The second Trump administration, which started in January 2025, has not yet directly targeted data privacy in the United States or prioritized its regulation. However, a number of the administration’s actions have sparked significant concerns.
Politicians, privacy experts, citizens, and foreign governments have serious questions and are demanding answers about access to and protection of the personal data of millions of US citizens, as well as individuals residing in other countries who are users or customers of US-based companies.
Potential violations of existing privacy laws are being tracked, and a number of lawsuits have also been filed.
Concerns beyond US borders include the ongoing viability of adequacy agreements governing international data transfers, e.g. the EU-U.S. Data Privacy Framework. If it is struck down — as its predecessors were — it could affect regulators, organizations, and individuals around the world.
We look at the data privacy-related effects of some executive orders to date as well as the executively created “Department of Government Efficiency” (DOGE). Who is working for it? What is it doing? What data have its workers been accessing? We’ll discuss what this administration’s term may mean for Americans’ data privacy, international flow of data, and decisions that businesses and governments may need to make to maintain their privacy standards.
What is the Department of Government Efficiency (DOGE)?
Many of the current concerns about data privacy center around the Department of Government Efficiency (DOGE).
DOGE was established by executive order in January 2025, headed by billionaire businessman Elon Musk. He and the administration initially downplayed Musk’s role as somewhat unofficial and temporary; however, he has been declared by a number of courts to be the de facto leader/administrator of DOGE.
The department was created from the little-known U.S. Digital Service, though several dozen of the Service’s previous employees were terminated when Trump took office.
DOGE’s stated goal is to reduce waste in federal spending, as well as abuse and fraud in government operations. Trump noted that Musk would have “full and prompt access to all unclassified agency records, software systems and IT systems.”
At least part of DOGE claims to be a temporary entity meant to terminate 18 months after its establishment, on July 4, 2026.
Issues with DOGE management and staffing
Musk is not a government employee, nor are those DOGE workers in his employ. These individuals have not gone through the usual processes for gaining government clearance that are required in order to access sensitive systems or information.
DOGE workers have not been sourced from existing government departments, and many are actually private sector employees of other companies Musk runs, such as SpaceX. DOGE workers who have received media attention have also come from software engineering roles with no relation to or experience in cybersecurity or data privacy.
These Musk employees working for DOGE are allegedly unpaid and expected to serve six-month stints in the department, classified as “special government employees”, before returning to their regular jobs.
Beyond DOGE and throughout the Trump administration, by executive order the President has granted temporary six-month security clearances to incoming White House officials.
These people also have not completed the usually required vetting process needed to gain access to sensitive and classified information and have never been assessed for security vulnerabilities.
Issues with DOGE activities, transparency, and disclosure
Many concerns and some lawsuits filed to date relate to Musk’s actual role and to government systems being accessed by DOGE workers, which has been found by a federal judge to be a likely violation of the Appointments Clause of the US Constitution.
Musk has promised transparency in DOGE’s activities, which in practice has largely manifested in the form of tweets by Musk on the social media platform X (formerly Twitter), which he owns.
Additionally, President Trump tried to exempt DOGE from public disclosure rules under the Freedom of Information Act by making it a temporary agency. A federal judge has since denied this attempt and ordered the release of documents.
DOGE access to sensitive personal information
Musk’s employees working for DOGE have allegedly gained access to a variety of federal government systems and databases across many departments.
These contain sensitive information on departmental operations and hundreds of millions of American citizens and government employees, for functions ranging from student financial aid to nuclear weapons programs. These departments include:
- Department of the Treasury (USDT)
- Department of Education (DE)
- Department of Energy (DOE)
- Department of Labor (DOL)
- Department of Health and Human Services (HHS)
- Office of Personnel Management (OPM)
- Internal Revenue Service (IRS)
- U.S. Agency for International Development (USAID)
- Centers for Disease Control and Prevention (CDC)
- Centers for Medicare & Medicaid Services (CMS)
- National Oceanic and Atmospheric Administration (NOAA)
- Federal Aviation Administration (FAA)
- Consumer Financial Protection Bureau (CFPB)
- Small Business Administration (SBA)
Musk’s DOGE workers have allegedly accessed sensitive information on many millions of American citizens, businesses, and government workers in likely violation of privacy laws.
