The bottom line: The Privacy Act of 1974 was written for a world of file cabinets. Rep. Lori Trahan's 68-page reform blueprint argues the law is fundamentally broken, and DOGE just proved it. Her fix: kill the loopholes, add real penalties, and extend protections to everyone the government collects data on.
Perfect Timing
On February 17, 2026, Rep. Lori Trahan (D-Mass.) released what might be the most significant federal privacy reform proposal in years [1]. Her 68-page staff report, "Privacy, Trust, and Effective Government," reads like an autopsy of a law that died somewhere around the time we stopped using fax machines.
The timing wasn't an accident.
For months, DOGE has been ransacking federal databases with all the subtlety of a smash-and-grab. Treasury. Consumer Financial Protection Bureau. Office of Personnel Management. The National Labor Relations Board. Social Security.
Each time, the Privacy Act was supposed to stop them. Each time, it didn't.
Why the Privacy Act Failed
The law's problem isn't that it's weak. It's that it's Swiss cheese.
Congress passed the Privacy Act in 1974, right after Watergate. Nixon had weaponized federal databases against political enemies. The fix seemed obvious: limit how the government collects, uses, and shares personal information.
Fifty years later, the exceptions have swallowed the rule.
"The Privacy Act was written for a world of file cabinets and mainframe computers, not one defined by cloud storage, data brokers, and AI," Trahan said [2].
Here's what's broken:
- The "routine use" exception: Agencies can share your data for any purpose they've declared "routine" in the Federal Register. It's the catch-all that catches everything.
- The "need-to-know" loophole: Anyone within an agency who claims they need data can get it. DOGE engineers claimed they needed access. They got it.
- Citizens only: The law protects U.S. citizens and lawful permanent residents. Everyone else? Open season.
- No real penalties: Violations carry minimal consequences. Sue the government? Good luck proving "intentional or willful" misconduct: the standard is nearly impossible to meet.
- Data brokers don't count: Agencies bypass internal rules by buying data from commercial brokers. Same information, different source, no protections. It's the same data broker loophole that lets the government buy what it can't legally collect.
DOGE: The Stress Test
If anyone needed proof the Privacy Act is broken, DOGE delivered.
In January 2026, DOGE engineers accessed Social Security Administration systems containing the NUMIDENT database, which holds records for nearly every American alive, including SSNs, birth dates, birthplaces, and parents' names [3]. A whistleblower alleges one engineer copied data to a personal thumb drive and claimed to retain "God-level" access even after leaving DOGE. It fits a wider pattern of DOGE mishandling Social Security data.
The SSA Inspector General is investigating. SSA's spokesman called the allegation "false," but investigators told lawmakers they're still trying to determine what was accessed and whether copies exist outside government control [4].
That's the system working as designed. Kind of. Slowly. After the fact.
Meanwhile, Sen. Gary Peters' investigation found DOGE effectively ordered agencies to help create databases "that can be manipulated with little to no oversight." His staff concluded a breach could result in "the most significant data breach of Americans' sensitive data in history," with 35-65% odds of catastrophic consequences [5].
Those aren't acceptable odds for data covering hundreds of millions of people.
Trahan's 10-Point Fix
The blueprint isn't just diagnosis. It's prescription. Trahan's ten recommendations [6]:
- Strengthen limits on sensitive data: Tighter restrictions on collecting and using SSNs, health records, financial information, and biometrics.
- Improve transparency: Force agencies to actually tell people what data they hold and how they use it.
- Real enforcement: Increase penalties. Make violations hurt.
- Protect everyone: Extend protections beyond citizens and permanent residents.
- Kill the "need-to-know" exception: Replace it with something that actually limits access.
- Kill the "routine use" exception: This is the big one. The loophole agencies drive trucks through.
- Oversight entity: Create legislative oversight or empower GAO to actually audit compliance.
- Resource privacy officers: Chief Privacy Officers at agencies need staff, budget, and authority.
- Regulate data brokers: Close the commercial data backdoor. If agencies can't collect it directly, they shouldn't buy it either.
- Expand civil remedies: Recognize privacy harms beyond just monetary damage. Let people sue for the violation itself.
The report recommends shifting from "system-centric" to "purpose-centric" regulation, meaning rules based on what data is used for, not where it's stored. That would prevent agencies from laundering data through different systems to avoid restrictions.
Building Support
Trahan isn't alone. Sen. Ron Wyden (D-Ore.) and Sen. Ed Markey (D-Mass.) introduced separate legislation in March targeting Privacy Act enforcement [7]. Their bill would make it easier to sue federal officials who violate privacy rules.
Rep. Jamie Raskin (D-Md.) has been filing Privacy Act requests against DOGE itself, trying to force disclosure of what data they've accessed. So far, no federal court has explicitly ruled on DOGE's obligations under the law, but that's coming.
At the state level, California's AB 1337 would strengthen the Information Practices Act and extend protections to local governments. Vermont and Connecticut are exploring similar measures.
The question is whether Republicans will engage. Trahan is pitching this as bipartisan. Her report went through extensive public comment and avoids partisan language. But reform means limiting executive power, and that's a harder sell when your party controls the executive.
What Happens Next
Nothing, probably. At least not fast.
Privacy Act reform requires legislation. That means committee hearings, markups, floor votes, and a president's signature. None of that happens without bipartisan buy-in, and right now the administration is the one exploiting the loopholes.
But the blueprint matters because it shifts the conversation. This isn't privacy advocates making broad claims about government overreach. It's a detailed, 68-page analysis of exactly how the law fails, complete with specific fixes and a framework for getting there.
DOGE made the problem visible. Trahan's report makes the solution concrete.
Whether Congress acts depends on whether voters care. And whether the next DOGE scandal (there will be more) forces the issue.
What You Can Do
The Privacy Act gives you a few rights. Use them:
- File Privacy Act requests: You can ask federal agencies what records they hold about you. It's not FOIA. It's specifically for your personal data. Start with USA.gov's guide.
- Contact your representatives: Trahan's office has a full copy of the report. Read it. Reference it when you write.
- Watch the DOGE investigations: The SSA Inspector General probe has a congressional deadline of March 26. Results could shape the reform debate.
- Support state-level reforms: California, Vermont, and Connecticut are moving. Your state might be next.
Sources
- [1] Rep. Trahan - Privacy Act Report Announcement
- [2] Nextgov - Lawmaker pitches blueprint for post-DOGE privacy overhaul
- [3] Washington Post - DOGE member took Social Security data on a thumb drive
- [4] Federal News Network - Social Security watchdog opens probe
- [5] TechPolicy.Press - DOGE's Plundering of Data Hastens Calls to Tighten Government Privacy Laws
- [6] Full Report PDF - Privacy, Trust, and Effective Government
- [7] FedScoop - House Democrat wants to modernize privacy law
Published: March 15, 2026