The Shared Secret: Does Your Consent Violate Your Family’s Privacy?
As of May 2026, millions of Canadians are navigating a significant legal deadline. They have until June 25 to file claims in the finalized 23andMe Canadian Data Breach Settlement—a multimillion-dollar resolution to one of the most consequential privacy failures in recent history. But as the legal files are closed, a more fundamental question remains: Can a single person’s consent ever truly be ethical when the data being signed away belongs to an entire family tree?
We are taught early on in law school that the individual is the ultimate unit of the law. We draft retainer agreements for individuals, seek informed consent from individuals, and guard the privacy of individuals. However, the 23andMe fallout has exposed this foundational “individualism” as a flawed legal fiction. While a compromised banking password impacts only the account holder, the disclosure of a genomic sequence effectively “outs” the biological secrets of children, siblings, and parents, most of whom never signed a terms-of-service agreement.
There is a growing frustration among Canadians that our legal safeguards are failing to keep pace with corporate data harvesting. While the Supreme Court of Canada’s landmark decision in Reference re Genetic Non-Discrimination Act, 2020 SCC 17 was a victory for human dignity, it focused on preventing discrimination rather than addressing the core issue of relational privacy. In the world of DNA, there is no such thing as a solo act. When the state fails to recognize privacy as a collective right, it doesn’t just leave an individual vulnerable; it leaves an entire biological lineage exposed.
The Myth of Individual Consent
In Canada, our privacy framework, including the Consumer Privacy Protection Act (CPPA) and Ontario’s Personal Health Information Protection Act (PHIPA), is built on the pillar of individual autonomy. The law assumes that a “data subject” is a silo.
However, genomic data is inherently relational. If a participant in a cancer study discovers a BRCA1 mutation, that discovery isn’t just a clinical data point for the patient; it is a high-probability warning for their sister and a 50% coin-flip for their daughter.
Current Canadian law allows the participant to keep that secret or share it. But what about the database itself? When an institution holds that data, it is holding the “shared secrets” of a family tree. As AI-driven re-identification becomes more sophisticated, the “anonymity” we promise participants is wearing thin. We aren’t just managing a patient record; we are managing a family’s digital inheritance.
The Canadian Shield: GNDA and Beyond
Canada took a massive leap forward with the Genetic Non-Discrimination Act (GNDA). It remains one of the world’s most robust protections, making it a criminal offense to require genetic testing or the disclosure of results as a condition for goods and services such as life insurance or even employment.
But the GNDA is a “shield” against discrimination, not a “cloak” for privacy. It doesn’t stop the collection of familial data; it only stops the misuse of it. As researchers, the question isn’t just “Will this person be fired?” but “Does the daughter have a legal right to not know what her father just uploaded to a cloud server?” This is addressed in the TCPS 2 (2022) – Chapter 13, which guides ethical research involving genetics in Canada, yet it still struggles to balance familial interests against individual autonomy.
A Global Perspective: Who is Leading?
The global community is fractured on this issue, but two jurisdictions stand out for their advanced, and often conflicting, approaches. In the European Union, the GDPR (Recital 34) explicitly classifies genetic data as a “special category” of personal data. European jurisprudence, notably in the landmark case of S. and Marper v. the United Kingdom, has recognized that the retention of genetic samples constitutes a “disproportionate interference” with the right to private life because of the data’s unique ability to reveal a person’s biological lineage and future health.
Iceland is home to the world’s most advanced genomic database project (deCODE). Their Supreme Court provided the “most advanced” ruling on familial privacy in Guðmundsdóttir v. Iceland. The Court ruled that a daughter had the legal standing to prohibit the transfer of her deceased father’s medical records to a commercial database because those records contained information about her hereditary characteristics.
While the EU provides a clearer statutory framework (GDPR), Iceland holds the most advanced judicial recognition that genomic privacy is a “group right.”
The Path Forward: Relational Privacy
Maybe the path forward is focusing on research protocols that account for the familial reach of the data, using dynamic consent systems that allow participants to update preferences as the research evolves, and, finally, viewing institutions not just as “data controllers,” but as stewards who owe a duty of care to the entire biological line.
In our rush to cure disease, a noble and necessary pursuit, we must be careful not to bankrupt the privacy of future generations. DNA is the only record we cannot change and the only one we are forced to share. As lawyers and privacy specialists, our job is to ensure that the “shared secret” of the family remains a choice, not a leak.

