Data, Democracy, and DOGE: The Privacy Act of 1974 and the Legal Battle Over DOGE’s Access to Personal Information

by Katerina Fernandez, Associate Member, University of Cincinnati Law Review Vol. 93

I. Introduction

In recent months, the Department of Government Efficiency (“DOGE”), spearheaded by billionaire entrepreneur Elon Musk, has become the focal point of heated legal and political controversy.[1] Established under an executive order by President Donald Trump which renamed the United States Digital Service, DOGE is tasked with streamlining federal operations and reducing government waste.[2] However, its methods—particularly its unprecedented access to sensitive personal data across multiple federal agencies—have raised significant concerns about privacy, transparency, and potential abuse.[3]

At the heart of this controversy lies the Privacy Act of 1974 (“Privacy Act”), a landmark piece of legislation designed to protect Americans from the federal government’s misuse of their personal information.[4] As DOGE continues to push the boundaries of data access, the Privacy Act has emerged as a critical legal tool for those seeking to curb what they view as government overreach.[5] The Privacy Act establishes strict limitations on how federal agencies can collect, use, and disclose personal information, requiring consent for most data sharing and imposing penalties for unauthorized access.[6] Yet, as DOGE’s critics argue, the agency’s actions—from accessing taxpayer records to student loan data—appear to flout these protections, prompting a wave of lawsuits from states, unions, and advocacy groups.[7] These legal challenges, which now number at least a dozen, hinge on whether DOGE’s data access violates the Privacy Act.

This article explores the legal and constitutional questions raised by DOGE’s data access practices, focusing on the Privacy Act’s role in these disputes. Part II examines the historical context and legislative intent behind the Privacy Act, the executive order that established DOGE, and the arguments presented in the ongoing lawsuits. Part III considers the broader implications of this controversy for the balance between government efficiency and individual privacy rights in the digital age. As the courts grapple with these issues, the outcome of these cases could have far-reaching consequences for how the federal government handles personal data and whether the Privacy Act remains a viable safeguard against executive overreach. Part IV concludes by summarizing the key arguments, reflecting on the broader implications of the legal battles over DOGE’s data access, and offering recommendations for safeguarding privacy rights in an era of rapid technological advancement and executive overreach.

II. Background

A. From Watergate to Data Protection: The Origins and Impact of the Privacy Act of 1974

The Privacy Act of 1974 was born out of a period of profound distrust in government, catalyzed by the Watergate scandal and the revelations of widespread abuse of power by the Nixon administration.[8] During this time, the public discovered the federal government had amassed vast amounts of personal data on American citizens, often without their knowledge or consent, and that this information could be weaponized for political purposes.[9] These abuses underscored the need for legislative safeguards to protect individual privacy and prevent government entities’ misuse of personal information. In response to these concerns, Congress passed the Privacy Act, and President Gerald Ford signed the act into law on December 31, 1974.[10]

Lawmakers during this time were particularly concerned about potential abuses of power arising from centralized access to personal information.[11] The Privacy Act was designed to establish clear boundaries on how federal agencies could collect, maintain, use, and disseminate personal information about individuals.[12] The Privacy Act also reflected a broader recognition of the growing role of technology in government operations.[13] Thus, the Privacy Act was intended to preempt the potential for future misuse of personal data in an era of rapidly advancing information technology.[14]

The Privacy Act prohibits federal agencies from disclosing personal records without the written consent of the individual to whom the records pertain unless the disclosure falls under one of thirteen specific exceptions.[15] These exceptions include circumstances such as law enforcement investigations, congressional oversight, and routine uses that are compatible with the purpose for which the data was collected.[16] Further, the Privacy Act grants individuals the right to access their records, request corrections to inaccurate or incomplete information, and be informed of the purposes for which their data is being collected.[17] Finally, the Privacy Act provides civil and criminal penalties for violations.[18] Individuals may sue federal agencies for damages if they can demonstrate that an agency’s actions failed to comply with the provisions outlined in the act, adversely affecting the individual.[19] Agency employees who knowingly and willfully disclose personal information violating the Privacy Act can face criminal charges, including fines and imprisonment.[20]

In the decades since its passage, the Privacy Act has remained a cornerstone of federal privacy law.[21] Still, its limitations have become increasingly apparent in the face of new technological and administrative challenges.[22] The rise of digital databases, the proliferation of interagency data sharing, and the emergence of entities like DOGE have tested the Privacy Act’s ability to protect individual privacy in a rapidly evolving landscape.[23]

B. DOGE: A Bold Step Toward Government Modernization or a Privacy Nightmare?

DOGE was created through Executive Order 14158 (“Executive Order”), signed on January 20, 2025,[24] as part of President Donald Trump’s broader agenda to overhaul the federal government by cutting waste and improving efficiency.[25] The Executive Order explicitly states that DOGE aims to “modernize Federal technology and software to maximize governmental efficiency and productivity.”[26] The Executive Order established the United States DOGE Service, a rebranded version of the United States Digital Service (“USDS”),[27] which was placed under the President’s Executive Office.[28] Unlike the USDS, which was structured as a traditional government initiative with employees hired under standard civil service rules,[29] DOGE operates under a distinct framework. The Executive Order designates DOGE as part of the President’s Executive Office rather than as a federal agency, exempting its employees from many statutory requirements governing traditional agency employment, such as competitive hiring processes, standard pay scales, and civil service protections.[30] While USDS employees were typically hired as civil servants or through limited-term appointments within federal agencies, DOGE staff appear to function more like contractors or special consultants working under executive authority rather than within the confines of federal agency structures.[31]

The Executive Order establishing DOGE provides the legal basis for its operations, but it also raises questions about its compliance with existing privacy laws, particularly the Privacy Act.[32] The Executive Order addresses these concerns by requiring DOGE to adhere to “rigorous data protection standards.”[33] However, the Executive Order also overrides any prior executive orders or regulations that might hinder DOGE’s access to agency records and systems.[34] This has led to accusations that DOGE operates with minimal oversight and transparency, potentially undermining the Privacy Act’s safeguards.[35] For example, the Executive Order states that agency heads must provide DOGE with “full and prompt access” to unclassified records and IT systems,[36] which critics argue could lead to unauthorized access to sensitive personal data.[37] While the Executive Order frames DOGE as a necessary step toward modernizing federal operations, its broad access to sensitive data raises significant concerns about the potential for abuse and the erosion of privacy protections. 

C. The Legal Fallout of DOGE’s Data Access

In just two months, DOGE’s expansive data access has prompted lawsuits from states, unions, and advocacy groups, alleging that its actions violate the Privacy Act and other federal privacy laws.[38] These lawsuits argue that DOGE’s access to sensitive data—such as taxpayer records, student loan information, and federal employee records—constitutes an unlawful disclosure of personal information under the Privacy Act.[39] Plaintiffs have also raised concerns about the lack of transparency surrounding DOGE’s operations, noting that even government attorneys defending DOGE in court have been unable to explain how the agency uses and secures the data it accesses.[40]

In cases such as AFL-CIO v. DOL,[41] Electronic Privacy Information Center. v. U.S. OPM (“EPIC”),[42] and University of California Student Association v. Carter (“UCSA”), plaintiffs sought temporary restraining orders (“TROs”) against the access of sensitive systems and sharing of personal data by DOGE.[43] In each case, the courts denied the TROs,[44] finding that plaintiffs failed to show irreparable harm or did not demonstrate a substantial likelihood of success on the merits.[45] Despite denying the TRO, the courts left open the possibility of further litigation. In AFL-CIO, the court questioned whether DOGE qualifies as an “agency” under the Economy Act of 1932. In EPIC, the court seemed receptive to the plaintiffs providing more concrete evidence of misuse.[46]

In AFT v. Bessent, the American Federation of Teachers (“AFT”) and other labor organizations, along with individual plaintiffs, also sought a TRO to prevent the Department of Education, the Office of Personnel Management (“OPM”), and the Department of the Treasury from granting DOGE affiliates access to systems containing personally identifiable information.[47] Here, the court partially granted the TRO, enjoining the Department of Education and OPM from disclosing the information to DOGE affiliates who lacked a demonstrated need for the information.[48] The court found that the plaintiffs had shown a likelihood of success in their claim that the agencies violated the Privacy Act by granting broad access to sensitive records without adequate justification.[49] The court also emphasized the irreparable harm posed by the unauthorized disclosure of personal information, particularly given the risk of identity theft and other privacy violations.[50]

Even more recently, in Citizens for Responsibility and Ethics in Washington (“CREW”) v. U.S. DOGE Service, a court found that DOGE’s refusal to process Freedom of Information Act (“FOIA”) requests based on its claimed exemption from FOIA obligations was likely unlawful.[51] These requests, filed by CREW, would compel the USDS to provide organizational charts, communications between USDS personnel, and any memoranda, directives, or policies regarding changes to the operations of the USDS after the Executive Order.[52] The court rejected DOGE’s argument that it functions purely within the President’s Executive Office and is thus exempt.[53] The court-mandated record preservation highlighted concerns that DOGE personnel used encrypted messaging apps to avoid oversight—a practice that could implicate the Federal Records Act.[54]

These cases underscore the tension between the government’s efforts to modernize and streamline federal operations through DOGE and the privacy protections enshrined in the Privacy Act. The cases raise important questions about the scope of the Privacy Act’s protections, particularly in interagency details and the sharing of sensitive data with personnel who may not be directly employed by the agency maintaining the records. The courts’ decisions in these cases reflect a cautious approach to granting injunctive relief, mainly where the alleged harms are speculative or where the defendants have implemented safeguards to protect the data. However, the cases also highlight the potential for significant privacy violations when DOGE employees may not have a clear need for the data or may not be subject to the same level of oversight as traditional agency employees access sensitive personal information. As DOGE continues to expand its role in federal operations, these cases will likely serve as important precedents in the ongoing debate over the balance between government efficiency and individual privacy rights.

