Privacy and data protection in the wake of Dobbs

The United States was rocked by last summer’s U.S. Supreme Court (SCOTUS) ruling in Dobbs v. Jackson Women’s Health Organization, a landmark decision overruling both Roe v. Wade and Planned Parenthood v. Casey. While I expect much political discourse to continue, this article focuses on the direct implications for privacy and data protection regarding abortion.

What is “Privacy”?

It is important to understand what privacy is and how it is defined before determining what protecting privacy in the context of abortion may require. While the scope of privacy is wide-ranging, at its core, privacy is a dignitary right focused on knowledge someone may or may not possess about a person.

Regarding our U.S. Constitution, there is no recognized right to privacy. Several states do have a right to privacy in their constitutions, though whether this state right will be legally interpreted to protect access to abortion remains to be seen. Definitions get muddy here as privacy becomes enmeshed with concepts of freedom and liberty that are emboldened by the constitution.

The Dobbs majority points out a distinction between privacy and liberty: “As to precedent, citing a broad array of cases, the Court found support for a constitutional ‘right of personal privacy.’ But Roe conflated the right to shield information from disclosure and to make and implement important personal decisions without governmental interference.”

There are various definitions for what privacy is and isn’t — none of which have helped as a legal concept.

Privacy ≠ Data Protection

These muddied definitions end up causing more confusion as to what “privacy” really means. One place this rings true is the ease with which we throw around the term “privacy” vs. “data protection.” While data protection stems from the right to privacy, it focuses on the data to ensure it has been fairly processed — from collection, use, storage, dissemination, retention, deletion, and more.

Most “privacy” regulations that have been enacted or are up for discussion in the last several decades are focused on data protection. Even new comprehensive state privacy laws focus on “consumer rights.” At their core, these laws are not meant to protect one’s dignitary right to privacy but instead protect a type of data associated with a person.

Data Protection & Reproductive Rights

So how does the current U.S. data protection landscape help (or potentially harm) people seeking access to reproductive healthcare?

We can start by acknowledging that data is a byproduct of our information society. Security expert Bruce Schneir stated, “everything we do leaves a data shadow, and that shadow is under constant surveillance.” This surveillance occurs not just with governmental actors but also with tech corporations — big and small — that process data on a mass scale. These “technology intermediaries” must comply with law enforcement requests for information under statutory and constitutional law (which, in this case, could be used by states with restrictive abortion laws and “bounty hunter” programs). For instance, Planned Parenthood, one of the main providers of abortion care, must be mindful of its data practices — as third-party cookie pixels were discovered on their web scheduler, which could subsequently be used for law enforcement purposes.

Tech corporations can design their services with built-in encryption, limited analytics, minimization, and anonymization capabilities, making it harder for law enforcement to obtain data. However, with no clear requirement to do so, we are at the mercy of whether they choose to practice “data protection by design.”

Healthcare

As abortion is tied up with healthcare, we start by looking at our health laws. The U.S. has the HIPAA Privacy Rule, which governs how Protected Health Information (PHI) is processed. Disclosing PHI requires informed consent, except in certain circumstances, such as providing information to law enforcement. Following Dobbs, the U.S. Department of Health and Human Services (HHS) issued guidance that unless a state law “expressly requires” reporting on certain health conditions, the HIPAA exemption for disclosure to law enforcement would not apply.

In addition, to be in scope for HIPAA, this PHI must be governed by “Covered Entities” — this includes doctors’ offices and hospitals, insurance companies, and employer health care plans, but currently excludes commercial health services like period tracking apps. There’s concern that evidence of missing a period documented through such apps could be subpoenaed and used to bolster a case against someone suspected of an illegal abortion. The data from these apps are also frequently shared with third parties — as a recent study pointed out. And unfortunately, popular period tracking apps have been dinged for data protection failures. Some are launching features like “anonymous mode” that removes one’s identity from the fertility data. Other apps still have no explicit requirement for law enforcement to provide a signed warrant or subpoena before data is disclosed in their public-facing privacy policies.

Location Services

Period tracking apps are not the only major data point regarding reproductive health care. Another one is location. The data protection challenges around location services have been well documented — from domestic violence/stalking to covert tracking on social networking apps that have been used to surveil protestors at public rallies. Several lawmakers have inquired into such services, e.g., how Meta provides “sensitive” private user data for state criminal investigations.

In 2017, an adtech agency in Massachusetts agreed to stop using geofencing technology to target women entering abortion clinics with prolife advertisements on their smartphones. This has simultaneously created legal uncertainty for abortion providers that would like to use location technology but are concerned this would be considered “aiding and abetting” an abortion. In a post-Dobbs world, there is a high likelihood that geofencing advertising will not only increase around abortion clinics but that the use of “geofencing warrants” (the use of location data to identify people near a crime scene at a specific time) will also increase.

Data Brokers & Third Parties

These issues only become more complicated when we realize that data points around health and location can be compiled to create a profile that may interest law enforcement. Following the draft leak of Dobbs, Vice discovered that SafeGraph, a company leveraging geographical data to create trend insights, directly used data related to abortion visits. For under $200, data could be purchased on how often, for how long, and where people went following a visit to a Planned Parenthood clinic — potentially bypassing the need for a warrant or subpoena.

Safegraph and similar firms have since pledged to stop selling location data of people who visit abortion clinics, though this has not stopped house lawmakers from launching a formal investigation into how health data is processed by data brokers and period tracking apps.

There’s Nothing New Under the Sun

It says in the Book of Ecclesiastes that “there is nothing new under the sun.” This phrase from the Old Testament applies to privacy and data protection in the context of reproductive rights. Looking back at the recent (and ongoing) pandemic, heated conversations have focused on how our data is processed. This is nothing new, from mobile location tracking for COVID exposure to whether testing positive for the virus is protected under HIPAA to how to handle vaccination status.

So, where does this leave us with data and our reproductive rights? Despite calls to codify “intimate privacy as a civil right,” the Biden Administration’s Executive Order to protect sensitive data, the Federal Trade Commission’s inquiry into “commercial surveillance” activities and Congressional proposals to prohibit data brokers from sharing health location data, the likely impact is minimal. Even the potential for federal privacy law is limited. There’s no clear answer as to how this will all play out, but hopefully, these issues won’t fall by the wayside.

The overturning of Roe v. Wade may have sparked a real urgency to upgrade the technologies and legal system we depend on. And while a constitutional “right to privacy” may be a dreamer’s folly, responsible data protection that’s practiced by tech corporations and codified through our nation’s laws could be a real possibility in our future.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.