GINA, Big Data, and the Future of Employee Privacy.

• Author: Areheart, Bradley A.
• Position: Genetic Information Nondiscrimination Act of 2008

FEATURE CONTENTS INTRODUCTION 713 I. GINA IN THEORY 715 A. A Brief Introduction to GINA 716 B. GINA's Purpose 718 1. Background Information 718 a. Rise of Genetic Information 719 b. The American Health-Insurance System 720 2. Congress's Intent in Passing GINA 722 3. GINA's Idiosyncratic Protections 724 a. Limited Scope 724 b. Narrow Protected Status 725 c. Prohibited Conduct 727 d. Broad Exceptions 728 II. GINA IN PRACTICE 730 A. GINA's First Ten Years 730 1. GINA's Statutory Terms 732 2. Common GINA Claims 738 3. Challenges in Proving Violations 742 B. GINA as a Failure 745 1. GINA Is Ineffective 745 a. Lack of Awareness 746 b. Limited Scope 748 c. Narrow Protected Status 748 2. GINA Is Unnecessary 750 C. GINA as a Success 751 1. Court Interpretations of GINA as a Privacy Protection 752 2. EEOC Interpretations of GINA as a Privacy Protection 753 III. GINA'S LEGACY 755 A. Modern Privacy Landscape in a World of Big Data 755 1. Big Data and the Threat to Employee Privacy 756 a. The Value of Employee Data 756 b. Big Data as a Growing Threat to Privacy 757 c. Big Data in Employment 759 2. Non-GINA Protections for Employee Privacy 761 a. Wo r k p l a c e Pr iv a c y L aw 761 b. Americans with Disabilities Act 763 B. GINA as a Blueprint for Employee-Privacy Protection 764 1. Genetic-Information Nondiscrimination 764 2. Lessons from GINA's First Ten Years 766 a. Lack of Awareness 766 b. Limited Scope 767 c. Narrow Protected Status 768 3. Taking a Cue from GINA 769 a. Protecting Recognized Antidiscrimination Classes 770 b. Protecting Sensitive Information 771 4. Counterarguments and Qualifications 773 a. Benefits of Disclosure 773 b. Traditional Antidiscrimination Classes 776 c. Nature of Big Data 777 d. A Practical Limitation 778 C. Implications 779 1. Intrinsic and Extrinsic Privacy Harms 779 2. Antisubordination 781 CONCLUSION 782 APPENDIX: FACTS, CLAIMS, AND BASES FOR RESOLUTION IN FEDERAL CASES WITH PLAUSIBLE GINA CLAIMS 783 INTRODUCTION

Workers of the future may enjoy little to no privacy on the job. A recent article in the Economist describes Humanyze, a data-analytics firm that is using its algorithmic approach to human resources on its own employees. (1) Workers at Humanyze wear identification badges that monitor their every move. The devices include microphones that pick up conversations, Bluetooth and infrared sensors that track location, and an accelerometer that records movement. (2) That data is cross-referenced with employees' calendars, emails, and other personal information. (3) The reports generated from this data include a surprisingly intimate amount of detail, including how much time an employee spends with members of the same sex, her level of physical activity, and the amount of time she spends speaking versus listening. (4)

The head of Humanyze sees these practices as smart business. He explains, "[e]very aspect of business is becoming more data-driven. There's no reason the people side of business shouldn't be the same." (5) However, employees may not share that sentiment. One employee of the software firm Workday, which also offers predictive data, quipped, "[t]his company knows much more about me than my family does." (6) This sentiment is increasingly common among workers. A recent study in the United Kingdom revealed that most respondents believed that their bosses were spying on them, and two-thirds thought that the increasing amount of worker surveillance made possible by technology would lead to distrust and discrimination. (7)

Stories like these give people more reason to be concerned with their privacy than ever before. New technology, sometimes called "big data," offers the opportunity to aggregate and cross-reference information to gain access to some of our most intimate secrets, including our disease risks, our reproductive choices, and information regarding our personal relationships. Employers might be particularly interested in snooping into their employees' private lives. Data analytics could reveal which employees are more likely to get sick, which employees are more likely to take parental leave, and which employees are more likely to be under stress at home. At present, the law offers few legal protections against this land of prying. We propose that the Genetic Information Nondiscrimination Act (GINA), (8) an idiosyncratic federal antidiscrimination law, might provide an unexpected pathway for navigating the growing challenges presented by big data.

