What happens when your DNA and Genetic Data goes on the Blockchain?


October 28, 2020

Summary

The battle of legitimate authority and control over genomics[1]data introduces a substantial legal andcomputational burden on data privacy. Consumers are already suing doctors[2], hospitals and data processors to hold them liable for how they offer, interpret and counsel patients about genetic tests. In this article, we introduce one use case, GenoBank.io[3], which aims to protect consumer privacy by engaging stakeholdersat the intersection of privacy law, smart contracts[4] [5]using non-fungible tokens(NFTs)[6] [7]and genomics.

Abstract

This article analyses the mainlegal requirements in the California Consumer ProtectionAct (CCPA),general data protection regulation(GDPR)and the intersections between privacy laws,genomicdataand smart contracts (such as fungible and non-fungible tokens [NFTs]). The CCPA andGDPR lawsimpose several restrictions on the storing, accessing, processing and transferring of personal data. This has generated somechallenges for lawyers, data processorsand business enterprisesengaged in blockchain offerings, especially as they pertain to high-risk data sets such as genomic data. The technical features of NFT, distributed storage and wallets to trace and govern genomic (DNA) datasets will allow data donorsto establish digital ownershipandcontrol in line with privacy laws using ‘programmable privacy smart contracts’.To belegally compliant, the design of blockchain value propositions should include privacy-by-design capabilitiesin the smart contract coding language itself. Thisarticle describes three domains (privacy laws, genomics and NFTs) and begins to explore how data engineers can addressthe challenges of coding privacy laws, the legal requirements into smart contracts. This current approach focuses on NFTs and genomic data requirements whichinclude the selection of genetic metadata borrowing from developing ERC specifications and their programminglogic. Programmableprivacyis a unique way to write and design computer code, which can automatically check the legal compliance of the smart contractin a trust-lessand decentralised way. We exemplify the approachby describing the conceptual value proposition of GenoBank.io, a privacy-preserving genomic data platform.

Introduction

The battle of legitimate authority and control over genomics[1]data introduces a substantial legal andcomputational burden on data privacy.Consumers are already suing doctors[2], hospitals and data processors to hold them liable for how they offer, interpret and counsel patients about genetic tests. In this article, we introduce one use case, GenoBank.io[3], which aims to protect consumer privacy by engaging stakeholdersat the intersection of privacy law, smart contracts[4] [5]using non-fungible tokens(NFTs)[6] [7]and genomics.

There are growing challenges in this complex ecosystem that can only be solved collaboratively[8]. Subject matter experts in all three domains (law, genomics and smart contracts) will be dependent on each other to achieve success and avoid risk. Here, the concepts, interrelationships and the implications of a specific use case in genomics: theimplications of the CaliforniaConsumerPrivacyAct[9][10](CCPA) and the European Union’s generaldataprotectionregulation[11](GDPR) to smart contracts, specifically NFTsin the blockchain[12],are presented. The Consumer Online Privacy Act (COPRA)[13]is also briefly overviewed. Two questions are posed as a starting point for stakeholder collaboration:

  1. The human challenge: How do stakeholders with conflicting interestswork together to ensureprivacy laws protect the most personal, private, and sensitive data[1]derived from biospecimens[14]?
  2. The technology challenge: How can privacy laws be coded[15]into smart contracts to protect high-risk data with strong consent and privacy mechanisms? In other words, how do you embed laws of the physical world into machine code with privacy as the highest value?

There are about 8billion people on the planet and more than 26million[16]have already analysed their DNA. Approximately a million people worldwide have had their whole genome sequenced[17].

So many people have had their DNA sequenced that they have put other people’s privacy at risk.[18]

On the other hand, 99%[14]of the world’s genetic information has yetto be produced. Those global statistics represent billions of dollars in marketplace opportunity[19]and probably an equally large risk[20] [21]in liability. How the opportunities and risks get defined in the next decade will be led by stakeholders working together across domains in law, genomics and technology.