III. Discussion

The Trump administration has defended DOGE’s actions by arguing that its employees are authorized to access sensitive data under the Executive Order and that their activities fall within the Privacy Act’s exceptions for “routine use” and “need to know.”[55] However, critics contend that DOGE’s access goes beyond what is permissible under the law, particularly given the lack of public notice or consent for data sharing.[56] This section will examine the key legal arguments surrounding DOGE’s data access, including whether executive orders can override statutory privacy protections, the extent to which DOGE’s actions violate the Privacy Act, and the agency’s legal status as a successor to the USDS. Additionally, this section will explore broader concerns regarding transparency, oversight, and constitutional implications, such as potential violations of Fourth Amendment protections against unlawful government surveillance. Ultimately, these issues raise fundamental questions about the balance between government efficiency and individual privacy rights, the role of the judiciary in checking executive power, and whether legislative reforms are necessary to modernize the Privacy Act in the face of rapidly evolving digital governance.

A. Analyzing Key Legal Battles Over DOGE’s Data Access

The cases challenging DOGE’s access to sensitive federal data systems raise critical questions about balancing government efficiency and individual privacy rights. Central to these disputes are three key arguments advanced by DOGE and the federal agencies: (1) DOGE employees are authorized under executive orders to access sensitive data;[57] (2) DOGE’s actions do not constitute a data breach under the Privacy Act;[58] and (3) DOGE, as the successor to the USDS, has technical permission to access government systems.[59] While these arguments provide a legal foundation for DOGE’s operations, they are not without significant flaws and raise broader concerns about accountability, transparency, and the scope of executive authority.

1. DOGE Employees are Authorized under Executive Orders to Access Sensitive Data

DOGE’s authority to access sensitive data is rooted in the Executive Order, which mandates that agency heads grant DOGE “full and prompt access to all unclassified agency records, software systems, and IT systems.”[60] In AFL-CIO, the courts accepted this argument, finding that as federal employees detailed to other agencies, DOGE personnel likely had a legitimate need to access records under the Privacy Act’s “need-to-know” exception.[61] However, relying on executive orders as a blanket authorization for DOGE’s actions is problematic.

First, executive orders cannot override statutory protections like those enshrined in the Privacy Act.[62] The Privacy Act explicitly prohibits the disclosure of personal records without consent or a statutory exception.[63] There is no indication that the affected individuals have provided consent—unless one were to argue, implausibly, that the President can unilaterally consent on behalf of every American. Likewise, no apparent statutory exception would justify such a disclosure under existing law. Unless Congress affirmatively enacts a new statutory exception to accommodate the Executive Order, the Privacy Act’s protections remain in full force. Given these constraints, the executive order’s broad mandate appears insufficient to satisfy the Privacy Act’s requirements, further underscoring DOGE’s action’s legal vulnerability.

Second, the Executive Order’s language is vague, leaving room for interpretation about the scope of DOGE’s access and the safeguards required to protect sensitive data. This ambiguity raises concerns about potential overreach, particularly given the lack of clear oversight mechanisms to ensure that DOGE personnel access data only for legitimate purposes. In such circumstances, the question arises whether the courts should afford greater deference to the executive branch or the legislature. On the one hand, courts often defer to the executive in national security and administrative enforcement, recognizing the executive’s expertise and operational discretion.[64] On the other hand, greater deference to the legislature may be warranted here, as statutory safeguards such as the Privacy Act reflect the will of the people’s elected representatives and serve as a check on executive authority. Ultimately, in these cases, the courts’ deference to executive authority risks undermining the Privacy Act’s core purpose: to protect individuals from unwarranted government intrusion into their personal lives.[65]

2. DOGE’s Actions Do Not Constitute a Data Breach Under the Privacy Act

Another recurring argument in these cases is that DOGE’s access to sensitive data is not a data breach under the Privacy Act.[66] While these findings are fact-specific, interpreting a “data breach” under the Privacy Act breaks traditional interpretations. The Privacy Act defines disclosure as the transfer of a record or the granting of access to a record, and courts have consistently held that unauthorized access to personal information, even within the government, can constitute a data breach.[67] This broader interpretation aligns with the Privacy Act’s purpose of protecting individuals from unwarranted government intrusion, regardless of whether the intrusion results in tangible harm.