Some of this information includes:
- Tax, income, and banking information
- Social Security (including information on retirees and family members, and people with disabilities)
- Personnel records
- Union memberships
- Medical and biological information
- Citizenship and immigration status and information about migrant children
- Payroll for federal employees
These kinds of data are protected under multiple state and federal laws, and are categorized as sensitive under many privacy laws, which require restrictions on the collection and use of, and access to, such data, along with additional security measures.
Musk has argued that access to these systems is necessary to identify and eliminate fraud and waste, and that at least some of the access is read-only. Senior government IT personnel who pushed back against granting Musk and his workers access to these systems were reportedly removed from their roles.
Stuart Stevens, a former Republican strategist, has called the DOGE takeover of the Treasury’s systems “the most significant data leak in cyber history.” He also noted that “private individuals in the data business now have access to your Social Security information.”
However, on April 7, 2025, a federal appeals panel paused an order that had restricted DOGE access to large amounts of sensitive personal data from three federal agencies, including the OPM, once again potentially giving the department wide access to a great deal of potentially sensitive information.
The Center for Democracy and Technology has released a fact sheet addressing DOGE and government data privacy.
AI use with sensitive personal information
Dozens of inquiries about DOGE use of AI tools have been sent by the House Oversight Committee. There are concerns that the AI software used is third-party, has not been vetted, and lacks oversight, especially given the sensitivity of the alleged data inputs.
The goal of using AI tools is reportedly to streamline and automate government operations. Whether the use of such tools is legal, exactly what data is included, and what steps have been taken to safeguard it remain unknown.
There are also concerns that the personal information could be used for functions unrelated to delivering government services without consent or oversight. One example mentioned would be to train Grok, Musk’s own proprietary AI model.
Federal agencies are required to follow strict protocols in vetting and use of AI software, chiefly through the Federal Risk and Authorization Management Program, which ensures such tools are properly assessed for security risks. Reportedly, none of this has been done.
The Advancing American Artificial Intelligence Act also requires federal agencies to “prepare and maintain an inventory of the artificial intelligence use cases of the agency,” as well as “make agency inventories available to the public.” According to reports, this has not been done either.
Potential regulatory violations and legal challenges relating to data privacy
The Privacy Act of 1974 has been referenced in over a dozen lawsuits filed against the Trump administration and various departments to date. The Privacy Act restricts government agencies’ sharing of private information with unauthorized entities without the consent of citizens.
Other potentially implicated federal regulations meant to protect the privacy and security of individuals and their personal information from unauthorized disclosures may include the Computer Fraud and Abuse Act, Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Americans with Disabilities Act (ADA), and others.
The Senate Intelligence Committee sent a letter to the White House that said, “No information has been provided to Congress or the public as to who has been formally hired under DOGE, under what authority or regulations DOGE is operating, or how DOGE is vetting and monitoring its staff and representatives before providing them seemingly unfettered access to classified materials and Americans’ personal information.”
The letter posed 22 questions to which the senators are seeking answers, and also expressed concerns about cybersecurity for federal systems and networks. It noted, “Such unregulated practices with our government’s most sensitive networks render Americans’ personal and financial information, and our classified national secrets, vulnerable to ransomware and cyber-attacks by criminals and foreign adversaries.”
A DOGE advisor claimed in a post on the X platform that DOGE has not accessed any classified information without proper security clearances. The White House Press Secretary stated that Trump, Musk, and the DOGE workers were “going to look at the receipts of this federal government and ensure its [sic] accountable to American taxpayers. That’s all that is happening here.”
Pending lawsuits
Dozens of lawsuits have been filed over actions undertaken by Musk’s DOGE workers and other Trump administration representatives. We will highlight a small sample of these lawsuits.
Over 100 federal employees and labour unions have filed lawsuits that question DOGE authority to access their personal information, with some preliminary success. Arguments focus on a lack of oversight and transparency in the procedures that allowed such access, as well as the risk of misuse of the data.
Another lawsuit filed by two Office of Personnel Management employees (OPM is functionally the HR department for the US federal government) alleges that an “unauthorized commercial server” — officially called the Government-Wide Email System — was connected to the agency’s network in order to email the federal workforce.
