Concepts: Anonymized Versus Pseudonymized Data and Your Genetic Privacy

Until recently, when people (often relatives) expressed concerns about DNA testing, genetic genealogy buffs would explain that the tester could remain anonymous, and that their test could be registered under another name; ours, for example.

This means, of course, that since our relative is testing for OUR genealogy addiction, er…hobby, that we would take care of those pesky inquiries and everything else. Not only would they not be bothered, but their identity would never be known to anyone other than us.

Let’s dissect that statement, because in some cases, it’s still partially true – but in other cases, anonymity in DNA testing is no longer possible.

You certainly CAN put your name on someone else’s kit and manage their account for them. There are a variety of ways to accomplish this, depending on the testing vendor you select.

If the DNA testing is either Y or mitochondrial DNA, it’s extremely UNLIKELY, if not impossible, that their Y or mitochondrial DNA is going to uniquely identify them as an individual.

Y and mitochondrial DNA is extremely useful in identifying someone as having descended from an ancestor, or not, but it (probably) won’t identify the tester’s identity to any matching person – at least not without additional information.

If you need a brush-up on the different kinds of DNA and how they can be used for genealogy, please read 4 Kinds of DNA for Genetic Genealogy.

Y and mitochondrial DNA can be used to rule in or rule out specific descendant relationships. In other words, you can unquestionably tell for sure that you are NOT related through a specific line. Conversely, you can sometimes confirm that you are most likely related to someone you match through the direct Y (patrilineal) line for males, and matrilineal mitochondrial line for both males and females. That match could be very distant in time, meaning many generations – even hundreds or thousands of years ago.

However, autosomal DNA, which tests a subset of all of your DNA for the genealogical goal of matching to cousins and confirming ancestors is another matter entirely. Some of the information you discern from autosomal testing includes how closely you match, which effectively predicts a range of relationships to your match.

These matches are much more recent in time and do not reach back into the distant past. The more closely you are related, the more DNA you share, which means that your DNA is identifying your location in the family tree, regardless of the name you put on the test itself.

Now, let’s look at the difference between anonymization and pseudonymization.

It may seem trivial, but it isn’t.

Anonymization vs Pseudonymization

Recently, as a result of the European Union GDPR (General Data Protection Regulation,) we’ve heard a lot about privacy and pseudonymization, which is not the same as anonymized data.

Anonymized data must be entirely stripped of any identifiable information, making it impossible to derive insights on a discreet individual, even by the person or entity who performed the anonymization. In other words, anonymization cannot be reversed under any circumstances.

Given that the purpose of genetic genealogy conflicts with the concept of anonymization, the term pseudonymization is more properly applied to the situation where someone masks or replaces the name of the tester with the goal of hiding the identity of the person who is actually taking the test.

Pseudonymization under GDPR (Article 4(5)) is defined as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of ‘additional information.’”

In reality, pseudonymization is what has been occurring all along, because the tester could always be re-identified by you.

However, and this important, neither anonymization or pseudonymization can be guaranteed to disguise your identity anymore.

Anonymous Isn’t Anonymous Anymore

The situation with autosomal DNA and the expectation of anonymity has changed rather gradually over the past few years, but with tidal wave force recently with the coming-of-age of two related techniques:

  • The increasingly routine identification of biological parents
  • The Buckskin Girl and Golden State Killer cases in which a victim and suspect were identified in April 2018, respectively, by the same methodology used to identify biological parents

Therefore, with autosomal DNA results, meaning the raw data results file ONLY, neither total anonymity or any expectation of pseudonymization is reasonable or possible.

Why?

The reason is very simple.

The size of the data bases of the combined mainstream vendors has reached the point where it’s unusual, at least for US testers, to not have a reasonably close match with a relative that you did not personally test – meaning third cousin or closer. Using a variety of tools, including in-common-with matches and trees, it’s possible to discern or narrow down candidates to be either a biological parent, a crime victim or a suspect.

In essence, the only real difference between genetic genealogy searching, parent searches and victim/suspect searches is motivation. The underlying technique is exactly the same with only a few details that differ based on the goal.

You can read about the process used to identify the Golden State Killer here, and just a few days later, a second case, the Cook/Van Cuylenborg double homicide cold case in Snohomish County, Washington was solved utilizing the following family tree of the suspect whose DNA was utilized and matched the blue and pink cousins.

Provided by the Snohomish County Sheriff

A genealogist discovering those same matches, of course, would be focused on the common ancestors, not contemporary people or generations.

To identify present day individuals, meaning parents, victims or suspects, the researcher identifies the common ancestor and works their way forward in time. The genealogist, on the other hands, is focused on working backwards in time.

All three types of processes, genealogical, parent identification and law enforcement depend on identifying cousins that lead us to common ancestors.

At that point, the only question is whether we continue working backwards (genealogically) or begin working forwards in time from the common ancestors for either parent identification or law enforcement.

Given that the suspect’s or victim’s name or identifying information is not known, their DNA alone, in combination with the DNA of their matches can identify them uniquely (unless they are an identical twin,) or closely enough that targeted testing or non-genetic information will confirm the identification.

Sometimes, people newly testing discover that a parent, sibling or half sibling genetic match is just waiting for them and absolutely no analysis is necessary. You can read about the discovery of the identity of my brother’s biological family here and here.

Therefore, we cannot represent to Uncle Henry, especially when discussing autosomal DNA testing, that he can test and remain anonymous. He can’t. If there is a family secret, known or unknown to Uncle Henry, it’s likely to be exposed utilizing autosomal DNA and may be exposed utilizing either Y or mitochondrial DNA testing.

For the genealogist, this may cause Pavlovian drooling, but Uncle Henry may not be nearly so enthralled.

In Summary

Genealogical methods developed to identify currently living individuals has obsoleted the concept of genetic anonymity. You can see in the pedigree chart example below how the same match, in yellow, can lead to solving any of the three different scenarios we’ve discussed.

Click to enlarge any graphic

If the tester is Uncle Henry, you might discover that his parents weren’t his parents. You also might discover who his real parents were, when your intention was only to confirm your common great-grandparents. So much for that idea.

A match between Henry and a second cousin, in our example above, can also identify someone involved in a law enforcement situation – although today those very few and far between. Testing for law enforcement purposes is prohibited according to the terms and conditions of all 4 major testing vendors; Ancestry, 23andMe, Family Tree DNA and MyHeritage.

Currently law enforcement kits to identify either victims or suspects can be uploaded at GedMatch but only for violent crimes identified as either homicide or sexual assault, per their terms and conditions.

Furthermore, both 23andMe and Ancestry who previously reserved the right to anonymize your genetic information and sell or otherwise utilize that information in aggregated format no longer can do so under the new GDPR legislation without your specific consent. GDPR, while a huge pain in the behind for other reasons has returned the control of the consumer’s DNA to the consumer in these cases.

The loss of anonymity is the inevitable result of this industry maturing. That’s good news for genetic genealogy. It means we now have lots of matches – sometimes more than we can keep up with!

Because of those matches, we know that if we test our DNA, or that of a family member, our DNA plus the common DNA shared with many of our relatives is enough to identify us, or them. That’s not news to genealogists, but it might be to Uncle Henry, so don’t tell him that he can be anonymous anymore.

You can pseudonymize accounts to some extent by masking Uncle Henry’s name or using your name. Managing accounts for the same reasons of convenience that you always did is just fine! We just need to explain the current privacy situation to Uncle Henry when asking permission to test or to upload his raw data file to GedMatch (or anyplace else,) because ultimately, Uncle Henry’s DNA leads to Uncle Henry, no matter whose name is on the account.

