As Elon Musk’s so-called Department of Government Efficiency rampages through the US government, its access to sensitive data is alarming federal agencies and Americans who interact with them. In the month since the Trump administration began its purge of federal workers, opponents fighting DOGE in court have been pinning their hopes of stopping the world’s richest man on a 50-year-old law.
In just a few weeks, DOGE staffers have accessed federal employee records at the Office of Personnel Management, government payment data at the Department of the Treasury, data on student loan recipients at the Department of Education, information on disaster victims at the Federal Emergency Management Agency, and vast amounts of employment- and workplace-related data at the Department of Labor. White House staffers are even pressuring the Internal Revenue Service to grant DOGE access to US taxpayer records. The acting head of the Social Security Administration recently resigned rather than give DOGE access to her agency’s reams of sensitive personal data.
More than half a dozen lawsuits are seeking to block DOGE employees from rifling through these vast troves of data. One thing they all have in common: They allege that DOGE’s actions violate the Privacy Act of 1974.
Here’s how a law passed after Watergate could rein in another president whose self-professed zeal for retribution is unnerving constitutional experts.
The Privacy Act is a law that limits how the federal government can collect, use, and share information about US citizens and other people in the United States.
The law’s core features include letting people access government records about them; letting people correct those records if they contain mistakes; requiring agencies to limit information collection, publish lists of records databases, and protect data from hackers; and restricting how agency employees and third parties can access records.
Those restrictions on accessing data are at the heart of the ongoing DOGE saga.
The Privacy Act prohibits an agency from disclosing someone’s records—even within the agency—unless that person approves in writing or the agency meets one of the law’s 12 exceptions. Most of the exceptions deal with fairly specific circumstances, such as congressional oversight, law enforcement investigations, court orders, census work, statistical research, and National Archives preservation. But there are also two broad, vague exceptions: Agencies can share records with their own employees who “have a need for the record in the performance of their duties” or with third parties for “a routine use” (defined as one that is “compatible with the purpose for which [the data] was collected”).
Why Did Congress Pass the Privacy Act?
President Richard Nixon illegally used the powers of the government to investigate, intimidate, and punish his political enemies. He tried to use the IRS to target liberal political groups with audits and scrutiny of their tax exemptions, and he deployed the FBI to spy on and harass his political opponents. After Nixon’s resignation over the Watergate scandal, lawmakers sought to prevent future presidents from weaponizing government power.
“Congress must act before sophisticated new systems of information gathering and retention are developed, and before they produce widespread abuses,” North Carolina Democratic senator Sam Ervin said as he introduced one of the bills that inspired the Privacy Act. “The peculiarity of new complex technologies is that once they go into operation, it is too late to correct our mistakes or supply our oversight.”
After months of congressional wrangling that saw the elimination of Ervin’s proposed independent privacy oversight board, President Gerald Ford signed the Privacy Act into law on December 31, 1974. Ford, who had chaired the Domestic Council Committee on the Right of Privacy that Nixon created during his final months in office, highlighted “the vital need to provide adequate and uniform privacy safeguards for the vast amounts of personal information collected, recorded, and used in our complex society.”
How Is This Relevant Today?
DOGE’s critics—including Democratic lawmakers, federal employee unions, and government watchdog groups—argue that giving the office’s young, controversial, and seemingly largely unvetted staffers access to sensitive government data constitutes a major privacy breach. The incidents represent “the largest and most consequential breach of personal information in US history,” according to John Davisson, a lawyer for the Electronic Privacy Information Center, one of the groups suing to block DOGE’s access.
The Trump administration, meanwhile, says DOGE employees need this data access to accomplish their mission of eliminating wasteful spending and shuttering programs that conflict with President Donald Trump’s agenda. After one federal judge temporarily blocked DOGE’s access to government payment systems, a White House spokesperson called the ruling “absurd and judicial overreach.” Musk targeted the judge on X, saying, “He needs to be impeached NOW!”
Can the Privacy Act Stop DOGE?
It will depend on whether multiple judges agree with the Trump administration’s arguments claiming the law doesn’t prevent DOGE staffers from accessing agencies’ sensitive data.
The government contends that people can only sue agencies under the Privacy Act in one of four scenarios: when an agency refuses to grant someone access to a record about them; when an agency refuses to modify someone’s record as they requested; when an agency fails to keep someone’s record up to date and they experience concrete harm, such as a denial of benefits; or when an agency otherwise violates the law’s requirements in ways that adversely affect someone. It remains to be seen whether judges will determine that DOGE’s access to data adversely affects people.
