Written by Haim Ravia and Dotan Hammer
This client update discusses the recommended approach for companies looking to minimize their processing of information indicative of abortion which may be a concern to women given its sensitivity and risk of unintended exposure.
As virtually everyone has already heard, the Supreme Court of the United States recently reversed its historic holdings in Roe v. Wade (1973) and Planned Parenthood v. Casey (1992). In the June decision of Dobbs v. Jackson Women’s Health Organization, the Court held that the Constitution of the United States does not confer on women a right to abortion and left the matter open to state-level legislation and regulation. As a result, a growing number of states in the U.S. are at different stages of establishing laws that criminalize abortions, for the health practitioners that perform abortions and, potentially, the woman that undergo them.
Digital platforms as exposable data sources
As enforcement of state laws that proscribe abortions gears up, some are concerned that the states will target digital platforms with court orders, court-ordered warrants, subpoenas or a summons. Those legal instruments could compel platforms to produce the information they store or otherwise have access to that may be indicative of a proscribed abortion.
Amid these concerns, Google recently published a blog post announcing that it will soon implement a data deletion policy: if Google systems identify that a Google account holder has visited places of particular sensitivity such as abortion clinics and fertility centers, Google will proactively delete these location history entries from the user’s account. Once information ceases to exist, it can no longer be seized by law enforcement agencies. Other Internet giants have followed suit.
The U.S. Department of Health and Human Services (HHS) also issued guidance on the HIPAA Privacy Rule and its applicability to disclosures of information relating to reproductive health care. According to the guidance, entities subject to HIPAA should only disclose information to authorities when it is required by “a mandate contained in law that compels an entity to make a use or disclosure of [health information] and that is enforceable in a court of law”.
Finally, the President of the United States recently signed an Executive Order on Protecting Access to Reproductive Healthcare Services. Among other matters, the Order encourages the FTC and directs the Secretary of HHS to consider actions to “strengthen the protection of sensitive information related to reproductive healthcare services”. It also directs the Secretary of HHS to “consider actions to educate consumers on how best to protect their health privacy and limit the collection and sharing of their sensitive health-related information”.
Data minimization as a guiding principle
Depending on the social values they wish to support, some small and medium-sized platforms may also desire to advocate for women’s access to abortion care by taking steps designed to ensure that they do not jeopardize women’s privacy if they are served with orders or warrants to produce information indicative of abortions. If this is the policy you wish to implement, we recommend the following steps:
- Map out the information you collect that may potentially expose those performing or undergoing abortions if that information were to be available to law enforcement. This will typically include location based data.
- To the greatest extent possible, redesign your platform to refrain from the outset from collecting such information. This approach is preferable to merely deleting the data after-the-fact because data collected and later deleted attracts greater legal liability than data that was never collected in the first place.
- Where that is not possible, carefully design and establish a periodic and frequent data deletion schedule to discard data automatically and irretrievably. Be sure to do so in such a way that –
- Does not require using or processing any other sensitive information; and
- Neither the resulting absence of data in the database nor the system logs recording the deletion, would shine the light on instances of abortion.
We are available to assist with any questions regarding the topic discussed in this client update.
Haim Ravia HRavia@PearlCohen.com, Dotan Hammer DHammer@PearlCohen.com
Cyber, Privacy & Copyright Practice Group