By Ashley Emery
Reproductive freedom and data privacy are inextricably linked – especially amid the heightened threats of abortion and pregnancy surveillance and criminalization in the aftermath of the Dobbs vs. Jackson Women’s Health Organization decision. In order to ensure pregnant people can exercise full autonomy over their bodies and lives on their own terms and without fear of criminalization, data privacy protections are urgently needed.
With 26 states that have banned or are likely to ban abortion, bans on travel for abortion cropping up in states and localities across the country, and vigilante abortion bans actively incentivizing private citizens to sue anyone who “aids and abets” abortion care, law enforcement and other individuals are empowered to pursue evidence against people seeking, facilitating, and providing reproductive care. While data in health care system records is certainly vulnerable to being misused in this context, so too is the growing body of data gleaned from smartphones, apps, and internet activity. This digital footprint increasingly serves as the body of evidence that police, prosecutors, and civil litigants can deploy – and already have – to penalize people’s exercise of bodily autonomy.
While people have long been subject to criminalization related to pregnancy – especially Black women and brown women, low-income women, and other members of historically marginalized communities – Dobbs has intensified concerns and confusion about data privacy and safeguarding personal information from potential prosecution. Improper disclosures, reckless trades, and invasive harvesting of personal data alongside a string of lawsuits, investigations, and charges related to abortion in the last few years have borne out this anxiety and stress for women and pregnant people, especially. Whether subpoenaed, sold, or scooped up in a digital dragnet, electronic data can be used to arrest and imprison pregnant people, their doctors, and loved ones who assist them with seeking abortion care.
Post-Dobbs Landscape for Reproductive Health Data Privacy
In the first year after Dobbs, at least 210 pregnant people faced criminal charges for conduct associated with pregnancy, abortion, pregnancy loss, or birth. Right now, state authorities may be able to weaponize abortion bans, “personhood” laws that grant fetuses legal rights and protections, and a range of other criminal statues (such as those for child abuse and endangerment, murder and homicide, and fetal harm) to investigate and prosecute people for their reproductive health decisions and pregnancy outcomes. Law enforcement officials can use electronic data to try to establish intent and as evidence of civil or criminal liability in legal proceedings against people for seeking or helping someone else obtain abortion care or in cases of stillbirths and miscarriages. And as pregnant people increasingly rely on telemedicine and out-of-state travel for reproductive health care because of abortion bans, law enforcement will increasingly rely on digital information to track pregnant people and build cases against them.
Some federal protections restrict disclosure of different types of data: certain health information is protected under the Health Insurance Portability and Accountability Act (HIPAA), and telecommunications information under the Stored Communications Act. Both laws, however, have had loopholes that allow data to be turned over to law enforcement. In fact, one of the driving forces for criminalization related to pregnancy status or outcomes has been health care providers unnecessarily reporting their patients to law enforcement, especially amidst confusion over reporting obligations under HIPAA’s law enforcement exception. In response, the Department of Health and Human Services (HHS) recently finalized the HIPAA Privacy Rule to Support Reproductive Health Care Privacy to prohibit the use or disclosure of protected health information for the purpose of investigating or criminalizing anyone for lawful reproductive health care. This means that HIPAA-covered entities like doctors are barred from complying with law enforcement requests and legal process – including court orders, subpoenas, and warrants – if officials are seeking health data from medical records to prosecute someone for seeking, assisting with, or providing lawful reproductive care.
While these changes should lessen the risk of patients being reported to law enforcement and better protect people who are forced to travel to receive care because of state abortion bans, it does not address the totality of the data flow of reproductive health information to law enforcement and external litigants. Vast quantities of data collected by devices and applications about our health – including personal information that could reveal health conditions or medical history – fall outside the scope of HIPAA. Location data showing a person traveled to or drove someone to an out-of-state abortion clinic, phone records and other communications, and web browsing data revealing attempts to get information about pregnancy termination or buy medication abortion pills are just some of the myriad data points that can be tracked down and weaponized in legal proceedings.
Digital Surveillance Supercharges Risk of Abortion Criminalization
Cell phone companies, internet service providers, social media platforms, and app developers collect, analyze, and hold onto extensive personal information about people. This can include their communications; location data; internet search histories; and health data from menstruation, ovulation, and pregnancy tracking apps. Many companies’ privacy policies allow them to capture, own, and remotely store people’s personal data, making it potentially vulnerable to subpoena or breach. With apps that store data locally on a user’s device, law enforcement theoretically has to clear a higher bar to access that information via warrant. But if law enforcement can demonstrate probable cause when investigating or pursuing charges against someone for abortion care, they can obtain a warrant allowing them to search through people’s emails and text messages, location history, and other personal information.