_____________________________________________________________________

Standard Disclosure

This standard disclosure appears at the bottom of every article in compliance with the FTC Guidelines.

Hot links are provided to Family Tree DNA, where appropriate. If you wish to purchase one of their products, and you click through one of the links in an article to Family Tree DNA, or on the sidebar of this blog, I receive a small contribution if you make a purchase. Clicking through the link does not affect the price you pay. This affiliate relationship helps to keep this publication, with more than 900 articles about all aspects of genetic genealogy, free for everyone.

I do not accept sponsorship for this blog, nor do I write paid articles, nor do I accept contributions of any type from any vendor in order to review any product, etc. In fact, I pay a premium price to prevent ads from appearing on this blog.

When reviewing products, in most cases, I pay the same price and order in the same way as any other consumer. If not, I state very clearly in the article any special consideration received. In other words, you are reading my opinions as a long-time consumer and consultant in the genetic genealogy field.

I will never link to a product about which I have reservations or qualms, either about the product or about the company offering the product. I only recommend products that I use myself and bring value to the genetic genealogy community. If you wonder why there aren’t more links, that’s why and that’s my commitment to you.

Thank you for your readership, your ongoing support and for purchasing through the affiliate link if you are interested in making a purchase at Family Tree DNA, or one of the affiliate links below:

Affiliate links are limited to:

GDPR – Birthing the 100 Pound Baby

GDPR – General Data Protection Regulation – Today’s the day of deliverance – May 25th. GDPR is finally enacted after MONTHS and MONTHS of agony.

Believe me, to those of us in the field, the GD does NOT stand for General Data – it stands for Gol Danged or something much, MUCH stronger.

And speaking of stronger, when I’m really stressed, I do one of three things:

  • Buy a bauble commensurate with my level of misery
  • Eat dark chocolate
  • Drink

In extreme cases, all three.

Actually, if you know me, you know I don’t drink. So item number 3 is really, REALLY a distant 3rd- – and I’m on my third bottle of wine this week. Good thing I only like muscato wine, ice wine and my rightful Irish legacy, Guinness.

I actually prefer to quilt, because you can stress-quilt wearing baubles and eating chocolate, but if you drink while quilting, your seams will be crooked as a dog’s hind leg.

So, how do you like my new GDPR-size blue bauble flanked by support “staff”?

Yes, it’s been one horrid, awful, miserable, give-me-a-case-of-wine and buy-chocolate-in-bulk six months or so.

Did I mention that it’s been horrid?

I equate dealing with GDPR to giving birth. Not being pregnant, mind you – just the miserable giving birth part – like being in labor for let’s say – 9 months or so. Then delivering a really ugly 100 pound baby that not even a mother can love. Not to mention, I broke my foot during this time too – and no, it wasn’t kicking anyone or anything. AND I was stone cold sober, at a quilt retreat.

For those of you who don’t know, I have 30+ years of technology consulting experience. While I’m “semi-retired,” I’m not entirely retired and I’ve spent the last many months wrestling with this monster known as GDPR. I’m glad to report that my clients are ready, but no one emerged unscarred. I have crooked-seam quilts that I’m claiming are a new art form, am walking like peg-leg the pirate in a very “special” shoe and I’ve gained 5 “chocolate” pounds.

Wonder why I haven’t been doing many DNA reports? Well – now you know!

I have tried, really tried, to maintain a positive outlook – but as the date has approached and I’ve seen how much we are cumulatively losing in the genetic genealogy community – any semblance of a positive perspective has disappeared.

You can read my GDPR articles:

Making it even worse are the hollow assurances of individuals on social media saying that “everything will be alright” because GDPR is really no big deal, or worse yet that people are “scaremongering.”

So, let me be extremely candid and not sugarcoat anything, because after being in GDPR-labor for several months, I have absolutely not one shred of patience left whatsoever.

What Is This Behemoth and Why Do I Care?

GDPR, was enacted by 28 EU member countries referred to as “states” to regulate information privacy. In and of itself, there is nothing wrong with that, and given the Facebook Cambridge Analytics fiasco and others, it’s much needed.

However, and this is a huge HOWEVER, the way this regulation was written and implemented is not only a massive overreach in regulation, it’s vague, poorly written and almost impossible to comply with. In many cases, there are no standards or definitions included and where there are, they are often draconian, misinformed or outdated in nature.

Furthermore, GDPR is enforced by the unnamed and unknown commissioners of the 28 different “member states” at their sole discretion – including how to leverage fines up to and including 20 million Euro or 4% of a company’s gross worldwide revenue – whichever is MORE.

And no, there is no, absolutely no indication of how that fine will be decided, the steps or processes, or if the penalty will be imposed based on the severity of the infraction or the size of the organization or individual.

How, you wonder, is the process of an investigation set in motion? By a malcontent complaining.

Now that malcontent may well be justified (read about Equifax breach here and here, and the Facebook fiasco here) or the malcontent might be someone who is simply vindictive – or someplace inbetween. Regardless, the person or company on the receiving end of the complaint is then obligated to defend themselves, to PROVE the malcontent is inaccurate or the fines can be levied at the discretion of the unnamed commissioner. Yes, the burden of proof is on the company, not the complainer.

There is no court involved, no appeal process – nothing.

Are these regulators going to make examples of people or companies? Is this a cash grab by the EU member states? Will there be GDPR chasers, like ambulance chasers? Who knows? I don’t, but it’s clearly a huge risk with zero, zip case law yet. Which is exactly why smaller entities are folding.

How does someone even defend themselves? They would hire a lawyer, of course. Know what lawyers that understand GDPR are charging right now?

I can tell you, from direct, personal experience. $1000/per hour, billable by the minute. So if you do manage to avoid the fines, your legal defense will bankrupt you instead. Well, that’s certainly a win!

Now you understand why several small businesses have closed their electronic doors, blogs have disappeared and some sites are blocking all EU IP addresses. Better safe than sorry, but not terribly conducive to genealogical sharing.

Not only that, the GDPR regulation is not just moving forward from May 25th into the future, it’s retroactive, meaning it applies not just to new sales but to any database worldwide that contains data of an EU resident. The more information, or the more openly they shared, the more difficult GDPR was to implement. Hence, many have closed.

How can you tell if someone is an EU resident from a gmail address, for example? You can’t. So as a business or even a blogger, you are left in the position of not knowing which individuals this regulation might apply to – so if you want to stay in business, or stay safe and NOT attract the notice of the EU commissioners who have the ability to function as GDPR fine-levying Gods – you must comply.

For those of you thinking that GDPR can’t be enforced in the US – maybe, and maybe not. How would we know before lawsuits are filed? And at $1000 an hour, who among us can afford to find out.

Raise your hands please…

Waiting….

Waiting…

I see no hands.

But GDPR created a solution for that too – because non-EU companies that function in Europe MUST appoint a European Representative – who absorbs some of the risk of non-compliance so that the EU commissioners know who to reach out to in order to get their hands on you.

Care to guess how much this service costs? Well, just start running that attorney’s per hour meter rapidly – and this has to be paid YEARLY – forever.

Now, care to guess ultimately who will pay for all of this?

Yes, YOU, the consumer – whether you live in the EU or not.

Sometimes I try to spare my readers from the under-the-hood nitty gritty – but this time, you really do need to know so that you can appreciate what vendors have dealt with to revamp their businesses and internal processes. Otherwise, we as a community stood to lose genetic genealogy and that would have been a mind-numbing tragedy.

What Does Comply Mean?

Some people are being very dismissive of GDPR, or hyper-critical of companies who are trying to change their products, features and websites to become compliant. It’s worth noting here that none of the major companies or vendors are EU companies.

