US lawmaker unveils plan for sweeping overhaul of Privacy Act

Democratic Rep. Lori Trahan this week released a sweeping report arguing that the decades-old Privacy Act of 1974, once a landmark safeguard against government overreach, is now structurally incapable of protecting Americans in an era defined by cloud computing, data brokers, and AI.
“Over fifty years later, privacy pessimism, cynicism, and fatalism predominate,” the report warns.
The 68-page report was developed after Trahan issued a Request for Information (RFI) in March 2025 seeking public input on how to update the foundational federal privacy law.
Trahan frames the report as deliberately bipartisan and bicameral in scope. The executive summary states that its recommendations are designed “to make responsible data processing easier and irresponsible data processing impossible.”
Drawing on responses from civil organizations, former federal officials, industry stakeholders, and privacy advocates, the report lays out a detailed legislative roadmap aimed at overhauling how the federal government collects, processes, shares, and oversees personal data.
“The Privacy Act was written for a world of file cabinets and mainframe computers, not one defined by cloud storage, data brokers, and AI,” Trahan said in a statement accompanying the report’s release. “Americans should be able to trust that their personal information is handled responsibly by their government.”
Enacted in the aftermath of Watergate and revelations of illegal domestic surveillance by the Federal Bureau of Investigation, the Privacy Act of 1974 established rules governing federal agencies’ collection, maintenance, use, and disclosure of personal information.
“For all of their prescience, the Privacy Act’s authors did not, and could not, design a law capable of handling transformational technologies like artificial intelligence. Nor could they have accounted for the aggrandizing nature of the modern imperial presidency,” Trahan said in the report’s foreword.
“For these reasons and more, Congress must modernize the Privacy Act,” Trahan said.
In its response to the RFI, the Electronic Privacy Information Center (EPIC) applauded Trahan “for taking steps to protect Americans’ privacy and constitutional rights against current and future abuses,” adding that “aspects of the Privacy Act have become outdated due to technological advances and increasingly ineffective in the face of deliberate agency defiance.”
The Leadership Conference on Civil and Human Rights said in its response to the RFI that “the need to update the Privacy Act has never been more pressing. Elon Musk and the so-called Department of Government Efficiency (DOGE) have accessed, collected, and combined previously secure federally-held data.”
“Their actions threaten the privacy of individuals’ sensitive personal information held by the government and the laws Congress passed to protect that data,” the group added.
While Congress has passed related statutes over the decades, including the Computer Matching and Privacy Protection Act and the E-Government Act, the core structure of the Privacy Act itself has not undergone comprehensive reform.
The report’s executive summary is blunt about the consequences. The Privacy Act, it states, “is doubtless failing … the protections it ostensibly affords to individuals do not account for emerging technology or expanding executive power, and its outmoded regulatory framework hamstrings good, effective, and accountable governance.”
Recent incidents, including unauthorized data exfiltration at the Department of Treasury and Social Security Administration by DOGE, and expanded surveillance activities by the Department of Homeland Security, have exposed what the report calls “deep vulnerabilities” in the statute’s structure.
Trahan said she “was horrified by the brazen violations to our privacy perpetrated in the name of combatting waste, fraud, abuse and modernizing information technology systems. Unvetted political appointees were gaining access to, and – as whistleblowers bravely revealed – exfiltrating reams of Americans’ personal data with impunity.”
Trahan said, “these efforts jeopardized individual privacy and elevated cybersecurity risks to critical government systems. Exhaustive congressional investigations are surely in order.”
At the heart of the blueprint is a conceptual shift away from what the report describes as a “system-centric” privacy model toward one that is “purpose-centric.”
Under current law, the Privacy Act’s requirements hinge on whether information is contained in a “system of records,” a term defined by how data is retrieved rather than how it is used.
The report argues that this retrieval-based model is ill-suited to modern data flows in which records move across databases, are queried through natural language interfaces, and are combined through algorithmic tools.
