Impact on Data Privacy
The Evolution of Privacy Rights in a Post-Roe World
Digital platforms and other companies maintaining any personal or health information that relates to pregnancy or obtaining an abortion are subject to new enforcement and operational challenges following the ruling in Dobbs v. Jackson Women's Health Organization. If a company maintains any individually identifiable information that can be used as proof of termination of a pregnancy, the company could be required to provide that information in response to subpoenas from law enforcement agencies seeking to prosecute an abortion, depending upon how that information is used and maintained.
Assess and Examine
The U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization has put a new spotlight on a wide variety of companies that maintain customer data that can, by itself or combined with additional data maintained by other companies, be used to support prosecutions under anti-abortion laws.
Vast quantities of identifiable health information increasingly reside in digital technologies used by individual consumers and health care entities. In the wake of the Dobbs decision, which overturned Roe v. Wade, any organization or digital platform that maintains customer data that could be used to build a case that an abortion was illegally obtained or provided is advised to evaluate how it collects, stores, and uses data; how its privacy policies address the disclosure of data pursuant to law enforcement requests (e.g., subpoenas or warrants); and how to respond to customer inquiries and concerns that the data is subject to this new risk of disclosure.
Evaluate state and federal privacy law.
Laws governing data privacy are rapidly evolving at the state and federal levels. Organizations dealing with identifiable health information are often regulated by the Health Insurance Portability and Accountability Act (HIPAA) on the federal level and a wide array of state laws. The Dobbs decision impacts the privacy of protected health information under HIPAA as well as many other types of data that may relate to abortion, whether or not health related. The Dobbs decision also affects a wide array of companies that may have data relevant to law enforcement efforts under a state abortion law. Further, it is likely that companies maintaining non-health-related data may be impacted if such data can be combined with other data to support prosecutors pursuing a conviction under anti-abortion laws. These companies are well advised to evaluate the data they collect, whether and to what extent that data is necessary to their business, and what the options are for handling and encrypting that data to minimize the likelihood that it could be demanded in a law enforcement proceeding.
Certain states are increasing privacy protections in a post-Roe world. Thus, corporate decisions should also factor in state data protection laws proposed or passed in response to Dobbs that protect some of the potentially relevant information. A recent example can be found in Connecticut, which passed the Reproductive Freedom Defense Act, designed to protect HIPAA-covered entities and individuals from liability related to reproductive health services legally performed in Connecticut but that may be illegal elsewhere.
Review Compliance Standards
Organizations should do the following:
- Consider additional measures that you may take to manage personal information gathering, maintenance, and use to avoid or minimize liability and involvement in civil and criminal matters.
- Review the content of your website terms and conditions and privacy policies in light of any changes in data collection and management. This may include developing consumer-facing materials explaining applicable protections for reproductive health data.
- Consider future cybersecurity concerns, such as cyber criminals holding personal information related to reproductive health services for ransom.
- Consider whether to engage legislators in passing state data protection laws to help shape the legislation governing the types of data that will be protected and/or the purpose for the use of that data.
The team at Epstein Becker Green is well suited to assist your organization with addressing these matters and ensuring compliance.