Here’s an example of an e-mail update I received today from a US company:

After nearly two years of hard work and preparation, we are ready for May 25 — the start of “GDPR” in Europe. More than 500 employees from across our company have helped meet more than 1,500 project milestones.

The General Data Protection Regulation is a sweeping set of new and enhanced rules in the European Union. It covers how companies treat the personal data of customers and employees. Specifically, it makes sure an individual’s rights are enforced, personal data is inventoried, breaches are reported promptly, and privacy is baked into all products.

If someone tries to convince you that GDPR compliance is no big deal, they are either grossly uninformed about GDPR itself or don’t have any idea about the magnitude of the ramifications of GDPR on entities from large corporations down to (some) volunteers. Some people have opined that if the companies were “taking care of their customers’ data,” they wouldn’t have to do anything and “would have nothing to worry about in the first place.” That’s blatantly wrong.

For starters, every company had to undergo a specific compliance evaluation process, which was far from easy because GDPR doesn’t just tell you THAT you have to protect information, in some cases they specify how – keeping e-mails in a separate database for example. Data bases aren’t necessarily designed in that manner, nor is that the best solution for security or performance – not to mention genetic genealogy is about sharing.

However, if a company doesn’t comply and someone complains,they have to undergo an audit. If found out of compliance, they’re liable for a potentially astronomical fine by an unknown commissioner (each country has their own) who may or may not have a clue about technology or in this case, genetic genealogy and how it’s utilized.

I’ve made a list of a FEW of the GDPR requirements. Also, keep in mind, many of the requirements tell you in general terms what they want, but there are no examples of what they consider adequate, so you just have to guess and if an issue arises, the data commissioner gets to decide if you guessed correctly.

If not, you’ll get to pay up!

I have included the GDPR citation in the table below, so you can check for yourself if you think I’ve just made this up and am, well, scaremongering. In fact you can read the entire document here and here with the added schedules AND, if that’s not enough, you can then read the UK version here with explanatory notes available separately. Yes, it’s hundreds of pages of pure misery but if you have insomnia, it, guaranteed, will cure you immediately. Hey, there has to be a silver lining someplace.

I’ve briefly listed the requirement, summarized unless in quotes, and the reference citation from the first linked document above, published in the “Official Journal of the European Union.” So, your mission, should you choose to accept it, is to correlate the requirements of the first, second and third documents, together, and figure out how to resolve any conflicts. Good luck! Start now and you’ll exit the maze, dazed and confused, sometime around late summer😊

You will quickly see that I’m neither over-reacting nor making this up.

In the following table, a controller is the primary entity working with information. For genetic genealogy, that would be a DNA testing company or a third party vendor. A processor is any other entity, which could be a lab doing the actual processing, a third party working with a vendor or project administrators who also “process” information.

Processing is defined basically as anything you do with someone’s information:

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;…

A controller is defined in L119/33 article 4.7 and a processor in L119/33 article 4.8.

GDPR Requirement Reference/Comment
“This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not and regardless of whether the controller is in the EU or not.” L119/32 article 3.1, 3.2, 3.3 – This EU document’s effects are worldwide.

L119/4 item 22

Controllers must carry out a GDPR “data protection impact” assessment that includes mapping data flow and security and must be able to demonstrate compliance with GDPR. L119.50 article 28.4

L119/14 item 74

L119/16 item 84

L119/16 item 83

Consent must be given by a clear affirmative action for each thing consented to and everything processed. Silence, pre-selected boxes or inactivity is not consent. L119/6 item 32 – I actually like this, but if you’re irritated by being asked to reconsent or reconfirm, this is why. As a business or person “processing” information, you must be able to PROVE they gave informed consent.
You must explain to the person how they gave consent for what you are doing with their information and be able to demonstrate that in fact, they did consent. L119/7 item 39
Person must be not suffer negative consequences for not granting consent. L119/8 item 43
Information must be concise, east to understand and easily accessible. L119/11 item 58 – Actually, as a consumer I love this requirement because too many companies hid behind verbiage that was impossible to understand without a law degree.
Person has right to be forgotten, or to correct data, and processor must comply or respond within one month. Furthermore, the controller (the main entity processing information) must inform any secondary processors, who also must comply. L119/11 item 59 – If you’re wondering why FTDNA suggests that administrators remove any data they’ve put on any site about FTDNA customers who leave projects, within 30 days, this answers your question.

L119/13 item 66

L119/5 item 29

L119.12 item 65

Person must be informed when data is transferred between entities, especially to entities outside of the EU. L119/12 item 61
Person can request any information held about themselves. L119/13 item 68, L119/45 article 20

L119/45 article 20

Any controller/processor outside of the EU must designate an EU representative who “will cooperate with a supervisory authority with regard to any action taken to ensure compliance with this regulation. The designated representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor.” L119/15 item 80, also L119/48 article 27.1 – Yep, just try to find someone in the EU willing to do this. Costs are astronomical.

 

Processors must be bound to controllers by contract and must delete data when finished processing and GDPR requirements of controller must be passed on to processors. L119/16 item 81 – This is probably why the Family Tree DNA administrators must sign the new agreement and are instructed to delete project member information when members leave projects.

L119.50 article 28.4

Controllers and processors must maintain records of processing and make those records available on demand to the supervisory authority. L119/16 item 82
Processors must adhere to an approved code of conduct. L119.50 article 28.5 – And no, in case you were wondering, there is no suggestion about that code of conduct.
Required security includes pseudonymisation and encryption of personal data, assessing risks of disclosure, loss, alternation, adherence to approved codes of conduct and prohibits keeping e-mail address in same file as test results. L119/51/52 article 32 inclusive
ʺSensitive processingʺ means processing of personal data revealing racial or ethnic origin (and other things)…or processing genetic data for the purpose of uniquely identifying an individual. HL Bill 66: Chapter 2 Principles 7a/b
Some personal data is considered “sensitive” including any that reveals…racial or ethnic origin. L119/10 item 51

L119.12 item 65

Volunteers are not excluded because they are not paid. L119.5 item 23
Does not apply to dead people or research for genealogy. L119/30 item 160 – Don’t get excited. Genetics is considered in a special category of sensitive information.

L119/5 item 27

Does not apply to individuals in a purely personal or household activity with no connection to a professional or commercial activity…but does apply to controllers or processors which provide the means for processing personal data. L119/3 item 18 – Ironic isn’t it that the very document that requires straightforward non-legal understandable language is so vague and uses confusing language subject to very different interpretation.
Information must be pseudonymized and additional information for attributing the information to a specific individual must be kept separate. L119/5 item 29
Person must be able to withdraw consent as easily as it was given. L119/5 item 29

L119.37 article 7.3

Personal data breaches must be reported within 72 hours if the breach is determined to be damaging to the rights and freedoms of the individuals and communicate to the people affected that a data breach has occurred. L119.50 article 28.4

L119/16 item 85

L119/6 item 86

Must hire or assign a data protection officer focused on GDPR. L119/55 article 37-39 inclusive, also L119/34 item 4.17, also 119/15 #80
“Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.” L119/81 article 82.4
“Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.” 119/83 article 83.6, also HL Bill 66 page 83 #150

119/82 article 83.4

L119/27 items 146-150

Criminal penalties and liability are discussed along with individuals’ right to compensation. L119/81 article 82 inclusive

Over these next few days and weeks, when we’re tempted to be critical or impatient with a genetic genealogy vendor who has made changes instead of closing up shop and throwing in the proverbial towel – let’s try to be patient, grateful and cognizant of their effort. They have collectively been slaving away in the hot kitchen now for many months, trying to get ready to birth this 100 pound baby, while smiling, with as little disruption as possible to the rest of us.