The first major recommendation is to modernize key definitions, including “individual,” “record,” “system of records,” and “matching program,” to broaden coverage and support a new regulatory model.
For example, the report proposes redefining “individual” to cover all natural persons whose data is processed by the federal government, rather than limiting protections to U.S. citizens and lawful permanent residents.
It also calls for redefining “record” to encompass any personally identifiable information processed by a federal agency, including information that is linkable or can be combined to identify an individual.
In a fully data-agnostic framework, the report suggests, the very concept of a “system of records” could become obsolete.
Once definitions are modernized, the report says Congress should embed a new privacy model that segments requirements according to the “relative harm and risk of each purpose,” rather than applying uniform rules across all data systems.
This would allow high-risk uses of data, such as eligibility determinations or investigative surveillance, to face stricter scrutiny, while low-risk administrative functions would not be burdened by the same compliance regime.
The report also calls for strengthening data minimization standards. Currently, agencies must maintain only information that is “relevant and necessary” to accomplish a statutory or executive purpose.
The blueprint recommends replacing that standard with a requirement that processing be “necessary, proportionate, and limited,” and eliminating the President’s ability to authorize new processing purposes via presidential executive order.
That recommendation reflects concerns raised in the report about recent executive actions directing agencies to consolidate and share data across departments in the name of eliminating waste and fraud.
In the foreword, Trahan references what she describes as “brazen violations” in which political appointees and DOGE gained access to and allegedly exfiltrated sensitive data.
Another major reform area is consent. The Privacy Act generally requires written consent before agencies disclose records, subject to numerous exceptions.
But the report argues that consent has become a “procedural checkbox” that is easily skirted and often meaningless in contexts where individuals have no practical alternative.
Instead, the blueprint recommends narrowing and standardizing exceptions, eliminating broad “need to know” and “routine use” carve-outs, and reserving heightened consent requirements for high-risk processing.
Beyond definitions and minimization, the report proposes a significant restructuring of oversight and enforcement.
Among its ten core recommendations are enhancing enforcement by recognizing nonpecuniary privacy harms and authorizing equitable relief; consolidating transparency measures into a machine-readable public inventory; and adopting privacy-enhancing technologies to technically enforce governance reforms.
One of the most ambitious proposals would “collocate privacy oversight in the legislative branch … endowing a novel investigative entity with special authority to view telemetry from agency systems and dynamically inspect high-risk data processing.”
“To ensure independent oversight of executive branch privacy activities,” the report says, “Congress should either establish a new legislative branch oversight entity or expand the role of the Government Accountability Office.”
The report says “this entity should have specialized powers related to privacy, including authority to receive automated system telemetry (logs, usage metadata, notice of data outflows) and issue non-binding legal opinions on prospective privacy risks or retrospective harms.”
“Additionally, Congress could subsume the Privacy and Civil Liberties Oversight Board – currently an executive branch agency focused on balancing counterterrorism with privacy and civil liberties – under its new entity to centralize independent privacy expertise.”
The report also calls for Congress to establish “a Chief Privacy Officer (CPO) at every agency. Each CPO should own their agency’s privacy program, report directly to the head of their agency, and possess a requisite background in law and technology.”
“Moreover, the CPO should report regularly to Congress (including the new legislative branch oversight entity) and the public on the agency’s privacy activities and conduct investigations – as needed – in concert with the Inspector General,” the report says.
Whether such sweeping reform can advance in a divided Congress remains uncertain. Comprehensive consumer privacy legislation has repeatedly stalled, and debates over executive authority, immigration enforcement, and interagency data sharing remain politically charged.
Still, the report makes the case that governmental privacy deserves at least as much attention as commercial privacy. As the executive summary argues, “Congress alone can act. Governmental privacy … demands as much – if not more – attention than commercial privacy. Actions by the current administration, particularly in immigration enforcement, underscore the need for Congress to take such a position.”
By positioning Privacy Act modernization as both a defensive measure against abuse and an affirmative strategy for restoring trust in government, Trahan is staking out a role in what could become one of the next major privacy battles in Washington.