How Comprehensive Privacy Legislation Can Protect Reproductive Privacy

know about How Comprehensive Privacy Legislation Can Protect Reproductive Privacy

in details

Supreme Court dobbs annulment of the decision Roe vs. Wade has raised concern questions on the state of the jurisprudence of the right to privacy of the Court. However, on a more immediate level, the decision has also triggered deep concern about its impact on the privacy of information of women who abort while living in states that prohibit abortion, as well as others who help them, promote travel to other states, or sell abortion drugs.

With abortion bans in several states taking effect immediately, state prosecutors, or anti-abortion activists, can begin to investigate and prosecute. As they do so, they can search for evidence not only of the targets’ devices and accounts, but also of the wide range of application providers, communications services, advertisers, and data brokers capable of collecting unlimited information today. This type of evidence may include geolocation data that reveals visits to places where abortions are performed and the duration of the visits; data from “femtech” apps and devices showing interruptions in menstrual cycles; web searches for abortion services or help; data or communications with providers or family members about obtaining an abortion; and payment data reflecting purchases of abortion services or medications, among many sources of digital evidence. For example, Fitbit data has already been used to discredit an accusation of rapeso it could be used to discredit a similar exception to abortion restrictions.

In response to dobbs decision, House Speaker Nancy Pelosi (D-Calif.) to write members of the House marking the work on legislation to “[p]Protect the most intimate and personal data of women stored in reproductive health applications”. In anticipation of the decision, Sens. Elizabeth Warren (D-Mass.) and Ron Wyden (D-Ore.) introduced a bill to prevent data brokers from selling health and location data, and Rep. Sara Jacobs (D-Calif.) introduced a My Body, My Data Act to establish privacy protections for “personal reproductive or sexual health information.” Advice to women on covering digital tracks has been abundant.

In light of this, it is worth examining how pending comprehensive privacy legislation would protect this type of information. The bipartisan American Data Protection and Privacy Act (ADPPA) is the most likely vehicle for such legislation, as the Subcommittee on Consumer Protection and Commerce of the House Committee on Energy and Commerce unanimously reported on June 23, 2022, and is expected to take effect. to the full committee for a raise after the July 4th recess. Therefore, the bipartisan ADPPA is by far the bill with the best prospect of passage in this Congress, and the first comprehensive information privacy legislation that has ever existed. none real perspective step.

See also  Title X: Federal contraception program gets new attention after Dobbs

ADPPA would provide material limits on more focused data collection, use, and sharing in lieu of the current anything-goes system, and would provide rights that give individuals greater control over the information that can be linked to them. Women’s health information is a subset of the bill’s “covered data” and would be subject to additional protections as “sensitive data” (as in some other comprehensive privacy bills, including the Comprehensive Privacy Bill). Online Privacy introduced by Sen. Maria Cantwell (D- Wash.). ADPPA would accomplish the essence of the Warren-Wyden and Jacobs bills, and then some.

Under the heading “sensitive data,” the ADPPA includes information about “past, present, or future physical health, mental health, disability, diagnosis, or health care condition or treatment.” Unlike HIPAA, the health information statute that many people are familiar with in the health care context, this coverage applies to everybody such information regardless of whether it is in the hands of a covered provider. That would encompass most of the data of concern as a result of dobbsincluding femtech apps, smartwatches, and web searches, as well as health information and sexual and reproductive health information targeted by the Warren-Wyden and Jacobs bills.

In addition to this important category, the definition of “sensitive data” includes genetic information and biometric information, which can be used as identifiers, and all data about anyone under the age of 17. The latter category would add protection for younger teens. that may be subject to unwanted pregnancies. Sensitive data under ADPPA also includes precise geolocation information, which is a subject of the Warren-Wyden bill.

The definition of covered information includes “derived data”, personal information obtained from analyses, inferences and predictions based on covered personal data. This would cover instances like Target’s famous ad targeting of pregnancy and baby products to a pregnant teenager whose family did not know of her pregnancy.

ADPPA protects all personal information by requiring that the collection, use, and sharing be “limited, necessary, and proportionate” for the delivery of requested services and products or communication reasonably expected by individuals, and permits specific uses, such as order fulfillment. , billing, security and maintenance and improvement of services. For sensitive data, it also prohibits sharing personal information with third parties, such as advertisers and data brokers, without the express and affirmative consent of individuals. And if such data is shared, it may not be processed beyond the purposes for which consent was given.

See also  Health App Providers May Have Confidentiality Obligations Under State Law | Manatt, Phelps & Phillips, LLP

Some have argued that women should get rid of apps or devices that monitor menstrual cycles and all their data. ADPPA proposes some means to control such information. It would give people rights to access data linked or linkable to them (free of charge at least twice a year) and delete it. It also requires a means for individuals to withdraw previously provided consent and opt out of targeted advertising and data transfers to third parties, providing some control over online tracking or data aggregation that could be revealing, as in the case of Target.

The protections covering the collection, use, and sharing of personal information in the ADPPA would allow compliance with federal, state, local, and tribal legal requirements. This means that even sensitive information is not immune from legal process by law enforcement. The Electronic Communications Privacy Act (ECPA) provides significant restrictions, particularly for the stored contents of electronic communications, although a widely followed court decision imposing a warrant requirement has never been codified into law. nor adopted by the Supreme Court. Law enforcement access implies a different legal regime and privacy debate about what restrictions should be placed on such processes, either generally or for health information.

However, the protection proposed in ADPPA should reduce the volume of data in private hands available through legal process, as well as freely available to law enforcement (or vigilante bounty hunters) through commercial sources, on the web, or through mobile devices. monitoring and behavior online. It would also give covered entities a legal basis to refuse to provide information simply because a police officer or prosecutor requests it and, as the law later enacted, should override the latitude in ECPA for non-government entities to obtain data that they are not content. or metadata, about electronic communications.

See also  Parliaments promote the health of women, children and adolescents in times of COVID-19

ADPPA also extends civil rights protections to processing of personal information that discriminates on the basis of protected classes, including discrimination “on the basis of sex.” Along with provisions requiring companies to assess and mitigate “privacy risks” and test algorithms, these protections should raise awareness of the impact of data use on women.

Senator Maria Cantwell’s majority staff on the Senate Committee on Commerce, Science and Transportation sent a note to members arguing that the ADPPA does not adequately protect women’s reproductive information because restrictions on private lawsuits will make it difficult for women to sue for violations. The basic scope of private rights of action in the ADPPA and a Cantwell draft are similar, but the ADPPA right would not be available until four years after the effective date of the law and subject to very specific requirements of notice and pleadings that could bar some claims. ADPPA also does less to limit mandatory arbitration clauses and class action waivers on privacy claims.

These litigation restrictions do not alter the significant changes that ADPPA would make to existing information ecosystems. If the House passes ADPPA, Senator Cantwell and Senate Democrats should think long and hard about whether they want to stand in the way of enacting far-reaching privacy protections covering sexual and reproductive health information over claim limits. There are aspects of the ADPAA that can be improved, but the main differences between the negotiators have room for compromise. Four years leaves room to bring forward the date lawsuits can begin, while allowing ample time to adjust to compliance. There are many different ways to limit lawsuits (some suggested in our 2020 report on ways to close privacy bill gaps). And both bills place some limits on pre-dispute arbitration waivers as they moved away from polar all-or-nothing positions in 2019.

At the end of the day, as with gun legislation, it will be better to do something than leave a system unrestricted, and ADPPA would do much more for data privacy than the new gun law would do for gun safety. And instead of requiring specific legislation, the risk to women’s health and healthcare information adds urgency to the opportunity for a baseline of protection for the personal information of every woman, man and child in the United States. .