Lawmakers look at data privacy in post-Dobbs world
Personal health data collected via apps, other technology becomes subject of congressional scrutiny in the aftermath of Roe reversal
Latice Fisher of Mississippi experienced a stillbirth and was charged with second-degree murder when investigators unearthed online searches on how to buy misoprostol, an abortion drug.
Celeste Burgess, a Nebraska teen, now has a felony charge on her record for disposal of a fetus after an abortion. Facebook messages between Burgess and her mother served as a linchpin in the case.
Both cases occurred before the Supreme Court’s 2022 decision to overturn Roe v. Wade.
Now, with states individually implementing a patchwork of laws restricting or permitting abortion, advocates such as Corynne McSherry, the legal director at the Electronic Frontier Foundation, a nonprofit that advocates for data privacy, worry that personal data will become yet another front in the post-Dobbs war, with those cases providing “a kind of template” for what’s to come.
With nearly a quarter of states banning or restricting abortion, McSherry said there are limited guardrails protecting data from law enforcement during an abortion investigation. “Our privacy laws, especially at the federal level, are just pathetically out of date,” McSherry said.
Even before the Supreme Court’s June 2022 Dobbs v. Jackson Women’s Health Organization decision, abortion prosecution was not a new phenomenon: According to Pregnancy Justice, there were 1,396 criminal arrests for pregnancy-related cases between Jan. 1, 2006, and June 23, 2022.
The organization defines those cases as when a pregnant person is arrested for reasons related to their pregnancy or when terms of bail, sentencing or probation are tightened because they become pregnant after being charged with an unrelated crime.
In the wake of Dobbs, said Andrew Crawford, senior counsel on privacy and data for the Center for Democracy and Technology, “I definitely think there’s potential for it to increase a lot.”
Congressional efforts
Hawaii Sen. Mazie K. Hirono and California Rep. Sara Jacobs are part of a coalition of Democrats hoping to overhaul current privacy laws to give consumers more agency over their personal data, including the right to delete their information. Together they introduced companion bills in the House and Senate that would limit the retention, collection and disclosure of personal reproductive and sexual health data by entities that are not covered by HIPAA — a privacy law that applies only to health care providers, health plans and health care clearinghouses.
“People should not have to worry about being surveilled or prosecuted simply for providing or seeking reproductive health care,” Hirono said in a statement to CQ Roll Call.
The measure would allow individuals to bring civil action against regulated entities for privacy violations.
“Like millions of young people, I use a period tracking app — and the information in these apps along with fertility tracking apps, search history, location data, and so much more can be collected, shared, and sold without our consent, and even used to investigate and prosecute legal cases,” Jacobs said in a press release.
The bill has gained support from the Electronic Frontier Foundation, the Center for Democracy and Technology and other reproductive rights organizations, but no action has been taken on the bill in the Senate.
And it’s unlikely that the measure will be taken up in the Republican-held House, meaning for now, consumers will have to rely on existing protections.
“Currently, though, there are few protections to prevent individuals’ reproductive health data from being weaponized against them or being disclosed to third parties — exposing patients and providers to potential surveillance and possible prosecution,” Hirono said in the statement.
For Fisher and Burgess, federal legislation comes too late: Fisher, who was charged in 2017, served jail time before the case eventually was dismissed. Burgess was sentenced to 90 days in jail and two years’ probation.
HHS weighs in
In April, the Department of Health and Human Services and Office for Civil Rights issued a notice of proposed rule-making to make changes to HIPAA that would prevent protected information from being disclosed to prosecute or sue an individual, doctor or other involved party regarding reproductive health care services, including abortion.
While the proposed changes to HIPAA would protect personal health information, it would apply only to entities that are required to comply with HIPAA, such as doctors and insurers. And there are certain circumstances in which health data would not be protected, such as if the patient opts to move their health information onto a third-party platform like a smartphone app.
“HIPAA is very unique in that the privacy protections don’t attach to the data itself, but they kick in based on what type of entity holds the data,” Crawford said. “The burden falls entirely on the consumer.”
This means that people seeking abortion services need to be more careful about their data, advocates say. Social media and text messages are not a safe channel to discuss sensitive information.
“There’s communications that you may have with your friends or your family and about your health that might be collected or subpoenaed or sought out through a warrant process,” McSherry said. She recommends using encrypted messaging apps.
There are several types of data that are vulnerable during an abortion investigation. Law enforcement has an arsenal of tools that they can use to obtain personal data like geofence and keyword warrants.
Geofence warrants can be used to require companies like Google or Apple to identify every device from an area near an abortion clinic during a specified time.
Keyword warrants work similarly — police can compel tech companies to provide the identities of people who searched certain phrases like “abortion” or “mifepristone.”
Neither type of warrant requires the police to have a suspect, and the warrants can be used to reverse engineer an abortion investigation.
McSherry argues that such warrants are “overbroad” and unconstitutional because they violate the Fourth Amendment, which prohibits “unreasonable” searches and seizures.
“There’s a few things people can do to better protect themselves and their data,” Crawford said. “Sometimes it’s as simple as not bringing your smartphone with you if you’re potentially going to a sensitive location, like a reproductive health clinic.”
Consumers can also turn off personalized advertisements, use private browsers and review privacy policies for apps. However, Crawford acknowledged that reviewing such policies can be a “very unrealistic process.”
But the burden to determine what is safe or unsafe does not always fall on the consumer.
In 2021, the Federal Trade Commission intervened when it was discovered that the popular period tracking app Flo Health shared health data with marketing and analytics firms without its users’ consent. The resulting settlement prohibited Flo from misrepresenting how it collects, maintains, uses or discloses any collected data.
The FTC released an article stating that Flo and other health data settlements “make clear that practices like that may run afoul the FTC Act if they violate privacy promises or if the company fails to get consumers’ affirmative express consent for the disclosure of sensitive health information.”