Introductory Remarks

The panel began with introductory remarks delivered virtually by Congresswoman Sara Jacobs, sponsor of the My Body, My Data Act.

The My Body, My Data Act proposes to address some of the risks to reproductive data privacy by 1) requiring that companies only collect the reproductive and sexual health data necessary to perform their services, 2) preventing companies from selling or sharing reproductive and sexual health data, 3) allowing individuals to request deletion of their personal reproductive and sexual health data, and 4) giving individuals the power to sue in the event they believe that their data is being misused under the act.

Professor Nunziato commenced the panel discussion, cautioning that it was important to strike an appropriate balance between the fear and the panic regarding potential criminal liability related to reproductive data post-Dobbs and inspiring greater education on the subject and a call to action.

The Post-Dobbs Legal Landscape Across the States

Professor Sonia Suter then discussed the post-Dobbs legal landscape of abortion law. To date, there are:

Abortion Bans

The nature of the penalties, structure of the laws, and vagueness of the legislative language has largely deterred medical providers from providing abortions. For example, some laws place the burden of proof on the defendant to prove the legality of a performed abortion rather than on the prosecution to prove its illegality. As a result, there are few abortions being performed in states with abortion bans, limiting the number of cases where enforcement methods are challenged and questioned.

States with bans typically threaten sentences of 2-10 years in prison and/or revocation of medical licenses of doctors who perform abortions. On the more severe end of the spectrum, Alabama and Texas legislation threaten up to life in prison. Oklahoma, Texas, Arkansas, and Louisiana impose severe civil and criminal fines as high as $100,000.

The strict bans often have no medical exceptions. While most states allow abortions when a patient’s life is in danger, some states treat this as an affirmative defense, with the burden of proof resting on the defendant provider to show that the patient’s life was in fact in danger. The lack of medical exceptions and uncertainty as to when abortions fall within this exception has led to several cases where medical providers were hesitant to provide care to a patient in need of an abortion until they were on the brink of death.

Civil Bounty Hunter Laws

Civil bounty hunter laws, like the SB8 in Texas, allow individuals to sue others not only for providing an abortion, but for aiding and abetting an abortion. Individuals who did not have actual knowledge, but “should have known” that they were aiding and abetting an abortion, could be civilly liable under these laws. It is unclear whether this might even extend to friends and family aware of a pregnancy or even car share drivers driving a patient to obtain an abortion.

Extraterritorial Application of State Laws

States and their officers are making efforts to extend abortion bans beyond state lines. Idaho’s “abortion trafficking” law makes it a felony to bring minors across state lines for an abortion. The Attorney General in Alabama argues that he can prosecute individuals for providing information to Alabama residents that facilitate abortions out of state. This has chilled Alabama health care providers’ discussion about abortions, even if such discussions occur in states where it is legal.

Sara Geoghegan, Counsel at the Electronic Privacy Information Center, and Professor Suter also observed that even before the Dobbs opinion was released, abortion access has long been an issue, especially for marginalized groups. After Dobbs, the lack of access to reproductive healthcare has become more widespread.

Another concern is the prosecution of women for self-managed abortions. The Nebraska case, now famous for resulting in a criminal conviction supported by Facebook messages between a mother and daughter seeking an abortion, was brought pre-Dobbs, under a law banning abortions at 20 weeks, In addition, women have long been prosecuted for behavior thought to endanger fetuses based on a variety of state statutes, such as child endangerment laws. Such prosecutions have disproportionately targeted low-income women and women of color.

The Limits of Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and Reproductive Data

While HIPAA protects privacy information, there are some little known exceptions. HIPAA does not protect health information outside of healthcare providers and their business associates. As Sara Geoghegan noted, there is a massive commercial consumer surveillance system that is mostly not regulated by HIPAA, and therefore can be used to access health data to support prosecutions.

There haven’t been many, if any, cases relating to an abortion ban in conflict with HIPAA. Evidence in the infamous Nebraska case against a mother and daughter seeking an abortion was collected from their personal Facebook messages, which are not subject to HIPAA. In Texas, a husband used text message evidence to sue his wife for obtaining medical abortion pills. In Indiana, an Attorney General attempted but failed to gain access to the medical records of a provider who had provided care to a minor.

