Image description: a “smart-watch”
FemTech applications [FemTech apps] are committed to the technology-driven enhancement of women’s [users] autonomy in the enjoyment of rights to sexual and reproductive health [SRH Rights] which entails protection of right to privacy. Period and fertility tracking, pregnancy, contraception and sex apps like Clue, Flo, Maya, My Calendar, and Ovia require reproductive and sexual health information to provide such services. In the EU, the General Data Protection Regulation [GDPR] responds to privacy concerns in the utility of FemTech apps with personal data. I will present a rights perspective, with feminist legal interests, on the data privacy practices of FemTech apps’ data-led provision of sexual and reproductive health services [SRH Services]
Research on FemTech apps revealed that most of the widely used apps’ do not follow the GDPR data privacy mandate. FemTech apps circulate sensitive sexual and reproductive heath data to data brokers and companies. The data privacy practices of FemTech apps notably lack the element of consent in the sharing of data when delivering SRH Services. After collection, FemTech apps disseminate users’ personal and sensitive data such as sexual and reproductive health information without fundamental protections. This includes the transmission of sensitive data to third parties for online target advertising without the consent of the relevant user.
Rights-Perspective and Implications
The emerging field of feminist data protection emphasises the protection of personal data as a fundamental right.
The GDPR defines personal data as any information of an identified, or identifiable (combining available information) of a natural person, including information that healthcare professionals hold. Under the GDPR, ’processing’ means collection, transmission and dissemination.
The GDPR also protects personal data of special categories – health information – under Article 9 which prohibits dissemination unless the user explicitly consents. The current privacy practices of majority of FemTech apps do not explicitly require consent from users to disseminate their data. The right to privacy is, therefore, compromised and inconsistent with Article 8 of the European Union Charter of the Fundamental Rights [CFR] which requires users’ consent for transferring data in order to fully realise the right to protection of personal data.
Considering FemTech apps’ SRH Services, Article 8 of the European Convention on Human Rights [ECHR] protects confidentiality in SRH Services for which SRH Rights is implicitly protected as a right to freedom from arbitrary or unlawful interference with one’s private life. States are obliged under the ECHR to regulate industries in order to protect ECHR rights. The GDPR, for instance, is a binding regulatory framework for data privacy. FemTech apps’ non-compliance with the GDPR to implement ‘consent’ in the dissemination of users’ sensitive health data – a special category of personal data – to third parties while providing SRH Services consequently deprives users of their right to privacy. That is, depriving them of full enjoyment of SRH Rights due to the inadequate protection of personal data for SRH Services.
Contrary to the stated objective of FemTech services of empowering users as chief decision-makers in their sexual and reproductive health, the absence of consent undermines the autonomy of users concerning SRH Rights. To promote the rights-holder users’ fundamental right to data privacy, the FemTech apps, which users have begun to rely on for autonomous control over their reproductive and sexual health and well-being, must materially implement the GDPR’s ‘consent’ mandate. Likewise, the feminist legal perspective on data protection asserts the enhancement of consent regimes that concerns the protection of sensitive sexual and reproductive health data.
FemTech apps should, therefore, adopt a rights-based policy that comprehensively implements SRH Rights and data privacy in the provision of the rights-holder users’ SRH Services via personal data-driven technology. This will embody feminist notions of data protection consistent with the GDPR mandate as a rights-based approach that will empower autonomous users whilst ensuring protection of their privacy rights.
Want to learn more?