Johana Bhuiyan 

Health data privacy post-Roe: can our information be used against us?

The patchwork of federal, state and company protections remains hard to navigate a year after the Dobbs decision
  
  

Clue period tracking app on a phone.
The period tracking app Clue has committed to never handing over user data to any government authority. Photograph: Piotr Swat/Alamy

The supreme court’s decision to overturn federal abortion protections last year sent shock waves throughout the US. Suddenly, an individual choice that was once legally sanctioned was at risk of becoming the subject of criminal investigations in many states across the country.

As public attention turned to such prosecutions, major tech companies faced questions over the ways they collect and store users’ data amid concerns it could be used in abortion-related investigations. In August 2022, Facebook came under scrutiny after it was revealed law enforcement in Nebraska was prosecuting a mother and daughter for seeking and aiding an unlawful abortion in a case that was partly based on Facebook messages.

Major firms like Google and smaller period-tracking apps made commitments to protecting data that could be tied to reproductive care. Legislative efforts to regulate companies that buy and sell data and protect health-related data gained new momentum. And states like California introduced shield laws that prohibited companies that operate in the state from sharing health data with out-of-state agencies in response to abortion-related investigations.

Although privacy regulations on both the state and federal level have strengthened since the court’s ruling in Dobbs, some of that initial momentum has died down in the last year, several experts say. In the meantime, as renewed efforts to push a federal privacy framework progress slowly, individuals are left to make sense of how the patchwork of new state laws and existing federal laws may or may not protect their data.

“Individuals should not have to fear prosecution or criminalization, and the onus should not be on them to understand how to limit the collection, use, transfer and retention of their personal information,” said Sara Geoghegan, legal counsel at the public interest research center the Electronic Privacy Information Center (Epic). “But unfortunately, that is the legal reality that we find ourselves in.”

Here’s the status of data privacy one year post-Dobbs:

Federal

The US does not have a comprehensive federal privacy law that dictates how and when tech companies can collect, store or share your personal data, despite intense efforts to pass such legislation.

There was some hope 2022 would be the year Congress would vote on the American Data Privacy and Protection Act (ADPPA) – ambitious legislation that would limit companies to only collect, use, retain and transfer personal information that is “reasonably necessary” for the original purpose it was collected for. The bill did not make it to the floor of the Senate or the House, but it still has broad support and there are new efforts to push it forward.

In the meantime, several federal agencies are considering rules that would provide some level of data protection. The Department of Health and Human Services is looking at updating the Health Insurance Portability and Accountability Act (Hipaa) to introduce more privacy protections for information related to reproductive care. The update would prohibit the disclosure of personal health information in response to any investigation into any person seeking, obtaining, providing or facilitating “lawful” reproductive health care. Privacy organizations, including Epic and the Center for Democracy and Technology (CDT), have commended the proposed changes, though they have argued the rules could be stronger. The rules as proposed will only prohibit the disclosure of health information in relation to abortions that are considered legal or “lawful” which Epic says is unnecessarily limiting and creates potentially harmful ambiguity. CDT has also argued the rules should require law enforcement to get a court-ordered warrant to retrieve any personal health information.

The Federal Trade Commission (FTC) is also considering rules that could curb law enforcement access to health data and has started accepting comments on whether and how the agency should issue rules that would limit commercial surveillance. “The growing digitization of our economy – coupled with business models that can incentivize endless hoovering up of sensitive user data and a vast expansion of how this data is used – means that potentially unlawful practices may be prevalent,” the chair of the FTC, Lina Khan, said in 2022.

States

In states where abortion is illegal, it is unlikely there will be privacy policies enacted to protect health data. But several states where abortion remains legal have moved quickly to limit access to data that could incriminate someone seeking abortion when sought after by an out-of-state agency.

Many of those state-level efforts have focused specifically on health data or abortion-specific investigations. New York has passed a law that prohibits state agencies or officials from cooperating with out-of-state investigations into healthcare providers who prescribe and send abortion pills to people in states where it is illegal.

California has prohibited any company that is incorporated or has its principal executive offices in the state from providing records that are in California to law enforcement from another state in response to abortion-related investigations. The requirement that the records be stored in California data centers is cause for some confusion, according to CDT, but it will probably be hashed out in litigation.

Experts have argued that while such laws are useful, they may not be sufficient protection for those seeking abortions because police and law enforcement often ask for other types of data to prosecute abortions, such as Facebook messages or location data.

To that end, Washington state passed the broadest protections in the US, with the My Health, My Data Act. The law prohibits the collection and sharing of health data without consent but also creates so-called “geofences” around healthcare providers. That means that companies that do business in the state or provide services that target state residents cannot collect or use geofence location data to identify or surface ads to someone who is seeking or providing healthcare services. The law also requires out-of-state agencies to attest, under penalty of perjury, that they are not seeking information on a Washington resident in relation to the individual accessing or providing healthcare services that are legal in the state.

Experts are also eyeing several proposals being considered in California. A bill introduced by the assemblymember Mia Bonta would ban reverse search warrants like keyword search and geofence warrants from both out-of-state and in-state agencies. Both are broad legal requests that help police create a suspect list rather than ask for additional evidence on a specific target or person. Bonta’s bill had the support of Google and tech advocacy groups, but law enforcement groups such as the California District Attorneys Association have forced Bonta to narrow the focus of the bill to investigations specifically related to reproductive and gender-affirming care. Even with the more narrow focus, the bill only narrowly passed through the assembly and now faces an uncertain future in the state senate.

Companies

In lieu of a federal privacy regulation, the simplest way for people to be protected against their data being used against them is if tech companies do not collect or store that data in an accessible way.

But barring an unlikely industry shift away from collecting data, companies have made various commitments to protecting health and other data that can be deemed “sensitive” or used to prosecute unlawful abortions.

Some companies, including Apple and Meta, have moved to encrypt their data in more meaningful ways so that only the sender and recipient have access to it.

The period tracking app Clue, which is based in Germany and regulated under GDPR, has committed to never handing over user data to any government authority. Meta and other firms such as Disney have offered to cover travel expenses for employees seeking abortions. Google, for its part, has agreed to delete any entries for visits to locations that are deemed “sensitive” such as reproductive care clinics.

But some of these commitments have not provided sufficient protections. As the Guardian first reported in November 2022, Google stored several visits and mapped routes to and around Planned Parenthood locations despite its promises to delete them. Even without that location information, those seeking abortions in places where it is illegal remain vulnerable. For example, searches for Planned Parenthood and other abortion-related searches also remain stored in the company’s activity logs.

“Time and again, we’ve seen that protecting one small type of personal information has failed us and left us vulnerable to such great harms that, until we have general comprehensive privacy protections, we will be continued to be harmed by these invasive commercial systems,” Geoghegan of Epic said.

 

Leave a Comment

Required fields are marked *

*

*