Even with Fourth Amendment protections against unreasonable searches and seizures by the government, law enforcement can get access to sensitive data involving reproductive health through interpersonal channels, sophisticated surveillance techniques, and data brokers that they can then use to prosecute abortion. Private citizens provide incriminating digital information like social media posts and text messages to tip off police. Dragnet surveillance enables police to access data about a large group of people in order to work backwards and investigate leads or suspects. For example, geofence warrants compel companies to produce information on all the devices located within a geographic area during a specific period of time. Keyword warrants pull data on everyone who has searched for a certain term. In these circumstances, law enforcement can access information about all the people whose digital data shows they spent time near an abortion clinic or looked up information about abortion care online. Facial recognition technology and license plate readers only amplify these threats.
Furthermore, the Data Broker Loophole allows law enforcement to bypass court approval needed to obtain sensitive data and instead buy it from data brokers. Data brokers stockpile and sell troves of electronic information they capture from mobile apps, cookies, social media platforms, public records, internet service providers, and other sources. Even though nineteen states have enacted shield laws to prohibit sensitive data from being disclosed for out-of-state legal proceedings involving reproductive health activities, prosecutors can sidestep both these laws and legal process and simply purchase information from data brokers to build their cases.
All this pervasive digital surveillance erodes our privacy and allows our bodies and lives to be turned over to law enforcement. Fear of government monitoring among pregnant people can isolate them from their communities and support systems, deter them from searching for reproductive health information or care online, drive mistrust between them and their doctors, and have a chilling effect on their ability to effectuate their reproductive decisions. In particular, the climate of fear can impose significant barriers to care and chill autonomous decision-making for Black and brown people, who are already over-surveilled and over-policed. Low-income, Black, and brown women are disproportionately subjected to criminal proceedings arising from their pregnancies. Especially for immigrants and Latinx people who are at risk of deportation, detention, and family separation, government monitoring of abortion and pregnancy further undermines reproductive freedom and increases threats of criminalization. Fear and subjugation of pregnant people and their communities are not only the grim reality that surveillance has facilitated but also the desired outcome of Dobbs and anti-abortion actors.
Next Steps for Strengthening Reproductive Health Privacy
The glaring lack of strong federal data privacy protections leaves people without sufficient guardrails to prevent their personal information from being exploited. That is why it is essential to address gaps in our nation’s privacy laws that jeopardize the freedom to make decisions about whether, when, and how to have children without fear of criminalization. Federal and state governments, as well as the private sector, have a role to play in strengthening privacy protections and mitigating the threat of abortion surveillance and criminalization. Key among legislative solutions at the federal and state level is addressing the pressing issue of warrantless police access to reproductive health information by closing the Data Broker Loophole.
Lawmakers in Congress must also focus on data minimization protections and stopping data disclosures that facilitate tracking and prosecution of abortion and pregnancy. For example, the My Body, My Data Act would create a new national standard to protect reproductive and sexual health data by minimizing personal reproductive health data that is collected and retained by apps and websites so that information is not misused or disclosed. The Reproductive Data Privacy and Protection Act would address gaps in the Stored Communications Act to prevent law enforcement from accessing data related to reproductive and sexual health information for investigating or prosecuting such care. In the states, more legislatures should pass shield laws stopping government officials, state courts, medical entities, and communications service providers from complying with demands for data for out-of-state investigations and prosecutions of reproductive health activities.
Federal agencies can use existing rulemaking authority and initiate enforcement actions to protect pregnant people and mitigate improper handling of reproductive health data. HHS must focus on strong enforcement of the new HIPAA Privacy Rule for Reproductive Health Privacy. The Federal Trade Commission (FTC) must robustly enforce the new Health Breach Notification Rule, which requires entities that manage personal health records but are not subject to HIPAA to notify the FTC and consumers following a breach of personally identifiable health data. FTC must also continue increased consumer protection enforcement with actions against companies for improper reproductive health data disclosures and sales.
To that end, the private sector must reform commercial data practices to protect reproductive health privacy. It is important for companies to take seriously their obligations to protect consumer information and take steps to limit data collection, retention, and sharing in any context not directly necessary to provide services.
Given the heightened risks of surveillance looming over pregnant people post-Dobbs, it is imperative that this constellation of public and private actors take action.
The author would like to thank Shaina Goodman, Erin Mackay, Jaclyn Dean, and Jesse Matton for their contributions.