I know we are all frustrated, but until we’ve walked that proverbial mile, we really have no idea what they’ve been through. From my experiences, I can tell you it was bloody painful.

Vendors’ GDPR compliance is much like an iceberg with a smiley face stuck on top. You’re only seeing the tippy top of the effort involved and it’s an entirely different picture underneath where everyone has been rowing like crazy.

Design By Committee

If you are thinking to yourself that this regulation looks a lot like it was designed by a committee, you’re right, it was. That negotiation process took 4 years, and the regulation took effect another 2 years later – meaning today.

Glory halleluiah, the birthing is FINALLY over, and the baby looks a lot like a….camel.

Huh?

What?

A camel?

Have you heard the analogy that a camel is a horse designed by a committee?

The idea was sound, but the outcome was not at all what was intended or expected. Indeed, the law of unintended consequences. GDPR’s effect on genetic genealogy certainly fits that bill.

In fact, here’s our new a-mazing GDPR horse.

For another perspective, head on over and read what Judy Russell, The Legal Genealogist has to say on the matter.

Now, for me, back to genealogy – a much needed respite!

GDPR, DNAeXplain and DNA-Explained.com

GDPR, the General Data Protection Regulation enacted by the European Union as of May 25, 2018 is upon us. It’s important because GDPR applies to information held or processed about any European Union resident, and I know many of my customers and blog followers live in the EU or UK.

I recently wrote about GDPR in these articles:

GDPR sets forth both rights of individuals as to the processing and storage of their information and responsibilities of processors.

DNAeXplain.com and DNA-Explained.com are a genetic genealogy consulting business and associated blog, respectively, located in the United States and owned by Roberta Estes. You’re receiving this notification because you are a blog follower or subscriber to explain how I process and/or handle your information.

The DNAeXplain Website

Customers can place orders on the DNAeXplain website for Y DNA and Mitochondrial DNA Personalized Reports, along with consultations. The website itself does not collect any information about customers other than payment information which is processed through our shopping cart at PayPal, including credit card transactions. DNAeXplain is never in receipt of your financial or credit card information. We can process a refund through PayPal, subject to their terms and conditions, through a unique PayPal issued transaction ID, but PayPal is the sole recipient of your payment/financial information.

Please refer to the Paypal Privacy Policy here.

DNAeXplain only receives notification confirmation from PayPal that you have made a purchase, the amount paid, for what item and your e-mail address that you used when making the purchase to enable us to communicate with you.

Reports and Consulting Information

The customer must provide enough information to DNAeXplain in order to complete the purchased report or answer the question(s) posed in the consultation. This is accomplished through e-mail communication.

This information exchange is completely private and is not shared either publicly or privately outside of DNAeXplain. The completed report is subsequently e-mailed only to the purchaser of record.

GDPR requires me to explain how you have granted consent for me to process your information and when processing starts and stops. You grant consent when you purchase a Personalized DNA Report or when you purchase consulting and subsequently provide me with the information necessary to write the report or answer your questions. I begin processing your information when I answer your questions or begin your report, and I’m finished processing your information when I finish the report or the consultation. I’m sure you’ve already figured that out, but I’m required to tell you.

Completed reports are retained by DNAeXplain for some time after completion in case a customer misplaces their report and requests a replacement of the original. Although we will attempt to provide a replacement of the original report, at no cost, we do not guarantee availability beyond 30 days after delivery. Industry standard backup and security procedures are in place to protect customer information.

Customers may request the deletion of all reports and correspondence by sending an e-mail to roberta@dnaexplain.com and customer information will be entirely deleted within 30 days, except for the customer purchase record which we are required by law to maintain for accounting purposes.

The DNA-Explained.com Blog

You may simply be reading an article on the http://www.dna-explained.com blog, or you may be a subscriber.

DNA-Explained.com utilizes WordPress.com as our blogging platform, without any additional plugins like JetPack or others mentioned on the WordPress Resource site, here.

WordPress is owned by AUTOMATTIC. Their privacy notice for WordPress bloggers  explains more about WordPress and how AUTOMATTIC uses information.

AUTOMATTIC’s privacy policy for visitors to their users’ sites (DNA-Explained.com in this case) is available here.

Comments made to the blog are public and are shown publicly if approved along with the name you use to comment, but not your e-mail or any other identifying information. Some comments may be caught by the blog’s spam filter, and others may not be approved, but once approved and displayed, comments are visible publicly.

You may request to be notified of comments to blog articles, and if you do, you will receive notifications from WordPress, not from DNA-Explained directly.

You may unsubscribe at any time by clicking unsubscribe at the bottom of any e-mail notification or you may unsubscribe by managing your subscriptions at WordPress.

Your e-mail address used to subscribe to the blog is available to me, the blog owner, at WordPress and in each comment notification, along with your IP address and website, if you are commenting through your own website. I do not store or otherwise utilize your e-mail or other identifying information, with the exception of occasionally replying to a commenter personally. In some cases, if personal information is exposed within a comment, I reply to the commenter privately and do not approve the comment. I delete all comment notifications immediately upon approving or otherwise processing the comment.

If a comment contains any type of threatening, emergency or potentially harmful verbiage, towards me, the commenter themselves or another commenter, I will retain the comment and identifying information and report to the proper authorities without delay.

I do not share, sell or otherwise utilize your personal information.

You may request deletion of all of your personal information from the blog and from WordPress by contacting me at Roberta@dnaexplain.com or WordPress directly at privacypolicyupdates@automattic.com.

Have you contacted me and WordPress both and you’re still unhappy? EU residents have the right to make a complaint to a government supervisory authority. I know that’s not going to happen, but I have to tell you just the same!

Housekeeping

This information lives permanently on the Privacy tab on the DNA-Explained blog. In fact, it’s already there. Please refer to that location for updates and future developments.

World Families Network, Ysearch and Mitosearch Bite the Dust – Thanks So Much GDPR

It’s a sad month.

The core foundation of genetic genealogy is sharing.

GDPR is NOT about sharing easily, and the GDPR hoops are onerous, to be charitable. I wrote about GDPR in the articles GDPR – It’s a Train and It’s a Comin’ and Common Sense and GDPR.

One might say GDPR is at cross purposes with genealogy. It probably wasn’t intended that way, but so far, we’ve lost several resources due to GDPR, and it’s still not here yet.

Add to the death list World Families Network, Ysearch and Mitosearch.

The cost of GDPR compliance, necessary attorney fees along with with the risk of the horrific fines of up to 4 million Euro is just too much for a small business or a non-profit. Additionally, non-EU businesses are required to retain a European Representative company that agrees to absorb some level of the risk for non-compliance. Try finding a company to do that. Not to mention the pain-in-the-butt-factor of the hoops that they would have to jump through if so much as one person complained. Bottom line – not worth it.

Thanks so much GDPR.

World Families Network

Terry Barton, founder of World Families Network, a Y DNA project management company that consists primarily of Terry and his wife, sent an e-mail to the administrators of the projects they host saying that WFN is retiring and shutting down on May 23rd, two days before the GDPR date.

Here’s part of the e-mail to WFN administrators from Terry:

We will delete the project sections of the WorldFamilies site on May 23, 2018, so please copy any information that you wish to save. You may wish to make a copy of your Home, Results, Patriarch, Discussion or other project pages. We can provide an empty excel spread sheet with columns preset to copy/paste your results page on request. For the other pages, you may want to copy/paste your info into a Word document. (Note: we won’t be able to “rescue” you if you miss the deadline, so please don’t wait too long.)

