More than three months have passed since the U.S. Supreme Court rendered its decision to reverse Roe v. Wade and remove the constitutional right to an abortion. Implications for individual privacy rights and data privacy stemming from the decision are clear and continue to be worked through.
But simply working toward a solution won't suffice for arriving at concrete fixes, according to participants in a keynote panel at the opening general session of the IAPP Privacy. Security. Risk. 2022 conference here in Austin, Texas. Whether it be government actions or operational changes by companies and health care providers, panelists stressed the need for swift action to curb the privacy harms that have already come to light and the potential for further proliferation.
"We have a variety of health care issues that are really between a patient and her doctor. But now we're allowing state legislatures and lawyers into an emergency room to make a determination about you, your health and your safety," U.S. Department of Health and Human Services Office for Civil Rights Director Melanie Fontes Rainer said. "As a woman, but as a person, it blows my mind. What else do we treat like that?"
On individual privacy
The Roe v. Wade reversal is merely a "continuation of some practices" concerning the invasion to women's reproductive health privacy, according to Georgetown University Women's Law and Public Policy Fellowship Program Executive Director Jill Morrison, who described the issues pre-dating the Supreme Court's recent decision.
Morrison pointed to prosecutions related to natal safety that took place in the 1990s as the start. More recently in 2021, a Texas law set a bounty for credible, documented reports of individuals receiving or facilitating an abortion outside of the state's six-week ban.
"A woman could have a bounty placed on her if someone could identify the violation. So clearly that included, beyond medical records, things like Uber receipts or text conversations," Morrison said, adding license plates and providers' medical license details as other forms of accessible information to help reporting. "It's opened a wild, wild west that essentially gave vigilantes carte blanche to go after women."
Center for Democracy and Technology President and CEO Alexandra Reeve Givens said the combination of the SCOTUS decision and interconnected laws forces individuals to rethink their personal privacy. She indicated the door is now open for "normalizing surveillance on your neighbors" and to "weaponize data" in an unprecedented manner.
"The ways you're engaging online or the different ways you can communicate with your friends … all of that can be a target now," Givens said. "This moment has helped people wake up to the severity of the consequences of privacy harms. … It's information we're sharing all day, every day in the course of our daily lives and it's information we need to share."
The data privacy fix
For companies, privacy implications from the Dobbs decision come down to the handling of sensitive data, law enforcement access and how best to improve regulation or standards to protect that information. The issue though involves the misconceptions around which data in this context needs to be better protected.
Givens said women's health data is perceived to be the issue, but in fact, companies holding that category of data, including period-tracking and fertility apps, are making necessary changes to privacy notices and practices. She indicated general categories of data that provide points of inference are the trouble spots.
"The weak link is your location data, search history, browsing history, text messages and metadata about who you were texting," Givens said, noting how data brokerage amplifies the issues with these types of data. "There's a little bit of user empowerment necessary, but actually this is a moment for companies to step up to the plate. Customers want them to do it. You don't want to be in the position of handing over sensitive communications between a mother and her child."
Practical steps Givens and CDT are thinking about for companies include "getting smart" about responding to law enforcement warrants for data access along with data minimization principles.
With regulation, Givens mentioned more targeted legislation recently signed in California to limit out-of-state warrants for information as a good starting point. Federal bills, including the proposed Fourth Amendment Is Not For Sale Act and the American Data Privacy and Protection Act, represent both targeted and wide-ranging bills U.S. Congress could pass to address these issues.
OCR Director Rainer discussed the state of play for health providers, which were offered guidance by HHS in June for reproductive health care patient privacy. She said ongoing conversations with doctors and abortion providers first focused on permissible-versus-required disclosures of data, but questions and complaints have evolved since.
"We're continuing to think of additional policy options, whether that be regulatory or additional guidance," Rainer said. "When you get a subpoena (for law enforcement access) it's scary. Just because you don't have to give over the information doesn't necessarily mean that's a decision everyone is equipped to make. … Making sure processes are in place so the first time you're reacting is not when law enforcement is in your lobby is really important."