Introduction
The New York State Attorney General, along with 18 other states, filed suit against President Donald J. Trump and Secretary of the Treasury Scott Bessent in the United States District Court for the Southern District of New York. At the heart of the lawsuit is the belief:
States have a strong interest in ensuring that they and their residents continue to receive disbursement under these critical federal programs, while also not exposing the private information of millions of Americans to security breaches, misuse, malware, or foreign actors.
Unfortunately, much evidence already exists our data has been exposed in several ways. First, multiple special employees, without proper vetting or training, have read and write access to what the Federal government terms “personally identifiable information (PII)” defined as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.” Second, said employees are feeding data from federal agencies, according to the complaint, to an open-source AI system (Azure). Third, the special employees have failed to notify States about the sharing of information with third parties. The Honorable Paul Engelmayer, on February 8th, issued a temporary restraining order thereby prohibiting anyone but previously authorized civil servants access to citizens’ private data as “the new [DOGE] policy presents of the disclosure of sensitive and confidential information and the heightened risk that the systems in questions will be more vulnerable than before to hacking.”
Among the 19 states taking part in the suit, 9 (California, Colorado, Connecticut, Delaware, Maryland, Minnesota, New Jersey, Oregon, Rhode Island) currently protect their residents data rights. In the New York State Assembly, a bill to “manage and oversee personal data” currently resides in senate and house committees. Two additional states in the suit also have bills in committee (Hawaii and Illinois) and Massachusetts has several(1, 2, 3, 4, 5, and 6) proposed legislative options in both the house and senate. Arizona, Maine, Nevada, North Carolina, Vermont, Wisconsin do not currently have protections for citizens on the books no is there any proposed legislation. Finally, Indiana, Iowa, Kentucky, Montana, Nebraska, New Hampshire, Tennessee, Texas, Utah, and Virginia round out the list for the remaining states with data protection laws; however, they have not, as of yet, come fort to take part in litigation on behalf of their citizenry.
How does this relate to the issue of AI and privacy? Data. As King and Meinhardt succinctly demonstrate in their white paper entitled Rethinking Privacy in the AI Era: Policy Provocations for a Data-Centric World:
The connective tissue between privacy and AI is data: Nearly all forms of AI require large amounts of training data to develop classification or decisional capabilities. Whether or not an AI system processes or renders decisions about individuals, if a system includes personal information, particularly identifiable personal information, as part of its training data, it is likely to be subject – at least in part – to privacy and data protection regulations.(5)
And we do have some protections. Some of the already-existing protections became part of the federal code well before our personal data became so easily portable.
Federal Protections
The Privacy Act of 1974
The Department of Health, Education and Welfare issued the Records, Computers, and the Rights of Citizens: Report of the Secretary’s Advisory Committee on Automated Personal Data Systems in 1973. Their working agenda set forth a series of “Fair Information Practice Principles” which served as a foundation for the 1974 Privacy Act. The protections and requirements established under the current law (5 U.S.C. § 552a) certify that the disclosure of citizens’ data (for President Trump declined this right for foreigners under Section 14 of Executive Order 13768) can only be disclosed to:- Officers and employees working in an agency which maintains the record and they need it as part of their job duties
- Be used as required under Section 552
- Use for “routine use” which means for the purpose compatible to its collection
- The Census Bureau to help carry out a census
- Someone who requested the information and has assured the agency the record is to be used in statistical research and the record will not be individually identifiable
- The National Archives and Records if it has historical value
- Another agency or jurisdiction for civil or criminal law enforcement
- A person demonstrating compelling circumstances that could potentially affect the health of safety of someone
- Congress or potentially any committee or subcommittee
- The Comptroller General
- Answer a court order
- A consumer reporting agency
- Maintaining information about a citizen that is relevant and necessary for the purposes of the agency
- Collecting the information directly from the individual whenever possible and informing the individual why they have said authority, purpose, uses, and potential effects on them
- Verifying the “accuracy, relevance, timeliness, and completeness” of any information collected and shared
- Notcreating any records concerning how a citizen exercises their First Amendment
- Notifying a citizen when their records have been shared
- Creating rules of conduct for how to work with PII and train users in said rules, and
- “Establish[ing] appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained”.
Computer Fraud and Abuse Act of 1986
Under President Regan, the Congress passed the first protections connected to computer usage. The first attempt, however, was so poorly drafted due to concerns about legal redundancy (i.e. the laws currently on the books would provide satisfactory protection and prosecutorial teeth) and government overreach into our lives. The 1984 version had three central elements:- Individuals could be charged with a felony if they used a computer “to obtain classified United States defense or foreign relations information with the intent…such information would be used to harm the United States or to advantage a foreign nation
- It became a misdemeanor to access financial information at a bank, financial institution, or consumer reporting agency
- Finally, one could be charged with a misdemeanor if one used, modified, destroyed, or disclosed information on a computer used on behalf of the business of the United States if said activity “would affect the government’s use of the computer”
E-Government Act of 2002
Before the Federal government began surreptitiously purchasing our data from third-party vendors, the institution understood their citizenry were moving in a digital direction. The U.S. Department of Commerce issued a report entitled A National Online: Howe Americans are Expanding their Use of the Internet in February of 2002. Between October 1997 and September 2001, Internet usage in the United States increased over 30% with more than half of all Americans going online. Due to the increasing digital wanderings of the public, Congress wished to provide leadership and encourage the development of an office of electronic government (e-gov) under the auspices of the Office of Management and Budget. The overarching goal of the E-Government Act of 2002 was to promote and encourage the use of the Internet by citizens and the Federal government alike.Section 208 outlines one of the main contribution of the act — Privacy Impact Assessments (PIA). PIAs aid the decision-making process when considering data privacy risks for new and emerging technologies. A PIA has three specific goals:
- Ensure conformance with applicable legal, regulatory, and policy requirements for privacy
- Determine the risks and effects
- Evaluate protections and alternative processes to mitigate potential privacy risks
The second can be found under Title III of act, also known as Federal Information Security Management Act. Updated and amended in 2014 as the Federal Information Security Modernization Act, the law sets forth three security requirements for our central government’s information systems. To be compliant with the act, all agencies must ensure the confidentiality, integrity, and availability of government information.
Conclusion
As you can see, the United States does have an existing framework of protection of our data in regards to what the Federal government has collected and uses as part of the day-to-day workings of the institution. Unfortunately, President Biden’s Executive Order 14110 which called for more clarity from AI developers as well as privacy protections for our data was revoked by President Trump on January 20, 2025.In my future posts, I will discuss in greater depth the current protections for Americans under state regulations, the EU’s General Data Protection Regulation and Artificial Intelligence Act, and UNESCO’s Guidelines for the Governance of Digital Platforms.
Professor Karen Sichler 