Data PrivacyGenetic Data Privacy Risks in with Focus on Embryonic Gene Editing

INTRODUCTION

The emergence of gene-edited embryos, often dubbed “designer babies”, has brought genetic privacy into the spotlight. Beyond ethical and social issues, the dilemma surrounding embryonic genetic data is a significant concern now. Globally, people are growing increasingly aware and concerned about how their personal information is being collected and used, especially when it comes to  sensitive personal data concerning biometric, genetics, and DNA.

When genetic data is leaked, it is not just about passwords or emails, it is about lifelong health risks, family connections, and traits that can never be changed. In the context of “designer babies”, where genetic data is gathered even before birth, the implications become even more serious.

As genetic editing techniques such as Clustered Regularly Interspaced Short Palindromic Repeats (hereinafter referred to as “CRISPR”) -associated protein 9 (hereinafter referred to as “Cas9”) advance, enabling pre‑implantation selection or modification of embryos, genetic data becomes entwined with lifelong identity markers. The question that arises is that are the existing data privacy laws and privacy frameworks adequate to protect genetic data? The legal system has not yet caught up with the pace of biotechnology, creating a data privacy challenge with profound implications for individuals, families, and the society overall.

UNDERSTANDING THE CONCEPT

The term ‘designer baby’ refers to a child whose genes have been deliberately selected or modified, typically before birth, to include desired traits or eliminate undesirable ones. This is made possible by advanced technologies like CRISPR-Cas9 which allow scientists to modify DNA sequences with high precision.

Although the current scientific use is largely focused on preventing genetic disorders, the concept of enhancing physical appearance, intelligence, or athletic ability has pushed the boundaries of both ethics and the law. To create a designer baby, pre-implantation genetic diagnosis (hereinafter referred to as the “PGD”) is often used. This involves screening embryos created via in vitro fertilization (hereinafter referred to as “IVF”) for specific genetic markers before implantation. In more advanced cases, gene-editing tools may be applied to alter the DNA directly.

The vast amount of genetic data collected, stored, and potentially shared, makes this process unique. The data includes the embryo’s complete genome, a map that reveals not only the child’s health prospects but also information about their ancestry, disease risks, and inherited traits.

Because genetic data is uniquely identifiable and permanent, it raises serious concerns about data privacy, consent, and long-term storage, particularly when collected before the individual is even born. A 2018 study by National Library of Medicine demonstrated that just 2% of a population’s genetic data is sufficient to identify nearly anyone through familial matching.

People are increasingly choosing particular genetic features for personal reasons such as prevention from genetic diseases, reduced medical cost, increase in life expectancy, etc. Legal and ethical concerns about the extent to which science should influence human existence are brought up by technologies such as gene-editing tools.

DATA PRIVACY CONCERNS IN GENETIC ENGINEERING

The rise of genetic engineering has brought forward serious concerns related to data privacy. Genetic data is not only deeply personal but also permanent and predictive. It can reveal information about an individual’s health, identity, and biological relationships, making it one of the most sensitive forms of data. It raises the following concerns:

1. Absence of Principal’s Consent: One of the ethical concerns is lack of the data principal’s consent. During the process, genetic data is collected and used even before birth. The unborn child cannot give his/her consent, yet their most intimate biological information is recorded, stored, and sometimes even shared. This raises serious ethical and legal concerns about autonomy and privacy.
2. Exposure of Familial Data: Genetic data is inherently shared among biological relatives. A privacy breach involving one individual’s genetic information can inadvertently expose sensitive data about their parents, siblings, and extended family members. This makes data security not only an individual issue but a familial one.
3. Discrimination Risks: There is a growing fear that genetic data may be used to discriminate against individuals in areas such as employment, insurance, or education. If genetic predispositions to certain diseases or conditions are accessed without regulation, it could lead to biased decision-making and social inequality.
4. Inadequate Data Security: Many fertility clinics, biotech companies, and digital health platforms store genetic data electronically. This makes them vulnerable to cyberattacks, unauthorized access, and leaks. In 2023, a massive data breach at 23andMe, one of the biggest genetic testing companies exposed the personal genetic profiles of nearly 9 million users.
5. Commercial Use without Consent: Genetic data has significant commercial value for pharmaceutical research, biotech innovation, and marketing. In the absence of strong data protection laws, there is a real danger that this data can be sold, shared, or monetized without the individual’s knowledge or consent.

