Roe v Wade and The Erosion of Women’s data privacy

US anti-abortion protest with a protestor holding a 'keep abortion legal' sign aloft
Image by Gayatri Malhorta

The overturning of Roe v Wade by the U.S. Supreme Court on the 24th June this year (2022) has upended women’s reproductive rights in the USA. It is unlikely to end there. As the ripple effects continue to be felt across the States and beyond, serious questions regarding erosion of women’s privacy are being raised. Google search histories, location and financial data, and third-party medical app data may all be used to persecute women who choose to terminate their pregnancy, with instances including even women whose pregnancies may have been naturally lost. The answers to these privacy questions posit a deeply unsettling future for women in America and the use of their personal data.


Personal Data In A Post-Roe World

Since the Supreme Court ruled that the constitution of the United States granted the right to an abortion in 1973, the abortion debate has often been an aggressive point of division in American society. Individuals who have attended planned parenthood clinics (where abortion procedures can be conducted) in the USA (as well as those who work in them) have often had to face a gauntlet of protestors, regularly receiving abuse and threats of violence. In 2009 George Tiller, a physician known to be one of the few doctors who performed ‘late-term abortions’ was murdered at his Church by an anti-abortion extremist.

The rhetoric (and follow throughs) of violence against abortion providers and seekers has acted as a deterrent for many even before the abolition of Roe v Wade. However, it has largely been assumed that physical anonymity can provided a degree of safety.

Personal data collection practices have changed this.

In a Vice report it was discovered that until May 2022 anyone could buy the data of clients of over 600 planned parenthood sites for as little as $160. The information these data sets contained included approximate patient addresses (indicated by where the individual’s phone ‘slept’ at night), income bracket, the time spent at clinic, as well as places attended before and afterwards. This information was collected by third party applications by a company called SafeGraph on attendees’ mobile devices.

Whilst the Health Insurance Portability and Accountability Act (HIPAA) ensures the protection of medical records and protected health information (PHI) by healthcare facilities, researchers and anyone doing business with healthcare operations, it does not cover third party applications or tech companies. Post-Roe, Google announced plans to delete location history for users who have visited abortion clinics, but independent testing been suggested that these changes can be easily circumvented.

The Effect of 'Femtech'

The effects of Roe v Wade on privacy may further be compounded by the growth of ‘Femtech’ and Health tech applications.

The term ‘Femtech’ has been coined to describe technology that focuses on women’s health. This includes period-tracking apps, fertility tracking and solutions, as well as pregnancy tracking apps. It is a booming industry that has recorded rapid growth; Global Market Insights (GMI) has projected a market value of $65.3 billion by 2027. Femtech applications are also one of the most downloaded sectors on young women’s devices and their reach is expanding across the globe as the market develops. Indeed, their level of use may soon be similar to that of social media applications amongst young people.

The information that these applications contain is often significantly different and more sensitive than that which is contained on other applications. Under the GDPR, medical and health data are classified as special category data – a subset of personal data that has been deemed more sensitive (and therefore a more significant risk if lost) to the data subject it is collected from. Whilst the GDPR’s jurisdiction does not extend to the USA, the special nature of medical data are reflected in the existence of the HIPAA, one of the few federal personal data protection regulations that that USA has in place.

However, in a recent survey it was found that nearly 90% of top 23 women’s health apps in the US share data with third parties. Moreover only 50% request the user’s permission to do so. It is therefore likely that vast swathes of sensitive information related to women’s health is being shared and sold by these apps without users being aware of this.

In India, the Femtech app MAYA was reported to data protection authority in 2019 for sharing reproductive health data with Facebook for targeted advertising. It should be noted that since the revocation of Roe v Wade several Femtech companies (such as Flo Health and Clue) have issued public statements reassuring their users of their safety.

As the use of technology grows across all areas of life, privacy and health data are being intrinsically entangled with our digital footprint. For women this digital footprint may well be used against them.

The Weaponisation of Personal Data

Unfortunately, the weaponization of their own personal data against women has recent precedent in the case of Latice Fisher.

In 2017, Latice Fisher was charged with secondary murder after the stillborn birth of her new-born child. Prosecutors claimed that she caused the foetus’ death despite the Mississippi State Medical examiner’s office concluding that there was ‘no identifiable evidence of external or internal traumatic injury that would have contributed to the death.’ Evidence provided by the prosecution focussed on included her online search history, which included queries on how to induce a miscarriage and how to buy abortion pills online. There was no evidence that she had taken these pills.

Although Fisher was eventually acquitted, the collection of internet search history and text messages to provide evidence of intent to end a pregnancy was used to prosecute Purvi Patel, an Indiana woman for ‘feticide.’ She was found guilty and sentenced to 20 years in prison, although this conviction was later overturned.

These examples are shocking, but not outliers.

Government agencies and law enforcement agencies regularly subpoena data records, including search history and location data, during investigations. With the removal of the right to abortion, many anti-abortion state legislatures immediately passed ‘trigger laws’ which immediately banned almost all forms of abortion. State law enforcement, if choosing to prosecute individuals who they believe may have deliberately terminated their pregnancy, will likely seek to use the internet histories of suspects as well as location data, purchase histories and other forms of personal data to build their case. They may even request data from third party applications such as Facebook who reserve the right to pass the information on to law enforcement.