Inevitable problems will arise if companies do not address the form and function of their technology solutions to face international and local data-privacy laws[22] [23],especially in the field of genomics. To create a fair and more secure marketplace for genetic information, privacy laws can be applied to the use of blockchain with NFTs(a type of smart contract). To helpmitigate the gaps and challenges,stakeholders can also work together in transdisciplinary[24]ways that begin to create a common language[25]of understanding across the three domains of privacy laws, genomics and smart contracts. This article is a preliminary effort towards one of the much-needed stakeholder conversations and collaborations. This is a long-term endeavour where lawyers,data processors, genomic researchers and data subjects can define, together, what data practices and governance will be in the future

At the intersection of the three domains, business enterprise is beginning to address this challenge by engineering various iterations of privacy-by-design offers and more specifically by engineering privacy by blockchain design[26][27]. In the latter, solutions can be GDPR compliant and also include additional legal privacy requirements with strategic smart contract terms and conditions. These new business models are helping to raise data protection levels and aim to give back data ownership to individuals. Specifically, one such enterprise, GenoBank.io, has focused on bringing smart contracts such as NFTs that combine unique value-added architectures to the privacy-by-design proposition for genomic data. Details are shared later; first, we introduce the primary concepts of the three domains.

Three domains: collaboration required

Privacy laws

The European Union’s GDPR went into effect on 25May2018 and a similar law in California, the world’s fifth largest economy, theCCPA, went into effect on 1January2020. The newest privacy legislation from the U.S. Congress is COPRA, a Federal Bill aimed at protecting the privacy of consumers online at the national level. If this Bill crosses the finish line in the future,it would finally strengthen the Federal Trade Commission’s ability to enforce digital privacy protections. But other similar Bills introduced in the past havenever made it. Regardless, international and local privacy laws are keeping many privacy and security officers awake at night. Those concerns will not be alleviated unless stakeholders work together on how to address the requirements and specifications for policy and practice.

A few legal experts have coined the CCPA law as ‘GDPR Lite’. But others suggest the CCPA is not Lite[28]at all and there is much more to do with the CCPA than previously believed. Some privacy lawyers say that companies who have already addressed the requirements of the GDPR have a lot moreto prepare in order to address the higher requirements in the CCPA. The CCPA intends to provide California residents with the rights to:

  1. know what personal data is being collected,
  2. know whether it is being sold or disclosed and to whom,
  3. refuse the sale of their personal data, 4.access their personal data,
  4. request a business delete any personal data,
  5. and not be discriminated against for exercising their privacy rights.

These six essential rights are part of the new CCPA challenges that privacy lawyers, technologists, genomic researchers and data processors are faced with today. The new law also sets penalties of $2,500–$7,500 per violation[23]and a private right of action to individuals affected by a breach caused by a lack of reasonable security measures. Due to the provision of statutory damages, the risk of litigation[29]is very significant. Under the CCPA, an entity qualifying as a ‘business’must also provideseven protections. For example, business must provide disclosures regarding the sale of personal information collected from or about covered consumers (id. § 1798.110(a), an opt-in requirement before selling a minor’s personal information (id. § 1798.120(c), the ability for covered consumers to access and/or delete personal information collected from or about them (id. §§ 1798.105), and must also implement measures topreventdiscrimination against consumers who exercise their rights under the CCPA (id. § 1798.125)among others.

A few of theconditions required by the CCPA suggest a substantially different way of doing businessand a higher threshold for data governance than has been required previously. The lawalso expands upon whatpersonal information is and howit is used by businesses.

Under the CCPA,personal data (identifiers, geolocation, internetactivity, education and employment information among others) also includes biometric information. Biometric information is defined as‘an individual’s physiological, biological, or behavioural characteristics, including deoxyribonucleic acid (DNA), that can be used singly or in combination with other identifying data, to establish identify’[9].Examples such asimagery of the iris, retina, fingerprint, face, hand, palm, voice recordings, keystroke patterns, exercise data, gait patterns and even sleepare protected by the law.

Businesses should take heed, if personal or biometric data are gathered by a company, without notice, it is still considered private personal information and subject to legal protection. These new considerations on what kind of data and under what conditions the data are protected under the law sets a higher bar for data governance.

