Future of Data Privacy

Privacy professionals will face a complicated legal landscape after the Supreme Court releases its opinion in Dobbs v. Jackson Women’s Health Organization. Based on the cornerstone of legal precedent, what used to be an established constitutional right to abortion has been struck down by the highest court in the United States.   

Amid these uncertain times, privacy professionals must brace for the impact this judicial decision will have on their organizations and how it might affect federal and state privacy laws.

Our Masters Degree in Cybersecurity and Data Privacy strives to prepare non-lawyers with a foundational knowledge of the American legal system. In a previous article, we explained that three branches of the government share the powers to enact, approve, and interpret laws. Today, we will turn to Dobbs v. Jackson as the perfect vehicle to discuss legal precedent as a source of rights and obligations. 

Inter saxum et locum durum

“Inter saxum et locum durum” is Latin for “between a rock and a hard place,” the phrase that most accurately describes the current situation of legal and privacy professionals trying to balance the sudden shift that Dobbs v. Jackson created. 

As far back as the Federalist Papers, there are mentions of the importance of upholding legal precedents. Stare decisis, Latin for “let the decision stand,” is a cornerstone of our judicial system. Some scholars theorize that judges embraced the doctrine to shield themselves from outside attacks and legitimize judicial power. For instance, when the plaintiffs in Dobbs v. Jackson contested the constitutionality of a Mississippi law that prohibited abortions after the fifteenth week of pregnancy, they argued that the law was unconstitutional under the precedent set in Roe v. Wade

Dobbs v. Jackson – Stare decisis interrupted 

Contrary to expectations, the decision from Roe v. Wade didn’t stand (a chance) in judge Alito’s court. We had a glimpse of this outcome when a draft of the court’s opinion was released prematurely. In 1973 when the case was decided, the court in Roe v. Wade held that people had a constitutional right to abortion, implied in the right to privacy that springs from the First, Fourth, Fifth, Ninth, and Fourteenth amendments of the United States Constitution. Over the years, the doctrine has suffered changes and restrictions. It was already a controversial decision because there isn’t an explicit mention in the United States Constitution of the right to privacy or abortion.

Judge Alito drafted the majority opinion in Dobbs and expressly defended the majority’s reversal of Roe and the line of later decisions that affirmed it:

“We hold that Roe and Casey must be overruled. The Constitution makes no reference to abortion, and no such right is implicitly protected by any constitutional provision, including the one on which the defenders of Roe and Casey now chiefly rely—the Due Process Clause of the Fourteenth Amendment. That provision has been held to guarantee some rights that are not mentioned in the Constitution, but any such right must be “deeply rooted in this Nation’s history and tradition” and “implicit in the concept of ordered liberty.”

This ratio decidendi, or rationale for the decision, leads the court to the following conclusion: “given that procuring an abortion is not a fundamental constitutional right, it follows that the States may regulate abortion for legitimate reasons.”

Adding more patches to the quilt of privacy laws

As privacy pros, we are familiar with the expression that there is a patchwork of laws regulating data privacy in the United States. There is no overarching data privacy law; instead, privacy in the U.S. consists of a web of industry-specific regulations, state laws and self-regulatory frameworks, which intersect with each other most of the time.

Dobbs further complicates that picture for two reasons: (1) it calls into question the long-standing principle that the U.S. constitution recgonizes some privacy rights via other provisions; and (2) it creates immediate practical privacy issues related to the enforcement of state abortion restrictions, that already are emerging. 

Congressional Reaction

Calls to codify Roe v. Wade into brand-new legislation came from all directions, including the Executive Branch.  Changes in federal legislation will take time and are uncertain in the current political climate. As we learned when discussing the journey of the American Data Privacy and Protection Act (ADPPA), enacting and approving laws is an arduous task.

ADPPA and Dobbs

The Supreme Court’s decision to leave regulation of abortion to the states may have repercussions on the American Data Privacy Protection Act. Per The Washington Post, there is increasing concern that the privacy protections for women in the ADPPA won’t be sufficient Post-Dobbs. The decision also threatens the already fragile consensus over the subject of preemption. People are worried that if a weak ADPPA preempts state privacy laws, abortion protections in progressive states will be undermined.  

Another concern with the proposed federal privacy bill is the waiting period in the private right of action clause. If the ADPAA passes unchanged, injured data subjects whose reproductive information might be disclosed and monetized by apps or data brokers will have to wait four years to sue them. 

Would it be a good move to introduce changes to the bill to strengthen privacy protections for people seeking abortions? The ADPPA has made great strides toward becoming law, but that support could split along party lines with a subject so polarizing as abortion.  

HIPAA and Disclosures to Law Enforcement

Because procuring a safe abortion is a medical matter, privacy professionals in the healthcare industry must be aware of the challenges the decision will bring to their organizations. A considerable consequence of Dobbs v. Jackson is that most states prohibiting abortion classify the act of performing an abortion as a felony. HIPAA expressly permits disclosure of otherwise protected health information where necessary to investigate a crime. Dobbs raises difficult questions about how healthcare organizations will apply the so-called “crime investigations” exception. 

HIPAA’s Privacy Rule prohibit unauthorized disclosure of individually identifiable health information, called protected health information or PHI, held by most health care providers, health plans, and their business associates.  

There are exceptions to this rule, where law enforcement could procure the release of PHI to prosecute patients or health practitioners in states where abortion is criminalized. The following exceptions to the Privacy Rule may apply:

  1. To prevent or lessen a serious and imminent threat to the health or safety of an individual or the public–if state law forbids abortions because the fetus is an individual at conception, this exception could apply.
  2. To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the premises of the covered entity.
  3. To comply with a court order or court-ordered warrant, a subpoena, or summons. 

HIPAA does not preempt state laws that add more stringent requirements. Privacy professionals should familiarize themselves with these exceptions and consult with their legal counsel before volunteering patients’ PHI when presented with a court order.

Executive Action

So far, we have discussed various tracks. Congress could turn the once-Constitutional right to abortion into law. They could reinforce existing statutes to include privacy protections. Other routes could lead privacy professionals to anticipate using existing legal mechanisms and be ready to contest them. All these routes are uncertain, some of which we might never see. To get a glimpse into the future areas of concern regarding privacy post-Dobbs, we should turn to the Executive Order issued by President Joe Biden.    

Seeking information about reproductive health will generate data that could be used as evidence in a criminal case. For example, visiting an abortion clinic’s website, checking its address on google maps, buying a plane ticket, or the geolocation information from our smartphones can paint a vivid picture of probable cause.  

The Biden administration is anticipating that patients’ internet browsing information could be at stake. To counteract deceptive and unfair practices around that kind of information, the White House has implemented guidelines through the Executive Order’s Fact Sheet stating the need to protect the privacy of patients and their access to accurate information. In addition, the President has mandated that the Chair of the Federal Trade Commission consider taking steps to protect consumers’ privacy when seeking information about and providing reproductive health care services.  

The FTC’s involvement should warn privacy professionals that deceptive and unfair practices around browsing history collection will subsequently be on their radar. Companies must be aware of the data they are collecting, and if and how they are sharing it with third parties. Always line up your practices with your privacy notices to prevent the FTC’s enforcement actions.