Of course, googling ‘how to induce an abortion’ is not the same as undertaking the procedure. As Laurie Bertram Roberts, a spokesperson for Latice Fisher, states: “Lots of people Google about abortion and then choose to carry out their pregnancies… thought crimes are not the thing. You are not supposed to be able to be indicted on a charge of what you thought about.”

Fisher spent several weeks in jail before a new Grand Jury acquitted her of all charges. All this whilst still processing the death of her child.

How to Fight Erosion

Countering the potential erosion of data privacy and women’s rights is a mammoth task and one that will require public bodies and private industry to act in concert.

This is an unlikely prospect.

Instead, there are three areas in which additional protections can be implemented to better safeguard women’s data.

Legislative Changes

Changes to legislation would provide the most significant improvements to the protection of women’s data in the USA.

As previously stated, HIPAA does not extend to third-parties or technology companies. The inclusion of these into the legislation would extend protection of sensitive medical data beyond its current limitations. Tighter regulation of the data collection and purchasing activities of major tech companies will also improve protection and develop transparency surrounding these practices.

Recently, democratic lawmakers have asked federal regulators to investigate Apple and Google for deceiving users about data collection techniques. In 2019, the regulators investigated Google for its ‘Project Nightingale’, a deal with Ascension health to gather information on millions of patients.

There has also been talk of attempting to implement stronger federal data protection legislation in the US, although the timeframe and potential progression of this is unknown.

Realistically, legislative changes will not be forthcoming. Stronger protection of women’s data does not suit lawmakers, especially those in staunch anti-abortion states.

Private Industry Changes

Whilst legislative changes are unlikely to be implemented soon, immediate controls to improve the protection of this personal data can be implemented by tech companies themselves.

Since the revocation of Roe v Wade, several businesses have made public statements to reassure women users of the safety of their data. Both Flo Health and Clue’s websites focus on the safety of their user’s personal data, promising to not share this information with any other business. Apple have stated that their devices do not store location data in a format accessible to the company and therefore cannot provide the same ‘geofence’ (location tracking) data that Google can.

However, reassurance must come hand-in-hand with transparency.

Incidents such as the ‘Project Nightingale’ do not instil user confidence in Big Tech. As the data we provide through our online (and even offline) activities grows, transparency surrounding their activities and the conclusions of their processing must be ensured. In 2012, Target’s marketing algorithm realised that a teenage customer was pregnant and started sending coupons for ‘baby-growths and cribs’ to her house.

That was how her family discovered that was pregnant.

The information that these companies have on their data subjects is staggering, and the conclusions that this processing provide can result in significant privacy violations. The ethical responsibilities of these businesses towards their female users must be reflected in their approach to data subject privacy.

Individual Awareness

Ultimately the first defence against this erosion must start at the individual level through developing awareness and tools to aid in the protection of sensitive personal data.

Abortion rights activists have suggested that people in states where abortion is outlawed should try to limit the creation of such data in the first place. One way to do this is through turning off phone location services — or just leaving your phone at home — when seeking reproductive health care. Using more privacy-conscious web browsers such as Brave, Firefox and DuckDuckGo, will also help as well as users reviewing and double-checking their privacy settings.

There are also ways to turn-off ad identifiers on both Apple and Android phones that stop advertisers from being able to track you. For example, Apple will ask you if you wish to be tracked each time you download a new app. For apps you already have, the tracking can be turned off manually in your device’s settings. Users should also check the privacy notice of any Femtech or Health Tech applications that they install to ensure that they are aware of the data sharing that is going on.

Abortion rights activists working in already anti-abortion territories have also provided various examples for personal data protection activities when handling sensitive data. In the Philippines, women’s rights groups and individuals seeking abortions have helped create anonymous groups to provide advice on Facebook, Telegram and Signal. In Poland, where abortion is severely restricted, activists such as ‘Abortions Without Borders’ take extra precautions when processing information and utilise virtual private networks. All communication with the individual undertaking the procedure is deleted once they have completed it, and some groups also provide travel to and pay abortion clinics in other territories directly to ensure that there are no digital records.

The Polish government has sought to fight back against this. This year (2022), they approved measures that require Doctors to create an effective ‘pregnancy register’ using medical data of their patients.

Placing the responsibility for their own protection on women is of course the least ideal scenario. In an ideal world, personal data protection is baked into the applications and internet processes that women in these territories use.

We are not in an ideal world however.

Until a proactive stance is taken by both those who conduct and those who oversea personal data collection the individual approach is the most effective way in which women’s data can stay protected.

A Problem for One is a Problem for All

For women in the United States the attack upon their reproductive rights is not an isolated one.

As we have seen, the right to privacy goes together with the right to control their own body; the deterioration of the latter is going to have significant consequences upon the former. In a statement following the revocation of Roe v Wade, the International Association of Privacy Professionals (IAPP) articulated the thoughts of both women’s and privacy activists: ‘Along with the abolishment of the right to abortion, the decision threatens the right to privacy.’

As women in the USA and other anti-abortion territories face the degradation of their reproductive rights, we must all be alert to the secondary erosion that this is creating. Until public bodies and private industries decide to combat this erosion, we must ensure that awareness is spread surrounding these data tracking activities.

Erosion of individual rights rarely ends where it begins, and the threat to women’s data privacy is a threat to the data privacy of all.  

About Us: Tacita are GDPR compliance experts. Tacita help clients achieve and maintain GDPR compliance. Get in touch to explore our range of GDPR services including the Tacita GDPR Audit, GDPR Consultant Service and the GDPR Toolkit.

Share this article: