Definitions can be messy, especially when they move from dictionaries to law books. Just look at the idea of genetic data and ponder this riddle: When is a medical test result genetic information?
The National Institute of Standards and Technology definition of “genomic information” says it is limited to information based on an individual’s genome, such as a sequence of DNA or the results of genetic testing. Privacy laws broaden the scope of covered data within such a functional definition — perhaps by necessity, to capture the wide variety of personal data types and individualized inferences that may flow from a technology as complex as genetic sequencing. The California Consumer Privacy Act, as amended by California’s Genetic Information Privacy Act, defines “genetic data” as “any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material.”
In contrast, rather than try to write a new definition, Illinois’ GIPA (which one might call the original, or “OG” GIPA) references the Health Insurance Portability and Accountability Act (itself the “OG” federal health privacy law). HIPAA’s definition of genetic information, too long to print here, is both broader and narrower than the California definition, depending on context. For our purposes, it is worth noting that it includes genetic tests of family members of the individual but excludes genetic tests “directly related to a manifested disease, disorder, or pathological condition.”
How do all these diverging definitions manifest in the real world? This week, the Equal Employment Opportunity Commission entered into a conciliation agreement with a dermatology office that had been asking employees for their family members’ COVID-19 testing results. The EEOC determined that this practice violates the Genetic Information Non-Discrimination Act, which generally prohibits employers from requesting, requiring or purchasing genetic information about applicants or employees and their family members. Unsurprisingly, GINA has its own definition of genetic information. What is surprising is the explicit inclusion, as one prong of this definition, of information about “the manifestation of a disease or disorder in family members” of the employee or applicant. So, when is a medical test result genetic information? When the law says so.
Here's what else I’m tracking:
- The White House announced President Biden will sign an executive order “protecting access to reproductive health care services.” According to the press release, the executive order directs agencies to double down on reproductive health privacy protections under existing laws, including directing:
  - The Federal Trade Commission to “consider taking steps to protect consumers’ privacy when seeking information about and provision of reproductive health care services.”
  - The Secretary of the Department of Health and Human Services, “in consultation with the Attorney General and Chair of the FTC, to consider options to address deceptive or fraudulent practices, including online, and protect access to accurate information.”
  - HHS to “consider additional actions, including under the Health Insurance Portability and Accountability Act (HIPAA), to better protect sensitive information related to reproductive health care.”
- Ireland is one step closer to limiting Meta’s data flows to the U.S., after the DPC sent a draft blocking order to its fellow DPAs for review. As Law360 reports, the continued movement in this case is “dialing up pressure on government officials to finalize” the Trans-Atlantic Data Privacy Framework.
- Speaking of Meta, Protocol reported on the company’s new approach to identity management on its virtual reality hardware products. It appears the company will no longer be requiring a Facebook account in order to access VR products and services. Though at first glance this appears to just be a transition to a new type of profile, called “Meta Horizons,” there are notable policy changes underlying this, including a move away from a “real name” policy and support for multiple Meta accounts (and therefore identities) in the virtual space.
- The Consumer Financial Protection Bureau is hiring “an army of engineers,” according to this Protocol story that showcases the work CFPB Chief Technologist Erie Meyer is doing to build technology expertise in the agency.
- The Smithsonian Institution, as part of its FUTURES exhibition, released an interactive online experience called Your Future Guide. It challenges attendees to think of themselves as solving for future problems — with some interesting tech policy challenges woven into the mix. The exhibition understands that people are more interested in working to create a future they see themselves in. Perhaps there are lessons for privacy policymaking in such an approach.
Under scrutiny:
- Pondera, an algorithmic fraud detection service, is the subject of ongoing research by EPIC, which has been updated and expanded.
- Disney’s adtech services are the subject of a Vice report highlighting the claims about targetability and addressability made by the company.
- The Justice Department is asked to scrutinize its own use of predictive technologies in an EPIC letter, highlighting that the agency is required by executive order to commission a study about biometric information and predictive algorithms in law enforcement before the end of the year, and calling on it to ensure that the study looks inward, among other calls for policy changes.
Upcoming happenings:
- July 13 at 1 p.m. EDT, IAPP hosts a webinar on User Consent in the Digital Age (virtual).
- July 14 at 11 a.m. EDT, IAPP hosts a webinar on The Great Resignation: DSARs, Data Exfiltration and the Costs of Compliance (virtual).
- July 14 at 2 p.m. EDT, IAPP hosts a virtual roundtable on state and local privacy.
Please send feedback, updates and definitional quandaries to cobun@iapp.org.