The newest privacy law proposed at the federal level may extend consumer protections even further. It was introducedby Senators Cantwell, Schatz, Klobuchar and Markey on 26 November 2019. COPRA is written to provide consumers with foundational data-privacy rights, creating strong oversight mechanismsand establishing meaningful enforcement of the same. This new legislation, as introduced, suggests that companies must not collect more information than they The JBBA | Volume 3 | Issue 2| 2020 PublishedOpen Access under the CC-­‐‑BY 4.0 License3‘reasonably’need to function. COPRA is tremendously ground-breakingas proposed[30]and could, if passed, create the need for substantial liability and risk resource allocation in the future. The basic tenets of this new lawincludeextended data-privacy rights(Title I), augmented oversight and responsibility(Title II) including a section on digital content forgeriesand some added legal traction with Title III that adds miscellaneous sections on enforcement, civil penalties, authorisation of appropriations and severability among others.

The following genomic and digital dataare consideredbiometric informationthat is to be protected online by the COPRA:

  1. fingerprints
  2. voice prints
  3. iris or retina scans
  4. facial scans or templates
  5. deoxyribonucleic acid (DNA) information
  6. gait

Similar to CCPA,gait isalsoincluded;a person’s mannerof walking isprotected biometricinformation. Excluded are writing samples, written signatures, photographs, voice recordingsand demographic data. Also excluded are physical characteristics such as height, weight, hair colour andeye colour, provided that such data is not usedfor the purpose of identifying an individual’s unique biological, physical or physiological characteristics.

COPRA would gofurther than past laws,in that it defines the terms ‘collect’and ‘collection’to mean buying, renting, gathering, obtaining, receiving, accessing or otherwise acquiring covered data by any means, including by passively or actively observing the individual’s behaviour.The CCPA and COPRA are huge shifts in regulation and data governancetowards protecting the rights of consumers as opposed to allowing any collection and use of consumer data for a company’s own benefits.

Implications

All laws[31]are meant to protect general safety and ensure our rights as citizens against abuses by other people, by organisations, and by the government itself. Laws do this by requiring specific behaviours and prohibiting others. The CCPA as enacted will ‘nudge’[32]and require companies to act differently. If enacted,COPRA, as the next-generationregulation,will push the ‘nudging’further. As privacy lawyers, data processors, genomic researchers and DNA donors consider a path forward, we suggest stakeholders collaborate on how to manage the opportunities and risksto balance public and private interests.It is inevitable that the implementation of the CCPA (enacted law)will bring about drastic challenges to companies and developers using the blockchain,especially in regard to genomics.

Genomics

Genomics[33] [34]is a domain within genetics that concerns the sequencing and analysis of an organism’s genome. It is an is an interdisciplinary field of biology focusing on the structure, function, evolution, mapping and editing of genomes. Experts in genomics seek to complete DNA sequences beyond just partial analyses in order to perform genetic mapping that can help understand disease. A genome is a completeset of DNAsincluding all genes in one organism. Due to the highly sensitive nature in the uniqueness of genomic data, privacy requirements are complex transaction-laden systems with layers of health information that need both legal and computational privacy protection. Privacy protections are only beginning to gain solid ground in the United States and have yet to be fully realised.

Next-generation sequencing and genome editing havehelped to make medicine more precise and efficient, especially regardingdisease diagnostics and treatment. But the rapid development can only be realised by the aggregation and analysis of people’s genomic and health dataat scale. Efficient processing of very large-scale genomic data sets creates risk in the marketplace of biometric information. For the most part, DNA donors have been left powerless[35] [36]without any control over their own personalgenetic profiles, essentially left without sovereignty. Data sovereignty is the concept that information,which has been converted and stored in binary digital form,is subject to the laws of the country in which it is located.TheCCPA, Health Insurance Portability and Accountability Act (HIPAA)[37]and the Genetic Information Non-discrimination Act (GINA) [38]are the first set of laws in the United States that arebeginning toprovide protection and sovereignty. But theglobal warsover genetic information[39][40]have only just begun and casehistories, in the United Statesfor example, reflect the struggles thatthe private and public sectors continue to have with gaps and challenges to the four corners of the law.

With newer and stronger privacy laws, the government is approximatingprudence [41]and protection for the general safety and security of its citizens. But technology providers can go further. The lingering gaps in regulation add persuasive motivation to ethical technology leaders to move beyond the minimal requirements of the law towards ethical best practices[42][43]. Working together with regulators on ethical data governance and understanding,they can provide a value proposition that both protects the consumer and provides a marketplace competitive advantage. One does not have to exclude the other. Rapid developments in the aggregation and analysis of people’s genomic and health data at scale canbenefit individuals, the public and theprivate sectorssimultaneously.

The new laws imposed and the plethora of lawsuits that businesses are enduring indicate, from the individual’s perspective, that theCCPA and the like maynotgo far enough, yet,to protect an individual’s biometric data[39] [44]. From the enterprise perspective, the risk of liabilityfrom intended, unintended and even derivative attempts ataggregationof de-identified biometric data to identifiabledatabasesshould beat least one reason to borrow from the spirit of the law and its legal premise to create privacy-by-design solutionswith grit. Using NFTs for genomics data may give both the individual and the enterprise a way to work together on balancing disparate, indeed often conflicting interests. The use of NFTs to address this challenge will be explained shortly.

Blockchain

A blockchain[45]is a time-stamped series of records (like a record in a spreadsheet but written only once) that is managed by a cluster of computers not owned by any single entity. Blocks of data (i.e. block) aresecured and bound to each other like a chain using cryptographic principles such as confidentiality, authentication, integrity and non-repudiation[46]. All data stored on the blockchain havea common history available to all network participants. With this mechanism, the chances of fraudulent activity or duplications is eliminated without the need of third-party intermediaries[47].

Otherwise known as a distributed public ledger[48][49], a blockchain tracks assets and transaction records so that each data block contains a unique hash ‘tag’(digital fingerprint/signature) and time-stamped batches of recent transactions plus a hash of the previous block[50]. Each record with an encrypted digital signature proving its authenticity in the blockchain is tamper proof and cannot be changed. Blockchain and smart contracts can help counter problems such as imbalances in data control, information islands, data tampering, theft, abuse, data leaking, grey data transactions and missing records[50]. As with other technologies, blockchain has augmented[51]its bandwidth and expanded its capacity.

There are four [52]generations of current blockchainsacross many industries[53]worldwide[54]. The use casesexpand daily inhealthcare[55][56]. On top of privacy laws nudging new business behaviour, in the healthcare space, providers are already answering strong calls to give easy access and control of personal healthcare records to the patient. But a review of the usage of blockchain technology in healthcare reveals that a patient’s sovereignty, privacy and security[57]is not the most prevalent focinecessarily. The vast majority of blockchain applications in healthcare have been implemented to address interoperability and the substantial siloed data structures among diverse organisations. This is why decentralised, immutable ledgerslike the blockchain provide more portable, interoperable mechanismsfor the correct processing and secure sharing of data [21] [58] [59].

To share medical data, and moreimportantly highly sensitive genomic data securely, it is required that parties agree on the structure and semantics of data sharing[50]. Again, the human challenge tousing technology optimally is represented here. Taking full advantage of the promise blockchain and smart contracts offer to computational genomics[1][43] [60]is a fit-for-purpose that should be taken seriouslyby collaboratingat domain intersections. Implementing privacy laws in the genomic data ecosystem is also a socio-technical challenge, not just a technicalone. Furthermore, the maturity of the blockchain field is timely now in consideration of the greater need to manage vast quantitiesand different kinds of data (e.g. biobanking and biometric data) that require inviolable privacy parameters[59][61]. Although many blockchain applications are still in conceptual stages testing various aspects of the technology,these more complex requirements for security demonstrate a need for the added transparency, confidentiality and programmable privacy in smart contracts[61] [62].

Self-executing computer protocols such as smart contracts execute agreementsbased on computer algorithms between two or more parties while creating an indisputable record of transactions associated with granting and revoking access[63]to a data (cryptocurrency) wallet. To ensure control,data transactions are signed by the ownerusing aprivate key[1] [64]. Private keys arecreated when userscreate an account (crypto data wallet) on any Web3 decentralised platform. A crypto data wallet usually has two main purposes. The first is to be able to easily share your public address through the internet and second to securely store the corresponding private key(s). Private keys can be encrypted or unencrypted as decided by the level of security offered by the blockchain platform.

