Advocates Outline Potential Privacy Act Updates for Congress

Trahan in March requested comments on a potential legislative update for the 1974 Privacy Act in response to Elon Musk’s data-collection activities at the Department of Government Efficiency (DOGE) (see 2503180019). Her office extended the Wednesday deadline to May 9.

Multiple groups cited legislation from Sens. Ron Wyden, D-Ore., and Ed Markey, D-Mass., as a good starting point for updating the Privacy Act. Their proposal would narrow the government’s ability to claim exemptions for “routine use” of data, an exemption DOGE critics say the administration is abusing. In addition, it would update definitions for “record,” extending it to cover all personally identifiable information. Moreover, it would extend protections for all people living in the U.S., regardless of immigration status.

The Center for Democracy & Technology said it pushed for many of the provisions included in the Wyden-Markey legislation. “We encourage Rep. Trahan and other members of Congress to look at this proposal as a valuable starting point.”

Trahan’s office said Wednesday it received input from “privacy watchdogs, civil liberty groups, former government technologists, and concerned members of the public."

Trahan on Thursday joined House Oversight Committee ranking member Gerry Connolly, D-Va., in requesting information about potential Privacy Act violations related to DOGE activity at the National Labor Relations Board.

Whistleblower testimony suggests DOGE staffers “may have illegally exfiltrated multiple gigabytes of sensitive data, including the personal information of Americans who reported unfair labor practices,” they wrote. Their actions may have violated the Privacy Act as well as the Federal Information Security Modernization Act, which “requires agency heads to notify Congress of major data breaches,” they said.

Open Technology Institute Senior Policy Analyst Sydney Saubestre said Wednesday what's needed are clearer definitions for Privacy Act terms, stronger safeguards and the integration of privacy-enhancing technologies (PETs) into federal data practices.

OTI in comments also backed the Wyden-Markey bill as a starting point. It would provide “meaningful consequences for violations, limit information sharing to the minimum necessary for a legally authorized purpose and narrow the routine use exception,” said OTI.

It’s not entirely clear how DOGE is handling and sharing sensitive information, Frank Torres, a fellow with the Leadership Conference’s Center for Civil Rights and Technology, told a CDT webinar Thursday. “We still don’t have a good handle on what exactly they’re doing with [the data] or how it’s been protected or if they’ve shared it with others.” Data troves are “very valuable” for commercial entities, he said: Data submitted to the government is often precise and easily traced to individuals, meaning it’s easier to draw inferences and in turn, more valuable than incomplete commercial data.

The Electronic Privacy Information Center in comments to Trahan asked Congress to provide greater vehicles for injunctive relief under the Privacy Act. EPIC noted some DOGE-related litigants have been able to obtain relief under the Administrative Procedure Act (APA), but the APA “presents additional complexities that make it an imperfect cause of action.”

EPIC claimed in its comments that DOGE has gained unlawful access to sensitive and protected data for purposes without a connection to agencies’ original intentions. “In one egregious example, DOGE employees marked approximately 4 million still-living individuals as dead following its baseless claims of rampant Social Security fraud,” said EPIC. “DOGE has also used its illegal access to amass information on federal workers, prompting numerous lawsuits.”

The White House didn’t comment Thursday.

CDT touched on privacy invasion against individuals with unclear immigration status: “Because it is often difficult for federal agencies to determine an individual’s current citizenship or immigration status, which can change over time, a U.S. person’s sensitive information may inadvertently be disclosed or otherwise handled in violation of the Privacy Act.”

CDT Director-Equity in Civic Technology Elizabeth Laird said it’s “difficult to overstate” the level of risk associated with granular, government-collected data. “It’s so comprehensive. It’s data on hundreds of millions of people, and it is the most sensitive information about you,” including social security information, family ties and financial information.