The arbitrary ways in which the government applies the “routine use” exemption have been drawing criticism since at least 1977, when a blue-ribbon commission established by Congress reported that federal law enforcement agencies were creating “broad-worded routine uses,” while other agencies were engaged in “quid pro quo” arrangements—crafting their own novel “routine uses,” as long as other agencies joined in doing the same.
Nearly a decade later, Congress’s own group of assessors would find that “routine use” had become a “catch-all exemption” to the law.
In an effort to stem the overuse of this exemption, the bill introduced by the Democratic senators includes a new stipulation that, combined with enhanced minimization requirements, would require any “routine use” of private data to be both “appropriate” and “reasonably necessary,” providing a hook for potential plaintiffs in lawsuits against government offenders down the road. Meanwhile, agencies would be required to make publicly known “any purpose” for which a Privacy Act record might actually be employed.
Cody Venzke, a senior policy counsel at the American Civil Liberties Union (ACLU), notes that the bill would also hand Americans the right to sue states and municipalities, while expanding the right of action to include violations that could reasonably lead to harms. “Watching the courts and how they’ve handled the whole variety of suits filed under the Privacy Act, it’s been frustrating to see them not necessarily take the data harms seriously or recognize the potential eventual harms that could come to be,” he says. Another major change, he adds, is that the bill expands who’s actually covered under the Privacy Act from merely citizens and legal residents to virtually anyone physically inside the United States—aligning the law more firmly with current federal statutes limiting the reach of the government’s most powerful surveillance tools.
In another key provision, the bill further seeks to rein in the government’s use of so-called “computer matching,” a process whereby a person’s private records are cross-referenced across two agencies, helping the government draw new inferences it couldn’t by examining each record alone. This was a loophole that Congress previously acknowledged in 1988, the first time it amended the Privacy Act, requiring agencies to enter into written agreements before engaging in matching, and to calculate how matching might impact an individual’s rights.
The changes imposed under the Democrats’ new bill would merely extend these protections to different record systems held by a single agency. To wit, the Internal Revenue Service (IRS) has one system that contains records on “erroneous tax refunds,” while another holds data on the “seizure and sale of real property.” These changes would ensure the restrictions on matching still apply, even though both systems are controlled by the IRS. What’s more, while the restrictions on matching do not currently extend to “statistical projects,” they would under the new text, if the project’s purpose might impact the individuals’ “rights, benefits, or privileges.” Or—in the case of federal employees—result in any “financial, personnel, or disciplinary action.”
The Privacy Act currently imposes rather meager criminal fines (no more than $5,000) against government employees who knowingly disclose Americans’ private records to anyone ineligible to receive them. The Democrats’ bill introduces a fine of up to $250,000, as well as the possibility of imprisonment, for anyone who leaks records “for commercial advantage, personal gain, or malicious harm.”
The bill has been endorsed by the Electronic Privacy Information Center (EPIC) and Public Citizen, two civil liberties nonprofits that are both engaged in active litigation against DOGE.
“Over 50 years ago, Congress passed the Privacy Act to protect the public against the exploitation and misuse of their personal information held by the government,” Markey says in a statement. “Today, with Elon Musk and the DOGE team recklessly seeking to access Americans’ sensitive data, it’s time to bring this law into the digital age.”