The complaint is looking to obtain a preliminary injunction against the use of the system, and claims that DOGE is sidestepping federal law by not conducting the necessary privacy impact assessment (PIA). It also claims that the server, along with other connected systems, is retaining information about all federal employees.
Unvetted and insufficiently secured third-party software and systems can also pose risks from malware; enable loss, damage, or theft; allow access by malicious external parties; and more.
The OPM claims that PIAs are only required for systems dealing with public information, and that theirs only maintains federal government employees’ names, email addresses, and responses to the system’s mass emails.
Another lawsuit targets the Department of the Treasury for allegedly providing DOGE staff with “access to highly sensitive information about taxpayers and others who send and receive payments from the government, including allegations of violations of privacy protections that were enacted in the 1970s as well as Internal Revenue Service Code.”
That lawsuit was filed by the American Federation of Government Employees, the Alliance for Retired Americans, and the Service Employees International Union.
There have already been preliminary rulings finding likely violations of the Privacy Act and temporary restraining orders against DOGE accessing sensitive information, though these cases will take some time to work their way through the courts, and additional lawsuits are quite possible.
Federal vs. state governments and data privacy
The United States does not have a federal data privacy law, but over 20 states have passed their own regulations. These laws are designed to protect the privacy and data of state residents, which could include sensitive information being accessed by DOGE workers and others. These laws also work with, and in some areas defer to, relevant federal laws, like HIPAA and the GLBA.
Activities in the federal government could be in violation of state-level regulatory requirements and privacy rights. Over a dozen Democratic state attorneys have filed a lawsuit to block further DOGE access to sensitive federal government systems and Americans’ personal data.
International data transfers and implications for existing adequacy agreements
The actions by DOGE workers and others in the Trump administration have also raised concerns about data privacy and security beyond the state level and US borders. International data agreements have also come into question.
The Privacy and Civil Liberties Oversight Board
On 29 January 2025, Bloomberg reported that the Trump administration dismissed the chairperson and two Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB), threatening its ability to function effectively. When or if replacements will be appointed remains unclear.
The PCLOB is an independent body responsible for ensuring transparency and accountability in US surveillance practices. The Board plays a key role with the EU-U.S. Data Privacy Framework that has been in place between the EU and US since 2023.
The EU has significantly relied on the PCLOB to ensure that the US adequately protects personal data, and to address any complaints from EU residents about misuse of their data. The EU and US have different approaches to data privacy frameworks, with the EU and laws like the General Data Protection Regulation (GDPR) being more stringent.
Big tech platforms, international data transfers, and data privacy
The world’s largest tech companies — among them Google, Meta, Apple, and Microsoft — have global operations, and the US-based ones regularly transfer data internationally to data centers in the United States.
The US government’s access to data from such transfers has long been a point of contention with EU authorities. The US government and law enforcement agencies request twice as much user data from big tech companies as the EU does.
With the PCLOB’s oversight role in serious question, including its ability to independently oversee personal data protection and address complaints, the future of the EU-U.S. Data Privacy Framework and of transatlantic data transfers is in jeopardy.
If no new PCLOB members are appointed, or if new appointees do not restore confidence in the Board’s ability to function, the future of the Framework, which itself is a replacement for previous agreements that were struck down, remains in question.
The future of data privacy under the Trump administration
US government operations, security and privacy concerns, and legal challenges continue to change rapidly, and likely will for some time. The effects may be confined to the US, but there is a strong chance that international agreements and business operations may also be affected.
Balancing ongoing government operations with optimizing efficiency, robust data security, and privacy protections is complex, and there will always be tensions.
Streamlining processes and operations has definitely been an expressed priority of this administration, but it needs to be done with a focus on security and privacy regulations and policies. To date, however, it has prompted significant concerns and challenges inside and outside of the government.
Those affected by the changes — inside and outside of the government — have rights under the law, including rights to transparency in knowing what is happening, how, what data of theirs is affected, and who is making changes.
In the meantime, US companies can reinforce their commitment to protecting privacy and users’ data, and be transparent about their data processing and respect for privacy rights.
A clear and comprehensive privacy policy, consent management platform, and real consent choices are key tools for building privacy-led organizations and trusted, long-term customer relationships.