Agencies have also argued that they aren’t violating the Privacy Act because DOGE’s activities fall under the law’s “routine use” and “need to know” exceptions. In a court filing responding to one legal challenge, the Treasury Department said that DOGE personnel were accessing the data to identify potentially improper payments “in furtherance of [their] duties” as directed by Trump (triggering the “need to know” exception) and that sharing this information with other agencies fell under one of the “routine uses” that the agency had previously disclosed as required by the Privacy Act.
The strength of that argument rests on how judges weigh two questions: whether the DOGE personnel accessing each agency’s data are employees of those agencies, and whether the two exceptions apply to the situations in which they accessed and shared the data.
Who’s Using the Privacy Act to Sue DOGE?
There are at least eight lawsuits against the Trump administration over DOGE’s access to federal data, and all of them rely at least in part on the Privacy Act.
- The American Federation of Government Employees, the Association of Administrative Law Judges, and more than 100 current and former federal workers are suing DOGE, Musk, and the Office of Personnel Management over what they claim is OPM’s illegal decision to give DOGE staffers access to a federal employee database, alleging that DOGE staffers “lack a lawful and legitimate need for such access.”
- The Electronic Privacy Information Center, on behalf of an unnamed federal worker, is suing OPM, DOGE, and the Department of the Treasury for allegedly giving DOGE access to OPM’s personal database and Treasury’s payment system “for purposes impermissible under the Privacy Act.”
- The University of California Student Association is suing the Department of Education for allegedly turning over student data to DOGE staffers who are not, in the language of the Privacy Act, “employees who have a need for the records in the performance of their duties.”
- Six government labor unions, two nonprofit groups, and the think tank Economic Policy Institute are suing the departments of Labor and Health and Human Services, the Consumer Financial Protection Bureau, and DOGE to prevent the office from accessing a wide range of data, including federal workers’ wage-theft complaints and injury reports, for purposes allegedly “inconsistent with the Privacy Act.”
- Two government labor unions and the advocacy group Alliance for Retired Americans are suing Treasury for allegedly giving DOGE access to Americans’ tax returns in alleged violation of both the Privacy Act and the Internal Revenue Service’s own special rules.
- The National Treasury Employees Union is suing Acting CFPB director Russell Vought for giving information about CFPB employees to DOGE staffers, alleging their status as “special government employees” places them outside the CFPB and thus outside the Privacy Act’s need-to-know exception.
- Nineteen state attorneys general are suing Trump and Treasury over DOGE’s access to federal payment systems, arguing that because “many of the DOGE members given access to [the system] were not employees of Treasury,” that constitutes “a violation of the Privacy Act.”
- Six Americans are suing the Treasury and DOGE over what they describe as breaches of the sensitive personal data they gave the government while filing tax returns, applying for student loans, requesting disability payments, and receiving retirement benefits.
Where Do These Cases Stand?
In the state AGs case, a judge quickly issued a temporary restraining order restricting access to all Treasury systems storing sensitive personal and financial data. The case has since been assigned on a permanent basis to a different judge, who adjusted the order slightly after the Trump administration objected to its restrictions on political appointees. A status hearing took place on February 14.
In the EPIC case, the organization has asked the judge for a temporary restraining order blocking further DOGE access to certain Treasury and OPM systems. A status hearing will be held on February 21.
In the UC students case, the Department of Education is arguing, among other things, that the students haven’t shown any harm; that the Privacy Act only allows courts to pause agency actions in two situations not applicable here; and that the DOGE staffers are Education Department employees allowed to access the data. On February 17, a judge denied the students’ motion for a temporary restraining order, saying they had not suffered “irreparable injury.”
In the Labor, HHS, and CFPB case, the judge rejected the plaintiffs’ request for a temporary restraining order, saying they failed to demonstrate the likely success of their arguments about the Privacy Act and other laws. But he also questioned whether DOGE staffers were employees of the agencies whose data they were accessing—a crucial question for a Privacy Act case.
In the Treasury case, the unions and ARA have asked for a temporary restraining order, but Treasury is making many of the same arguments as the Education Department, including that the Privacy Act can’t be used to pause DOGE staffers’ access to data and invoking the need-to-know and routine-use exception. The judge in the case has temporarily limited access to Treasury’s payment system while weighing the plaintiffs’ request for a restraining order. A hearing is scheduled for February 24.
The AFGE, NTEU, and class-action lawsuits haven’t proceeded beyond the filing of initial complaints.