Excerpted from a Biometric Update Blog by Anthony Kimery
Democratic Rep. Lori Trahan this week released a sweeping report arguing that the decades old Privacy Act of 1974, once a landmark safeguard against government overreach, is now structurally incapable of protecting Americans in an era defined by cloud computing, data brokers, and AI.
“Over fifty years later, privacy pessimism, cynicism, and fatalism predominate,” the report warns.
The 68-page report was developed after Trahan issued a Request for Information (RFI) in March 2025 seeking public input on how to update the foundational federal privacy law.
Trahan frames the report as deliberately bipartisan and bicameral in scope. The executive summary states that its recommendations are designed “to make responsible data processing easier and irresponsible data processing impossible.”
Drawing on responses from civil organizations, former federal officials, industry stakeholders, and privacy advocates, the report lays out a detailed legislative roadmap aimed at overhauling how the federal government collects, processes, shares, and oversees personal data.
“The Privacy Act was written for a world of file cabinets and mainframe computers, not one defined by cloud storage, data brokers, and AI,” Trahan said in a statement accompanying the report’s release. “Americans should be able to trust that their personal information is handled responsibly by their government.”
Enacted in the aftermath of Watergate and revelations of illegal domestic surveillance by the Federal Bureau of Investigation, the Privacy Act of 1974 established rules governing federal agencies’ collection, maintenance, use, and disclosure of personal information.
“For all of their prescience, the Privacy Act’s authors did not, and could not, design a law capable of handling transformational technologies like artificial intelligence. Nor could they have accounted for the aggrandizing nature of the modern imperial presidency,” Trahan said in the report’s foreword.
“For these reasons and more, Congress must modernize the Privacy Act,” Trahan said.
In its response to the RFI, the Electronic Privacy Information Center (EPIC) applauded Trahan “for taking steps to protect Americans’ privacy and constitutional rights against current and future abuses,” adding that “aspects of the Privacy Act have become outdated due to technological advances and increasingly ineffective in the face of deliberate agency defiance.”
The Leadership Conference on Civil and Human Rights said in its response to the RFI that “the need to update the Privacy Act has never been more pressing. Elon Musk and the so-called Department of Government Efficiency (DOGE) have accessed, collected, and combined previously secure federally-held data.”
“Their actions threaten the privacy of individuals’ sensitive personal information held by the government and the laws Congress passed to protect that data,” the group added.
While Congress has passed related statutes over the decades, including the Computer Matching and Privacy Protection Act and the E Government Act, the core structure of the Privacy Act itself has not undergone comprehensive reform.
The report’s executive summary is blunt about the consequences. The Privacy Act, it states, “is doubtless failing … the protections it ostensibly affords to individuals do not account for emerging technology or expanding executive power, and its outmoded regulatory framework hamstrings good, effective, and accountable governance.”
Recent incidents, including unauthorized data exfiltration at the Department of Treasury and Social Security Administration by DOGE, and expanded surveillance activities by the Department of Homeland Security, have exposed what the report calls “deep vulnerabilities” in the statute’s structure.
Trahan said she “was horrified by the brazen violations to our privacy perpetrated in the name of combatting waste, fraud, abuse and modernizing information technology systems. Unvetted political appointees were gaining access to, and – as whistleblowers bravely revealed – exfiltrating reams of Americans’ personal data with impunity.”
Trahan said, “these efforts jeopardized individual privacy and elevated cybersecurity risks to critical government systems. Exhaustive congressional investigations are surely in order.”
At the heart of the blueprint is a conceptual shift away from what the report describes as a “system-centric” privacy model toward one that is “purpose-centric.”
Under current law, the Privacy Act’s requirements hinge on whether information is contained in a “system of records,” a term defined by how data is retrieved rather than how it is used.
The report argues that this retrieval-based model is ill suited to modern data flows in which records move across databases, are queried through natural language interfaces, and are combined through algorithmic tools.
For the full story, please click here.