The main idea behind using a crypto datawallet for genomic data is to introduce a novel alternative for users to regain data sovereignty with the support of privacy laws.Data wallets will enable data subjects to become data custodians while interacting with a genomic data processor (labs or researchers, for example) without losing any control or ownership. Unlike when companies such as 23&Me sell an ancestry and health reportto a specific consumer,they claim ownership and establish control over a consumer’s genomic data. In contrast, a DNA data wallet allows users to temporarily grant access to a genomic data processor so they can execute an interpretation algorithm or otheranalyses. These analyses aregoverned by a smart contract that can be programmedto destroyor delete any digital computer instance that was created during the data processing for privacypurposes.

In other words, all instances of virtual machining can be deleted or destroyed by the terms and conditions of the smart contracts selected. This would be an equivalent to self-serving a consumer’sright to be forgotten as a data subject/owner in GDPR and CCPA terms,respectively. There is no need for the data owner to keep a copy of the analytics or algorithms used for a report and there is no need for 23&Me to keep a copy of the data owner’s DNA. Both parties are satisfied and protected. There is no justification or reason for the data owner to keep any IP from the data processor and no justification for the processor to keep a copy of the data owner’sDNA. Then by integrating the terms and conditions of privacy laws into smart contracts with the specifications of NFTs,we suggest this combination of programmable privacy could be a novel and valuable form of next-generation privacy-preserving[65]technology.

This could dramaticallychange the status quo of data custodianship. Currently,the reality is data ownersgive away their rights, theircustody and ownership to their DNA data or sell itfor cents on the dollar[66] [67]. We argue crypto data wallets in combination with smart contracts, using NFTs,can disrupt the status quo of data ownership and governance.

All together,these mechanisms can facilitate a CCPA and GDPR compliant data management system by encoding in the smart contract a set of rules that ensure privacy for consumer-sensitive data. In essence, smart contractsprovide better security performance than traditional contract law because they are encoded and written in such a way that they guaranteethe execution of explicitly specified conditions[5] [44].

Risks

With broad opportunities come many risks. Inherent in any technology innovation is the absence of time and conditions that help stress test the boundaries of any new applications. Here, two primary risks with these smart contracts will be addressedin the limited time and space allowed. One is the potentialthat private keys are lost or mishandled. The second is the security and privacy risks wh

According to Chainalysis,19% of cryptocurrency holders lost digital assets due to mismanaged digital wallets and keys[68]. But the market has already responded by offering new private key recovery solutions,both for custodial and non-custodial authorisations. One such service is the Squarelink platform. For now, it is the only purenon-custodial private key recovery platform.Others rely on custodial key-management services like Amazon Cognito, for example[69]. Another mitigation scheme for lost keys and wallet access is known as secure attribute-based signatures that support multiple authorities for expanded authorised access[70]. Attribute-based signatures are also being explored and tested still. As to how to address the issue of risk when data is at rest or in transit, the maintenance of encryption, authorisation and authentication during both data states are absolutely crucial and possiblewith proxy re-encryption (PRE) schemes[71]. Data transit can also be limited through distributed storagegovernance. Asexplained earlier in the 23&Me example, software analysis can be ‘brought to the data’rather thansoftware or algorithmsprocessing data from a corporate owned machine[72].

One configurationof data storage, for example, is private IPFSnodes hostingDNA data fora single owner[56]. IPFS is the new alternative to corporate controlled data storage. In other words, IPFS is controlled by a community of developers similar to Bitcoin where the data repositories are only owned by the creators of content that also hold the private keys. Data owners can allow trusted third-­‐‑party validators and otherauthorised custodians[60] [61]. Using PRE layers such as Nucypher, consumers can securely share encrypted data without sharing theirprivate key[73]. PREserves as a means for delegating decryption rights, opening upapplications that require delegated access to encrypted data(whether genomic or otherwise)[71].