The projects hosted at World Families Network (WFN) will revert to their project pages at Family Tree DNA, so all is not lost, BUT, the information on the Patriarch’s pages as well as some of the information on the actual DNA results pages at WFN does not come directly from Family Tree DNA. Some WFN sites are not fed from the Family Tree DNA project pages at all, so fields like “Earliest Ancestor” at WFN may be blank at Family Tree DNA. That, of course, can be remedied, but won’t happen automatically.

Many of the projects managed by WFN were abandoned, meaning they have no administrator. Some have administrators that preferred the WFN format to the Family Tree DNA format. One of the most popular features was the Patriarchs page where lineages of men with the project surname were listed. This feature was put in place before trees were available at Family Tree DNA – but the Patriarchs format serves as a one-glance resource and can be connected to the kit numbers on the DNA pages.

Please, please, please do two things:

  • Visit the WFN surname links here for projects and scan the projects shown with “project site,” meaning they are WFN hosted, to see if any include your ancestral surnames. If SO, visit that WFN project site by clicking the link and record any information relevant to your family.

  • Consider adopting projects relevant to your surname. Most of these projects will need to be spruced up at Family Tree DNA, meaning they will need to be grouped and the Patriarch’s page will need to be copied onto one of the several available project pages at Family Tree DNA. Many of these projects are small and you can easily preserve information. Terry provides a list of orphaned projects here, but I don’t know if it’s current. I would reach out to Family Tree DNA at groups@familytreedna.com about any project listed as having a project site at WFN. Some projects have an administrator listed, but they are no longer active.

For project administrators considering a private website, be aware per the GDPR requirements that you will constantly have to monitor the privacy settings at Family Tree DNA and assure that you are not displaying information for anyone who has selected, or changed their project setting from public to “project only.” Family Tree DNA automatically removes the project members data from a public display when they change settings or leave projects.

Ysearch and Mitosearch

On May 10th, on their Forum, a Family Tree DNA representative announced that Ysearch and Mitosearch will be shut down by month end. These databases were established in 2003 by Family Tree DNA for free, open sharing.

While this announcement doesn’t state that it’s because of GDPR, that correlation probably isn’t coincidence.

These two data bases have been on life support for some time now. They have been less immediately useful since other testing companies stopped Y and mitochondrial DNA testing, meaning that you could see all of your new matches at Family Tree DNA.

One of their biggest benefits, even for Family Tree DNA customers, was that these were the two databases where everyone could compare actual marker values, not just see if they matched and genetic distance.

Unfortunately, Ysearch and Mitosearch were the only locations left for people who uploaded from those now-defunct databases. Of the 219,410 records in the Ysearch database, 25,521 are from sources other than Family Tree DNA.

Originally, there were four public databases. The other two have been gone for some time, with these being the last two resources to go. This is truly a tragedy for the genetic genealogy community, because unlike the WFN departure where the projects are still available at Family Tree DNA – there is no alternative resource to Ysearch and Mitosearch. Gone is gone – especially for the 25,000+ results archived there from companies that are also gone meaning Relative Genetics, Oxford Ancestors, Ancestry’s now defunct Y DNA, Sorenson and others.

Recently, Family Tree DNA fixed the captcha issue, but the sites are still not fully functional. I tried to retrieve information by searching by surname at Ysearch, and the search failed with an error. I don’t know if the problem now is the actual data base or the fact that the site is overwhelmed by people trying to do exactly what I was trying to do.

As someone in the Family Tree DNA forum thread said:
GDPR: The gift from Europe that just keeps on giving.

Thank You

As sad as I am to see both of these resources go, I want to publicly thank Terry and Marilyn Barton for their 14 years of service to the genetic genealogy community and wish them well in their retirement. Hopefully they will have time to solve their own genealogy mysteries now.

I also want to thank Family Tree DNA for establishing both Ysearch and Mitosearch, and maintaining these sites as long as they have. Few companies would have established a platform for their customers to compare results with their competitors’ products which speaks to their early and ongoing commitment to genealogy.

_____________________________________________________________________

Standard Disclosure

This standard disclosure appears at the bottom of every article in compliance with the FTC Guidelines.

Hot links are provided to Family Tree DNA, where appropriate. If you wish to purchase one of their products, and you click through one of the links in an article to Family Tree DNA, or on the sidebar of this blog, I receive a small contribution if you make a purchase. Clicking through the link does not affect the price you pay. This affiliate relationship helps to keep this publication, with more than 900 articles about all aspects of genetic genealogy, free for everyone.

I do not accept sponsorship for this blog, nor do I write paid articles, nor do I accept contributions of any type from any vendor in order to review any product, etc. In fact, I pay a premium price to prevent ads from appearing on this blog.

When reviewing products, in most cases, I pay the same price and order in the same way as any other consumer. If not, I state very clearly in the article any special consideration received. In other words, you are reading my opinions as a long-time consumer and consultant in the genetic genealogy field.

I will never link to a product about which I have reservations or qualms, either about the product or about the company offering the product. I only recommend products that I use myself and bring value to the genetic genealogy community. If you wonder why there aren’t more links, that’s why and that’s my commitment to you.

Thank you for your readership, your ongoing support and for purchasing through the affiliate link if you are interested in making a purchase at Family Tree DNA, or one of the affiliate links below:

Affiliate links are limited to:

Common Sense and GDPR

Recently, I wrote an article titled, GDPR – It’s a Train and It’s a Comin’ wherein I discussed exactly what GDPR is, and why companies have to comply or risk massive fines. If you’re thinking of the recent Facebook fiasco right about now, that’s exactly where this type of legislation is focused, and why.

That said, this European legislation affects genetic genealogy in ways that weren’t anticipated and in ways that may require changes on the part of our providers and ourselves. Every company has to comply, meaning all of the companies that provide services if they have any EU or UK clients, so GDPR affects anyone in this industry – vendor, project administrator and/or customer. Needless to say, it affects you too, one way or another.

One of the most difficult aspects of GDPR is that the true effect is unknown. There is no case law yet to unravel the confusion. And yes, there is confusion. Lots of confusion.

There will be life after GDPR, and there will be genetic genealogy too – although it may look a bit different in some ways.

Many vendors have been preparing for some time now, so we have knowingly or unknowingly already seen many changes that were either required or perhaps bumped up the priority list by GDPR legislation.

First and foremost, the companies MUST comply to protect themselves, or we, as their customers who have invested not just in our own tests, but often tests for many family members will suffer greatly. If the companies go out of business – and yes, the GDPR fines are potentially severe enough at 20 million euros to bankrupt companies – we could all be impacted in a devastating fashion.

No matter what pain-in-the-patoot changes the vendors feel required to make, it’s far more preferable to adapt and retain access to our investment and genetic genealogy tools. The alternative isn’t pretty and the vendors aren’t making the changes because they woke up one morning and decided to make our lives (and theirs) difficult – they are making the necessary changes to protect themselves and our investment in their products along with our DNA results.

The four guiding principles of GDPR in combination are:

  • Transparency
  • Simplicity
  • Privacy
  • Consent

I am very grateful to the testing companies for stepping up and taking care of business, even though the “solution” sometimes makes life more inconvenient for me personally. That’s life right now and we just have to suck it up and get used to the changes.

Therefore, those of us who work in various ways with DNA and genetic genealogy, especially the DNA of others, need to be aware of GDPR requirements. I’ve seen a lot of misinformation fueled by fear circulating, so I’d like to discuss what is required, along with what we do and don’t know.

I’m going to say this now and again at the end of this article, so please, please take special note.

In other words, your mileage may vary. Not to mention, it’s certainly possible that I’ve misinterpreted something. You will see a lot of “weasel words” like “seems to be” and “I think,” because in many cases, we really don’t know.