In 2019, there were allegations of HIPAA violations in Missouri, where the State Health Director kept a spreadsheet of menstrual periods of women who visited Planned Parenthood. However, the Health Director argued that this data was part of an investigation into Planned Parenthood, and was not being shared more broadly.

In addition, there are some law enforcement exceptions of HIPAA that would allow, but not require, medical providers to share information with the state about abortions.

Federal Regulatory and Legislative Efforts to Protect Privacy

Amanda Newman, Senior Policy Advisor for Congresswoman Sara Jacobs, and Sara Geoghegan also discussed efforts being taken on the federal level to protect health data that could potentially be used to enforce abortion bans.

First, Congress and the Biden Administration are looking to bolster protections available under HIPAA. For example, the Global Health House Committee is considering strengthening HIPAA protections for health providers as they relate to investigating someone for providing abortion care. There is also a proposed rule by Health and Human Services (“HHS”) to prevent medical records relating to legally provided reproductive care from being given through HIPAA for the purposes of investigating or prosecuting reproductive care. Sara Geoghegan noted that she and the Electronic Privacy Information Center (“EPIC”) filed a comment on this proposed rule, arguing that HIPAA has the authority to extend this to all reproductive care, rather limiting the rule to “legally provided” reproductive care and to heighten the requirement for law enforcements to certify that the prosecution is unrelated to reproductive services.

There are even bills moving through Congress to codify the right to abortion and to protect reproductive data, but they are unlikely to be passed this term.

HHS has investigated a few hospitals for not providing emergency reproductive care. However, there is tension between HHS’s pressure on hospitals to provide emergency reproductive care, and potential criminal liability and negative professional repercussions in states where healthcare providers can only act when a patient’s life is in danger.

The Federal Trade Commission (“FTC”) has also used its authority to investigate and prosecute period and fertility tracking apps (as well as other apps that collect health and other private information) for fraudulently claiming that they do not share users’ information. In 2021, the FTC found Flo, the most popular period tracking app, to be in violation of deceptive trade practices for sharing consumer health data that it explicitly promised would remain private. The FTC has also enacted the Health Breach Notification Rule, which requires apps to notify users when their health data has been breached.

Sara Geoghegan observed that historically, the FTC’s enforcement has not deterred data collection practices by these apps, but rather only deters misrepresentations made by these apps. However, the FTC announced its Commercial Surveillance and Data Security Rulemaking last summer, which could meaningfully limit the collection and use of data and substantially strengthen protections of consumer data.

The Department of Education (“DOE”)has updated its Family Educational Rights and Privacy Act (“FERPA”) guidance to encompass the provision of the public university’s health services to be a part of a student’s educational record. This essentially removes HIPAA protections from student health records, given that the DOE’s guidance indicates that student health records that constitute education records or treatment records under FERPA are not protected under HIPAA.

Professor Suter noted that the Federal Drug Administration (“FDA”) has expanded access to the abortion pill, mifepristone, through the Risk Evaluation and Mitigation Strategy, which ensures that a drug’s benefits are greater than the risks. Through this program, the FDA has allowed access to the pill through10 weeks gestation rather than just 7 weeks, requires fewer doctors visits before approval, and now allows for supervision by non-physician medical providers. The FDA also allowed the mailing of mifepristone and prescribing it via telehealth visits as of 2021. This allows access to mifepristone in states where abortion is banned. However, this approach does run the risk that states with abortion bans would consider the individual taking the pills to be the “agent of the abortion,” in violation of the applicable state laws.

The Fifth Circuit’s recent decisions have pushed back on the FDA’s increased access to mifepristone, by upholding the lower court’s rejection of the FDA’s access expansion attempts. The Supreme Court put a hold on this ruling allowing expanded access to mifepristone and returning the case to the Fifth Circuit for further hearings. If the litigation is resolved in favor of mifepristone’s opposition, FDA approval of mifepristone would still stand, but telehealth visits would no longer be permitted, and access to the pill will only be available for 7 weeks.

Practical Steps To Protect Individuals’ Reproductive Health Data

Genna Fukuda and Clare Burgess, Lead Researchers for the Reproductive Data Privacy Initiative at the Ethical Tech Initiative, discussed how reproductive health data, and data generally, could be used to identify individuals seeking, obtaining, or aiding an abortions. They discussed how these risks can be mitigated using measures set forth in “A Student’s Guide to Reproductive Data Privacy.”