In this Feature, we argue that one decade after its passage, GINA, which Congress intended primarily as a safeguard against discrimination based on genetic-test results, is better understood as a much-needed protection for employee privacy. In so arguing, we offer three novel contributions. First, we provide an empirical account of all the available cases decided under GINA. Systematically examining all the cases and quantifying both the recurring factual scenarios and the legal issues that have arisen in GINA's first decade allows us to say exactly what the statute is--and is not--accomplishing in the courts.

Second, we use that original case research to establish that in GINA's first ten years, there have been no successful claims filed for discrimination based on genetic-test results. Instead, most of the successful cases under GINA have involved impermissible requests for protected data. GINA, in practical terms, has functioned more as a protection against invasions of privacy than as a protection against discrimination.

While GINA's role as a privacy law is unexpected, it could hardly be better timed. The genetic-testing market has ballooned in recent years because of the FDA's increasing openness to genetic tests that allow consumers to screen their genes for disease risk from the convenience of their own homes. For example, in 2018 the FDA approved the first direct-to-consumer DNA test for three BRCA1/BRCA2 genetic mutations, each of which sharply increases the risk of breast cancer. (9) Meanwhile, the National Institutes of Health (NIH) aims to enroll a million people by 2019 in its Precision Medicine Initiative, (10) a research effort intended to tailor the delivery of health care to a patient's specific genetic makeup and disease profile. (11) And private DNA ancestry databases made headlines in 2018, when law enforcement used that technology to solve a string of decades-old murders. (12) Careful thinking about genetic privacy is now more critical than ever.

Third, we argue that GINA's role as a privacy statute highlights the need for greater employee-privacy measures in general. In particular, GINA's statutory design might well function as a blueprint for additional employment protections. GINA provides an important case study for safeguarding sensitive employee information that could be extended to a whole host of other areas, such as social media profiles, browser searches, and fitness-tracking data.

We tell the story of GINA in three acts. Part I introduces the statute and explains what legislators designed GINA to accomplish. Part II examines the first decade of GINA. We begin with our case-study findings. Next, we turn to the common misreading of GINA as a failure based on its performance in the courts. We argue that the cases decided and settlements reached reveal that GINA is hitting its stride as a privacy statute. Finally, Part III argues that genetic privacy-and privacy in ancillary fields--is more important than ever before and that GINA is precisely the land of protection we need in an age of big data and increasingly invasive technologies. Moreover, GINA provides a conceptual blueprint for protecting employees from discrimination in a variety of other areas. GINA's first ten years reveal that it may be a prototype for future antidiscrimination laws.

1. GINA IN THEORY

   Congress did not design GINA as a broad employee-privacy statute. Rather, it intended to prophylactically address fears about genetic testing by stopping a new form of discrimination before it started. (13) Discrimination based on genetic information was not a widespread social problem when Congress passed GINA. But supporters hoped that GINA might encourage genetic testing by giving people peace of mind about their genetic information. Indeed, Congress crafted the law to deal with the specific risks related to health insurance and employment that could discourage people from seeking genetic testing altogether. This Part introduces GINA's statutory protections and places it in its historical context, explaining why Congress opted to pass an antidiscrimination statute absent a longstanding history of discrimination.

   1. A Brief Introduction to GINA

      Hailed as the first civil rights law of the twenty-first century, GINA protects against discrimination on the basis of genetic information. Congress designed the statute to alleviate people's anxieties about genetic testing by prohibiting health insurers and employers from using genetic-test results and family medical history to discriminate. In this Section, we outline the contours of GINA's protections, discussing the statute's structure and its definitions of genetic information and discrimination.

      The statute has two substantive titles. Title I contains the health-insurance provisions, which prevent insurers from requesting genetic information and from using that information in their underwriting and rating decisions. Title I amends several federal health-insurance statutes to close any gaps in those laws. (14) Because GINA draws from existing legislation, it has no independent enforcement mechanisms for its health-insurance sections. Instead, it relies on the enforcement mechanisms of those underlying laws, most of which have no private right of action. (15) But Title II, which contains GINA's employment provisions, is its own standalone portion of the federal code with an independent private right of action. (16)

      GINA defines statutorily protected genetic information as (1) a...