Since its inception over a century ago, International Women’s Day has been centered on the fight for equal rights and opportunities for women.  The United Nations’ theme for International Women’s Day 2023 is “DigitALL—Innovation and Technology for Gender Equality,” underscoring the foundational role of technology and data policies in achieving justice and equity for the world’s women – and CIPL could not agree more.
 
We have much work to do. Gender inequities have been present from the earliest days of privacy’s conception in  European and European-inspired legal systems. As Eva Blum-Dumontet noted at a March 6 Global Privacy Assembly Dialogue on Integrating a Gender Perspective into Privacy and Data Privacy, privacy was historically linked to property rights, from which women and minority groups were often systematically excluded.[1] Numerous privacy harms continue to fall disproportionately on women:

• Women are far and away the most frequent victims of “intimate privacy” violations, as privacy scholar Danielle Citron noted in her 2022 book The Fight for Privacy:

Around the world, women are victims of nonconsenual pornography at higher rates than men; gay and bisexual men are at greater risk than heterosexual men; and gay and bisexual women may be at the greatest risk of all… Of the thousands of sites specializing in nonconsensual pornography, 98% of the photos are of women, and not because women are taking and sharing more nude selfies than men are.

• Women are disproportionately exposed to data privacy risks associated with increasingly popular online health apps and related services; Citron notes that women and girls use them 75 percent more than men and boys. [2] These services are receiving increased scrutiny from regulators and enforcement authorities for failing to keep data safe and deceiving customers about their data practices.[3]
• In the United States, concerns about the privacy and security of women’s reproductive health data have increased in the wake of the U.S. Supreme Court’s Dobbs decision finding that the right to an abortion is not protected under the U.S. Constitution.[4]  In Florida, the governing body for high school sports recently attempted to make questions on female students’ menstrual cycles on its medical forms mandatory – this was dropped after an outcry over privacy concerns.

Data practices can also have disproportionate impacts on women beyond privacy. As we shared in our recent article on combating data-intensive racial injustice, facial recognition technology is especially prone to errors with respect to dark-skinned women. And AI tools meant to aid employers’ recruiting efforts have been shown to carry biases against women candidates. To ensure that data practices advance gender justice, organizations must ensure diverse representation at their inception in the teams designing data-intensive products and applications.
 
Organizations must also adopt and implement accountability frameworks through which they actively assess and mitigate risks to individuals, provide transparency on their practices to stakeholders, and monitor and verify for effectiveness on an ongoing basis.  It is essential that accountability frameworks explicitly incorporate into their risk assessments screening for disproportionate impacts on women. It is equally important to have gender- (and otherwise) diverse teams involved in carrying out these risk assessments to recognise and mitigate harmful gender-based risks and impacts.
 
 
Figure 1. The CIPL Accountability Framework

​
Source: CIPL
 
 
Legislation can also help advance just data policies for women. In the United States, CIPL has been advocating for comprehensive federal privacy legislation. The Brookings Institution’s Cam Kerry notes that when crafted well, such legislation can play at least as strong a role in protecting women’s privacy as more narrowly-focused bills.
 
The road still left to travel to greater justice and equity for women—across our societies, and with respect to data practices specifically—remains a long one. But responsible data practices, and frameworks and policies to support their adoption, are essential to help us complete the journey.


[1] GPA, “Urgent to Promote Measures to Eradicate Violations of the Right to Privacy in the Digital Age, Which Affect Women”, posted on Twitter at: https://twitter.com/PrivacyAssembly/status/1632978081185931264?s=20. 

[2] Danielle Citron, The Fight for Privacy, 2022, xvi and 14 .

[3] See, for example, the recent Federal Trade Commission action against BetterHelp: FTC to Ban BetterHelp from Revealing Consumers’ Data, Including Sensitive Mental Health Information, to Facebook and Others for Targeted Advertising | Federal Trade Commission

[4] Anya Prince, “Reproductive Health Surveillance,” Boston College Law Review (forthcoming), Reproductive Health Surveillance by Anya Prince :: SSRN
​

​For those eager to see Congress pass comprehensive federal privacy legislation, the March 1 hearing of the House Energy and Commerce Committee's Data, Innovation, and Commerce Subcommittee provided grounds for cautious optimism. As in the previous Congress, it was striking to see Republican and Democratic members share concerns about the impacts on individuals and organizations in the absence of a federal privacy law, and the need to pass one expeditiously.  At the same time, members' comments revealed enduring differences on hot-button issues such as preemption and private right of action, even as many members and the witnesses expressed appreciation for the painstaking compromises that enabled the Energy and Commerce Committee to vote for the American Data Privacy and Protection Act (ADPPA) by a vote of 53-2 in the 117th Congress. The momentum for legislation appears real even if the timing for introduction of a new bill remains uncertain.
 
CIPL shares the view that comprehensive federal privacy legislation is an urgent priority for the United States. The U.S. is an outlier in not having a comprehensive privacy law. The lack of such federal privacy legislation undermines Americans' trust in the digital economy and leaves them vulnerable to a range of economic, physical, reputational, psychological, and other harms. It also risks undermining U.S. leadership in the digital economy. The emergence of a patchwork of state privacy laws in the absence of a federal standard raises compliance costs, placing an especially acute burden on small businesses. It also creates barriers to innovation and digital progress as businesses face different rules for their products and services across different states, while Americans are left with inconsistent protections depending on where they live.
 
CIPL has published a series of papers since 2019 outlining priorities for U.S. privacy legislation. Any new federal privacy bill should have the overarching goal of fully enabling the digital economy and society while also protecting individuals’ privacy and other important rights and interests.  To further these dual objectives, it should include a foundation of organizational accountability for risk-based, responsible data practices; a core set of data subject rights; and a commitment to fostering interoperability with existing data protection regimes:

1. Organizational accountability. Any new federal law should require organizations to adopt and implement comprehensive accountability frameworks through which they assess and mitigate risks to individuals, provide transparency on their practices to stakeholders, and monitor and verify for effectiveness. 
2. Risk-based approach. Organizations should be required to assess risks associated with their uses of personal data, while enabling them to calibrate measures of protection in accordance with the level of risk. Risk assessments should explicitly account for the risks of harms associated with bias and discrimination, as CIPL re-emphasized in a recent article.
3. Individual empowerment without overreliance on notice and consent. As in the EU's GDPR and privacy laws in U.S. states, data subjects should enjoy a core set of rights. However, the law should seek to avoid overwhelming consumers with choices, and instead place greater responsibility on organizations to be accountable for data protection and security. It should also provide flexibility for legitimate uses of data that do not harm individuals.
4. Global Interoperability.  Lawmakers can reduce compliance burdens on organizations and foster continued U.S. leadership in the digital economy by harmonizing new U.S. federal privacy legislation with existing laws around the world, where possible and appropriate. There will naturally be differences in terminology and approaches in light of countries' unique historical experiences and legal traditions. Drawing on multilateral principles to which the U.S. has already agreed, like the OECD Privacy Framework, the APEC Privacy Framework, and schemes like the Global Cross-Border Privacy Rules (CBPR) Forum can help.

 
In addition, no comprehensive federal legislation will advance unless lawmakers reach agreement—and compromise, where necessary—on challenging but important issues such as preemption and private right of action. It will also be essential that the law has clear and strong protections for minors, given the bipartisan consensus on the urgency of doing more to keep kids safe online.
 
The road ahead will not be easy, but the success of the last Congress’s Energy and Commerce Committee in reaching agreement on a bill that enjoyed broad bipartisan support gives reason to hope that this Congress can do the same - and perhaps even move a bill that meets the needs of the modern digital economy and society across the finish line.