The My Body, My Data Act was announced by California Democrat Congresswoman Sara Jacobs on June 2nd, 2022. Introduced in the House of Representatives on June 16th, it has a clear mandate: to create the first national standards in the United States for the protection of a person’s personal reproductive health data.
It emerges from a lacuna of protections preventing personal reproductive health data from being shared, received, or stored by third parties in the United States. Personal reproductive health data includes fertility data collected by apps tracking periods. Personal data collected while searching for reproductive services also remains unprotected, as does data collected by pregnancy and abortion centres.
Why should this kind of data be legislatively protected at all? Generally speaking, there’s the fact that health data is highly sensitive—and can be used by third parties to harm individual interests. ‘A person’s health data may be bought by advertisers who may target them with medicines or treatments relevant to their health, irrespective of how harmful these ‘solutions’ might be,’ explains Anushka Jain, Associate Policy Counsel (Surveillance & Transparency) at the Internet Freedom Foundation, speaking to MediaNama. ‘It’s also useful for insurance companies—once they know a person has a specific affliction, their coverage charges may go up. That’s why it’s important to protect all kinds of health data, and this is why we see a higher degree of protection for it across jurisdictions. Its sale to third parties has the potential to affect people’s well-being and living standards.’
As Jacobs’ press release notes, reproductive health data is particularly relevant given recent developments in abortion rights in the United States. On June 24th, the Supreme Court of the United States overturned its landmark 1973 Judgment, Roe v Wade. With this move, abortions are no longer a constitutional right held under the Right to Privacy.
Now, as many as 26 States in the US are likely to ban abortions, or severely restrict them. In the process, these States are also likely to increase surveillance of citizens seeking information on the now criminalised practice online. ‘Anti-abortion states now have highly sophisticated 21st-century technology to enforce bans,’ says Will Owen, Communications Manager at the Surveillance Technology Oversight Project (S.T.O.P.), in conversation with MediaNama. ‘We fear they will use all surveillance technologies possible to criminalise people seeking essential abortion care and medically accurate information about reproductive health.’
Why it matters: Legislation like the My Body, My Data Act offers some data privacy and protection for those seeking information on abortions that are banned within their jurisdictions—it may enhance the overarching Right to Privacy that June 24th’s Judgment partially chipped away at. It also highlights America’s ‘patchwork’ approach to data protection, where issue-specific privacy laws are tabled as and when new technology-related harms arise. These piecemeal approaches to data privacy may be important to consider against the backdrop of India’s rapidly digitising healthcare sector—like the US, its rise is also happening in the absence of a national data protection law.
The Bottom Line: Limiting the Collection of Personal Reproductive Data
The broad provisions of the My Body, My Data Act include limiting the personal reproductive health data collected, used, or retained by a service. This means companies can only collect as much data as is needed to deliver their product seamlessly to a consumer. To that end, it also demands that entities collecting this data clearly outline how they collect and use this data in their privacy policies.
For consumers, it puts forth additional protections, such as allowing them to access and view their personal reproductive health data, or to even delete it. It creates a ‘private right of action’, for individuals to hold potential violators accountable.
The Act suggests that the Federal Trade Commission (FTC)—the United States’ competition regulator—be tasked with developing regulations to implement the statute. It also includes a ‘non-pre-emption clause’. What this means: the Act is a benchmark, or base standard for how to protect sensitive health data. States can choose to protect consumer privacy through more enhanced measures, should they want to.
The Act is currently endorsed by the Electronic Frontier Foundation, Planned Parenthood, and the National Abortion Federation, among other pro-abortion groups.
Congresswoman Jacobs previously co-sponsored the Women’s Health Protection Act, passed by the House of Representatives (the lower house of the US Congress) in 2021. A piece of federal legislation, it aims to codify the Roe v Wade Judgment and protect abortion rights across the US. An extension of this privacy conversation, the protections mentioned in the My Body, My Data Act speak to the vast ways in which personal health data is used to surveil women.
The Increasing Threats Posed By An Innocuous Google Search or Clinic Visit
The surveillance of women seeking abortions is a pernicious issue in the United States—and has consistently taken place, even when Roe v Wade was in force.
S.T.O.P.’s ‘Pregnancy Panopticon’ report notes that anti-abortion activists have been known to identify and film abortion seekers and providers, with some even tracking the license plates of cars visiting abortion clinics. In 2015, prosecutors in Georgia convicted Purvi Patel of foeticide (among other charges), for taking abortion drugs. The evidence they used against her included texts to a friend regarding her pregnancy, and search histories and payment receipts for abortion pills. Geofencing technologies have also been used in Massachusetts—they trigger anti-abortion ads on the phones of patients visiting abortion clinics. In 2019, the Missouri Health Department admitted to keeping a spreadsheet filled with the names of Planned Parenthood patients, as well as the dates of their last period. Data brokers also sell granular datasets on people visiting abortion clinics.
