Elon Musk’s DOGE Is Being Sued Under the Privacy Act: What to Know

After months of congressional wrangling that saw the elimination of Ervin’s proposed independent privacy oversight board, President Gerald Ford signed the Privacy Act into law on December 31, 1974. Ford, who had chaired the Domestic Council Committee on the Right of Privacy that Nixon created during his final months in office, highlighted “the vital need to provide adequate and uniform privacy safeguards for the vast amounts of personal information collected, recorded, and used in our complex society.”

How Is This Relevant Today?

DOGE’s critics—including Democratic lawmakers, federal employee unions, and government watchdog groups—argue that giving the office’s young, controversial, and seemingly largely unvetted staffers access to sensitive government data constitutes a major privacy breach. The incidents represent “the largest and most consequential breach of personal information in US history,” according to John Davissona lawyer for the Electronic Privacy Information Center, one of the groups suing to block DOGE’s access.

The Trump administration, meanwhile, says DOGE employees need this data access to accomplish their mission of eliminating wasteful spending and shuttering programs that conflict with President Donald Trump’s agenda. After one federal judge temporarily blocked DOGE’s access to government payment systems, a White House spokesperson called the ruling “absurd and judicial overreach.” Musk targeted the judge on X, saying, “He needs to be impeached NOW!”

Can the Privacy Act Stop DOGE?

It will depend on whether multiple judges agree with the Trump administration’s arguments claiming the law doesn’t prevent DOGE staffers from accessing agencies’ sensitive data.

The government contends that people can only sue agencies under the Privacy Act in one of four scenarios: when an agency refuses to grant someone access to a record about them; when an agency refuses to modify someone’s record as they requested; when an agency fails to keep someone’s record up to date and they experience concrete harm, such as a denial of benefits; or when an agency otherwise violates the law’s requirements in ways that adversely affect someone. It remains to be seen whether judges will determine that DOGE’s access to data adversely affects people.

Agencies have also argued that they aren’t violating the Privacy Act because DOGE’s activities fall under the law’s “routine use” and “need to know” exceptions. In a court filing responding to one legal challenge, the Treasury Department said that DOGE personnel were accessing the data to identify potentially improper payments “in furtherance of (their) duties” as directed by Trump (triggering the “need to know” exception) and that sharing this information with other agencies fell under one of the “routine uses” that the agency had previously disclosed as required by the Privacy Act.

The strength of that argument rests on how judges weigh two questions: whether the DOGE personnel accessing each agency’s data are employees of those agencies, and whether the two exceptions apply to the situations in which they accessed and shared the data.

Who’s Using the Privacy Act to Sue DOGE?

There are at least eight lawsuits against the Trump administration over DOGE’s access to federal data, and all of them rely at least in part on the Privacy Act.

1. The American Federation of Government Employees, the Association of Administrative Law Judges, and more than 100 current and former federal workers are suing DOGE, Musk, and the Office of Personnel Management over what they claim is OPM’s illegal decision to give DOGE staffers access to a federal employee database, alleging that DOGE staffers “lack a lawful and legitimate need for such access.”
2. The Electronic Privacy Information Centeron behalf of an unnamed federal worker, is suing OPM, DOGE, and the Department of the Treasury for allegedly giving DOGE access to OPM’s personal database and Treasury’s payment system “for purposes impermissible under the Privacy Act.”
3. The University of California Student Association is suing the Department of Education for allegedly turning over student data to DOGE staffers who are not, in the language of the Privacy Act, “employees who have a need for the records in the performance of their duties.”
4. Six government labor unions, two nonprofit groups, and the think tank Economic Policy Institute are suing the departments of Labor and Health and Human Services, the Consumer Financial Protection Bureau, and DOGE to prevent the office from accessing a wide range of data, including federal workers’ wage-theft complaints and injury reports, for purposes allegedly “inconsistent with the Privacy Act.”
5. Two government labor unions and the advocacy group Alliance for Retired Americans are suing Treasury for allegedly giving DOGE access to Americans’ tax returns in alleged violation of both the Privacy Act and the Internal Revenue Service’s own special rules.
6. The National Treasury Employees Union is suing Acting CFPB director Russell Vought for giving information about CFPB employees to DOGE staffers, alleging their status as “special government employees” places them outside the CFPB and thus outside the Privacy Act’s need-to-know exception.
7. Nineteen state attorneys general are suing Trump and Treasury over DOGE’s access to federal payment systems, arguing that because “many of the DOGE members given access to (the system) were not employees of Treasury,” that constitutes “a violation of the Privacy Act.”
8. Six Americans are suing the Treasury and DOGE over what they describe as breaches of the sensitive personal data they gave the government while filing tax returns, applying for student loans, requesting disability payments, and receiving retirement benefits.

Where Do These Cases Stand?

In the state AGs case, a judge quickly issued a temporary restraining order restricting access to all Treasury systems storing sensitive personal and financial data. The case has since been assigned on a permanent basis to a different judge, who adjusted the order slightly after the Trump administration objected to its restrictions on political appointees. A status hearing took place on February 14.

In the EPIC casethe organization has asked the judge for a temporary restraining order blocking further DOGE access to certain Treasury and OPM systems. A status hearing will be held on February 21.