Cracking cold cases wide open with ancestry DNA databases – is it legal in Australia?


Golden State Killer nabbed through ancestral DNA

On the 26th of April 2018, Californian police announced that they had captured one of the most notorious serial killers and rapists in American history: the Golden State Killer. 72-year-old Joseph James DeAngelo (recent arrest photo and 1970s offender sketch above) was arrested and accused of at least 12 home invasion murders, over 50 rapes and more than 100 burglaries in various towns in California between 1974 and 1986.

In the late 1990s, DNA advancements enabled police from different Californian areas to conclude that the criminals known as the ‘East Area Rapist’ in the Sacramento area (active from June 1976 to July 1979), and the ‘Original Night Stalker’ in Santa Barbara County (active from October 1979 to May 1986), were in fact the same man who had simply spread his offending around California. This prolific offender was subsequently dubbed the ‘Golden State Killer’.

In the days that followed the arrest of DeAngelo, it emerged that Californian detectives had finally been able to crack the case after they uploaded the serial killer’s DNA (taken from crime scene materials of his cold case attacks) into a genealogy website. Once the DNA was uploaded onto the genealogy website, the police were able to determine that the DNA profile matched a particular family group based in the California area – and that the DNA could come from one of three men who were of a similar age group in that family tree.

Once the police had narrowed the DNA to three potential men in one family, they then began to investigate and follow these individuals to assess whether their personal histories aligned with any of the patterns of attacks. One particular man, Joseph DeAngelo, a former police officer, became the main focus of the police suspicions. After tailing him for some time, the police managed to take samples of DeAngelo’s DNA from his car door, as well as a second sample from a tissue he had discarded in rubbish left outside his home. Those samples matched the Golden State Killer’s DNA, and the police proceeded to arrest DeAngelo. The Golden State Killer was finally captured because his third or fourth cousin had been curious enough to upload their DNA into an ancestry website.

Ancestry websites distance themselves from police

Interestingly, since it became public that DeAngelo was captured through the DNA available on a genealogy website, popular home DNA testing sites such as and were quick to claim that it was not their websites which assisted with tracking the killer. It has been confirmed that the website which facilitated the match was ‘GEDmatch’ – an open-source genealogy website that allows users to voluntarily share genetic profiles for free. GEDmatch has no legal restrictions on the upload or use of the ‘open source’ DNA data it stores. GEDmatch operators confirmed they were not aware of the police using the website, but confirmed that police were entitled to freely use the open DNA database.

At first glance, you may think that ancestry DNA websites would want to herald their involvement or ability to assist with cracking such an infamous cold case. But the reticence of these websites to admit involvement is due to the uneasy privacy concerns of people whose DNA is uploaded into these online forums. Most people who uploaded their DNA to these websites did so to find out whether they were descended from the Vikings, or to know where exactly their great-grandparents were born, and did not anticipate that their DNA would be stored in perpetuity to be accessed by police. DeAngelo’s story has made it clear that even if you have never spat into a test tube and sent it off to Silicon Valley for analysis, if your cousin or aunt has uploaded their DNA and filled out the family tree, then your familial DNA profile may now be available online for authorities to search.

What are the legal guidelines to the use of DNA on genealogy websites?

So what exactly are the limits on the use and disclosure of DNA on these ancestry websites? Are they required to give up your DNA to police? I thought this was a pertinent time to look at the legal issues surrounding DNA on ancestry websites and how that DNA can be used by police, government bodies and third parties.

Who can access your DNA after you upload?

The ancestry website encourages the public to upload their DNA to learn about their family history and learn ‘the places that make you’. One of the other features of the site is that once your DNA is uploaded, you can choose to share your DNA with other 23andMe customers, meaning that you can find relatives you never knew about all over the world. This website allows you to then communicate with these people via a messaging service and connect with those that share your DNA.