Genna Fukuda broke down the risks into two categories: risks of data usage for those already suspected of having an abortion, and risks for those whose data could help identify them as an individual in the process of seeking or obtaining an abortion. She explained that law enforcement can obtain data via warrants about individuals already suspected of obtaining an abortion. Messaging platforms that do not use end-to-end encryption have copies of users’ messages that can be obtained by law enforcement via warrants. Even if end-to-end encryption is used, she explained, the content of these messages could still be accessed by requesting iCloud or other phone backup storage from the companies that house that data. Location data recording an individual’s whereabouts at a given time can also be requested via warrant.

In addition, Genna Fukuda explained that data can be used by law enforcement to create suspect lists using “reverse warrants.” Geofencing allows for individuals to be identified if they passed through a specific area during a specific time period while sharing their location. Reverse keyword warrants can identify individuals who have used or searched key terms within a given time frame.

These “reverse warrants” are already used by law enforcement to create suspect lists for non-abortion law enforcement purposes. The only protections that currently exist against “reverse warrants” are the privacy policies created by the private companies that house the data. Sara Geoghegan noted, for example, that Google has provided the location data of individuals who passed through a geofence in a criminal matter unrelated to abortion. There are no known cases where suspect lists have been created using these methods in abortion cases, but the spreadsheet of women’s menstrual cycles kept by Missouri’s Health Director suggests that this is not beyond the realm of possibility.

Genna Fukuda noted that the aggregation of data about an individual can support inferences that can create a strong case against an individual for obtaining an abortion, even where evidence is not explicit. Minimizing the data available to law enforcement is therefore an important step to protect against prosecution.

Sara Geoghegan remarked that “incognito mode” is not sufficient data protection in these cases and noted that search engines like DuckDuckGo have stronger protections for browsing history. Using a public computer that does not require a login for access can provide another safer alternative. Shenoted that school accounts and school wifi should be avoided because the administrators of these accounts can potentially view account activity. While observing that individuals should not be required to protect themselves from our massive commercial surveillance system, this is unfortunately our current legal reality in the United States.

Clare Burgess also emphasized the importance of choosing an internet browser based on the information it may make available to Meta Pixels. Many websites use Meta Pixels, which allow Facebook to collect information from these sites, regardless of whether an individual has a Facebook account. In 2022, hundreds of pregnancy crisis centers were found to have Meta Pixels on their websites. Information collected includes where on the website an individual clicked, their reason for visiting the site, and how they were directed to the site (for example, if an individual Googled “abortion care”).

Clare also observed that using virtual private networks (“VPNs”) is a helpful, but not a foolproof, method of protecting data. VPNs prevent browsing information from being subpoenaed from internet providers. However, Clare also noted that some VPNs are more trustworthy than others, and are more effective on computers than phones.

Data brokers are companies that collect and aggregate data on individuals to sell. Law enforcement can therefore purchase data on individuals, without a warrant. Professor Nunziato highlighted that the guide suggests turning off ad identifiers to restrict apps on your phone from sharing information with one another.

Additional Discussion

Audience members raised concerns about the tension between their First Amendment rights to know and convey information across state lines, and abortion bans that criminalize aiding and abetting an abortion. Sara Geoghegan indicated that there are many potential First Amendment issues regarding these laws that have not played out yet. In particular, she noted that reverse keyword warrants may threaten First Amendment rights. Amanda Newman commented that there is a fairly robust argument that data itself is speech, creating a potential tension between a company’s right to share data and individuals’ reproductive data privacy. This tension underlies some of the issues with creating an outright prohibition of all data sharing and makes data minimization an important tool for state and local governments to use, given that minimization does not run into the same issues.

Audience members also asked about responses from the private sector (including the social media companies) to demands for individuals’ reproductive data. Sara Geoghegan took the position that “a pinky promise is not enough” (from a company like Google or Facebook, for example) to protect a consumer from criminalization. For example, she observed that, although Google previously promised that it would not collect location data around abortion clinics, and that it would delete the data after it was no longer necessary, it did not uphold that promise. Furthermore, many private companies like Facebook and Google who house data offer to pay for travel for employees who seek abortion care, but do not meaningfully limit the collection of data in a way that could protect all of their consumers.