Privacy Laws Are Outmoded. Here’s How To Update Them

When I joined Palantir in 2010 to cofound its Privacy and Civil Liberties Engineering team, the proliferation of Internet services and post-9/11 acknowledgement of intelligence failures signaled imminent updates to America’s data privacy laws. If you had asked me then whether the Privacy Act of 1974, our nation’s anchor legislation for overseeing the government’s use of personal information, was ripe for an update, I’d have speculated that “it’s surely coming any day now.” Over a decade and a half later, I’m still waiting in dismay.
In 2026, we are living through transformative technological changes. Frontier software and artificial intelligence systems rely on massive troves of data and incorporate analytical practices that could not have been conceived even a few years ago. Americans generate more data on their smartphones in a day than the entire federal government possessed in 1974.
More critically, that data exists in forms the Privacy Act could not have foreseen. Today, it is well known that multiple sets of anonymized data can be used to re-identify individuals whose data should remain protected. In other words, one cannot effectively protect individual privacy rights without competently addressing the challenges raised by expansive (and growing) data collection and aggregation.
The law hasn’t kept pace with these technical realities, and this gap impacts every American. More than ever before, as a privacy professional working on cutting-edge software systems, I believe privacy reform is urgently needed to address the concerns of Americans – spanning the political spectrum – who have lost trust in public sector institutions to ensure their privacy rights emanate from constitutional and legislative protections. Fortunately, there are several common-sense reforms that could serve as a basis for modernizing the Privacy Act and restoring this broken trust.
First, Congress must craft a law that recognizes a new definition of personal data as it manifests in modern software systems. The law ought to move away from the narrow and antiquated concept of “record” laid out in the Privacy Act to encompass a spectrum of data forms from individual to aggregate data. For example, this definition ought to account for two types of data that a federal agency may rely on in a SIM swap investigation: individual data like names and Social Security numbers of the victims as well as aggregated location data that may be purchased from third-party providers and used to track down fraudster locations. Each serves a distinct investigative purpose and each carries different privacy considerations for which law enforcement should be required to account.
Second, Congress should mandate clear modern data standards for federal agencies. Data should be accurate, access must be controlled and effectively logged, agencies should collect only what they need, and they should keep it only as long as necessary. These measures, which build upon established and generally accepted Fair Information Practice Principles (FIPPs), provide a stable foundation for guiding the adoption of Privacy Enhancing Technologies (PETs) that technically support the protection of individual rights.
Third, and perhaps most importantly, to ensure privacy rights are respected by agencies, Congress must be able to seamlessly audit federal agencies. When agencies are asked what data they store or have analyzed, the answer shouldn’t take months. Modern systems can – and should – be able to provide answers to Congress in hours or days. If an agency can quickly show what data it holds, who accessed it, and why, the same capabilities that enable timely and effective oversight will also contribute to a restoration of public trust through demonstrated accountability.
These suggested reforms are evolutionary, not revolutionary. They build on what works in the 1974 Act and adapt its principles to answer modern challenges. We won’t be starting from scratch in delivering on these priorities, either, as serious reform efforts have been proposed within the last several years. Data privacy reform in the federal government will also act as the foundation for Congress to meaningfully govern data-intensive advanced AI systems. Legislative reform is essential, but implementation will require partnership between Congress, agencies, and the technology companies that build the systems upon which government relies.
Effective government and robust privacy protections must go hand in hand. The question isn’t whether to modernize the Privacy Act and other protections, but when Congress will finally act. It is time for the federal government to enshrine stronger oversight, clearer accountability, and higher technical standards for how it collects, stores, and uses Americans’ data. If lawmakers are serious about reform, we’re ready to help build that future.