Yes, change is uncomfortable, but I will get through this and so will you. No need to hit the panic button and the sky is not falling although there is some rumbling.

How Do You Work With DNA?

You may work with DNA in a variety of ways:

  • Your own results in any or all of the commercial data bases, or a public database like GedMatch
  • Results of family members or friends whose accounts you manage in any of the commercial data bases or at GedMatch
  • Results of Family Tree DNA project members as a project administrator at Family Tree DNA
  • Results of Family Tree DNA project members on a private or third-party website
  • As a search angel helping others as a volunteer
  • As a paid researcher or professional in this field in some capacity

Different Situations

GDPR speaks to a variety of situations, so let’s take a look at some of the provisions and how they might affect you and others.

Dead People

Deceased individuals are explicitly exempted from GDPR.

Volunteers

Volunteers and unpaid individuals are explicitly NOT exempted from GDPR regulations simply because they are volunteers or unpaid. GDPR applies to volunteers and unpaid individuals in the same way as those who are compensated unless other exemptions apply.

Attempting to Uniquely Identify a Person

If you are working with your own DNA results, and only your own results, GDPR probably affects you less than others – unless you are trying to uniquely identify a living person.

GDPR contains the following verbiage:

“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”

To me, the most relevant part of this paragraph is, “for the purpose of uniquely identifying a natural person,” because I feel this relates to people searching for unknown biological parents.

Although GDPR does not apply to deceased people, you don’t know if your parent is deceased until you identify them. If the parent has submitted their own DNA for testing, this wouldn’t seem to be an issue, because the parent(s) intentionally, consensually, tested, entering their DNA into a genetic genealogy data base with the intention of matching and being seen by matches. In other words, you don’t have to “do” anything other than test to identify your parent – because that match is already waiting for you.

However, if an individual tests and then subsequently uses DNA results and other tools and techniques with the intention of uniquely identifying the parent, that seems to be “processing” that is prohibited.

I will not be attempting to track down and personally identify any person who could be living today, meaning certainly no one born within the last 100 years. That doesn’t mean I don’t think people searching for birth family shouldn’t test – I think the process of searching after testing could be problematic under GDPR.

Processors vs Controllers

In the GDPR documentation, controllers are very clearly companies doing the DNA tests and making decisions. Processors, however, are people or companies that perform additional functions as determined by the controllers. The definition and relationship of people who do genetic genealogy work is unclear. Certainly no one working on the GDPR legislation considered genetic genealogy whose intention IS to SHARE information.

If one is working with an individual’s DNA in a professional capacity, the argument that the professional is “processing the information” and making decisions about that processing would seem to be pretty convincing, especially if they were uploading information, or working with matches to identify someone.

You be your own judge, but processors are bound in most cases by the same rules as controllers – and controllers are required to be sure that processors know what is expected of them if they are in any way involved in the transfer of information from the controller to the processor. Another category, “third parties” is largely undefined, as are their responsibilities.

To be safe, I’m presuming worst case here, meaning that all regulations apply, because I don’t want to be caught in an uncomfortable or even ugly situation.

GDPR Does Not Apply To

  • GDPR does not apply to “a natural person in the course of a purely personal or household activity and thus with no connection to a commercial activity.”
  • Clearly, the verbiage here suggests that individuals working with family data might not be subject to GDPR, but the verbiage about not uniquely identifying individuals would seem to pertain regardless.
  • Yes, these two provisions might well be in conflict with each other. I have absolutely no idea which would be determined to be accurate nor under what circumstances. Nor do I know how people administering larger projects, such as regional or haplogroup projects would be viewed since their interest is beyond the “household” but is not connected to a commercial activity.

Location

  • While GDPR applies to European residents, you may not be aware that someone is a European resident. I’m going to assume that everyone is a European resident and that way there is no possible mistake.
  • GDPR does not appear to apply to European citizens living outside of the EU/UK.

Anonymization

  • I would suggest that people not represent to others that they can be anonymous in data bases if or when they test. People are being identified daily based on autosomal tests by comparing the trees and genealogy information of who they match, especially related to parent search cases. That “anonymous” cow left the barn long ago.

Permission

Permission, also termed consent in GDPR, was always important, but is now even more so.

  • Do not do anything with anyone’s information, meaning DNA information or other information they have provided without their express WRITTEN permission. I’m viewing e-mail as written permission, but that might not be strong enough, especially not for anyone doing research on behalf of others.
  • People can only give consent for their own information, or the information for someone they have legal authority to given consent for (child, etc.) or someone whose permission they have obtained.
  • You must inform someone whose information you have access to or that they have provided that they have the right to ask for their data to be corrected or removed and of the relevant address where to complain, and how, if they are not happy with a controller or processor.
  • Do not expose anyone’s information, including their GedMatch or Family Tree DNA kit number, on a presentation slide, on Facebook or anyplace else without the person’s explicit permission.

Data

  • GDPR says that one can’t continue to hold data longer than necessary to finish the processing for which the person has agreed.
  • My personal assumption would be that this means that I would delete client reports when they are complete. However, I have in the past kept reports handy, because many clients have asked for a copy, even years later, after losing the original. This also begs the question, relative to DNA and genealogy projects, when is “done?”
  • My interpretation would be that one would need permission to maintain the data or information in any format after you have “finished.” However, as we all know, genealogy is never finished, and our genealogical “best practices” are focused on retaining information, not disposing of it.
  • GDPR isn’t about just genetic data. If other information is gathered, such as through a blog or newsletter, be sure that your usages are GDPR compliant, as are any tools that people utilize for your applications such as blogging platforms, website providers, etc.

Rules

  • Controllers and processors must store contact information separately from “results.” I’m presuming this means in a separate spreadsheet for project administrators and people working with other people’s (genetic) information.
  • Controllers and processors may be required to track when they are “processing” and what they are doing. Fortunately, for Group Project Administrators, Family Tree DNA provides a logging function which will help immensely.
  • If a controller/processor receives a request to provide an individual with all of the information the controller/processor holds on the individual, the processor must comply in a reasonable time – mentioned in the GDPR documentation as within 30 days.
  • Project administrators may want to post a privacy policy on their project website at FTDNA and/or elsewhere, especially if any project information is posted outside of the FTDNA project structure. Your project members will need to know that your project is separate from Family Tree DNA, and that they need to contact you directly for modification/removal of both posted data and anything they have personally sent you.
  • Never release the names or e-mails of project members, or any other individual, without their express consent for every request. I tell the requesting person if they will compose an e-mail, I will simply forward it to the project member they are asking about. That removes the entire issue and leaves it in the hands of the project member.
  • If a personal data breach occurs that results in either loss of or exposure of records, the controller or processor must report the breach within 72 hours to the supervisory authority. However, reporting is not required if the breach is “unlikely to result in risk to the rights and freedoms of natural persons.”

Right to Erasure aka Right to be Forgotten

  • If an individual asks you to delete any information they have previously provided to you, it should be done within 30 days. There is some leeway, but minimally the person can expect timely communication from you.
  • I would think this would be particularly important for project administrators, especially if the project website is maintained outside of the Family Tree DNA structure where the administrator has created a separate website.
  • If a project member changes their privacy setting from a public to a project-only setting, that change is reflected in the project display automatically at Family Tree DNA. If an administrator maintains a separate website, they will need to devise a way to routinely coordinate the privacy settings of project members to reflect new changes. I’m very glad that I don’t maintain any projects outside of the Family Tree DNA structure. It’s still possible to miss some text you’ve put on a separate results page perhaps, but the former project member’s results will automatically be deleted from the project and social media feed, both, by Family Tree DNA.
  • If a person has provided you with any information, and they request you to remove or correct it, do so quickly and thoroughly, within the 30 day window. This applies to both paper and computer files.
  • In GDPR, there is no provision, consideration or discussion of situations where websites become abandoned over time. In my opinion, GDPR never considered a hobby type of environment where someone posting informational content might not have a registered domain name that would disappear if not paid for. Furthermore, information that has been posted to the web in reality cannot be entirely removed given tools like WayBackMachine. Nothing that has been published is ever really “deleted” from the internet or is entirely “forgotten,” regardless of GDPR.
  • Be sure when obsoleting your computer to reformat or destroy your disk drive in a manner in which the data cannot be recovered by the next owner.