One configurationof data storage, for example, is private IPFSnodes hostingDNA data fora single owner[56]. IPFS is the new alternative to corporate controlled data storage. In other words, IPFS is controlled by a community of developers similar to Bitcoin where the data repositories are only owned by the creators of content that also hold the private keys. Data owners can allow trusted third-­‐‑party validators and otherauthorised custodians[60] [61]. Using PRE layers such as Nucypher, consumers can securely share encrypted data without sharing theirprivate key[73]. PREserves as a means for delegating decryption rights, opening upapplications that require delegated access to encrypted data(whether genomic or otherwise)[71].

By augmenting who gets access in these kinds of configurations,authorised custodiansmay be optionally established over time without compromising either the security or the integrity of the dataand the data owner. Essentially PRE helps data owners share a secret with minimal risks to the secret or secret keeper [74]. Risks are thereby minimised more adequately within these frameworks as opposed to what is in existence in legacy healthcare and genomic data silos. The data owner can essentially rent out their data never losing control over it. Next,we explain how NFTs,specifically on top of these crypto privacy-preserving[65]offerings,create additional valuefor highly sensitiveand scarce datalike genomic data in the context of adhering to privacy laws.

Non-fungible tokens (smart contracts)

Gamers were first attracted to NFTsbecause they could represent the collectible creatures called CryptoKitties[75]. NFTs are now used by crypto artists, blockchain games and countless other users to ensure digital scarcity and ownership. NFTsare tokens mintedon blockchains that are irreplaceable and individually unique[76] [77]. In contrast,fungible tokens refer to something that can easily be replaced by something identical and is interchangeable. A dollar bill is an example of a fungible item. If you were to lend a dollar, it wouldn’t matter what dollar nor what fungible token representing it was returned. Non-fungible means that no other asset or representative token is exactly like it. This is both relevant and similar to the representation, form and functionof genomic data. The NFTdesign is especially advantageous for managing the rights and ownership of highly scarce and unique assets, both on and off the blockchain.

In this same way, we believe using NFTs will assist in making genomics data portable beyond the specified solution across multiple environments, while still allowing for strong governance and control by the genomic dataowner or authorised custodian. Thus, we identify the use of NFTs to represent individual user genomes.Unlike traditional cryptocurrency or ledger-­‐‑based tokens, NFTs are not interchangeable–carrying theirown information or other attributes that make them irreplaceable. NFTs on the Ethereum Blockchain are governed by two specifications known as ERC-­‐‑721 and ERC-­‐‑1155[7] [78]. Additional Ethereum Request for Comments (ERCs)show developmental growth that may represent more robust specifications in genomics data use cases.See Table 1.

ERC-­‐‑721 defines a minimum interface written in Solidity[79]that allows unique tokens to be managed, owned and traded[78]. It does not mandate a standard for token metadata or restrict adding supplemental functions for genomics payloads. In the proposed solution, ERC-­‐‑721 are used to store references to genomic material and searchable metadata attributes.Whereas ERC-­‐‑721 mandates a unique token contract for each token created, ERC-­‐‑1155 may be more efficient to create and bundle token transactions.ERC-­‐‑1155 can beused to meter requests for genomic data and ensure that no user has more than their share of resources commuted to perform work in the data processors environment.

ERC-­‐‑1155 provides additional flexibility over ERC-­‐‑721 by creating flexible, re-­‐‑configurable orexhaustible tokens. Alternatively, the ERC-­‐‑998 extension to ERC-­‐‑721 is still in draft butoffers the idea of NFTcollections such as parent, child and family DNA collections. The ERC-998 and future ERCs are developmentally better iterations on past ERCs with other limitations such as inefficient transfer capability, array length and inability to get token IDs[79]. But as illustrated in Table 1,in ERCXXX, GenoBank.io is targeting the development of a future more robust solution specificationto the challenges at the intersection of privacy laws, genomics and smart contracts.

