Investigative genetic genealogy is gaining traction as a revolutionary technique for identifying perpetrators of serious crimes. This approach uses DNA data from private genetic genealogy databases, which were initially designed to help people explore their ancestry or assess their genetic predisposition to diseases. The Dutch government is now investigating whether this technique could play a role in criminal investigations. However, significant ethical and legal questions remain to be addressed, among them compliance with EU data protection regulations, according to PhD researcher Taner Kuru from Tilburg University. He calls for regulators to convene stakeholders and develop clearer guidelines.
Investigative genetic genealogy first gained global attention in 2018 when it was used to identify the Golden State Killer in the United States. This novel investigation technique uses the DNA data stored on privately owned genetic genealogy databases, such as GEDmatch and FamilyTreeDNA, to identify perpetrators of serious crimes when searches in the databases governed by law enforcement authorities fail to do so. Since its inception, investigative genetic genealogy has helped solve hundreds of cases worldwide, many of which had been cold for decades.
This success also sparked interest in Europe. Sweden became the first European country to use investigative genetic genealogy, followed by countries such as Norway and France. On the other hand, Denmark passed a law allowing its use only under certain conditions, and discussions about its feasibility are ongoing in the United Kingdom.
In the Netherlands, the Public Prosecutor’s Office and the Netherlands Forensic Institute (NFI) are currently testing investigative genetic genealogy in two cold cases. Meanwhile, the Dutch government is evaluating its ethical, legal, and privacy implications, as outlined in the government program.
Legal challenges under the EU data protection framework
One of the key legal challenges is determining whether and how personal data from private genetic genealogy databases can be used in criminal investigations under EU data protection laws. Taner Kuru points out that there is significant ambiguity around which legal basis should be used for using personal data available on these databases for investigative purposes.
For instance, Sweden relied on Article 10(c) of the EU’s Law Enforcement Directive, which allows sensitive personal data to be processed if it has been "manifestly made public by the data subject". However, Taner argues that this legal basis is unsuitable for several reasons:
- Companies like GEDmatch and FamilyTreeDNA, which allow law enforcement access to their databases, fail to adequately inform their users about the scope and risks of sharing their data with law enforcement;
- The data in these databases cannot be classified as truly "public"; and
- In some cases, the users’ personal data are disclosed to law enforcement against their will.
The need for a robust legal framework
Kuru warns that without a clear and appropriate legal basis, the use of investigative genetic genealogy by law enforcement could face legal challenges and risk eroding public trust, not only in this novel and promising technique but also in law enforcement authorities overall.
To move forward, he asserts, European law enforcement authorities must rely on appropriate EU or national provisions specifically designed for this purpose. However, such a framework is currently missing in many countries, including the Netherlands. Therefore, he urges regulators to convene relevant stakeholders, including law enforcement authorities, companies allowing law enforcement access to their databases, policymakers, data protection authorities, legal experts, civil society organizations, advocacy groups, academics, and researchers, in order to develop clearer guidelines and enhance transparency in the use of this technology.
More details can be found in Taner Kuru’s article published in Computer Law & Security Review (Vol. 56, April 2025): Investigative genetic genealogy in Europe: Why the "manifestly made public by the data subject" legal basis should be avoided.