Elon Musk’s DOGE Is Being Sued Under the Privacy Act: What to Know
Credit to Author: Eric Geller| Date: Tue, 18 Feb 2025 21:50:14 +0000
As Elon Musk’s so-called Department of Government Efficiency rampages through the US government, its access to sensitive data is alarming federal agencies and Americans who interact with them. In the month since the Trump administration began its purge of federal workers, opponents fighting DOGE in court have been pinning their hopes of stopping the world’s richest man on a 50-year-old law.
In just a few weeks, DOGE staffers have accessed federal employee records at the Office of Personnel Management, government payment data at the Department of the Treasury, data on student loan recipients at the Department of Education, information on disaster victims at the Federal Emergency Management Agency, and vast amounts of employment- and workplace-related data at the Department of Labor. White House staffers are even pressuring the Internal Revenue Service to grant DOGE access to US taxpayer records. The acting head of the Social Security Administration recently resigned rather than give DOGE access to her agency’s reams of sensitive personal data.
More than half a dozen lawsuits are seeking to block DOGE employees from rifling through these vast troves of data. One thing they all have in common: They allege that DOGE’s actions violate the Privacy Act of 1974.
Here’s how a law passed after Watergate could rein in another president whose self-professed zeal for retribution is unnerving constitutional experts.
The Privacy Act is a law that limits how the federal government can collect, use, and share information about US citizens and other people in the United States.
The law’s core features include letting people access government records about them; letting people correct those records if they contain mistakes; requiring agencies to limit information collection, publish lists of records databases, and protect data from hackers; and restricting how agency employees and third parties can access records.
Those restrictions on accessing data are at the heart of the ongoing DOGE saga.
The Privacy Act prohibits an agency from disclosing someone’s records—even within the agency—unless that person approves in writing or the agency meets one of the law’s 12 exceptions. Most of the exceptions deal with fairly specific circumstances, such as congressional oversight, law enforcement investigations, court orders, census work, statistical research, and National Archives preservation. But there are also two broad, vague exceptions: Agencies can share records with their own employees who “have a need for the record in the performance of their duties” or with third parties for “a routine use” (defined as one that is “compatible with the purpose for which [the data] was collected”).
President Richard Nixon illegally used the powers of the government to investigate, intimidate, and punish his political enemies. He tried to use the IRS to target liberal political groups with audits and scrutiny of their tax exemptions, and he deployed the FBI to spy on and harass his political opponents. After Nixon’s resignation over the Watergate scandal, lawmakers sought to prevent future presidents from weaponizing government power.
“Congress must act before sophisticated new systems of information gathering and retention are developed, and before they produce widespread abuses,” North Carolina Democratic senator Sam Ervin said as he introduced one of the bills that inspired the Privacy Act. “The peculiarity of new complex technologies is that once they go into operation, it is too late to correct our mistakes or supply our oversight.”
After months of congressional wrangling that saw the elimination of Ervin’s proposed independent privacy oversight board, President Gerald Ford signed the Privacy Act into law on December 31, 1974. Ford, who had chaired the Domestic Council Committee on the Right of Privacy that Nixon created during his final months in office, highlighted “the vital need to provide adequate and uniform privacy safeguards for the vast amounts of personal information collected, recorded, and used in our complex society.”
DOGE’s critics—including Democratic lawmakers, federal employee unions, and government watchdog groups—argue that giving the office’s young, controversial, and seemingly largely unvetted staffers access to sensitive government data constitutes a major privacy breach. The incidents represent “the largest and most consequential breach of personal information in US history,” according to John Davisson, a lawyer for the Electronic Privacy Information Center, one of the groups suing to block DOGE’s access.
The Trump administration, meanwhile, says DOGE employees need this data access to accomplish their mission of eliminating wasteful spending and shuttering programs that conflict with President Donald Trump’s agenda. After one federal judge temporarily blocked DOGE’s access to government payment systems, a White House spokesperson called the ruling “absurd and judicial overreach.” Musk targeted the judge on X, saying, “He needs to be impeached NOW!”
It will depend on whether multiple judges agree with the Trump administration’s arguments claiming the law doesn’t prevent DOGE staffers from accessing agencies’ sensitive data.
The government contends that people can only sue agencies under the Privacy Act in one of four scenarios: when an agency refuses to grant someone access to a record about them; when an agency refuses to modify someone’s record as they requested; when an agency fails to keep someone’s record up to date and they experience concrete harm, such as a denial of benefits; or when an agency otherwise violates the law’s requirements in ways that adversely affect someone. It remains to be seen whether judges will determine that DOGE’s access to data adversely affects people.
Agencies have also argued that they aren’t violating the Privacy Act because DOGE’s activities fall under the law’s “routine use” and “need to know” exceptions. In a court filing responding to one legal challenge, the Treasury Department said that DOGE personnel were accessing the data to identify potentially improper payments “in furtherance of [their] duties” as directed by Trump (triggering the “need to know” exception) and that sharing this information with other agencies fell under one of the “routine uses” that the agency had previously disclosed as required by the Privacy Act.
The strength of that argument rests on how judges weigh two questions: whether the DOGE personnel accessing each agency’s data are employees of those agencies, and whether the two exceptions apply to the situations in which they accessed and shared the data.
There are at least eight lawsuits against the Trump administration over DOGE’s access to federal data, and all of them rely at least in part on the Privacy Act.
In the state AGs case, a judge quickly issued a temporary restraining order restricting access to all Treasury systems storing sensitive personal and financial data. The case has since been assigned on a permanent basis to a different judge, who adjusted the order slightly after the Trump administration objected to its restrictions on political appointees. A status hearing took place on February 14.
In the EPIC case, the organization has asked the judge for a temporary restraining order blocking further DOGE access to certain Treasury and OPM systems. A status hearing will be held on February 21.
In the UC students case, the Department of Education is arguing, among other things, that the students haven’t shown any harm; that the Privacy Act only allows courts to pause agency actions in two situations not applicable here; and that the DOGE staffers are Education Department employees allowed to access the data. On February 17, a judge denied the students’ motion for a temporary restraining order, saying they had not suffered “irreparable injury.”
In the Labor, HHS, and CFPB case, the judge rejected the plaintiffs’ request for a temporary restraining order, saying they failed to demonstrate the likely success of their arguments about the Privacy Act and other laws. But he also questioned whether DOGE staffers were employees of the agencies whose data they were accessing—a crucial question for a Privacy Act case.
In the Treasury case, the unions and ARA have asked for a temporary restraining order, but Treasury is making many of the same arguments as the Education Department, including that the Privacy Act can’t be used to pause DOGE staffers’ access to data and invoking the need-to-know and routine-use exception. The judge in the case has temporarily limited access to Treasury’s payment system while weighing the plaintiffs’ request for a restraining order. A hearing is scheduled for February 24.
The AFGE, NTEU, and class-action lawsuits haven’t proceeded beyond the filing of initial complaints.