Guiding Principles

  • I am not going to be providing any information to anyone about living people as a result of genetic or genealogy research beyond matches provided by a testing company. People can view their own matches for themselves, so that’s not information I need to provide.
  • I am not going to recommend uploading to GedMatch or other “open” platform, should one exist, without a commensurate statement that the data base is open, and anyone whom the person matches and sees their kit number can also see whom they match, along with their ethnicity, etc. I’m personally fine with that scenario, but blanket recommendations to upload to GedMatch don’t take into consideration the informed consent necessary for people unfamiliar with the platform, especially relative to “sensitive information” that can identify someone’s racial makeup or religion.
  • Do not change anyone’s anything unless you have explicit consent. This means not restricting what others can see or do and not making decisions for them unless you have been specifically designated/authorized to do so. Family Tree DNA has a methodology for a tester to explicitly grant a project administrator full access in order for that individual to grant an administrator more than read/view access. Ancestry also has provisions to allow others to manage a kit or share additional information.
  • Do not share anyone else’s GedMatch kit number, especially not in any public forum.
  • Do not add living people to your tree(s) and allow them to be seen publicly without their express consent.
  • Never expose a minor’s information.
  • I would suggest that it is unethical to attempt to “recreate” an autosomal kit representing the DNA of a living person who has declined to DNA test by utilizing the DNA of their other family members, in particular, their children. This does not apply to recreating the DNA profile of deceased family members – only living people who have exercised their right to refuse DNA testing.
  • Do not order, transfer, upgrade or otherwise “process” the DNA of anyone without their permission unless it is your DNA, you are their legal guardian or they have granted you permission to do so.

In essence, kindergarten rules apply – do unto others, treat others respectfully and how you would want to be treated.

There’s a lot we don’t know about how GDPR will be interpreted in the long run. I don’t believe GDPR is targeting people like project administrators, unless they are incredibly negligent or intentionally violate the privacy of others. I suspect that, for the most part, being careful with other people’s information, respectful and perhaps more aware than in the past will keep us all safe.

And yes, I know…all it would really take is that one vindictive bad apple that might make your life miserable – especially given that we really don’t know how genetic genealogists will be viewed under GDPR.

I know the changes within projects at Family Tree DNA have upset some group project administrators, and while I don’t like change any better than the next person, I’m actually grateful that Family Tree DNA has implemented modifications that will prevent me (and others) from making errors in judgement or simply getting too busy to delete someone’s information.

I don’t host any projects outside of the Family Tree DNA framework, and if I did, I would revert at this point to Family Tree DNA hosted projects since they have invested the effort into modifications for GDPR compliance. I think that so long as I stay within their framework, and follow the rules, I should be fine.

If you have personal concerns, I would suggest that you read the GDPR documentation for yourself, view the ISOGGG slide presentation listed below, or contact your own lawyer, because as I said before:

Additional Resources

_____________________________________________________________________

Standard Disclosure

This standard disclosure appears at the bottom of every article in compliance with the FTC Guidelines.

Hot links are provided to Family Tree DNA, where appropriate. If you wish to purchase one of their products, and you click through one of the links in an article to Family Tree DNA, or on the sidebar of this blog, I receive a small contribution if you make a purchase. Clicking through the link does not affect the price you pay. This affiliate relationship helps to keep this publication, with more than 900 articles about all aspects of genetic genealogy, free for everyone.

I do not accept sponsorship for this blog, nor do I write paid articles, nor do I accept contributions of any type from any vendor in order to review any product, etc. In fact, I pay a premium price to prevent ads from appearing on this blog.

When reviewing products, in most cases, I pay the same price and order in the same way as any other consumer. If not, I state very clearly in the article any special consideration received. In other words, you are reading my opinions as a long-time consumer and consultant in the genetic genealogy field.

I will never link to a product about which I have reservations or qualms, either about the product or about the company offering the product. I only recommend products that I use myself and bring value to the genetic genealogy community. If you wonder why there aren’t more links, that’s why and that’s my commitment to you.

Thank you for your readership, your ongoing support and for purchasing through the affiliate link if you are interested in making a purchase at Family Tree DNA, or one of the affiliate links below:

Affiliate links are limited to:

GDPR – It’s a Train and It’s a Comin’

In the recent article about Oxford Ancestors shuttering, I briefly mentioned GDPR. I’d like to talk a little more about this today, because you’re going to hear about it, and I’d rather you hear about it from me than from a sky-is-falling perspective.

It might be rainy and there is definitely some thunder and the ground may shake a little, but the sky is not exactly falling. The storm probably isn’t going to be pleasant, however, but we’ll get through it because we have no other choice. And there is life after GDPR, although in the genetic genealogy space, it may look a little different.

And yes, one way or another, it will affect you.

What is GDPR?

GDPR, which is short for General Data Protection Regulation, is a European, meaning both EU and UK, regulation(s) by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU/UK and processing of data of residents of the EU/UK by non-EU/UK companies.

There are actually two similar, but somewhat different regulations, one for the UK and one for the EU’s 28 member states, but the regulations are collectively referred to as the GDPR regulation.

Ok, so far so good.

The regulations are directly enforceable and do not require any individual member government to pass additional legislation.

GDPR was adopted on April 27, 2016, but little notice was taken until the last few months, especially outside of Europe, when the hefty fines drew attention to the enforcement date of May 25, 2018, now just around the corner.

Those hefty fines can range from a written warning for non-intentional noncompliance to a fine of 20 million Euro or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is GREATER. Yea, that’s pretty jaw-dropping.

So, GDPR has teeth and is nothing to be ignored.

Oh, and if you think this is just for EU or UK companies, it isn’t. It applies equally to any company that possesses any data of any EU or UK resident in their data base or files, providing that person isn’t dead. The law excludes dead people and makes some exceptions for law enforcement and other national security types of applications.

Otherwise, it applies to everyone in a global economy – and not just for future sales, but to already existing data for anyone who stores, transmits, sells to or processes data of any EU resident.

What Does GDPR Do?

The intent of GDPR was to strengthen privacy and data protections, but there is little latitude written into this regulation that allows for intentional sharing of data. The presumption throughout the hundreds of pages of lawyer-speak is that data is not intended to be shared, thereby requiring companies to take extraordinary measures to encrypt and anonymize data, even going so far as to force companies to store e-mail addresses separately from any data which could identify the person. Yes, like a name, or address.

Ironic that a regulation that requires vendor language be written in plainly understood simple wording is in and of itself incredibly complex, mandating legal interpretation.

Needless to say, GDPR requirements are playing havoc with every company’s data bases and file structure, because information technology goals have been to simplify and unify, not chop apart and distribute information, requiring a complex network of calls between systems.

Know who loves GDPR? Lawyers and consultants, that’s who!

In the case of intentional sharing, such as genetic genealogy, these regulations are already having unintended consequences through their extremely rigid requirements.

For example, a company must appoint a legal representative in Europe. I am not a lawyer, but my reading of this requirement suggests that European appointed individual (read, lawyer) is absorbing some level of risk and could potentially be fined as a result of their non-European client’s behavior. So tell me, who is going to incur that level of risk for anything approaching a reasonable cost?

