As the UK lays out its latest three-year strategy around data protection, in the US the long-running debate around data privacy regulation has received a boost from the Supreme Court’s controversial striking down of Roe v Wade.
As individual US states impose their own laws around access to abortion services, there has been much concern about the role that tech will play in the years to come. While abortion itself falls under the protection of the HIPAA (Health Insurance Portability and Accountability Act) federal-level patient confidentiality law, this will almost certainly be challenged by a number of state legislatures as being in direct conflict with their new-found disclosure rules.
In a bid to provide some level of additional protection, President Joe Biden last week signed off on an Executive Order (EO) focusing on where federal resources will be used in any such future conflicts, with the order stating:
Eliminating the right recognized in Roe has already had and will continue to have devastating implications for women’s health and public health more broadly. Access to reproductive healthcare services is now threatened for millions of Americans, and especially for those who live in States that are banning or severely restricting abortion care. Women’s health clinics are being forced to close — including clinics that offer other preventive healthcare services such as contraception — leaving many communities without access to critical reproductive healthcare services. Women seeking abortion care — especially those in low-income, rural, and other underserved communities — now have to travel to jurisdictions where services remain legal notwithstanding the cost or risks.
In the face of this health crisis, the Federal Government is taking action to protect healthcare service delivery and promote access to critical reproductive healthcare services, including abortion. It remains the policy of my Administration to support women’s right to choose and to protect and defend reproductive rights. Doing so is essential to justice, equality, and our health, safety, and progress as a Nation.
The EO requires the US Secretary of Health and Human Services to submit a report to the President within 30 days that, among other things, will suggest actions to ensure that personal data privacy protection is afforded to those who seek abortion and other reproductive medical services:
The Secretary of Health and Human Services shall consider actions, including providing guidance under HIPAA and any other statutes as appropriate, to strengthen the protection of sensitive information related to reproductive healthcare services and bolster patient-provider confidentiality.
Specifically it cites:
Actions, as appropriate and consistent with applicable law, to ensure the safety of patients, providers, and third parties, and to protect the security of clinics (including mobile clinics), pharmacies, and other entities providing, dispensing, or delivering reproductive and related healthcare services.
And with some states intent on clamping down even on access to information relating to abortion, the Attorney General will be joining forces with the Secretary of Health and Human Services to come up with ways “to educate consumers on how best to protect their health privacy and limit the collection and sharing of their sensitive health-related information.”
The order also calls on the Federal Trade Commission (FTC) “to protect consumers’ privacy when seeking information about and provision of reproductive healthcare services.” For its part, the Commission looks set to step up to the mark.
In a blog post published after Biden’s EO was signed, Kristin Cohen, Acting Associate Director, FTC Division of Privacy & Identity Protection, cites what she calls “a particularly sensitive subset at the intersection of location and health: information related to personal reproductive matters”.
The post goes on to highlight key considerations that organizations need to think about when collecting confidential information, including health data. These include claims of data anonymization to placate concerns, a practice that is “often deceptive”, according to Cohen:
Companies may try to placate consumers’ privacy concerns by claiming they anonymize or aggregate data. Firms making claims about anonymization should be on guard that these claims can be a deceptive trade practice and violate the FTC Act when untrue. Significant research has shown that “anonymized” data can often be re-identified, especially in the context of location data. One set of researchers demonstrated that, in some instances, it was possible to uniquely identify 95% of a dataset of 1.5 million individuals using four location points with timestamps. Companies that make false claims about anonymization can expect to hear from the FTC.
Cohen also airs concerns about so-called data brokers:
The next stop in the murky marketplace may be data aggregators and brokers – companies that collect information from multiple sources and then sell access to it (or analyses derived from it) to marketers, researchers, and even government agencies. These companies often build profiles about consumers and draw inferences about them based on the places they have visited. The amount of information they collect is staggering…In many instances, data aggregators and brokers have no interaction with consumers or the apps they’re using. So people are left in the dark about how companies are profiting from their personal information.
The US Congress has already begun taking its own data-centric actions in the wake of the Roe v Wade ruling, with a House Oversight Committee focusing on the role of data brokers and producers of period tracking apps. The Committee has written to a number of key platform providers asking for statements of their data collection and sharing policies by next week, stating:
The collection of sensitive data could pose serious threats to those seeking reproductive care as well as to providers of such care, not only by facilitating intrusive government surveillance, but also by putting people at risk of harassment, intimidation, and even violence. Geographic data collected by mobile phones may be used to locate people seeking care at clinics, and search and chat history referring to clinics or medication create digital bread crumbs revealing interest in an abortion.
Many tech firms have been among those companies that have committed to support employees in being able to access out-of-state reproductive healthcare services. That’s good to know. But the privacy issue is one that can’t just be ignored. Earlier this month, Google announced that location histories on Android smartphones that have been close to an abortion clinic or similar establishments would be automatically deleted. Other big tech firms have been less vocal to date on whether they will be taking equivalent actions. Expedient silence is not going to be a sustainable position.