prevent the reidentification of deidentified genomic data, ensuring that companies implement safeguard protocols to protect consumer privacy.
How have states dealt with direct-to-consumer genetic testing companies prior to the introduction of the GDPA?
Several states have enacted their own laws regulating the privacy and use of genetic data collected by direct-to-consumer testing companies. These state laws laid the groundwork for the comprehensive federal regulation proposed by the GDPA.
Do you have any advice for our readers?
My advice to consumers is to stay informed about how their genetic data is being used and protected. As the landscape of genetic testing evolves, understanding your rights and the measures in place to protect your privacy is crucial. Ensure that you utilize your rights to access and manage your genomic data as provided under new regulations like the GDPA.
