Interesting point - I highly doubt the suspect was a "prior suspect". But in this case I believe investigators were able to find additional evidence after they matched the DNA. So in Bayesian terms, multiple updates (DNA match + location match + suspect appearance match + other physical evidence) were made to their prior.
Additionally, I think investigators tend to act more carefully in a high profile case than in a typical case, so I expect that they possess some additional conclusive evidence.
It doesn't matter if multiple updated positively confirm the suspect as the perpetrator when the first link in the chain (ill-gotten DNA match) is excluded by the court. This guy will walk.
Will he? I believe this novel use of a private DNA database is so novel that there may not be any governing case law on whether it's a violation of privacy.
The scanned individuals opted in for relative matching. The fact those people were relatives of John Doe is publicly-documented knowledge in birth records and not susceptible to a privacy challenge.
We know states are prohibited from storing biometrics (DNA, fingerprints) of law abiding people for law enforcement purposes. Then it follows they are prohibited to outsource the same to third parties.
Additionally, I think investigators tend to act more carefully in a high profile case than in a typical case, so I expect that they possess some additional conclusive evidence.