Use case

GenoBank.io is the first privacy-preserving personal DNA Kit (patented) that guarantees consumers’complete ownership and control over their DNA.It was founded so that patients can benefit from finding DNA-based clinical trials without risking their identities or control over their data. GenoBank.io is built on an Oasis Lab decentralised cloud infrastructure[80]that allows developers to create Web 3.0 applications where users can own and control their genomic data in a peer-to-peer transaction mode. This offers a high-performing (1000s of transactions per second) confidentialand privacy-preserving NFT[6]execution. Itspurposefuldesign supports rigorous analysis using varioussecurity properties[63] [81]. The DNA crypto walletallows users to purchase biospecimen extraction kits.Biospecimens include biomaterial such as saliva that render DNA andRNA genomic information. After the biospecimen is collected for the specific extraction kit, the user can choose to send the kit to their preferred CLIA Certified Laboratories Sequencing Service[82]for analyses. The biospecimen itself will remain at the CLIA Lab, but the digital data, analyses and any ‘reporting’will be stored in a datawallet repository. The wallet repository is the ‘place’ where genetic data is ‘banked’.The GenoBank.io approach is still developing and refining itselfas a value proposition. But unlike manyexisting options(e.g. LunaDNA, Nebula Genomics, EncrypGen[62] [66]), GenoBank.io offers the DNA donor and data processor a secure platform where they can both ethically and efficiently process genetic datawithout DNA ownerslosing custody or control over their DNA.

Discussion

Over the last 10 years, laws, medicine and technology together with policy makers and regulators (including the United States Food and Drug Administration, FDA) have struggled to establish timely regulation[44] [60]and oversight over the direct to consumer genetic testing (DTC-GT) health market.

The DTC-GT market has pushed the boundaries of how society and the law will manage the value of privacy over profitand what that will look like in data governance practices. To date, companies such as 23andMe and Ancestry, among others[83], have shownan inexhaustible ability and willingness to exchange consumer information (e.g. statistics about raw genetic health risk and ancestry/genealogical data, and genetic data) with third parties[84][35]. But now, even their third-party collaborators are at risk for liability issues because privacy laws like the CCPA are requiring different business behaviour than in the past.

Sharing, selling and reselling DNA data is not unique to companies like 23andMe, Ancestry and GSK[35]. History and the law provide an endless record of people and entities that find highly sensitive information like health and genetics data valuable[8] [83][85]. Analysing millions of people’s genetics alongside their health issues gives big pharma and data processors immense power and innumerable clues on the interplay between genetics andthe conditions leading to untold future profits. Ensuring both the ethical and legal underpinnings of this marketplace may not be the norm now, but it could be in the future.

Platforms such as GenoBank.io can help re-balance the power[86]between stakeholders whereprivacy laws are trying to redress negative outcomes on the publicwith NFTs and programmable privacy.

Conclusion

At the intersection of privacy law, genomics and smart contracts, stakeholders can either help drive or hinder progresstoaddress the balance between public and private interestsmore fairly. Stricter privacy laws are not the only changes coming. Professional engineering and computer software standards are also changing the design and development landscape for technological innovations.

Various professional standards such as the IEEE P7000 series[42]and the new IEEE P2089[87]standard for age appropriate digital services for children and P2418.6[43]–the standard for the framework of distributed ledger technology (DLT) use in healthcare –are all being developed to help address obstacles, gaps and challenges in the digital data marketplace.

In the future, these professional standards exploring the ethical considerations of software engineering could be used in the courts, in conjunction with privacy law to protect consumersand data owners. Standards often add teeth[88]to professional practices that add illustrative strength tolaw. These particular standards aim to integrate ethical guides that are meant to protect consumers from the wild West[89]markets ofthe past. In sum, the public can look forward to future benefits in regulation and standards that will challenge decades of laissez faire interests in the private sector.

The blockchain and smart contracts can be the language that frames new relationships between law,genomic dataand technology. We ask you to collaborate with us and work together to address both the human and the technological challenges in this complex DNA data marketplace. Together,we can develop a better future between stakeholders to reduce litigation risk while making genomic data analysis safer and more private. Blockchain companies with ethical[67] [90] [91]foundations, like GenoBank.io, will be setting themselves apart from others in the market. By offering programmable privacy with NFTsderived from privacy laws’terms and conditions [92], GenoBank.io and stakeholders can help provide at least one novel approach to adding transparency and data owner sovereigntyto the genomic data marketplace.

News & Updates

Get access to the latest insights, tips and trends in genetic research study