If the federal government outside of the IRS wants access to taxpayer data, it must prove the need, protect the data, and make the use transparent. Right now, none of that is happening.
The Elon Musk-led Department of Government Efficiency is seeking expanded access to the IRS’s most sensitive databases, claiming it wants to root out fraud and streamline oversight. But granting access without strict limits risks undermining the privacy protections that should undergird US tax law.
Third-party access to taxpayer data may sound like a hypothetical threat, but Sweden offers a concrete warning. There, the national tax agency is facing a lawsuit for sharing taxpayer information—from income and real estate ownership to personal identification numbers—with data brokers and marketers.
Despite strong European privacy laws, the Swedish tax authority seems to have justified the practice as a matter of constitutional transparency, illustrating how even well-intentioned principles can enable erosion of individual rights. Noble pretense doesn’t help taxpayers when privacy is treated more like an administrative inconvenience than a priority.
DOGE’s nominal goal is to root out “waste, fraud, and abuse” across federal programs. And the initiative has pushed for access to the IRS Integrated Data Retrieval System, or IDRS, a tightly controlled database that contains the financial and personal records of tax filers.
Those in favor of a systemwide review of potential taxpayer abuse might argue that access to data is necessary, but there doesn’t seem to be a good policy rationale applicable to individualized data. Evidence of systemic fraud would be apparent at a more abstract level than in individual returns. Program-level fraud detection can be achieved at the program level, and granting additional access carries major risks. The more people or agencies gain entry into the IRS’s data systems, the higher the likelihood of accidental breaches or intentional misuse.
DOGE staffers already have partial access to refund-related data through the Treasury Department’s Bureau of Fiscal Service, and the pursuit of the IDRS suggests an appetite for deeper, more granular insight into individual tax records. There doesn’t appear to be any clear public safeguards outlining what DOGE could or couldn’t do with the data if it gains access.
Across the Atlantic, Sweden’s tax authority is confronting a legal, and potential reputational, crisis over how it manages and monetizes taxpayer data. At the center of the controversy is the Statens personadressregister, or state personal address register—a database maintained by the tax authority that contains personal data on Swedish taxpayers.
Under current Swedish law, private companies can access this information for marketing, verification, or other related uses. These uses include a yearly calendar of individual Swedish citizen incomes, top earners organized by municipality, and the 100 highest earners in the country. If the accusations are true, it would mean the Swedish tax authority is selling taxpayer data on the open market in the name of transparency.
Austrian-based privacy advocacy group noyb (an acronym for “none of your business”) sued the agency, citing a ruling from Sweden’s Supreme Court. That ruling made it clear that when data risks being processed in a way that contravenes the European Union’s General Data Protection Regulation, public access must be restricted.
The tax authority has defended its data sharing under Sweden’s constitutional commitment to transparency, but the ruling shows that government transparency can’t justify sharing personal data if that data is likely to be misused.
A constitutional ideal gave cover to a practice that undermined data protections Sweden helped enshrine in EU law, despite that Sweden was itself the first country in the world to pass a national data protection law when it passed the Data Act of 1973.
But how do democratic governments reconcile the value of transparency and oversight with the right to data privacy? This issue is particularly thorny for data that comes from government records historically thought of as private, such as tax returns and other sensitive state records.
In Sweden, the tension is at the constitutional level. In the US, Section 6103 of the tax code makes it a felony to disclose taxpayer information without proper authorization. DOGE’s push to access IDRS raises questions about whether internal access, which could increase the risk of third-party exposure or political misuse, amounts to disclosure.
The US and Swedish stories diverge when it comes to the latter’s requirement to reconcile EU data rights with domestic law—there is no such oversight in the US. When access to taxpayer data is expanded without strict safeguards, taxpayer privacy rights are only as strong as the next judicial or administrative decision.
Sweden’s case, meanwhile, offers a reminder that good intentions, opaque procedures, and noble-sounding justifications can be liabilities. The country’s tax administration didn’t set out to commodify sensitive personal data on its citizens, but by failing to restrict access, that is effectively what it did.
The US should learn from that example before taxpayer data becomes a casualty of administrative overreach. Section 6103 protects taxpayer data for a reason: It contains sensitive information that shouldn’t be disclosed to any entity until expanded access has been rigorously scrutinized, comes with enforceable purpose limitations, and leaves clear audit trails.
The lesson isn’t just about data misuse—it’s about institutional design, too. When a government agency operates without strict limitations and pursues a broad, imprecise mandate such as eliminating waste, fraud, and abuse, that agency’s structure increases the odds of privacy violations.
That’s where DOGE stands today. Regardless of its stated goals, it either lacks the internal guardrails to safely handle taxpayer data or hasn’t informed taxpayers that those guardrails have been built. As it’s structured, DOGE shouldn’t gain access to the IDRS database or any individualized taxpayer data at all.
If the federal government truly believes waste and fraud run rampant in the tax system, it can spend the time, money, and political capital to build the right oversight architecture. Until then, access to the IRS’s most sensitive systems should remain tightly restricted. Accountability is important, but it shouldn’t come at the expense of taxpayer privacy.
Andrew Leahey is a tax and technology attorney, principal at Hunter Creek Consulting, and practice professor at Drexel Kline School of Law. Follow him on Mastodon at @andrew@esq.social
Read More Technically Speaking
To contact the editors responsible for this story:
Learn more about Bloomberg Tax or Log In to keep reading:
Learn About Bloomberg Tax
From research to software to news, find what you need to stay ahead.
Already a subscriber?
Log in to keep reading or access research tools.