It appears that 23andMe uses the ‘opt in’ or consent model as the basis for enabling people to connect with their extended relatives through DNA profiles. Having said this, I know of at least one of my own relatives who submitted their DNA sample to this website and had no idea that they had ‘opted in’ to connect with relatives, so were somewhat surprised to receive emails from strangers with a 20% DNA match. Putting this experience to one side, you are apparently given the choice as to whether you want to open the Pandora’s Box of allowing your 5th cousins in Dubbo or Dunedin to know who you are.

I was surprised to discover that 23andMe allows people to submit DNA on behalf of their children: ‘if he or she gives assent to participate and a parent or legal guardian authorises’ the test to be conducted. I would query whether children could ever really give informed consent or ‘assent’ to such testing, which forever records their DNA online. A lawyer friend who practices regularly in the Children’s Court commented to me that this sort of genetic testing may start to be used in that jurisdiction, where it is a regular unknown as to who the actual genetic parents, grandparents or relatives of children in foster care are. It is not uncommon in that jurisdiction to have individuals, unknown to a child, claim to be blood relatives of the child, and the court is often left in the difficult position of attempting to determine the actual familial network.

’s Privacy Statement appears to have the broadest terms on which it will provide your DNA to legal or regulatory authorities, stating that it may share your information if they “believe it is reasonably necessary” to comply with valid legal processes (pursuant to subpoenas, warrants, etc.), or to protect the rights, property or safety of Ancestry and its employees or users. Put simply, has the broad and subjective power to release your DNA to police if they believe you pose a safety risk to the community.

The 23andMe Privacy Statement makes clear that it will give customers’ DNA to police if required to do so by law. At clause 4(e) of the Privacy Statement, it states that the personal information collected about you may be disclosed to third parties (government or police) pursuant to ‘laws, regulations, judicial or government subpoenas, warrants or orders’ including concerning ‘national security or law enforcement requirements’.

“23andMe will preserve and disclose any and all information to law enforcement agencies or others if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary…”

Users of the website are encouraged to consent to their DNA being used by ‘researchers’, through the ‘23andMe Research’ program. If they provide this consent, their DNA can be provided to third party ‘research collaborators’ outside of 23andMe, in a de-identified form. Precisely who the ‘research collaborators’ are is unknown, as the website only provides examples of some of the research it is involved with. More than 80% of 23andMe’s customers have agreed to be involved in the 23andMe Research program.

The topics that are included in the research are incredibly broad, and specifically include ‘potentially sensitive topics such as sexual orientation, illicit drug use or other illegal behaviour…’ It is therefore possible that a research collaborator could be approved to examine 23andMe DNA databases for criminality trends or DNA markers for illegal behaviour – without requiring a warrant or court order.

23andMe has admitted that its research collaborations include research institutions that pay for access to the genetic data. This means that 23andMe is selling the genetic material that people upload, for the purpose of research. I recently wrote about the research data scandal concerning Cambridge Analytica and Facebook, a drama which highlighted the concerns surrounding websites providing customers’ personal data to third parties for purported ‘research’ purposes.

Put simply, the terms of use of these websites provide various ways in which government or law enforcement may be able to access individuals’ or their relatives’ DNA for the purpose of criminal investigations. Whilst these websites may have disclaimed involvement in the Golden State Killer case, it is entirely possible for their databases to be used by police to solve such crimes going forward.

The power of voluntary DNA databases to assist with solving cold cases may just be the beginning of a huge development in crime technology.

European Union Personal Data Protections apply

23andMe states that it complies with the recent EU data protection laws set out in the General Data Protection Regulation (GDPR), which came into force on 25 May 2018. The GDPR protects the use of “personal data”, which is any information relating to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or a factor connected to their physical, physiological, genetic, mental, economic, cultural or social identity. Controllers and processors of personal data are required to implement appropriate technical and organisational measures to protect the personal data. The GDPR allows for enormous fines if companies fall foul of their obligations.