These issues shows the need for strong legal safeguards. A comprehensive legal framework should govern how genetic data is collected, processed, stored, and protected. Without proper regulation, the misuse of genetic data could undermine individual rights and public trust in emerging genetic technologies.

LEGAL REGULATIONS GOVERNING GENETIC DATA IN INDIA

India lacks a dedicated law governing genetic testing, embryo editing, or bioethics in human reproduction though India has made initial strides in regulating personal data with the introduction of the Digital Personal Data Protection Act, 2023 (referred to as the “DPDPA”). The DPDPA imposes obligations on data fiduciaries, which are entities collecting or processing personal data, to ensure that digital personal data is collected only for lawful purposes, and is used fairly and stored. DPDPA also mandates that data must be deleted once its purpose has been fulfilled, unless retention is legally required.

However, while the DPDPA lays a foundational framework, it does not specifically address sensitive personal data such as genetic data. For example, in the case of designer babies or pre-natal gene editing, consent is typically provided by parents or guardians on behalf of the unborn child. The DPDPA does not clarify how such proxy consent should be regulated or whether the child, once born, can later exercise rights over their own genetic data.

Further, the DPDPA provides a broad exemption under Section 17(2)(b), allowing processing of digital personal data for scientific or statistical research without obtaining consent from the Data Principal, who is an individual to whom the data relates, for purpose limitation or storage limitation. This has raised concerns, especially in the context of genetic testing, where long-term data storage is common.

For prohibition on the sale and transfer of gametes & embryos, the Assisted Reproductive Technology (Regulation) (hereinafter referred to as the “ART”) Act, 2021 is the legislature in India that regulates the fertility treatments and ensures ethical practices where reproduction is done with some assistance. Gametes, zygotes, and embryos cannot be sold, used, or transferred to anybody inside or outside of India directly or indirectly. Selecting embryos based on their genetic characteristics is prohibited in India due to the ART’s limitations on the purchase and sale of human genes, gametes, and embryos.

WAY FORWARD

India is currently at a formative stage in regulating genetic modification in human reproduction, but the growing global discourse around gene editing and designer babies is likely to influence the development of a future legal framework. As technologies like CRISPR become more accessible, there is an urgent need for specific legislation to govern human genetic engineering, particularly concerning embryo editing and pre-implantation genetic diagnosis.

While the DPDPA,  provides a foundation for protecting genetic data as sensitive personal information, it does not address critical issues such as consent for unborn children, ownership of genetic data and data storage for long periods of time. In the coming years, India may introduce a dedicated law on bioethics and reproductive genetics that outlines permissible boundaries, enforces strict consent mechanisms, and establishes regulatory oversight.

There is also a strong case for forming a statutory body to monitor and license gene editing practices, ensuring that any use of such technologies aligns with ethical standards and public interest. As societal concerns about genetic discrimination and eugenics grow, Indian laws will likely incorporate cultural, ethical, and human rights safeguards to strike a balance between innovation and individual dignity. The future of gene-edited embryos in India rests on proactive, inclusive, and globally-aligned policymaking.

AMLEGALS REMARKS

The concept of designer babies presents a complex intersection of science, ethics, and law. While the potential to eliminate genetic disorders and improve human health is remarkable, it comes with unprecedented risks to data privacy, autonomy, and societal equity.

India, like many countries, is still developing its regulatory framework to keep pace with these innovations. A proactive approach, grounded in constitutional values and international best practices, is essential. The future of genetic engineering must be guided not only by technological capability but also by ethical responsibility and legal clarity to ensure protection of individual rights across generations.

-Team AMLEGALS assisted by Ms. Khushi Jain (Intern)

For any queries or feedback, feel free to reach out to rohit.lalwani@amlegals.com or mridusha.guha@amlegals.com