By: Katie LePage

On June 24, 2022, the United States Supreme Court (SCOTUS) declared through its decision in Dobbs v. Jackson’s Women Health Organization that abortion is no longer a fundamental Constitutional right.  Without a federal data privacy law in place, the Dobbs decision raises serious concerns about how women’s personal data, such as menstrual apps, web browser history, and location, could be used to prosecute abortion-seeking women in abortion banned states.  Although attempts have been made at the federal level to pass a comprehensive data privacy law, it is unlikely that any law would be passed until 2023 at the earliest.  Companies that handle user data need to take initiative and implement enhanced privacy protections to help prepare for the data privacy implications that will result from the Dobbs decision.

Before Roe was overturned, various countries have taken steps to enact data privacy legislation to ensure users have control over their personal data.  The United States, however, has yet to pass one comprehensive federal law that governs privacy of all types of data.  There are currently only five states that have enacted privacy laws governing how companies can collect, share, and store user data.  This means that users who reside in the remaining 45 states have no control over their personal data, allowing companies to sell and share their personal data without their consent.  These companies have no obligation to notify a user if their data has been hacked or breached.  In today’s day and age, an individual’s personal information will continue to be subjected to abuse and remain vulnerable to hackers until action is taken.

In the 1973 landmark case Roe v. Wade, SCOTUS held that the right to privacy includes the decision to have an abortion, declaring the right to bodily autonomy a fundamental right.  Prior to Roe, women who wished to terminate an unplanned pregnancy needed to travel to a state where abortion was legal or perform the procedure themselves.  If a woman couldn’t afford to travel out of state for an abortion, drastic measures would be taken to terminate the pregnancy, including: throwing themselves down the stairs, hitting themselves with a meat pulverizer, sleeping in the snow, swallowing gunpowder, or inserting leeches into their vagina.  The decision in Roe didn’t give women access to obtain an abortion, it gave them access to safe abortions.

On May 3, 2022, a draft of the Dobbs decision was leaked to the public, holding that abortions are no longer a fundamental right under the Constitution.  There are 26 states that are certain or likely to ban abortion after the Dobbs decision.  Thirteen of those states have trigger laws, allowing abortion bans to take effect as soon as Roe was overturned.  Finally, a number of these states passed laws that reward private citizens who successfully sue anyone who aids or abets an abortion.  The passage of these laws, combined with the lack of any federal data privacy laws, introduce the frightening possibility of state law enforcement obtaining women’s personal data to prosecute those seeking abortions in states where it is now illegal.

The data privacy implications that will result from the Dobbs decision are severe as they empower law enforcement to abuse women’s personal and reproductive data to identify and prosecute those who have received an abortion in states where it is now illegal.  In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was passed with the intent to protect sensitive health information from being disclosed without a patient’s consent or knowledge.  As a result of the Dobbs decision, health information that was once protected information under HIPAA, now provides certain exemptions for covered entities to disclose personal health information to law enforcement agencies without the patient’s consent.  Some of the exemptions require disclosure of personal health information to comply with court orders, laws that require healthcare providers to report violent injuries such as gunshot or stab wounds, or require providers to alert law enforcement when there is suspicion that a death resulted from criminal conduct.  It is important to note that HIPAA only protects health information from covered entities.  That means any health information stored on personal devices such as phones or computers, is not protected.  As a result, health information can now be obtained through menstrual apps, web browser history, or even location tracking.  While there are steps an individual can take to better protect themselves from companies that sell or share their private information, it is nearly impossible to keep information on a laptop or phone private.  The best way for an individual to protect private health information is to refrain from storing that information on personal devices.

While it is possible for a person to refrain from storing personal information on their phone or computer, this solution does not really address the privacy issue created by the Dobbs decision and the corresponding state abortion laws.  Law enforcement agencies can retrieve data collected from period-tracking apps to obtain information about a woman’s menstrual cycle, such as if she missed a period or if she could be pregnant.  While these circumstances alone may not be enough to conclude that someone is seeking or already obtained an abortion, this information, in combination with other personal data, could be enough to press charges.  Law enforcement agencies can access your web browser history and sift through search queries for anything indicating an intent to get an abortion.  Additionally, law enforcement can collect location tracking data to determine if someone has been to an abortion clinic or obtain phone records to look for calls made to abortion clinics.

What can be done to protect women’s personal and reproductive data?  A comprehensive federal data privacy legislation is a good first step.  Legislative efforts are already underway to codify data privacy protections.  In June of 2022, a draft bill of the American Data Privacy and Protection Act (ADPPA) was scheduled to be introduced to the House.  While the ADPPA shows significant promise by being the first federal privacy law to gain bipartisan, bicameral support, efforts stalled in the House due to concerns about state preemptions and other potential modifications to the bill.  Even if the ADPPA is enacted, most of the law would not go into effect until 180 days after enactment.  A separate piece of legislation drafted in response to the Dobbs decision and in efforts to better protect reproductive data is the My Body, My Data Act, which was introduced to Congress in June of 2022.  The bill would prohibit entities from collecting, using, or disclosing personal reproductive or sexual health information unless they obtain consent from the individual or if strictly necessary to provide a requested service.

While the government is clearly trying to protect women’s personal and reproductive information, these bills are unlikely to become law until 2023 at the earliest.  In the interim, the most effective way to protect women’s personal and reproductive information falls on the companies that directly handle personal data.  As only five states require compliance with data privacy laws and principles, it falls on the companies located in the remaining 45 states to take the initiative to minimize the risk of disclosing sensitive data by enhancing their data security policies and procedures.

There are various ways that companies can better protect women’s personal and reproductive information.  The first would be implementing a data privacy policy, which informs users how and why the company is collecting their information and should be easily accessible for all users.  Companies can also enact policies to minimize the amount of data they collect from users and how long they store that data.  When companies with data minimization policies respond to court orders requesting user data, they cannot provide information they do not have, effectively protecting women’s personal and reproductive information.  Google implemented a data minimization policy a week after the release of the Dobbs decision.  This major policy change will automatically delete records of Google users’ visits to sensitive locations, such as abortion clinics.

It is abundantly clear that SCOTUS’s decision in Dobbs, declaring that abortions are no longer classified as a fundamental right in the Constitution, has detrimental effects on the future of women’s personal and reproductive data.  With the unknown fate of the ADPPA and the My Body, My Data Act, women’s personal and reproductive information remain vulnerable to abuse by state law enforcement agencies.  The best way to protect this information is for the companies that handle user data to implement data security policies and procedures so that women’s personal and reproductive data could have immediate protection until the government is able to pass a federal privacy law.

 

Student Bio: Katie LePage is a second-year full time student at Suffolk University Law School.  She is a staff writer on the Journal of High Technology Law.  Katie is a graduate from Stonehill College, where she received a Bachelor of Arts Degree in Criminology, with a minor in Sociology.

Disclaimer: The views expressed in this blog are the views of the author alone and do not represent the views of JHTL or Suffolk University Law School.