Furthermore, the argument that DOGE’s actions do not constitute a data breach ignores clear evidence of misuse.[68] As revealed in a recent report, a DOGE staffer posted potentially classified government data—including sensitive geospatial information and algorithms used to evaluate internal employee records—on a public GitHub repository.[69] This blatant exposure of restricted information demonstrates unauthorized access and reckless mishandling of sensitive government data. Given these facts, it is evident that DOGE personnel have actively misused the data, reinforcing the urgent need for robust safeguards and stricter legal constraints on DOGE’s access and handling of sensitive information.

3. DOGE, as the Successor of the USDS, Has Technical Permission to Access Government Systems

Finally, DOGE’s establishment as the successor to the USDS is cited as a justification for its access to government systems.[70] This argument is based on the premise that USDS was created to modernize federal technology, and that DOGE is continuing this mission under a new name. However, this justification is flawed. First, the legal status of USDS and DOGE as “agencies” is far from settled. As the court in AFL-CIO noted, there is limited case law on the definition of an agency.[71] Moreover, as the court states in AFL-CIO, the “USDS becomes, in [the USDS’s] view, a Goldilocks entity: not an agency when it is burdensome but an agency when it is convenient.”^[72] This has further muddied the waters, as the USDS itself does not seem intent on either confirming or denying its status as an agency. Despite this, the court in AFL-CIO found that the USDS likely constitutes an agency.^[73] Additionally, the court in CREW found that the USDS is likely subject to FOIA, despite the insistence of DOGE’s attorneys that it does not constitute an agency and is therefore exempt.[74] Following these decisions, it seems that the courts appear to be creating a consensus that the USDS, and by extension, DOGE, do constitute a government agency. 

Even if DOGE is considered an agency under the Economy Act, that does not automatically grant it carte blanche to access sensitive data. The Privacy Act requires that a legitimate need justify any disclosure of personal records, and the courts have consistently held that broad, indiscriminate access to sensitive data violates this requirement.[75] Lastly, the argument that DOGE has technical permission to access government systems ignores the wider implications of its actions.[76] Allowing DOGE to access sensitive data without clear legal justification or robust safeguards undermines these protections and erodes public trust in the government’s ability to protect personal information.

B. Today: Balancing Innovation and Oversight

As courts grapple with the challenges surrounding DOGE’s access to data and the need to balance those interests with individuals’ privacy concerns, the broader implications of DOGE’s operations extend beyond immediate legal disputes.[77] These issues touch on the adequacy of the Privacy Act in the face of evolving technology, the inherent tension between government efficiency and privacy protections, and the growing concerns over transparency and accountability in federal data practices.[78] The legal challenges posed by DOGE’s data access are emblematic of a more extensive debate over the boundaries of government power in the digital age and the necessity of updating privacy laws to reflect modern technological realities.[79]

The Privacy Act was enacted in a pre-digital era, long before the advent of modern data-sharing technologies and interagency collaborations that characterize today’s federal operations. DOGE supporters contend that DOGE personnel, as federal employees detailed to other agencies, have a legitimate need to access records to fulfill their mission of modernizing government operations.[80] However, this argument is complicated by the Privacy Act’s explicit prohibitions against unauthorized disclosures and the principle that individuals retain control over their personal information.[81] Whether the executive order’s broad mandate satisfies these requirements remains an open question, particularly given that executive orders do not carry the same statutory force as congressional legislation.

These concerns include whether DOGE’s operations comport with constitutional protections, particularly those enshrined in the Fourth Amendment.[82] The Fourth Amendment protects individuals from unreasonable searches and seizures, and courts have increasingly recognized that the government’s collection and use of personal data can implicate these constitutional rights.[83] The Privacy Act provides statutory protections, but the Fourth Amendment offers additional safeguards against government overreach.[84] DOGE’s expansive access to sensitive data, often without clear justification or robust oversight, risks violating these constitutional protections.[85]

The Executive Order’s vague language leaves room for interpretation regarding the scope of DOGE’s access and the safeguards required to protect sensitive data, raising concerns about potential overreach.[86] The lawsuits challenging DOGE’s data access have underscored the opacity surrounding the agency’s operations, with plaintiffs arguing that even government attorneys defending DOGE in court have struggled to articulate how the agency uses and secures the data it accesses.[87] This lack of transparency undermines public trust in the government’s ability to protect personal information and raises fundamental questions about the adequacy of existing oversight mechanisms.[88] Without apparent legal justification or robust safeguards, DOGE’s actions risk eroding the Privacy Act’s protections and setting a dangerous precedent for future executive actions.

