By: Alex Joel, Senior Project Director and Marina Thornhill, Research Assistant
In the 1970s, a series of scandals involving abuse of government power gripped Washington, D.C. In the wake of Watergate, Senator Sam Ervin, Chairman of the Senate Judiciary Committee, led efforts to protect Americans’ privacy, culminating in the enactment of the Privacy Act of 1974 (Privacy Act). In a legislative history of the Privacy Act, Senator Ervin said:
If we have learned anything in this last year of Watergate, it is that there must be limits upon what the Government can know about each of its citizens. Each time we give up a bit of information about ourselves to the Government, we give up some of our freedom. For the more the Government or any institution knows about us, the more power it has over us. When the Government knows all of our secrets, we stand naked before official power. Stripped of our privacy, we lose our rights and privileges. The Bill of Rights then becomes just so many words.
As explained in the Justice Department’s detailed Overview of the Privacy Act, the Privacy Act embodies what are widely known as the Fair Information Practice Principles (FIPPs) (for more on the FIPPs, see this paper on Privacy Across Borders). According to the Overview’s introduction:
As implemented in the Privacy Act, the FIPPs: allow individuals to determine what records pertaining to them are collected, maintained, used, or disseminated by an agency; require agencies to procure consent before records pertaining to an individual collected for one purpose could be used for other incompatible purposes; afford individuals a right of access to records pertaining to them and to have them corrected if inaccurate; and require agencies to collect such records only for lawful and authorized purposes and safeguard them appropriately. Exceptions from some of these principles are permitted only for important reasons of public policy. Judicial redress is afforded to individuals when an agency fails to comply with access and amendment rights, but only after an internal appeals process fails to correct the problem. Otherwise, liability for damages is afforded in the event of a willful or intentional violation of these rights.
The Overview wraps up its introduction by noting that in the decades since its enactment, “information technologies have expanded in ways that the drafters … could never have imagined… [but] the basic principles of fair information practices as implemented in the Act have continued to do their work maintaining the relationship of trust between the people and their government.”
With that as background for the role the Privacy Act has played in the past fifty years, the Privacy Across Borders team is examining the ongoing debate about whether current efforts to improve government efficiency are consistent with Privacy Act obligations. On January 20, 2025, President Trump issued Executive Order (EO) 14158, which established the Department of Government Efficiency (DOGE), also known as the United States DOGE Service (USDS). Exec. Order No. 14158, 90 Fed. Reg. 8441 § 1, 3(a) (Jan. 20, 2025). The EO created DOGE “to maximize governmental efficiency and productivity.” Id. at § 1. To facilitate this purpose, the EO directs the USDS Administrator to “work with Agency Heads to promote interoperability between agency networks and systems, ensure data integrity, and facilitate responsible data collection and synchronization.” Id. at § 4(a). The EO requires Agency Heads “to ensure USDS has full and prompt access to all unclassified agency records, software systems, and IT systems.” Id. at § 4(b).
On March 20, 2025, President Trump followed up on EO 14158 by issuing Executive Order 14243, Stopping Waste, Fraud and Abuse by Eliminating Information Silos. EO14243 calls on Agency Heads to “take all necessary steps, to the maximum extent consistent with law, to ensure … Federal officials designated by the President … have full and prompt access to all unclassified agency records . . . for purposes of pursuing Administration priorities related to the identification and elimination of waste, fraud, and abuse.” Presumably, the phrase “Federal officials designated by the President” includes DOGE officials pursuing their mandate to “maximize government efficiencies and productivity.” To evaluate the implications of EO 14158, it is important to understand its limitation to provide access “to the maximum extent permitted by law.” The law that is directly relevant here is the Privacy Act. See 5 U.S.C. § 552a (b).
Specifically, the Privacy Act prohibits agencies from disclosing records that contain identifying information about individuals “to any person, or to another agency” without the “consent of the individual to whom the records pertains, unless” an exception to said disclosure applies. Id. In addition, the Privacy Act requires agencies to follow certain procedures when collecting, maintaining, and disseminating records. See § 552a (c)–(f). For example, agencies must publish a notice describing in detail the kinds of personal records they maintain and the procedures for individuals to gain access to records about themselves.
In subsequent blog posts, PAB will analyze several questions under the Privacy Act. First, is DOGE an “agency” under the Privacy Act? If it is, DOGE will have certain obligations when collecting, maintaining, and disseminating federal agency records with personal information. See § 552a (c)–(f). Whether DOGE is an agency also determines which exceptions agencies may invoke to comply with the Privacy Act without obtaining the consent of each individual whose information is being disclosed. See § 552a (b).
Second, does the Privacy Act allow agencies to disclose agency records to DOGE? This question will turn in large part on whether providing DOGE with access to records is compatible with the original purpose for which the information was collected. If disclosures are impermissible, then individuals who have been harmed may seek civil remedies. See § 552a (g). On the other hand, if the disclosures are permissible, DOGE will still have to take affirmative action to properly maintain a system of records. See § 552a (e). Finally, PAB will summarize what requirements agencies must follow to engage in a computerized comparison of their automated systems of records with any of DOGE’s automated systems of records. Regardless of DOGE’s agency status under the Privacy Act, if DOGE decides to engage in any computerized comparison of agency records, it will have to take affirmative action to properly maintain the records it obtains. See § 552a (o).