Data on an individual’s search history, location, and purchase history appears to be key evidence for prosecutors detecting whether someone has had an abortion, or is even thinking of having one. This is information that tech companies like Google, Meta, and Amazon regularly collect for their own business endeavours. Post-June 24th, Silicon Valley executives are now bracing for a future where law enforcement agencies request this data for anti-abortion investigations. Perhaps partially responding to these concerns, Google announced on July 1st that it will delete location history data for people who have visited, among other places, fertility and abortion clinics.
Clearly, State governments have the power to penalise abortion seekers through increasingly sophisticated data analysis and data requests from companies. ‘We’re becoming more cognisant of these gendered privacy risks because of how data collection is changing—[with more types of apps and services cropping up] it’s become increasingly invasive and diverse,’ argues Jain. ‘People are now more aware that these risks [raised by services that collect fertility data] are unique.’
In anticipation of such risks, the week after the Supreme Court’s recent Judgment saw hordes of American women uninstalling fertility tracker apps from their phones. Apps have been forced to come forward to assure users that their data will be encrypted and protected; others have introduced ‘anonymous’ modes, where users can still track their fertility health while removing their personal information from the app.
However, only rigorous analyses of privacy policies and data sharing practices can tell a user if they’re safe while using a fertility app or not—which may often be a time-consuming process, if not an intellectually challenging one. ‘Bolstering privacy rights and encouraging individuals to use digital defence tactics to protect their reproductive health data are essential harm reduction measures,’ says Owen [emphasis added].
That’s why reformed technology policy becomes important—it introduces structural safeguards that protect consumers, instead of asking them to trust an app by themselves. Many such changes have been proposed in the US—the My Body, My Data Act is only one among them.
Protecting Personal Health Data: a ‘Fiduciary Responsibility of Congress’?
The protection of women’s data, or personal reproductive data, doesn’t appear to be a particular concern in American data protection policies—which is why we’re now seeing a spate of legislation seeking to protect it, and women, in light of the overturning of Roe v Wade. ‘There’s a lot of legislative patchwork that’s happening in the US,’ says Jain. ‘Unlike the European Union, there is no overarching data protection law in force which minimises data storage or protects privacy—so these many laws being introduced attempt to individually stem the harms that are emerging [with the rise of data collection and privacy risks].’
Critically, the My Body, My Data Act seeks to protect personal reproductive health data which is not ‘currently protected’ by the Health Insurance Portability and Accountability Act, 1996 (HIPAA), a federal law protecting the privacy of sensitive health data. This includes data ‘collected by apps, cell phones, and search engines.’
Reports suggest that except for the health data shared between consumers and insurance providers, data collected by health apps typically doesn’t fall under the protections of HIPAA. Privacy experts told VERIFY that as tracking fertility or personal health are non-billed medical services, they are not considered ‘health data’ as defined by the Act.
In a separate appeal, Washington Democrat Congresswoman Suzan DelBene also urged the government in May to enact strong consumer privacy standards to address the wide range of personal health data harms that the lapsing of Roe v Wade brings up. DelBene is a co-sponsor of the Information Transparency and Personal Data Control Act—which aims to instate this consumer protection mechanism at the federal level.
A month later, barely ten days ahead of the Supreme Court’s decision, Massachusetts Democrat Senator Elizabeth Warren introduced the Health and Location Data Protection Act. Couched in the abortion surveillance fears arising from the Court’s verdict, the legislation is blunt in its approach: it simply bans the sale and transfer of sensitive health and location data by data brokers.
‘Beyond solely reproductive health decisions, our location data can reveal so much about us, such as where we protest and where we worship,’ says Owen. ‘The Health and Location Data Protection Act recognizes that the multibillion-dollar data broker industry must be stopped from selling our most private information now more than ever to protect pregnant people and all communities targeted by over-policing and surveillance abuses, including BIPOC, Muslim, immigrant, and LGBTQ+ communities.’
Insights For India
America’s piecemeal approach may be important to consider in India’s digital health sector. Sensitive data protection rules have done little to stem leaks of health data in India—a situation possibly exacerbated by the absence of a robust, inclusive national data protection law.
As MediaNama has previously reported, India is a ‘land of [data] leaks’: sensitive health data of 12.5 million pregnant women was left unprotected by the health department of a north Indian State in 2019, while 2018 saw the Andhra Pradesh government wantonly leak health data pertaining to individuals’ reproductive health, ambulance requests, pharmacy purchases, and abortions. In 2019, the fertility tracking app Maya, with 7 million downloads at the time, shared sensitive reproductive health data with Facebook.
However, right now, ‘there’s no protection for data in India,’ says Jain, referring to the long-pending enactment of the Personal Data Protection Bill. ‘So, in general, we are dependent on the largesse of companies and how they choose to protect our privacy. When it comes to protecting health data, we do have the sensitive personal data Rules, which lay out devising privacy policies and other protection measures [such as consensual data collection and processing by ‘body corporates’]. But again, they only apply to the private sector, not the government, and lack sufficient enforcement mechanisms.’