Compounding these challenges is whether the Privacy Act remains an effective tool for safeguarding personal privacy in an era of rapid technological change. While the Privacy Act has served as a cornerstone of federal privacy law, its limitations have become increasingly apparent with the rise of digital databases, the proliferation of interagency data sharing, and the emergence of nontraditional entities like DOGE. These developments have tested the Privacy Act’s ability to ensure meaningful privacy protections. The Privacy Act was designed for a bureaucratic landscape that did not anticipate today’s interconnected digital environment, and its framework may be ill-equipped to address contemporary risks such as large-scale data breaches, algorithmic decision-making, and artificial intelligence-driven government functions.

C. Strengthening Privacy Protections in the Digital Age: Legislative Reforms to Curb Executive Overreach

Considering these challenges, legislative reforms may be necessary to modernize the Privacy Act and establish clearer data access, transparency, and oversight guidelines. While the Privacy Act of 1974 remains foundational for protecting individual privacy, its limitations in the modern digital era have become increasingly apparent. Congress should enact key reforms to modernize privacy safeguards and ensure they keep pace with technological advancements.

One potential reform is updating the Privacy Act to reflect modern data-sharing practices. Initially designed for an era of manual record-keeping, the Privacy Act does not adequately regulate today’s rapid interagency data transfers. Congress should define and limit interagency data sharing, requiring explicit consent from individuals except in cases of compelling public interest. Stricter guidelines should also be established to prevent agencies from abusing the “routine use” exception as a broad justification for data sharing.

The controversy surrounding DOGE highlights how executive orders can override statutory privacy protections. While executive orders serve a legitimate function, they should not circumvent existing privacy laws. To prevent overreach, Congress should require that executive orders related to data access undergo congressional review before taking effect. Additionally, an independent Privacy and Data Protection Commission could oversee their implementation to ensure compliance with statutory protections.

DOGE and its predecessor, USDS, operate in a legal gray area due to ambiguities in the Privacy Act’s definition of a “federal agency.” Congress should clarify this definition to include or exclude entities created by executive order with access to federal data, ensuring they are subject to the same privacy protections and oversight mechanisms as traditional agencies.

Transparency and accountability are also significant concerns. DOGE’s broad access to sensitive data lacks robust oversight, eroding public trust. Congress should mandate transparency in federal data access practices by requiring agencies to publish detailed reports and maintain a public registry of entities with access to sensitive data. Stronger data protection measures should also be implemented, including encryption and access controls.

Finally, the government’s data collection practices increasingly implicate Fourth Amendment protections against unreasonable searches. Congress should enact legislation applying these protections to digital data, requiring warrants for access to sensitive information like location data and digital communications. Emerging technologies like facial recognition and AI should also be subject to strict oversight to safeguard individual privacy. Litigants challenging government overreach in this area should strategically pursue claims by emphasizing the evolving nature of privacy expectations in the digital age, drawing on Supreme Court precedents recognizing the need to extend constitutional protections to modern technology.[89] They should also seek to establish standing by demonstrating concrete harm from warrantless data collection and advocate for judicial interpretations that reinforce robust privacy rights in an era of rapid technological advancement.

IV. Conclusion

The legal battle over DOGE’s access to sensitive federal data presents a fundamental test of the Privacy Act and the limits of executive authority in the digital age. While proponents argue that DOGE’s mission to modernize government technology justifies its broad data access, critics warn that its operations undermine key privacy protections and set a dangerous precedent for unchecked executive power. As lawsuits continue to challenge DOGE’s practices, the courts face the critical task of balancing government efficiency with individual data privacy rights.

Ultimately, this controversy underscores the urgent need to modernize privacy laws to keep pace with technological advancements. The Privacy Act, designed for an era of paper records, now struggles to regulate complex interagency data-sharing networks. Legislative reforms—such as stricter limitations on executive orders, enhanced transparency requirements, and more vigorous enforcement mechanisms—could help restore public confidence in the government’s ability to protect personal information. As federal agencies increasingly rely on digital infrastructure, the outcome of the DOGE lawsuits will shape the future of data privacy in the United States. Whether the Privacy Act remains a robust safeguard against executive overreach or is rendered obsolete by evolving technology will depend on how lawmakers, courts, and policymakers respond to this critical moment in privacy law.

---

[1] See Nik Popli, What DOGE Is Doing Across the Federal Government, Time (Feb. 21, 2025, 1:31 PM EST), https://time.com/7222251/doge-musk-federal-workers-government/ [https://perma.cc/3JUU-34N4].

[2] Exec. Order No. 14,158, 90 Fed. Reg. 8441 (Jan. 20, 2025).

[3] See Alfred Ng, The law everyone is suddenly turning to because of DOGE, POLITICO (Mar. 6, 2025, 10:00 AM EST), https://www.politico.com/news/2025/03/06/doge-musk-court-privacy-sensitive-data-00211749 [https://perma.cc/8Y3V-H9YV].

[4] Id.

[5] Id.

[6] 5 U.S.C. § 552a.

[7] Kevin Collier, At least 11 lawsuits are taking on DOGE over data access and privacy laws, NBC News (Feb. 19, 2025, 1:35 PM EST), https://www.nbcnews.com/tech/security/doge-lawsuits-11-cases-musk-group-focus-data-privacy-rcna191695 [https://perma.cc/UQ4K-62Z7].

[8] Eric Geller, The 50-Year-Old Law That Could Stop DOGE in Its Tracks—Maybe, WIRED (Feb. 18, 2025, 4:50 PM), https://www.wired.com/story/privacy-act-doge-lawsuits/ [https://perma.cc/5Q66-JANS].

[9] Id.; President Richard Nixon’s administration used agencies like the Internal Revenue Service and the Federal Bureau of Investigation to target political opponents, conducting audits, surveillance, and harassment campaigns. Id.

[10] Id.

[11] Id.

[12] Id.

[13] Id.; During its drafting, Senator Sam Ervin, a key proponent of the legislation, warned, “Congress must act before sophisticated new systems of information gathering and retention are developed, and before they produce widespread abuses.” Id.

[14] See id.

[15] 5 U.S.C. § 552a(b).  

[16] Id.

[17] 5 U.S.C. § 552a(d).

[18] 5 U.S.C. § 552a(g) & (i).

[19] 5 U.S.C. § 552a(g).

[20] 5 U.S.C. § 552a(i).

[21] See Geller, supra note 8.

[22] See Nicole Alvarez, The Privacy Act of 1974 Was Designed To Protect Us From Elon Musk and DOGE, Ctr. Am. Progress (Feb. 21, 2025), https://www.americanprogress.org/article/the-privacy-act-of-1974-was-designed-to-protect-us-from-elon-musk-and-doge/ [https://perma.cc/PB58-MNXQ].

[23] Pam Dixon & Robert Gellman, The Privacy Act Project: Revisiting and Revising the Privacy Act of 1974, Lawfare (May 27, 2021, 8:01 AM), https://www.lawfaremedia.org/article/privacy-act-project-revisiting-and-revising-privacy-act-1974 [https://perma.cc/3AVA-T6JT].

[24] Exec. Order No. 14,158, 90 Fed. Reg. 8441 (Jan. 20, 2025).

[25] See Fact Sheet: President Donald J. Trump Works to Remake America’s Federal Workforce, The White House (Feb. 11, 2025), https://www.whitehouse.gov/fact-sheets/2025/02/fact-sheet-president-donald-j-trump-works-to-remake-americas-federal-workforce/ [https://perma.cc/4MHN-AC8S].

[26] Exec. Order No. 14,158, 90 Fed. Reg. 8441 (Jan. 20, 2025).

[27] The USDS was established in 2014 by the Obama administration as part of the President’s Executive Office. It was initially launched as a crisis response team to address the troubled rollout of Healthcare.gov and other critical issues in government service delivery. Over the past decade, it has evolved into a trusted partner for more than 30 federal agencies, helping modernize and improve digital services for the public. USDS brings together top technologists, including engineers, data scientists, and designers, to work alongside civil servants in solving pressing technical challenges. Through its efforts, USDS has enhanced digital experiences at agencies like the Social Security Administration and IRS, making government interactions more user-friendly, efficient, and accessible. 10 Years of the U.S. Digital Service: Transforming Government for the Digital Age, The White House (Aug. 13, 2024), https://bidenwhitehouse.archives.gov/omb/briefing-room/2024/08/13/10-years-of-the-u-s-digital-service-transforming-government-for-the-digital-age/ [https://perma.cc/G9QA-A8AL]; Jessie Bur, Inside the agency where you wish you worked, Fed. Times (July 25, 2018), https://www.federaltimes.com/it-networks/2018/07/25/inside-the-agency-where-you-wish-you-worked/ [https://perma.cc/54VN-W62K].

[28] Id.

[29] Megan Cerullo, Elon Musk’s DOGE says it is hiring. Here are the jobs it’s looking to fill, CBS News (Jan. 8, 2025), https://www.cbsnews.com/news/musk-department-of-government-efficiency-doge-jobs-applicants-hiring-x/ [https://perma.cc/U6NZ-Y3SC]; Brian Slodysko & Byron Tau, Federal technology staffers resign rather than help Musk and DOGE, Associated Press (Feb. 25, 2025 3:48 PM EDT), https://apnews.com/article/doge-elon-musk-federal-government-resignations-usds-6b7e9b7022e6d89d69305e9510f2a43c [https://perma.cc/LR5W-56RF]. 

[30] Cerullo, supra note 29.; Exec. Order No. 14,158, 90 Fed. Reg. 8441 (Jan. 20, 2025).

[31] See Natalie Alms, Some employees who were in the U.S. Digital Service already when it became part of the DOGE fear the interviews are an assessment of their loyalty, Nextgov/FCW (Jan. 22, 2025), https://www.nextgov.com/people/2025/01/us-digital-service-employees-are-being-re-interviewed-under-doge-transition/402423/ [https://perma.cc/FP4A-EYZS ]; see also Noam Scheiber, Federal Budget Ax Threatens Contractors, but Could Also Be an Opportunity, N.Y. Times (Mar. 14, 2025),  https://www.nytimes.com/2025/03/14/business/economy/trump-doge-federal-contractors.html [https://perma.cc/UW84-JNYB].

[32] Ng, supra note 3.

[33] Exec. Order No. 14,158, 90 Fed. Reg. 8441 (Jan. 20, 2025).

[34] Id.

[35] Ng, supra note 3.

[36] Exec. Order No. 14,158, 90 Fed. Reg. 8441 (Jan. 20, 2025).

[37] Collier, supra note 7.

[38] See id.

[39] See id.

[40] Ng, supra note 3.

[41]AFL-CIO v. DOL, No. 25-0339, 2025 U.S. Dist. LEXIS 31877, at *4 (Dist. Ct. D.C. Feb. 7, 2025) [hereinafter EPIC]. In this case, labor unions, a think tank, and two nonprofits sought a TRO to prevent the Department of Labor, the Department of Health and Human Services, and the Consumer Financial Protection Bureau from sharing personal information with DOGE personnel. The plaintiffs argued that DOGE’s access to sensitive data, including information on Medicare and Medicaid beneficiaries, violated the Privacy Act of 1974.

[42] Elec. Priv. Info. Ctr. v. U.S. OPM, No. 1:25-cv-255, 2025 U.S. Dist. LEXIS 31690, at *2-3 (E.D. Va. Feb. 21, 2025). The Electronic Privacy Information Center and an individual plaintiff alleged that DOGE personnel had unlawfully accessed sensitive data systems maintained by OPM and the Treasury Department, including the Enterprise Human Resources Integration system and the Bureau of Fiscal Service payment systems. The plaintiffs sought a TRO to prevent further access to these systems, arguing that the disclosures violated the Privacy Act and posed a significant risk of identity theft and other harms.

[43] Univ. of Cal. Student Ass’n v. Carter, No. 25-354, 2025 U.S. Dist. LEXIS 30795, at *1-2 (Dist. Ct. D.C. Feb. 17, 2025). The University of California Student Association sought a TRO to prevent the Department of Education from sharing student data with DOGE personnel. The plaintiffs argued that DOGE’s access to sensitive student information, including financial aid data, violated the Privacy Act and the Internal Revenue Code.

[44] Id. at *12; Elec. Priv. Info. Ctr., 2025 U.S. Dist. LEXIS 31690 at *21.

[45] AFL-CIO, 2025 U.S. Dist. LEXIS 31877 at *14.

[46] EPIC, 2025 U.S. Dist. LEXIS 31690 at *18.

[47]  AFT v. Bessent, No. DLB-25-0430, 2025 U.S. Dist. LEXIS 31940, at *5-6 (D. Md. Feb. 24, 2025).

[48] Id. at *47-48.

[49] Id. at *35.

[50] Id. at *44-45.

[51] Citizens for Resp. & Ethics in Wash. v. U.S. Doge Serv., Case No. 25-cv-511, 2025 U.S. Dist. LEXIS 42869, at *22-23 (D.C. Dist. Ct. Mar. 10, 2025).

[52] Email from Jonathan Maier, Sr. Lit. Couns., CREW, to United States DOGE Service (Jan. 24, 2025) (on file at https://www.citizensforethics.org/reports-investigations/foia-requests/crew-requests-records-on-doge/ [https://perma.cc/J9DJ-USK8]).

[53] Citizens for Resp. & Ethics in Wash. v. U.S. Doge Serv., No. 25-cv-511, 2025 U.S. Dist. LEXIS 42869 (Dist. C. D.C. Mar. 10, 2025).

[54] Id. at *18.

[55] Ng, supra note 3.

[56] Id.

[57] See id.

[58] See id.

[59] See id.

[60] Exec. Order No. 14,158, 90 Fed. Reg. 8441 (Jan. 20, 2025).

[61] AFL-CIO v. DOL, No. 25-0339, 2025 U.S. Dist. LEXIS 31877, at *7-9 (Dist. Ct. D.C. Feb. 7, 2025).

[62] Alvarez, supra note 22.

[63] See 5 U.S.C. § 552a.

[64] Shirin Sinnar, A Label Covering a “Multitude of Sins”: The Harm of National Security Deference, 136 Harv. L. Rev. F. 59, 69 (2022).

[65] See AFT v. Bessent, No. DLB-25-0430, 2025 U.S. Dist. LEXIS 31940, at *25 (D. Md. Feb. 24, 2025). As the court in AFT noted, the Privacy Act was enacted in response to concerns about the government’s increasing use of computers and the potential for abuse. See id at *35-37. Allowing DOGE to access sensitive data without robust safeguards or clear legal justification erodes these protections and sets a dangerous precedent for future executive actions.

[66] Elec. Priv. Info. Ctr. v. U.S. OPM, No. 1:25-cv-255, 2025 U.S. Dist. LEXIS 31690, at *20. In EPIC, for example, the court found that the plaintiffs had not demonstrated irreparable harm because there was no evidence that DOGE personnel had misused the data or that it had been further disseminated. Similarly, in UCSA, the court emphasized that DOGE personnel were subject to confidentiality obligations and that there was no evidence of actual misuse.

[67] AFT, 2025 U.S. Dist. LEXIS 31940 at *19. In AFT, the court recognized that the unauthorized disclosure of sensitive personal information to DOGE affiliates could constitute an injury even if the information was not publicly disseminated.

[68] EPIC, 2025 U.S. Dist. LEXIS 31690 at *20-21. As the court in EPIC acknowledged, the risk of identity theft and other privacy violations is heightened when sensitive data is accessed by individuals who may not have a clear need for the information.

[69] @SollenbergerRC, X (Twitter) (Feb. 28, 2025, 5:57 PM), https://x.com/SollenbergerRC/status/1895609294810464390 [https://perma.cc/53LK-AX5A]. GitHub is a website for hosting coding projects in a manner that saves previous versions and facilitates collaboration. A GitHub repository is to coding as a Google Doc is to writing a paper, except anyone can access the former at any time, as was the case here. About Repositories, GitHub, https://docs.github.com/en/repositories/creating-and-managing-repositories/about-repositories (last visited Mar. 20, 2025) [https://perma.cc/W3F8-BBJT].

[70] In AFL-CIO, for example, the court suggested that USDS, and by extension DOGE, could be considered an “agency” under the Economy Act of 1932, which governs interagency details. AFL-CIO v. DOL, No. 25-0339, 2025 U.S. Dist. LEXIS 31877, at *13-14 (Dist. Ct. D.C. Feb. 7, 2025).

[71] Id. at *10-11.

[72] Id. at *13.

[73] Id. at *14.

[74] Citizens for Resp. & Ethics in Wash. v. U.S. Doge Serv., 2025 U.S. Dist. LEXIS 42869, at *22-23 (D.C. Dist. Ct. Mar. 10, 2025).

[75] In AFT, for example, the court found that DOGE affiliates at the Department of Education and OPM did not have a demonstrated need for the sensitive personal information they were accessing, even though they were operating under the authority of the executive order. AFT, 2025 U.S. Dist. LEXIS 31940, at *21-22.

[76] Univ. of Cal. Student Ass’n v. Carter, No. 25-354, 2025 U.S. Dist. LEXIS 30795, at *13 (Dist. Ct. D.C. Feb. 17, 2025). As the court in UCSA noted, the Privacy Act and the Internal Revenue Code provide remedies for unauthorized disclosures, but these remedies are only available after the fact.

[77] See Ng, supra note 3.

[78] See id.

[79] See id.

[80] Geller, supra note 8.

[81] See Ng, supra note 3.

[82] See Ray Bresica, Elon Musk’s DOGE is executing a historically dangerous data breach, MSNBC (Feb. 12, 2025, 6:00 AM EST) https://www.msnbc.com/opinion/msnbc-opinion/elon-musk-doge-privacy-data-breach-rcna191605 [https://perma.cc/AS7N-FA9C].

[83] See id.

[84] See id.

[85] See id.

[86] See id.

[87] Ng, supra note 3.

[88] See id.

[89] See, e.g., Katz v. United States, 389 U.S. 347, 353 (1967) (holding that the Fourth Amendment is not only a protection against a physical search and seizure of one’s person and property but also as a protection of one’s right to privacy more generally); see also Carpenter v. United States, 585 U.S. 296, 318 (2018) (holding that “when confronting new concerns wrought by digital technology, this Court has been careful not to uncritically extend existing precedents,” meaning the Court takes a deliberate approach, recognizing that traditional legal doctrines may not always fit novel technological contexts).

---

Cover Photo generated by ChatGPT.