On June 24, 2022, the U.S. Supreme Court issued its ruling in Dobbs v. Jackson Women’s Health Organization, overturning Roe v. Wade and holding that there is no constitutionally protected right to abortion. The significance of the decision cannot be overstated. Dobbs not only rolled back the Court’s prior protection of reproductive rights, it also raised still-unanswered questions about the privacy of digital data and could lead to the overturning of other previous Court opinions that are similarly grounded in privacy interests. In sparking such questions, Dobbs appears to have reinvigorated a national conversation regarding the protection of personal information and, more generally, the need for stronger data privacy safeguards in the United States.
Dobbs Undoes Decades of Supreme Court Precedent Regarding Privacy
The U.S. Constitution contains no express right to privacy; however, before Dobbs, the Court found that the right derived from other protections, such as Fourth Amendment restrictions on unreasonable searches, Fifth Amendment right to remain silent, and Fourteenth Amendment protections for due process.
In Roe v. Wade, the Court recognized a privacy interest in abortion, applying the right to privacy established in Griswold v. Connecticut, which struck down a Connecticut law restricting access to contraception. Griswold laid the foundation not just for protecting reproductive health, but also for safeguarding other rights that were grounded in the basic idea of an unwritten constitutional right to personal privacy and autonomy, including the right to engage in same-sex relationships (Lawrence v. Texas) and the right to marry, regardless of sex (Obergefell v. Hodges) or race (Loving v. Virginia). Just as the Constitution does not reference abortion or even privacy, it does not explicitly address rights related to marriage, procreation, contraception, family relationships, child rearing, or even education. As such, a post-Dobbs Court could conceivably overturn precedent protecting any one of those rights if it finds that they are not “deeply rooted in this Nation’s history and tradition” and “implicit in the concept of ordered liberty.”
In the months since the Dobbs decision was issued, abortion bans have proliferated in states across the country, but there has been a push to codify abortion protections, with President Biden recently vowing that, if the Democratic Party wins sufficient majorities in Congress in the upcoming midterm elections, the first bill he will send to Capitol Hill will codify Roe v. Wade. Although the Biden administration cannot prevent states from banning abortion, it has issued two executive orders on abortion access and patient privacy and released an interim final rule that will allow the Department of Veterans Affairs (VA) to provide veterans and their dependents abortion care in certain situations. These executive order protections, however, could be easily reversed by future administrations.
Digital Privacy in a Post-Roe Era
The inevitable future battles over reproductive rights will unquestionably involve data. The practice of collecting information from personal devices, apps, and websites has historically come under scrutiny with respect to the subsequent disclosure of that information to other companies, usually for advertising purposes. Disclosure of personal information to government and law enforcement officials by sale or through legal process has developed alongside the advertising ecosystem. However, in the immediate aftermath of Dobbs, the potential for consumer data being transferred to the government has been particularly scrutinized. The Dobbs decision has generated concerns that sensitive consumer data—e.g., geolocation, browsing and search history, online payments, and communications—could enable third parties, through use of mandatory criminal process or otherwise, to infer a woman’s pregnancy status and could reveal if she has considered traveling out of state to terminate a pregnancy.
Anonymization is one step that businesses may take to help prevent such exposure-sensitive data, but even anonymization may not offer sufficient protection if individuals can be easily reidentified using other demographic attributes. Businesses can further avoid such exposure by limiting, where reasonably practical, the amount of data they collect and store so that there is not a stash of sensitive locational or biometric data should authorities seek that information. Legislators and others have called on private tech companies to do just that. In response to intensified pressure from reproductive rights activists, Google announced it will delete location information when it detects a person has visited an abortion clinic or other sensitive location. Additionally, some privacy advocates have proposed that tech companies offer clearer and more genuine opt-out opportunities so that consumers can choose not to have their data collected and to offer clear, unambiguous notices of data collection and sharing policies.
In response to uncertainty and fear following the Dobbs opinion, the U.S. Department of Health and Human Services Office of Civil Rights issued guidance in July on how and when the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) permits disclosure of patients’ personal health information. Additionally, following the Dobbs decision, the FTC vowed to use its authority to protect consumers against illegal use and sharing of highly sensitive data. In August, the FTC filed a lawsuit against the data broker Kochava Inc. for selling geolocation data from hundreds of millions of cell phones that can be used to trace the movements of individuals to and from sensitive locations, including reproductive health clinics.
Implications for a Comprehensive National Privacy Legislation
Even before the Dobbs decision, the push for federal consumer data privacy protection experienced some momentum, and the Court’s ruling has only further invigorated this movement. Bills relating to data privacy have been proposed in both chambers of Congress.
Senators Warren, Wyden, Murray, Whitehouse, and Sanders introduced the Health and Location Data Protection Act, which would ban the sale or transfer of location and health data. While law enforcement could still gain access to data collected by private companies through personal devices by seeking subpoenas, court orders, or warrants, the law, if passed, would compel law enforcement to at least go through those lengthier constitutional processes of obtaining those orders or warrants, processes that provide some oversight of law enforcement discretion.
In the House, the proposed American Data Privacy and Protection Act (ADPPA) would give the FTC authority to regulate and enforce how companies can use sensitive health data. The bill focuses on “data minimization,” insisting companies not collect more data than they reasonably need for an enumerated permitted purpose, rather than relying on the familiar model of “informed consent.” The ADPPA’s advance to House consideration marks the first time a comprehensive privacy bill reached a full chamber vote in either the House or the Senate. While the ADPPA did not move forward before the full House of Representatives in September, it is not dead yet. Additionally, more narrowly tailored legislation has also been proposed to protect reproductive health data by limiting its collection or transfer.
Until federal legislation is implemented, privacy protection in the U.S. largely exists at the state level. The Californian Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), was the first comprehensive state privacy law and provides California residents with rights regarding how businesses process their personal information. Similar GDPR-inspired privacy laws have since passed in Virginia, Colorado, Utah, and Connecticut and will come into effect in 2023. Legislative bodies in several other states are currently considering similar comprehensive privacy bills. We are closely tracking developments in these states. Subscribe to www.RopesDataphiles.com for these and other updates.