Critically, persons in the EU have a legally recognised ‘right to be forgotten’. This entitles EU citizens to request to have data about themselves removed from a database, if the reason for the data being collected has passed. The GDPR recognises this right and enables consumers to request data collectors to delete their personal information after the consented use of the information has expired.

What privacy protections apply to Australian users of ancestry DNA websites?

Although 23andMe states that it complies with the GDPR, it is not clear whether 23andMe applies the GDPR protections to consumers using their website from outside of Europe, such as Australia. Technically the GDPR imposes obligations on companies when they deal with European consumers, but not when they deal with non-European consumers.

Australian law does not recognise the European ‘right to be forgotten’. So it is unclear whether Australians would be afforded this right by such a website, if they were to request their data be erased from a DNA ancestry website. Even if you could erase your own DNA profile from such a website, you could still be identifiable through the DNA profiles of your relatives that remain on a website along with the family tree.

In Australia, the federal Privacy Act 1988 protects the use of ‘personal information’ by government and private sector organisations or individuals who collect, store, use or disclose personal information. Critically, the Australian Law Reform Commission and the Australian Health Ethics Committee have released a guide which found that the Privacy Act definition of ‘personal information’ does not include genetic samples, because apparently samples are not in and of themselves ‘information’. The Australian Law Reform Commission (ALRC) agrees that the Privacy Act may not cover genetic samples.

However, in Victoria, the Office of the Privacy Commissioner has stated that it considers ‘personal information’ in the Victorian Information Privacy Act 2000 (Vic) to apply to DNA samples. Although genetic samples themselves may not be covered, it seems clear that any genetic sample that is labelled with a name, or is reasonably able to be identified as connected to an individual, will be protected by the National Privacy Principles.

It seems clear that “health information” under s.3 of the Health Records Act 2001 (Victoria) would include DNA profiles on an ancestry website, as it includes “genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or any of his or her descendants”. Under that Act, collectors of ‘health information’ must comply with the ‘Health Privacy Principles’, which require consent to collection and dissemination of the health information. Again, those entities which hold health information are able to disclose that information to a third party:

  • if required to do so by law, or for a law enforcement function – i.e. a warrant, subpoena, court order or other law requires it (Principle 2.2(c) & 2.2(j));
  • if it is necessary to disclose the information for research in the public interest and consent is impracticable (Principle 2.2(g)); or
  • if the disclosure is necessary to prevent a serious threat to an individual’s safety or welfare or a serious threat to public health, safety or welfare. This is likely to be focused on the spread of contagious disease but could conceivably apply to locating a person considered to be a criminal threat to public safety (Principle 2.2(h)).

Privacy likely to be waived for a crime solving spree

In summary:

  • pursuant to their terms and conditions, DNA ancestry websites will provide your DNA to police or authorities if they receive, or are subject to, a warrant, subpoena, court order or legislative requirement which demands production;
  • will release your DNA profile if it believes the release is reasonably necessary to protect its own company, users or employees – effectively a large section of the community;
  • your genetic samples (left on a tissue or elsewhere) are not considered ‘personal information’ in Australia, but may become ‘personal information’ once they are labelled in a way that may identify you;
  • genetic material such as your DNA is ‘health information’ in Victoria, and any holder of your DNA material is entitled to release health information to law enforcement; to researchers if the release is in the public interest; or if it is necessary to prevent a threat to an individual or to public health, safety and welfare; and
  • neither the Privacy Act nor the Health Records Act provides individuals with the ability to bring a legal claim if their personal information and data protection is breached. There is a complaints process under both Acts, but no direct cause of action in the Australian courts.

Therefore, Australians whose DNA information is accessed and collected through ancestry websites by third party ‘researchers’, police or government bodies are unlikely to have strong grounds for legal complaint.

Watch this space, because the inevitable upside of these ancestry DNA websites is that police may be on the precipice of cracking many ice cold criminal mysteries!