One of the concepts implemented in GDPR is the colloquially known “right to be forgotten.” That means that you can request that your data and files be deleted, and the company must comply within a reasonable time.

However, what does “the right to be forgotten” mean, exactly? Does it mean a company has to delete your public presence? What about their internal files that record that you WERE a customer. What about things like medical records? What about computer backups which are standard operating procedure for any responsible company? What happens when a backup needs to be restored? If the company tracks who was deleted, so they can re-delete them if they have to restore from backup, then the person isn’t deleted in the first place and they are still being tracked – even though the tracking is occurring so the person can be re-forgotten.

Did you follow that? Did it make sense? Did anyone think of these kinds of things?

Oh, and by the way, there is no case law yet, so every single European company and every single non-European company that has any customer base in Europe is scrambling to comply with an incredibly far-reaching and harsh regulation with extremely severe potential consequences.

How many companies do you think can absorb this expenditure? Who do you think will ultimately pay?

Younger people may not remember Y2K, but I assuredly do, and GDPR is Y2K on steroids and with lots of ugly teeth in the form of fines and penalties that Y2K never had. The worse scenario for Y2K was that things would stop working. GDPR can put you out of business in the blink of an eye.

Categories of “Processors”

GDPR defines multiple levels of “processors,” a primary controller and a secondary processor plus vaguely defined categories of “third party” and “joint controller.”

The “controller” is pretty well defined as the company that receives and processes the data or order, and a “processor” is any other entity, including an individual person, who further processes data on behalf of or as a result of the controller.

There appears to be no differentiation between a multi-million-dollar company and one person doing something as a volunteer at home for most requirements – and GDPR specifically says that lack of pay does not exempt someone from GDPR. The one possible exception that exists in that there is an exclusion for organizations employing less than 250 persons, ”unless processing is likely to result in a risk to the rights and freedoms of the data subject.” I’m thinking that just mentioning the word DNA is enough to eliminate this exemption.

Furthermore, GDPR states that controllers and processors must register.

Right about now, you’re probably asking yourself if this means you if you’re managing multiple DNA kits, working with genetic genealogy, either as a volunteer or professionally, or even managing a group project or Facebook group.

The answer to those questions is that but we really don’t know.

ISOGG has prepared a summary page addressing GDPR from the genetic genealogy perspective, here. The ISOGG working group has done an excellent job in summarizing the questions, requirements and potential effects of the legislation in the slide presentation, which I suggest you take the time to view.

This legislation clearly wasn’t written considering this type of industry, meaning DNA shared for genealogical purposes, and there has been no case law yet surrounding GDPR. No one wants to be the first person to discover exactly how this will be interpreted by the courts.

The requirements for controllers and processors are much the same and include very specific requirements for how data can be stored and what must be done in terms of the “right to be forgotten” requests within a reasonable time, generally mentioned as 30 days after the person who owns the data requests to be forgotten. This would clearly apply to some websites and other types of resources used and maintained by the genetic genealogy community. If you are one of the people this could affect, meaning you maintain a website displaying results of some nature, you might want to consider these requirements and how you will comply. Additionally, you are required to have explicitly given consent for every person’s results that are displayed.

For genetic genealogists, who regularly share information through various means, and the companies who enable this technology, GDPR is having what I would very generously call a wet blanket effect.

What’s Happening in the Genetic Genealogy Space?

So far, we’ve seen the following:

  • Oxford Ancestors has announced they are shuttering, although they did not say that their decision has anything to do with GDPR. The timing may be entirely coincidental.
  • Full Genomes Corporation has announced on social media that they are no longer accepting orders from EU or UK customers, stating that “the regulatory cost is too high for a small company” and is “excessive.” I would certainly agree with that. Update; On 3-31-2018 Justin Loe, CEO of Full Genomes says that they “will continue to sell into the EU via manual process.”
  • Ancestry has recently made unpopular decisions relative to requiring separate e-mails to register different accounts, even if the same person is managing multiple DNA kits. Ancestry did not say this had to do with GDPR either, but in reading the GDPR requirements, I can understand why Ancestry felt compelled to make this change.
  • Family Tree DNA recently removed a search feature from their primary business page that allowed the public to search for their ancestors in trees posted to accounts at Family Tree DNA. According to an e-mail sent to project administrators, this change was the result of changes required by GDPR. They too are working on compliance.
  • MyHeritage is as well.
  • I haven’t had an opportunity to speak privately with LivingDNA or 23andMe, but I would presume both are working on compliance. LivingDNA is a UK company.

One of my goals recently when visiting RootsTech was to ask vendors about their GDPR compliance and concerns. That’s the one topic sure to wipe the smile off of everyone’s face, immediately, generally followed by grimaces, groans and eye-rolls until they managed to put their “public face” back on.

In general, vendors said they were moving towards compliance but that it was expensive, difficult and painful – especially given the ambiguity in some of the regulation verbiage. Some expressed concerns that GDPR was only a first step and would be followed by even more painful future regulations. I would presume that any vendor who is not planning to become compliant would not have spent the money to have a booth at RootsTech.

The best news about GDPR is that it requires transparency – in other words, it’s supposed to protect customers from a company selling your anonymized DNA out the back door without your explicitly given consent, for example. However, the general consensus was that any company that wanted to behave in an unethical manner would find a loophole to do so, regardless of GDPR.

In fairness, hurried consumers bring this type of thing on themselves by clicking through the “consent,” or “agree” boxes without reading what they are consenting to. All the GDPR in the world won’t help this. The company may have to disclose, but the consumer doesn’t have to read, although GDPR does attempt to help by forcing you to actively click on agree.

I’m sure we’ll all be hearing more about GDPR in the next few weeks as the deadline looms ever closer.

May 25, 2018

Now you know!

There’s nothing you can do about the effects of GDPR, except hold on tight as the vendors on which we depend do their best to navigate this maze.

Between now and May 25th, and probably for some time thereafter, I promise to be patient and not to complain about glitches in vendors’ systems as they roll out new code as seamlessly as possible.

Gluttons for Punishment

For those of you who are really gluttons for punishment, here are the actual links to the documents themselves. Of course, they are also guaranteed to put you to sleep in about 27 second flat…so a sure cure for insomnia.

_____________________________________________________________________

Standard Disclosure

This standard disclosure appears at the bottom of every article in compliance with the FTC Guidelines.

Hot links are provided to Family Tree DNA, where appropriate. If you wish to purchase one of their products, and you click through one of the links in an article to Family Tree DNA, or on the sidebar of this blog, I receive a small contribution if you make a purchase. Clicking through the link does not affect the price you pay. This affiliate relationship helps to keep this publication, with more than 900 articles about all aspects of genetic genealogy, free for everyone.

I do not accept sponsorship for this blog, nor do I write paid articles, nor do I accept contributions of any type from any vendor in order to review any product, etc. In fact, I pay a premium price to prevent ads from appearing on this blog.

When reviewing products, in most cases, I pay the same price and order in the same way as any other consumer. If not, I state very clearly in the article any special consideration received. In other words, you are reading my opinions as a long-time consumer and consultant in the genetic genealogy field.

I will never link to a product about which I have reservations or qualms, either about the product or about the company offering the product. I only recommend products that I use myself and bring value to the genetic genealogy community. If you wonder why there aren’t more links, that’s why and that’s my commitment to you.

Thank you for your readership, your ongoing support and for purchasing through the affiliate link if you are interested in making a purchase at Family Tree DNA, or one of the affiliate links below:

Affiliate links are limited to: