On January 20, 2025, Co-President Donald Trump signed Executive Order (EO 14158), which established the Department of Government Efficiency (DOGE). Since its creation, and notwithstanding its deeply unserious memeified name and the fact that it’s not even a freaking government department at all, DOGE has come to represent a very serious problem with seemingly limitless and unchecked powers.

I am breaking this up into three parts because it’s long, and people told me it was too long to list as one.

• In Part I, I lay out what DOGE is, and whether DOGE’s band of chaos monkeys are even Federal Employees.

• Part II (this one) explores the Privacy Act of 1974 in more detail, as well as a breakdown of the 12 cases that have been brought against DOGE, the Trump Administration, the various agencies complying with DOGE’s unreasonable requests, and even Elon Musk.

• Part III consists of my analysis, where I essentially lay out why (assuming the rule of law still exists in America) I think DOGE is violating the Privacy Act of 1974 and why it needs to be stopped.

And with that, let’s dig into the law!

A Crash Course on the Privacy Act of 1974

"Federal officials handling personal information are 'bound by the Privacy Act not to disclose any personal information and to take certain precautions to keep personal information confidential.'"1

Like so many privacy laws, the Privacy Act of 1974 was created out of necessity. In the aftermath of the Watergate scandal, Congress discovered that President Nixon had used the powers of the FBI and IRS to spy on political rivals & enemies, and target liberal political groups with unlawful audits and investigations.

As the old saw goes, 'History doesn't repeat itself, but it often rhymes.'

After Nixon's resignation, Congress sought to prevent future Presidents/dictators from weaponizing the full power of the government — and our data. And so, Congress passed, and President Ford signed into law, the Privacy Act of 1974, which established a number of rules and limits governing an agency's 'collection, maintenance, use, and dissemination' or disclosure of 'records' about an 'individual' contained in a 'system of records' maintained by a government agency. Barring 12 exceptions,2 the law prevents agencies from disclosing personal information stored in records, unless the individual provides prior written consent to the disclosure,3 or that disclosure qualifies as a 'routine use' of data for a purpose that is compatible with the reason the information was collected. The Privacy Act also includes strong guardrails against matching records between agencies, or with non-government data. The law applies to both disclosure of records between agencies, or with non-Federal agencies and third parties.

Now that we have the context, let's get to a few key definitions.

Individual § 552a(a)(2)

An individual is "a citizen of the United States or an alien lawfully admitted for permanent residence." There are no additional qualifiers here.

Records § 552a(a)(4)

Records are defined as "any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph."

System of Records § 552a(a)(5)

The Act defines a System of Records as "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”

Routine Use § 552a(a)(7)

A routine use refers to the use of a "record for a purpose which is compatible with the purpose for which it was collected." A routine use must be defined by the relevant agency as part of a Privacy Act Systems of Records Notice (SORNs).4 A SORN is basically the Privacy Act equivalent of a Transparency (or Privacy) Notice.

For example, here's the Government-wide IRS System of Records Notice for IRS 70.001 - Individual Income Tax Returns, Statistics of Income - 80 FR 54063. It was last updated in 2015. As you can see, there are ... a lot of routine uses. Including many mentions of fraud. However, nearly all of these relate to sharing or disclosing data in cases of identity theft & fraud (against the taxpayer) — not as a means to identify larger tax fraud abuses.

Disclosure §552a(b)

Agencies are prohibited from disclosing “any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.”5 This has been interpreted broadly by the courts to include oral disclosures, and 'damaging information' taken from a record and inserted into a new document.6

Further, a disclosure under the Privacy Act “may be either the transfer of a record or the granting of access to a record.”7

As mentioned above, there are twelve exceptions here, but most are inapplicable to DOGE. For example, records may be disclosed to other agencies, or for law enforcement purposes, to comply with a court order, in respect to National Archives, under a FOIA request, or to members of Congress or the Comptroller General. However, some agencies might argue that they were permitted to disclose records in certain cases:

• as part of intra-agency sharing to "officers and employees of the agency" in the performance of their duties (often referred to as the 'need to know' exception); §552a(b)(1)

• for routine use; §552a(b)(3)

• to a recipient who has provided advanced notice when the record is used for statistical purposes, and is in a form 'not individually identifiable.’ §552a(b)(5)

Matching Programs §552a(a)(8) & 552a(o)

A matching program refers to "any computerized comparison of"

• two or more automated systems of records; or

• (i) a system of records with non-Federal records for the purpose of:

  • establishing or verifying the eligibility of, or continuing compliance with statutory and regulatory requirements by, applicants for, recipients or beneficiaries of, participants in, or providers of services with respect to, cash or in kind assistance or payments under Federal benefit programs, or

  • recouping payments or delinquent debts under such Federal benefit programs, or

• (ii) two or more automated Federal personnel or payroll systems of records or a system of Federal personnel or payroll records with non-Federal records.

Critically, §552a(o) restricts the use of matching programs to disclosures made between the source agency, recipient agencies, or non-Federal agencies for use in a computer matching program. Non-Federal agencies generally refer to state or local government agencies, not random fly-bys. The law is silent on whether recipients who do not qualify as a recipient agency or a non-Federal agency can participate in a matching program.

To disclose records as part of a lawful matching program, a written agreement between the source & recipient agencies and/or non-Federal agencies must be in place. The matching agreement must specify the purpose and legal authority for conducting the matching program, the justification and anticipated results, a description of the records that will be matched, and procedures for notice, data retention, verification, security controls, etc.

However, under §552a(a)(8)(B)(v), an agency can only match personnel records if

the purpose of the match is not to take any adverse financial, personnel, disciplinary, or other adverse action against Federal personnel.

Similarly, under §552a(p), no agency or non-Federal agency may

suspend, terminate, reduce, or make a final denial of any financial assistance or payment under a Federal benefit program to such individual, or take other adverse action against such individual, as a result of information produced by such matching program until …

• the agency has independently verified the information or the Data Integrity Board of an agency8, determines that the information is limited to the benefits paid and there's a high degree of confidence that the information provided is accurate;

• i. the individual receives a notice from the agency containing a statement of its findings and the opportunity to contest the findings; and
  ii. they fail to respond within the time period specified (e.g., 30 days). §552a(p)(1). Independent verification requires an 'investigation and confirmation of specific information' that is the basis for the adverse action.

Consent

The Privacy Act does not specify that written consent is required. However, courts have found that consent, at a minimum, should be explicit.9 OMB Guidelines also state that “the consent provision [is] not intended to permit a blanket or open-ended consent clause, i.e., one which would permit the agency to disclose a record without limit.”10 Whether DOGE's use of records to, for example, train AI models or engage in batch firings via automation, will be a legal and factual question for courts to decide.

Accountability, Transparency, & Individual Rights

Like other privacy laws, there are accounting and transparency obligations under §552a(c) (e) & (f), and limited data subject rights (access & correction) under §552a(d).11 The list is long and exhaustive, so I will summarize the most relevant sections.

Accountability

The rules for what agencies must account for in terms of disclosure of records are extensive. The same goes for agency SORN requirements, and the rulemaking process generally.

Notably, under §552a(e)(5), agencies must maintain accurate, relevant, timely, and complete records. Agencies also may not maintain records "describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity." §552a(e)(7)

Rules of conduct and use must be established, and "appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual" must be in place. §552a(e)(9) & (10)

Transparency

The information that must be shared in a SORN is spelled out in §552a(e)(4). It includes details about the agency and the agency official responsible for the system of records, the name and location of the system, categories of individuals whose records are maintained, the categories of records, routine uses, the policies and practices of the agency, individual notifications, and how they can exercise their rights. §552a(e)(4).

Agencies must provide at least 30 days' notice if they intend to add or change routine uses, or engage in a matching program with a non-Federal agency. §552a(e)(11) & (12). Additionally, this information must be published in the Federal Register.

Any "significant changes" that an agency proposes to establish or make to a system of records or a matching program requires notice to the Committee on Government Operations of he House of Representatives, the Committee on Governmental Affairs of the Senate, and the Office of Management and Budget in order to permit an evaluation of the probable or potential effect of such proposal on the privacy or other rights of individuals. §552a(r)

Individual Rights

Finally, the Privacy Act also provides individuals with access to information about them, and the ability to correct any records that are inaccurate, and to request a review if the agency refuses to correct any alleged inaccuracies (§552a(d)(1-5). Agencies must also limit what information they collect or disclose, and provide information on the databases where records reside, and the purposes of the databases generally.

Remedies

The Privacy Act allows for both civil and criminal penalties. There are a few possible grounds under §552a(g)(1)(A-D):

• If an agency does not comply with an individual rights access OR a correction request;

• If an agency fails to maintain an accurate, relevant, timely & complete record and an adverse determination is made "relating to the qualifications, character, rights, or opportunities of, or benefits to the individual that may be made on the basis of such record";

• If an agency fails to comply with any other provision of this section, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual.

Should a court determine that the agency has willfully or intentionally violated the Privacy Act, it can order the government to pay the prevailing plaintiff(s) no less than $1,000, along with reasonable attorneys' fees and litigation costs. Finally, there are some criminal penalties for willful disclosure by officers or employees of an agency under §552a(i), including fines and misdemeanor conviction. But, let's be honest here: there’s no way the Justice Department is going to pursue a criminal action.

Below is a list of current Privacy Act-related cases brought against the agencies, DOGE, the Administration, Trump & Musk pertaining to DOGE activities.

Timeline of DOGE Privacy Act Lawsuits

As of March 1, 2025, Just Security has identified 95 federal lawsuits brought against the Administration. Of those, 24 include privacy-related concerns against the Administration generally, 24 specifically relate to DOGE, and 12 touch on the Privacy Act specifically in relation to DOGE. Lawsuits have named DOGE, Trump and the Administration, individual agencies, and even Elon Musk personally.

Alliance for Retired Americans v. Scott Bessent et al (Case No. 1:25-cv-00313, D.D.C.) Filed: February 3, 2025

Summary: A group of retirees sued Scott Bessent and the Treasury Department for granting access to sensitive personal and financial information to DOGE-affiliated individuals. On Feb. 6, 2025, the parties in the suit proposed an order that Judge Colleen Kollar-Kotelly adopted. It limits access to Treasury Department payment records and systems to two SGEs in the Department with “read-only” access, other employees with need-to-know access, and individuals who are already entitled to access the records under statute.

Legal challenges:

• Administrative Procedure Act, 5 U.S.C. § 706(2)(A) & (C) (contrary to law, arbitrary & capricious, & in excess of statutory authority).

• Internal Revenue Code, 26 U.S.C. § 6013 (confidentiality requirements - "“[r]eturns and return information shall be confidential,” and cannot be disclosed by a federal officer and employee unless authorized by statute).

• Privacy Act

  • 5 U.S.C. § 552a(b) (the Privacy Act prohibits the disclosure of a record about an individual to any person or another agency unless “the individual to whom the record pertains” consents or a statutory exception applies).

  • 5 U.S.C. § 552a(e)(4) & (e)(11) (Agency must prepare a notice in the Federal Register “publish in the Federal Register notice of any new use or intended use of the information in the system, and provide an opportunity for interested persons to submit written data, views, or arguments to the agency."

New York et al v. Donald J. Trump (Case No. 1:25-cv-01144-JAV, S.D.N.Y.), Filed: February 7, 2025

Summary: 19 State Attorneys General initiated a joint lawsuit in the U.S. District Court for the Southern District of New York contesting, amongst other things, Elon Musk's authority to access sensitive Treasury Department data, and the agency's failure to conduct a privacy impact assessment.

On February 21, Judge Jeanette A. Vargas issued a restraining order and limited preliminary injunction, preventing Treasury Department officials from granting access to DOGE-affiliated individuals. The court noted that “a real possibility exists that sensitive information has already been shared outside of the Treasury Department, in potential violation of federal law.”

The Treasury Department handles the disbursement of roughly $5.5 trillion in federal payments each year to states, localities, grantees, and importantly for Privacy Act purposes, individual beneficiaries of government programs.

Legal challenges:

• 5 U.S.C. § 706(2) (exceeding statutory authority, specifically in the context of providing access and disclosure of the BFS system)

  • The Agency Action exceeds Defendants’ authority under the statutes that govern the collection, storage, handling, and disclosure of PII and confidential financial information because it grants payment system access to political appointees and special government employees and/or for unauthorized purposes.

  • The Agency Action also exceeds Defendants’ authority under the statutes that govern the collection, storage, handling, and disclosure of PII and confidential financial information because it permits payment systems to be accessed on non-government third-party servers.

AFL-CIO v. Dep’t of Labor (Case No. 1:25-cv-00339, D.D.C.), Filed: February 5, 2025

Summary: DOGE sought access to internal information systems maintained by the DoL, HHS, CFPB, and OMB. Plaintiffs sued, arguing that DOGE's access violated multiple laws, including the Privacy Act and the Federal Information Security Modernization Act (FISMA), as they lacked statutory authority. The 69-page complaint is wide-reaching, and includes details from government officials on the breadth and depth of DOGE's access to data & threats to terminate government employees who did not comply.

Legal challenges:

• 5 U.S.C. § 706(2)(A), (C), (D)

• 5 U.S.C. § 552a(b) (disclosure)

• Actions ultra vires

University of California Student Ass’n v. Carter et al (Case No. 1:25-cv-00354), Filed: February 7, 2025

Summary: Plaintiff is a nonprofit public benefit association representing 230,000 undergraduate student members. They sued the DoE and its acting Secretary, arguing that individuals affiliated with DOGE had unlawfully accessed sensitive federal student loan aid information, in violation of the Privacy Act and the Internal Revenue Code. The plaintiffs moved for a temporary restraining order, which was denied on February 17. Judge Randolph Moss rejected the TRO request on the grounds that mere "access" to data by individuals not authorized to view it does not create an irreparable injury on its own.

Legal challenges:

• Multiple violations of 5 U.S.C. § 706(2)(A) (C) (contrary to law, and Privacy Act violations, as well as breach of confidentiality under the Internal Revenue Code, 26 U.S.C. § 6013)

National Treasury Employees Union v. Russell Vought (Case No. 1:25-cv-00380, D.D.C.), Filed: February 9, 2025

Summary: At least three DOGE SGEs were added to the CFPB's staff and email directories as "senior advisers" and granted access to non-classified systems, including employee information without an articulated exception under the Privacy Act and CFPB regulations.

Legal challenges:

• 5 U.S.C. § 706(2)(A) (C) (contrary to law, in violation of CFPB regulations and 5 U.S.C. § 552a(b) (disclosure))

American Federation of Teachers et al v. Bessent et al (Case No. 8:25-cv-00430, D. Md.), Filed: February 10, 2025

Summary: Plaintiffs sued alleging that the Treasury Department, OPM, and DoE provided DOGE SGEs with access to private citizens' sensitive personal information, which is unlawful under the APA and the Privacy Act. On Feb. 24, the court granted a TRO enjoining the DoE and OPM from disclosing sensitive information to any DOGE affiliates. The court denied the motion for a TRO against Treasury officials on the basis that a preliminary injunction against Treasury has already been granted in a related case.

Legal challenges:

• 5 U.S.C. § 706(2)(A) (C) (contrary to law, in violation of 5 U.S.C. § 552a(b) (disclosure)

• Failure by the agencies to protect the sensitive data on their systems 5 U.S.C. §552a(e)(1).

Electronic Privacy Information Center v. U.S. Office of Personnel Management (Case No. 1:25-cv-00255, E.D.V.A.), Filed: February 10, 2025

Summary: The Electronic Privacy Information Center (EPIC) representing an anonymous government employee, filed a suit alleging that DOGE's access to Treasury systems and transmission of Treasury records containing personal information, violated the plaintiff's right to privacy, the Fifth Amendment right to informational privacy, and puts the plaintiff and others at risk of identity theft and financial crimes.

Legal challenges:

• 5 U.S.C. § 704 (unlawful agency action under FISMA, failure to comply with statutorily-mandated security protections (44 U.S.C. §§ 3554(a)(1)–(2))

• 5 U.S.C. 552a(b) & 552a(o) (disclosure and matching)

• 26 U.S.C. § 6103 (willful or grossly negligent unauthorized disclosure)

• Fifth Amendment (violation of right to informational privacy)

• Actions ultra vires

American Federation of Government Employees, et al. v. Office of Personnel Management et al (Case No. 1:25-cv-01237, S.D.N.Y), Filed: February 11, 2025

Summary: Plaintiffs, current and former federal employees, sued the OPM, IRS, and SSA, alleging that the agencies unlawfully gave DOGE administrator-level access to OPM & SSA information systems and disclosed sensitive personal and employment records of tens of millions of government employees and their family members, including SSNs, race/ethnicity, national origin & disability information, job performance, health records, etc. They also claim that the SSA unlawfully permitted DOGE defendants with access to tax return information.

Legal challenges:

• 5 U.S.C. §§ 706(2)(A), (C) (unlawful, arbitrary & capricious action under the Internal Revenue Code, 26 U.S.C. §§6103, 7213A, and separately the Social Security Act, 42 U.S.C. § 902)

• 5 U.S.C. §§ 706(2)(A), (C) (unlawful, arbitrary & capricious action in violation of FISMA, 44 U.S.C. § 3554, due to lack of security protections).

• Multiple violations of the APA related to the Privacy Act by each named agency:

  • § 552a(b) (disclosure)

  • § 552(a)(o) (matching without an adequate written agreement)

• Violation of the Appointments Clause of the US Constitution (Art II, §2, cl. 2)

• Actions ultra vires

Nemeth-Greenleaf, et al. v. Office of Personnel Management, et al. (Case No. 1:25-cv-00407, D.D.C), Filed: February 11, 2025

Summary: Federal employees from various government departments filed suit against OPM, Treasury, and the EOP, as a proposed class action, alleging that DOGE workers unlawfully access private information from OPM and Treasury databases. The plaintiffs assert that this resulted in the systemic and continuous disclosure of personal, health, and financial information, including birth certificates and background checks.

Legal challenges:

• 5 U.S.C. § 552a(b) (disclosure) & § 552a(e)(10) (failure to maintain appropriate "administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards...")

Gribbon et al. v. Musk (Case No. 1:25-cv-00422, D.D.C.), Filed: February 12, 2025

Summary: Another proposed class action suit, brought by recipients of federal benefits, student loans, and individuals who filed tax returns with the federal government. Amongst other claims, the plaintiffs allege that DOGE personnel and Musk personally, were given full, unfettered access to Treasury and OPM systems without authorization, including tax records and filing information, failed to ensure the security of the class members' private sensitive information. The plaintiffs separately brought a cause of action against Elon Musk personally for alleged violations of the Computer Fraud and Abuse Act, as he lacked the proper credentials & authority for accessing such systems.

Legal challenges:

• 5 U.S.C. § 552a(b) (disclosure) & § 552a(e)(10) (failure to maintain appropriate "administrative, technical, and physical safeguards, due to lack of background checks and failure to meet FISMA obligations).

• Computer Fraud & Abuse Act, 18 U.S.C. § 1030(a)(2) (against Musk based on unlawful access of protected computers, by a person with "the intent to defraud and obtain anything of value.")

Center for Taxpayer Rights v. IRS (Case 1:25-cv-00457, D.D.C), Filed: February 17, 2025

Summary: Plaintiff is an organization who represents a broad range of private individuals and small business owners. They allege that by allowing DOGE staff to access private citizens' tax data, the IRS violated the Tax Reform Act, the Privacy Act, and the APA, in addition to acting ultra vires by causing the unlawful disclosure of the personal data of tens of millions of people.

Legal challenges:

• 26 U.S.C. §§ 6103, 7213A

• 5 U.S.C. § 552a(e)(4) (in relation to not conducting a PIA as required under the E-Government Act of 2002, Pub. L. 107-347, 116 Stat. 2899)

• 5 U.S.C. § 701, et seq. (in relation to violations of 5 U.S.C. § 552a(b) (disclosure) & 552a(a)(o) (matching -- "IRS Defendants have disclosed personal data contained in systems of records controlled by Defendants ... and wrongfully used such data for computer matching without an adequate written agreement.")

• Actions ultra vires

American Federation of State, County and Municipal Employees, AFL-CIO v. Social Security Administration (Case No. 1:25-cv-00596, D. Md.), Filed: February 21, 2025

Summary: This lawsuit challenges DOGE's access to Social Security Administration data and systems. In addition to violations of the Privacy Act, the complaint alleges violations of the Internal Revenue Code, FISMA, the e-Government Act, and the APA. In addition to restraining orders and injunctive relief to stop DOGE staff from accessing and disclosing information, the last two suits also seek disgorgement of records.

Legal challenges:

• 5 U.S.C. §§ 706(2)(A), (C) (Unlawful, Arbitrary and Capricious Agency Action under 26 U.S.C. §§ 6103, 7213A, 44 U.S.C. §§ 3554(a)(1)–(2), and the Social Security Act, 42 U.S.C. § 902)

• 5 U.S.C. §§ 706(2)(A), (C) (Unlawful, Arbitrary and Capricious Agency Action under 5 U.S.C. § 552a(b) and 552a(o) (disclosure & matching))

• 5 U.S.C. § 552a(b) and 552a(o)

• Violation of the Appointments Clause of the US Constitution (Art II, §2, cl. 2)

• Actions ultra vires