DOGE's Plundering of Data Hastens Calls to Tighten Government Privacy Laws

For about a decade, lawmakers in Washington have sought to pass a comprehensive privacy law to prevent commercial platforms from misusing Americans’ data online. Now some in Congress and at the state level are increasingly raising alarm that the federal government is violating Americans’ privacy and calling for laws to prevent such abuse.

Fears about Americans’ data being mishandled have ballooned in the wake of the push by the Elon Musk-formed Department of Government Efficiency, or DOGE, to force federal agencies to hand over sensitive data on United States citizens and residents, including social security numbers and the personal records of millions of federal employees and retirees.

The current law that governs the federal government’s collection and handling of personal data, The Privacy Act of 1974, was enacted in the aftermath of the Watergate scandal partly to address fears of mass government surveillance. But that law needs to be tightened to prevent the types of abuses currently being perpetrated by DOGE, said Rep. Lori Trahan (D-MA), who earlier this year launched an effort to bring those protections into the modern day.

“One resounding theme from” the feedback she has received in her call for public comment “is the need for Congress to fundamentally redesign the Privacy Act, rather than simply performing a surgical, amendatory process,” Trahan said in an email.

“I heard repeatedly that Congress must invest in its own capacity to oversee the privacy activities of the executive branch,” she said. “Congress needs to increase the criminal penalties for violations, expand the range of causes of action, and narrow the statutory exceptions to the Privacy Act that this Administration has exploited.”

The White House did not respond to a request for comment on DOGE’s data practices.

A congressional aide familiar with the effort, speaking on the condition of anonymity to discuss the deliberations, said that Congress could tighten oversight requirements asking federal agencies to more routinely report on the kinds of data they are collecting, how they’re safeguarding that information, and who has access to the data, as opposed to the periodic reports that agencies now provide Congress.

The effort to change the Privacy Act would have to be led by the House Committee on Oversight and Accountability, which has jurisdiction over the law. Trahan plans to release a report outlining her findings and recommendations that could become the basis for building bipartisan support, the aide said.

Trahan isn’t the only one concerned about the federal government potentially violating Americans’ privacy.

Sen. Gary Peters (D-MI), the top Democrat on the Senate Homeland Security and Governmental Affairs Committee, late last month released findings of an investigation by his staff looking into how DOGE "jeopardizes" Americans’ data.

The report found numerous instances of federal agencies being asked to turn in data seemingly in violation of current law.

“Through a series of whistleblower disclosures, staff learned that individuals associated with DOGE have effectively ordered agencies to assist with the creation of databases that can be manipulated with little to no oversight, and which contain highly sensitive personally identifiable information on every American,” the report said.

If those databases are hacked or breached it could “result in the most significant data breach of Americans’ sensitive data in history,” according to the report, with the risk of a data breach with “catastrophic adverse” consequences between 35 and 65 percent.

Separately, Sens. Ron Wyden (D-OR), Ed Markey (D-MA), Jeff Merkley (D-OR) and Chris Van Hollen (D-MD) proposed legislation in March that would amend the Privacy Act to make it easier to sue federal officials over violations.

These privacy concerns are also playing out in court. Groups representing federal employees and retirees sued the Office of Personnel Management (OPM) in February alleging that by disclosing to DOGE the personal details of federal workers, including health records, financial information and information on their families, the federal government violated the Privacy Act.

The US District Court for the Southern District of New York in April rejected the government’s motion to dismiss the lawsuit and issued a preliminary injunction.

The court required OPM to audit which DOGE agents were still working at the office and had access to the personnel records and to outline procedures to safeguard the data.

In a Sept. 30 report to the court, OPM produced the information and also asserted that all the DOGE agents who were given access to data were adequately trained. Mario Trujillo, staff attorney at the Electronic Frontier Foundation (EFF), which is representing the plaintiffs in the case against OPM, said the plaintiffs were awaiting a discovery process to ascertain how DOGE used the data it obtained, whether any staffers made copies of the data and if any data was deleted.

“Our ultimate goal is to ensure that the DOGE agents are kicked out of the OPM systems and that they have deleted any information they may have copied, and put in place cybersecurity measures that plug any holes from this unauthorized disclosure,” Trujillo said.

Alarmed by the federal government’s handling of Americans’ data, some states are moving to either strengthen existing laws or to pass new ones.

In California, privacy advocacy groups including EFF and the Oakland Privacy, a non-profit coalition, backed legislation (AB 1337) earlier this year to amend the state’s Information Practices Act of 1977 — similar to the federal Privacy Act.

The new bill would expand the definition of covered entities to include not only state agencies but also local governments, and would prevent information collected by government entities from being used without consent.

The bill, authored by Assemblymember Chris Ward (D), won approval in the Assembly but stalled in the Senate because of opposition from local governments that raised concerns about some of its definitions and creating more compliance burdens, said Tracy Rosenberg, advocacy director at Oakland Privacy.

The bill’s backers plan to make some modifications and expect to get the backing of the Senate next year, Rosenberg said.

California voters have repeatedly backed laws that strengthen privacy, Rosenberg said. “But now that we are in Trump 2.0, I think it is very much coming home to people what the actual dangers are of poor privacy practices,” she said.

California and other states are also litigating the issue. In July, California led a group of 20 states in filing a lawsuit demanding that the Department of Health and Human Services (HHS) stop sharing information that could be used by Immigration and Customs Enforcement to deport undocumented individuals. In August, a federal judge in California issued an injunction temporarily halting the practice.

In Vermont, state Rep. Monique Priestley (D) said she planned to introduce legislation next year similar to California’s Information Privacy Act with some modifications.

Priestley, who led an effort last year to pass a privacy bill in her state that cleared the legislature but was vetoed by Gov. Phil Scott (R), said in an interview that protecting individuals’ data from commercial entities alone is not enough because government entities also collect significant personal data.

In Connecticut, State Sen. James Maroney (D), who has championed the state’s data privacy legislation, said some lawmakers are interested in extending such protections for data held by government agencies.

“The government does have a lot of sensitive data about our constituents, so I think it’s important for us as states to look at our policies regarding that data and potentially pass laws to strengthen privacy protections,” Maroney said in an interview.