In April 2025, genetic testing giant 23andMe filed for bankruptcy, with reports revealing that it planned to auction its vast trove of consumer DNA data to pay off its creditors. For millions of users, this news was more than just unsettling. One’s DNA is not just another piece of personal data; rather, it is one’s lifebook, a permanent blueprint of one’s identity, health and ancestry.

With a parallel rise in direct-to-consumer genetic testing companies in India, the country now stands on the precipice of a genetic privacy crisis. Yet its legal framework treats this highly sensitive information no differently from one’s email address or shopping history. 

India’s regulatory silence is not only dangerous and outdated, but especially disheartening in a jurisdiction where the right to privacy and personal dignity are recognised as non-derogable constitutional guarantees.

India’s newly enacted Digital Personal Data Protection (DPDP) Act operates on a notice-and-consent-based framework. However, unlike the European General Data Protection Regulation (GDPR), from which it draws inspiration, the DPDP Act does not carve out a separate category of Sensitive Personal Data, which typically refers to data requiring heightened protection due to its potential to cause harm or discrimination if breached.

This includes information such as health data, sexuality, religious or political beliefs, and, critically, genetic data. By failing to differentiate such categories, the Indian framework overlooks the heightened ethical and privacy risks inherent in the misuse of this information. The risks associated with breaches of genetic data run beyond identifiability, spilling over into the erosion of one’s dignity, personhood and the real possibility of social discrimination, particularly in areas like employment and health insurance.

With the obvious stated, we often overlook the ‘relational nature’ of genetic data. Unlike many other types of personal data, genetic data is not exclusively linked to one data principal; it inherently pertains to several people who share a similar biological architecture.

Illustratively, if I consent to share my genetic data, it doesn’t just reveal information about me, but also potentially exposes health predispositions, hereditary traits, or ancestral markers of my siblings, parents, children and even distant relatives. 

This creates a significant problem for India’s DPDP Act, which defines personal data as data that relates to a single, identifiable individual. However, under a more relational lens, one’s genetic data may also qualify as the personal data of the data principal’s biological relatives, as they too may be directly or indirectly identifiable through its analysis, either in isolation or when combined with other datasets.

This view has also been bolstered by the European Court of Human Rights in S. and Marper v. United Kingdom, where the court reiterated twice that the mere capacity of genetic data to identify biological relationships constitutes a serious interference with the right to private life under Article 8 of the European Convention on Human Rights, a right analogous to the Right to Privacy under Article 21 of the Indian Constitution.

Therefore, genetic privacy, by its very nature, demands a shift from an atomised rights framework to one that recognises shared stakes and collective implications.

Another key issue that emerges with genetic data is the open-ended nature of its potential uses in research. Explaining all possible future applications to a lay data subject in a manner that ensures informed consent is nearly impossible. As a result, participants often end up consenting to vague or broadly worded terms they don’t fully grasp, a phenomenon which is commonly referred to as ‘blanket’ or ‘open’ consent.

This issue becomes even more alarming when applied to indigenous and tribal populations, who are particularly vulnerable to becoming ‘textbook research subjects’, owing to their unique genetic makeups that enable them to resist disease. This vulnerability is exacerbated by the fact that 8.6% of India’s population, or roughly 104 million people, belong to the tribal communities.

These tribal communities have already been included in numerous genomic studies, including those on disease resistance and human migration, without specific guidelines on obtaining meaningful consent. 

India must amend the DPDP Act to explicitly recognise genetic data as a form of Sensitive Personal Data, and research institutions and companies involved in genetic research and processing should be mandatorily notified as Significant Data Fiduciaries (SDFs). This would help with more stringent norms, stronger purpose limitation requirements and stricter penalties for breaches.

Crucially, instead of focusing on a wholesale borrowing of data protection regimes across the globe, India must reflect on its local realities. In a country where modesty and bodily integrity are deeply rooted values, and where one’s genome is often viewed as the extension of one’s personhood, privacy is not merely a legal entitlement but a cultural expectation.

India must therefore adopt a culture-specific data protection framework, one that meaningfully balances its fundamental right to privacy with the advancements of biomedical research.

(The writer is a student at the National Law University, Jodhpur)