On May 3, 2022, Politico published a leaked copy of the Supreme Court’s draft opinion in the abortion rights case of Dobbs v. Jackson Women’s Health Organization. In the draft opinion, lead author Justice Samuel Alito explicitly states, “We hold that Roe and Casey must be overruled” and that “It is time to heed the Constitution and return the issue of abortion to the people’s elected representatives.” In the weeks since the publication of the draft opinion, privacy professionals and advocates have been raising concerns about how collected data may be used to penalize women who may seek or consider an abortion.
mHealth Apps and Data Tracking
There is currently an array of mobile health apps (mHealth apps) available that collect a trove of highly personal health information (PHI) about their users. Oftentimes the data collected is not protected under the Health Insurance Portability and Accountability Act (HIPAA) because the app companies are not considered covered entities. But, based on the information provided by the users, the data may be used to track when a user has their menstrual cycle, when they become pregnant, or if they end a pregnancy. One area of concern in a potential post-Roe world is that such data can be “subpoenaed or sold to a third party — could be used to suggest that someone has had or is considering an abortion.”
This can be especially troubling in states with existing stringent abortion laws or abortion trigger laws that would effectively ban abortions if Roe and Casey are officially overturned. Representative Suzan DelBene (D-Washington) also worried that “law enforcement officials or even community members could purchase and abuse this data to target women seeking an abortion and medical professionals providing them.” The possible acquisition and use of data by private citizens is especially troubling given Texas’ SB 8, also known as the Texas Heartbeat Act. The Act is to be “enforced through private civil actions[,]” which the Department of Justice states essentially “deputized ordinary citizens to serve as bounty hunters.”
These concerns about collection, use, and sale of data are particularly salient in light of the Federal Trade Commission (FTC) enforcement actions against Flo Health, Inc. Flo is a mobile app that allows users to track menstrual and fertility cycles and has 43 million active users. The FTC alleged that Flo “handed users’ health information out to numerous third parties,” such as data analytics companies and marketing firms. When Flo shared users’ information they “took no action to limit what these companies could do with the users’ information.” Flo ultimately settled with the FTC under a consent order which included a list of requirements the company must follow. One provision of note is that Flo was required to instruct third parties to destroy any health information they received.
Use of Other Data Collection Sources: Geolocation and Search History
mHealth apps are not the only source of data that can reveal if or when a woman may be seeking an abortion. A vast array of mobile apps that have nothing to do with health use precise geolocation and may be able to reveal if a user is at a medical clinic that provides abortions. For instance, digital maps, rideshare services, and social media platforms can all collect data on the precise geolocation of their users. The very smartphone on which all these apps reside is also one of the greatest sources of precise geolocation information.
Given the wealth of information, law enforcement may issue a geofence warrant to a search engine company, such as Google, to obtain information about individuals in a particular area. If abortion is banned or even criminalized in some states, geofence warrants may be used to identify people who were in or around clinics that provide abortion services. Besides geolocation data, many search engines collect search history that can be incredibly telling if an individual is considering or seeking an abortion. Search history data, like health data, may be sold and used by third parties.
Effects of Proposed European Union Regulation on Scanning Direct Messages
On the heels of the leaked Supreme Court draft opinion, the European Union released its proposed regulation aimed at protecting children against abuse, sexual exploitation, or “grooming” behavior online. Some companies currently scan their users’ direct messages to detect any potential child sexual abuse material (CSAM). But the proposed regulation would greatly expand the scope of such scans, to a point that some privacy experts believe would “seriously undermine (and perhaps even break) end-to-end encryption.” If enacted, the EU regulation would affect all companies that conduct business in Europe, such as many American tech companies. As a result, the data and messages of American users would also be subject to the expanded scans.
In a potential post-Roe world where states may criminalize abortions as homicide or child abuse, privacy experts worry the proposed EU regulation may be co-opted to scan for messages about abortions. Extending the definition of child abuse to encompass abortion would broaden the scope of the scans conducted by direct messaging platforms. Law enforcement may also be empowered to request such data from companies in order to prosecute individuals seeking abortions.
While the draft opinion is not official, the Supreme Court may issue its final opinion in June. Until then, the possibility of a post-Roe world raises numerous data privacy concerns. These concerns are not only relevant to abortion rights but also highlight the pervading issues around data regulation and consumer control of their own information.