Congress Moves to Address Data Privacy Concerns Post-Dobbs

WASHINGTON — The Fourth Amendment Is Not For Sale Act is floating through the House and Senate, taking aim at whether the government should be able to access personal data, such as sensitive health information.

“There’s been a lot of discussion about period-tracking apps and other reproductive health apps, and those do put pregnant people seeking medical care at risk,” said Rebecca Wexler, who serves as faculty co-director at the Berkeley Center for Law & Technology, during a hearing held by the House Committee on the Judiciary on July 19.

“But it’s not only those apps. It’s location information, it’s web search history information, it’s chat messages [and] text messages,” said Wexler.

The Fourth Amendment provides for the reasonable expectation of privacy, but according to Wexler it does not cover current issues posed by modern technology, such as the gray area of privacy protections surrounding social media posting.

In 2018, Carpenter v. United States held that police officers need a warrant to compel cellphone companies to turn over historical cell site information for a seven-day period. 

According to Wexler, the data market is currently valued at $200 billion per year, with data brokers able to collect all kinds of personal information — whether someone is pregnant, trying to lose weight or what medicine they take — consumer data used for marketing materials.

But the use of personal data goes beyond market value, said Wexler. Unencrypted chat messages have already been used by law enforcement to charge one woman who miscarried with feticide and another with murder. 

“The discussions the committee is having now on data privacy are all the more urgent post-Dobbs,” said Wexler. 

In the wake of the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization and the overturning of Roe v. Wade, which protected a woman’s right to abortion for nearly 50 years, the Department of Health and Human Services issued new privacy guidance on June 29. This uncludes how Health Insurance Portability and Accountability Act privacy requirements will limit access to private medical information relating to abortion and other sexual reproductive health care for HIPAA-covered entities, such as hospitals, clinics and the vendors that assist in providing health care services.

The Fourth Amendment Is Not For Sale Act seeks to close legal loopholes in the Electronic Communications Privacy Act, as well as the Foreign Intelligence Surveillance Act, by which the government buys sensitive and personal data. 

The act would require the government to get a court order to compel data brokers to disclose information, and would prevent law enforcement and intelligence agencies from buying data on people in the U.S. and about Americans abroad.

The Senate bill is led by Sen. Ron Wyden, D-Ore., and the House bill is led by Judiciary Committee Chair Rep. Jerrold Nadler, D-N.Y., along with Rep. Zoe Lofgren, D-Calif.  

Elizabeth Goitein, senior director of the Liberty and National Security Program at Brennan Center for Justice at New York University School of Law, said during the hearing that the bill would prohibit law enforcement or intelligence agencies from purchasing — or otherwise obtaining “in exchange for anything of value” — certain records obtained by third parties in certain ways.

Rep. Jamie Raskin, D-Md., asked Goitein whether it has become a habit of government to be able to purchase data from companies in order to execute warrants or obtain evidence they otherwise would not be able to get.

“It certainly seems that way,” said Goitein.

“The government has been completely non-transparent about this practice. What we know, we know from investigative reporting, from nongovernmental organizations that have done their own investigations, from lawmakers that have asked probing questions. … We have no doubt that this is a widespread practice now among many federal agencies, and state and local agencies as well,” continued Goitein.

HIPAA was established in 1996 to set national standards for protecting sensitive patient health information from being disclosed without a patient’s knowledge or consent.

“HIPAA defines this privacy of personal information. Specifically, it limits law enforcement and everyone else from sharing that data without informing you and without your consent,” said Rep. Darrell Issa, R-Calif., during the hearing. 

Issa probed Goitein about what is really needed — the equivalent of HIPAA for all information — but she noted there are also design flaws in HIPAA’s privacy protections. 

“HIPAA has the advantage of restricting disclosure to nongovernment entities. As well, HIPAA has some of the same drawbacks as some of the other privacy laws, in that it protects only personally identifiable information, and health care providers are selling their data in aggregate, which can then be anonymized,” said Goitein. 

“HIPAA also only covers certain health care institutions and providers. It does not cover, for example, app developers that would acquire some of the same data,” continued Goitein.

Alexa can be reached at [email protected]