The Supreme Court’s decision last June to reverse Roe v. Wade sparked new worries that the massive amount of digital health and location data that companies collect could provide a deep well of evidence for states seeking to track and potentially arrest anyone seeking or receiving an abortion.
Some of those fears have been realized. After the Supreme Court’s Dobbs decision overturning a constitutional right to abortion, news surfaced that Nebraska police served Facebook’s parent company Meta a search warrant for messages that turned out to be related to an illegal abortion. In March, a Texas man filed a civil lawsuit against three women he alleges helped his wife obtain an abortion. The lawsuit cited unencrypted text messages.
But even though the ruling ushered in urgent pleas from advocacy groups and many lawmakers for legislation to safeguard reproductive health data that can be easily obtained by data brokers or law enforcement, there remains little movement in Washington to pass legislation to strengthen U.S. privacy protections.
“I do think that there is a greater awareness now,” Rep. Sara Jacobs, D-Calif., told CyberScoop. “As a young person, I think it’s taken Congress too long to catch up with the American people in understanding these vulnerabilities.”
Jacobs, who introduced the “My Body My Data Act” last year, is one of the lawmakers who has led the conversation about reproductive and sexual health privacy in the wake of Dobbs. The legislation limits the reproductive and sexual health data that entities can collect and protects personal data such as cellphone data and search engine history not currently covered by the landmark health data protection law, the Health Insurance Portability and Accountability Act of 1996.
Jacobs reintroduced the legislation in May with 91 cosponsors in the House and 13 sponsors in the Senate. She is still seeking privacy-minded Republicans to co-sponsor the legislation but acknowledged the difficulty in getting bipartisan support.
“The fact of the matter is this isn’t just about abortion,” said Jacobs. “It’s all sexual and reproductive health data. So if you’re a 70-year-old, Republican man who doesn’t want your wife to know you’re searching about gonorrhea on Google this does protect you, too.”
Rep. Anna Eshoo, D-Calif., a co-sponsor of the bill, said that while Republicans aren’t going to take up the bill, “it’s important to build support for these policies so that the minute that we take over the majority that we’re ready to go.”
The legislation has gained the support of a number of civil liberties and reproductive rights groups. “With the GOP dead set on criminalizing abortion, it is critical that we do everything we can to protect the data and privacy of those seeking and providing care. We’ve seen our champions at the federal and state levels spring into action to do so, including U.S. Representative Sara Jacobs … or California state Assemblymember Rebecca Bauer-Kahan’s AB 254—which ensures the privacy of individuals when they use apps and websites that provide reproductive health services,” NARAL Pro-Choice America Communications Director Ally Boguhn wrote to CyberScoop in an email.
Where Washington has seen more success in protecting reproductive health data is in regulatory action helmed by the White House. For instance, President Biden last summer signed an executive order tasking the Federal Trade Commission and the Department of Health and Human Services with protecting abortion services. In April, HHS proposed a rule that would strengthen existing privacy protections under the Health Insurance Portability and Accountability Act by prohibiting healthcare providers from disclosing reproductive healthcare data for the purpose of investigating an individual for a legal abortion. Last week, 24 state attorneys general threw their support behind the proposed rule.
States with pro-choice leadership have also pushed through a cohort of laws around reproductive health, such as shield laws in New York, Washington and California barring entities from sharing data about legal abortions with states conducting criminal investigations into the behavior. California lawmakers are also seeking to ban reverse search warrants that could ensnare abortion seekers, as CyberScoop first reported.
“So far, we haven’t seen indicators that these types of shield laws have actually proved necessary… but we expect it is certainly just a matter of time before they do,” said Jake Laperruque, deputy director at the Security and Surveillance Project for the Center For Democracy & Technology.
Experts note that there could be several reasons there haven’t been more high-profile cases of digital evidence showing up in abortion criminal cases. One is that companies that receive law enforcement requests are often subject to an initial gag order. Secondly, abortion-related investigations may not be explicitly labeled and may instead be charged as a crime like murder or child endangerment.
Even with some strides by states and the Biden administration, without Congress to codify abortion and privacy rights, many state and agency protections fall short. For instance, the HIPAA rulemaking only applies to states where abortion is legal. Applying the protections to all states would take an act of Congress. Reps. Jacobs and Eshoo’s Secure Access for Essential Reproductive (SAFER) Health Act, which served as a model for the HIPAA rule, would apply to all reproductive health information regardless of local laws.
Democrats in both chambers are expected to force a vote on legislation protecting access to abortion nationally ahead of the Dobbs anniversary.
Moreover, legislative solutions tailored to health data ignore a world of data that can also be used to incriminate abortion-seekers, such as private messages and geolocation history. Protecting other forms of metadata requires more comprehensive federal privacy legislation. After Dobbs, many civil society groups redoubled support of the American Data Privacy and Protection Act, comprehensive privacy legislation that passed out of its House committee last summer but has yet to be reintroduced this year. Eshoo and Rep. Zoe Lofgren, D-Calif., introduced their own comprehensive privacy legislation, the Online Privacy Act, in April.
“ADPPA would go a long way to not only raise the bar for protections around sensitive data, including health data,” Andrew Crawford, senior policy counsel on the Privacy and Data Project at CDT, told CyberScoop. “Our approach to data privacy burdens the consumer far too much and does not place much of a burden requirement on companies to act as responsible stewards.”
Crawford, who recently released with CDT a guide for best practices for companies to protect reproductive health data, says that the private sector also plays an important role in protecting consumers. Concerns about reproductive health privacy have put pressure on companies to take steps to reduce harm. For instance, Google last summer promised to stop collecting users’ location data for visits to reproductive health clinics. Fertility and reproductive tracking apps at the center of new fears also responded with new privacy modes, such as Flo’s anonymous mode, which allows users to track on the app without sharing data like their name or IP address.
Crawford emphasized that any company that collects information like location data could find itself on the receiving end of a law enforcement request and that the kinds of protections that CDT is pushing apply to every company.
“We would like folks to embrace these best practices right now and they don’t necessarily need legislation to do it,” said Crawford.
Lawmakers aren’t giving up, however. “I think together with my colleagues we have built legislative products that are worthy of the support of members but most importantly they would be laws that would fully protect women in our country given the Dobbs decision,” Eshoo told CyberScoop. “It’s a different era. It’s a different time.”
The post A year after Dobbs, federal privacy legislation to protect abortion seekers remains stalled appeared first on CyberScoop.