A series of lawsuits challenging federal agencies’ sharing of Americans’ personal data with Elon Musk’s federal cost-cutting group all have something in common: a 50-year-old privacy statute with little applicable precedent.
In the last week, groups sued the US Labor, Treasury, and Education departments, as well as the Office of Personnel Management and Consumer Financial Protection Bureau, alleging their handing over of individuals’ sensitive data to the Trump administration’s Department of Government Efficiency violates the Privacy Act of 1974.
The Watergate-era law aimed to restore trust in government agencies by restricting how federal bodies can collect, maintain, use, and share Americans’ information. But the Privacy Act has had little play in court over accusations of agencies’ unlawful and willful disclosures of data, leaving open questions about how judges will apply the act’s requirements to agencies’ compliance with DOGE’s demands.
“We can see, potentially, all government agencies being subject to unauthorized access of their systems,” said Ron De Jesus, field chief privacy officer at Transcend. “So it’s incredibly important that these lawsuits are coming because it’s going to force judges to make decisions about Americans and their privacy.”
At least nine complaints filed so far accuse the agencies of unlawfully exposing swaths of personal data to DOGE, including mortgage statements, tax returns, immigration status, and Social Security numbers. Judges have so far split on granting plaintiffs’ requests for temporary restraining orders barring DOGE employees from accessing personal data held by agencies.
Not a ‘Litigator’s Dream’
The Privacy Act is the main law that regulates the public sector’s data practices. It prohibits disclosures of information from agencies’ records systems without consent, with defined exceptions that include when the information is needed for an agency to perform its duties, for routine uses, or to comply with a law enforcement request.
If an agency must share its data, federal bodies can add a new “routine use” of the data only if it’s compatible with the original purpose of collection. Before relying on the exception, they’re required to publish the new use in the Federal Register for public comment.
In a Feb. 9 filing, the government argued that a temporary restraining order limiting “all political appointees” from accessing data from Treasury should be vacated because it limits high-level employees like Treasury Secretary Scott Bessent from doing their job. The government said the order was a “remarkable intrusion” on the executive branch.
It’s “hard to imagine what possibly legitimate reason” DOGE has for accessing agencies’ information, said Adam Pulver, attorney at Public Citizen Litigation Group, the organization representing plaintiffs in suits against the Education and Treasury departments.
The agencies targeted with lawsuits haven’t yet published notices related to the new uses of their data by DOGE, according to Federal Register filings.
Though the law allows private citizens to sue over violations, it hasn’t exactly been a “litigator’s dream,” said Robert Gellman, privacy consultant and former House staffer.
Attorneys have struggled to obtain damages from improper disclosures after a 2012 Supreme Court ruling in FAA v. Cooper curbed the remedies available for Privacy Act violations.
The law is old and wasn’t “done as well as it could have been,” Gellman added.
The US Justice Department, which represents federal agencies in litigation, didn’t immediately respond to a request for comment.
Unprecedented
On Feb. 7, attorneys general from 19 states also sued President Donald Trump, the Department of the Treasury, and Bessent over the department’s “new and dangerous expanded access policy,” noting that their states “have not received even basic information about whether sensitive information is being shared” or “how that information is being used.”
On Feb. 8, District Judge Paul A. Engelmayer found that the states have shown a “likelihood of success” on the merits of their claims, with statutory claims that are “particularly strong.”
The breadth of the alleged disclosures makes these cases novel under the Privacy Act, legal professionals said.
“I can’t remember a time when there’s been such an obvious and well-documented” grant of unfettered access to agencies’ data, said Alan Butler, executive director and president of the Electronic Privacy Information Center, who sued the Treasury Department, OPM, and DOGE. This is an “egregious overreach with respect to a really sensitive federal government database.”
Still, the lack of precedent over agencies’ alleged Privacy Act violations won’t mean judges will be in completely uncharted territory.
“The case law is clear about what is or isn’t permissible,” said Lynn Parker Dupree, leader of Finnegan, Henderson, Farabow, Garrett & Dunner LLP’s privacy practice and former chief privacy officer at the Department of Homeland Security. “So while we have never seen these circumstances,” there is an “understanding” of what is acceptable under exceptions to the law’s consent requirement.
“It will be a matter of applying that case law to these circumstances,” she said.
Agency Status
The status of DOGE as the renamed US Digital Service within the White House will likely play a central role in how judges determine its ability to access federal data. Non-government employees “cannot get information about individuals that is maintained in a Privacy Act system of records,” Gellman said.
If courts find the data was shared with federal employees, it could provide a path for DOGE’s lawful access to data going forward. Still, an after-the-fact notice of a new routine use from the agencies won’t “undo the violations,” Pulver said.
As federal judges across jurisdictions are tasked with applying the law to an unprecedented scenario, the continued multiplication of lawsuits could soon create differing rulings on DOGE’s access to government data—as well as the recourse that plaintiffs’ attorneys will be able to obtain.
“Even if a court stops DOGE from continually accessing these systems, again, they have the information. It’s like a hacker, right? They already have the information,” De Jesus said."We can stop access. We can stop the bleeding. But once it’s bled, the damage has been done.”
To contact the reporter on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Tax or Log In to keep reading:
Learn About Bloomberg Tax
From research to software to news, find what you need to stay ahead.
Already a subscriber?
Log in to keep reading or access research tools.