In the wake of Watergate and other abuses by the executive branch, Congress passed the Privacy Act of 1974 to mandate greater transparency into what types of data the government is collecting on the public and how it is able to use that data. DOGE’s actions over the past year have demonstrated the nightmare scenarios the original legislation was meant to prevent; this includes both the negligent handling of sensitive information as well as the targeted pooling of data from different agencies to create a digital Panopticon for the administration to target immigrants or any other populations that it deems a threat.

Blatant violations of the Privacy Act can result in a civil litigation. On the criminal side, it caps out as a misdemeanor with a meager maximum fine of $5000. Instead, the act’s main utility has been in establishing a standard that can be enforced within the Executive Branch and Congressional oversight. However, with an actively malicious OMB and a supine Congress, nobody is minding the shop and the resulting lack of oversight has supercharged the aggressive data collection and exfiltration practices of DOGE.

We’re going to need a new Privacy Act With Teeth. I am not the policy or legislative expert to craft this, but I think it will need to have the following components:

• Stronger penalties for violations. The current penalties could just be factored in as the cost of doing business for those determined to violate the rules.
• Overhauling the opaque division of documentation between Systems of Record Notices (SORNs) and Privacy Impact Assessments (PIAs, mandated by the E-Government Act of 2002) with new combined reporting to more clearly describe what data is being collected by the agency and how it is being used. Include mandates to prevent public documentation from being retroactively written (as happened at OPM for the DOGE email server) or from being removed from public sight entirely (as happened at HHS).
• Creating a new entity to monitor and enforce compliance with privacy and data sharing regulations. Since both Congress and OMB have willfully abdicated their oversight responsibilities, it probably would need to be a separate entity like the US Government Accountability Office. Like the GAO, this agency should also reside in the legislative branch to shield it from interference. It might make sense to also move CISA and some other FISMA-related oversight into this entity as well.
• Creating new regulatory paths and oversight over data-sharing agreements and joining across multiple data sets. The partitions between and even within agencies can be super frustrating at times (for instance, Biden’s means testing for student loan data needed an act of Congress to be authorized to use tax data), but the prospect of a government mandating compulsory data collection (your taxes, etc.) and using that to build up dossiers on the public is why the Privacy Act was created.
• Eliminating the use of private industry and services as a loophole. For instance, agencies that are formally banned from building surveillance databases could still buy from private data brokers. Similarly, using commercial tools or contractors to host data in ways to avoid specific government rules and restrictions should result in severe consequences. It may be necessary to “red team” the rules to identify and eliminate ways in which agencies could actively thwart the intent of the law while still remaining compliant.
• Taking datasets into receivership if they are at risk of being abused outside of their original purpose. This is a highly nebulous idea, but I am wondering how the government can continue to provide services for vulnerable populations while protecting them from having their own data weaponized against them by future administrations – for instance, “Dreamers” who signed up for DACA now risk their addresses being provided to ICE. Deletion is one possibility, but that could be abused to hide wrong-doing and is simply impossible for things like IRS tax records or Social Security data, which is also currently being misused by ICE. What is to be done? Is there a combination of technical and policy changes that could protect against malevolence?
• This agency could also be involved with efforts to enforce any new privacy protections and regulations against industry as well. As we’ve seen with the Consumer Financial Protection Bureau, its protection of the public would face significant industry push back and interference, especially from Silicon Valley, so we would need to ensure it is safe from executive branch interference and Congressional lobbying.
• In the long term, it seems clear that the Constitution also needs a Privacy Amendment, to prevent the Supreme Court from knocking down past precedents built on the notion that public citizens have the right to privacy. But that’s a whole other argument that faces daunting odds of ratification like any amendment.

This turned out to be a longer article than I expected, but our digital privacy feels far more endangered than it did when the Privacy Act was first enacted. What do you think, is there something I’m missing?