On March 20, the Trump administration issued an executive order that dangerously expands the Department of Government Efficiency’s (DOGE) access to data. It looks to eliminate “information silos” that are crucial for protecting privacy and preventing government abuse, and it could lay the groundwork for creating a massive database that combines all sensitive personal data of anyone government agencies hold data on. This is every bit as dangerous and dystopian as it sounds.
The administration is directing all federal agencies to modify or rescind any regulations preventing the sharing of unclassified data and records with other parts of the U.S. government, as well as to ensure “unfettered access” to comprehensive data from all state programs that receive federal funding, including those stored in third-party databases. The aim of this dangerous expansion of data sharing is purportedly to stop “waste, fraud, and abuse” and “eliminate inefficiency.” This builds on months of overreach by DOGE within federal agencies, which has already sparked lawsuits and alarm from privacy experts, advocates, and public servants.
This executive order throws the door open to actions that could violate the U.S. government’s international human rights obligations. In response, Congress should urgently pass legislation to meaningfully protect people’s personal data, including by updating and reforming the Privacy Act – a Watergate era law that limits how the federal government can collect, use, and share information about U.S. citizens and permanent residents.
Expansive interagency sharing of personal data could fuel abuses against vulnerable people and communities who are already being targeted by Trump administration policies, like immigrants, lesbian, gay, bisexual, and transgender (LGBT) people, and student protesters. The personal data held by the government reveals deeply sensitive information, such as people’s immigration status, race, gender identity, sexual orientation, and economic status.
A massive centralized government database could easily be used for a range of abusive purposes, like to discriminate against current federal employees and future job applicants on the basis of their sexual orientation or gender identity, or to facilitate the deportation of immigrants. It could result in people forgoing public services out of fear that their data will be weaponized against them by another federal agency.
But the danger doesn’t stop with those already in the administration’s crosshairs. The removal of barriers keeping private data siloed could allow the government or DOGE to deny federal loans for education or Medicaid benefits based on unrelated or even inaccurate data. It could also facilitate the creation of profiles containing all of the information various agencies hold on every person in the country. Such profiles, combined with social media activity, could facilitate the identification and targeting of people for political reasons, including in the context of elections.
Information silos exist for a reason. Personal data should be collected for a determined, specific, and legitimate purpose, and not used for another purpose without notice or justification, according to the key internationally recognized data protection principle, “purpose limitation.” Sharing data seamlessly across federal or even state agencies in the name of an undefined and unmeasurable goal of efficiency is incompatible with this core data protection principle.
It is also unclear that combining scores of government-held data sources would increase efficiency. Networking data at this large scale creates new risks based on inaccurate and incorrect data. It also presents a national security risk, given the value of such data to foreign adversaries and malicious hackers. Worse yet is that once approved, sharing data in this way will be hard to roll back. Unlinking networked data at this scale to meet national and international standards, or even to get back to where we are now would be a mammoth, complicated task.
The Trump administration’s attempt to repurpose government-held data exposes the inadequacy of U.S. laws to protect the right to privacy under international human rights standards. The United States currently lacks a comprehensive data protection law, leaving private personal data open to abuse by both state and corporate actors.
The Privacy Act does not meet modern data protection needs and for the most part does not protect the data of non-U.S. citizens who lack permanent residency status in the United States. Limiting privacy rights to citizens and permanent residents is inconsistent with international human rights standards, which require states to protect personal data under their control, even when it belongs to foreign nationals.
Nonetheless, the executive order most likely violates what limited data protections exist within the United States. The Privacy Act prohibits changes to rules for data sharing outside of agencies without providing advanced notice and holding public consultations first. The executive order seems to attempt a legally dubious end-run around that process.
Congress should urgently amend and update the Privacy Act to ensure that it offers enduring and effective protection to everyone, regardless of their citizenship status. It should also adopt comprehensive data protection legislation in line with international human rights standards, and require agencies to delete all data that was improperly accessed and shared. Failure to take these steps exposes us all to further abuses.
– Deborah Brown (Bluesky – LinkedIn – X) is Deputy Director for Technology, Rights and Investigations division at Human Rights Watch. Published courtesy of Just Security.
