On January 20, 2025, President Trump issued an Executive Order reorganizing and renaming the U.S. Digital Service as the Department of Government Efficiency (DOGE). The Executive Order tasked DOGE with "modernizing Federal technology and software to maximize governmental efficiency and productivity." By early February, multiple lawsuits had been filed alleging that federal agencies working with DOGE were violating fifty-year-old privacy protections Congress enacted in the Privacy Act of 1974 (Privacy Act or the act).
The Privacy Act was enacted in response to earlier innovations to government technology. In the 1950s, federal agencies began using large-scale data processing computers. The technology was considered a powerful tool for managing agency records, while the government's use of computers and information technology (IT) also raised privacy concerns. From 1966 to 1971, three congressional committees held hearings about the impact of computers and government data storage on personal privacy. Three years later, Congress enacted the Privacy Act to "provide certain safeguards for an individual against an invasion of personal privacy" by a federal agency. In the act, Congress found that "the increasing use of computers and sophisticated information technology . . . magnified the harm to individual privacy" that can result from the collection or dissemination of personal information.
Courts are now faced with questions about how the Privacy Act's protections apply to DOGE's modernization efforts. A number of groups have filed lawsuits alleging that DOGE has requested access to Social Security numbers, bank account information, and other personal data, and that disclosing this information without first seeking written consent from the affected individuals is an infringement of personal privacy prohibited by the Privacy Act. The groups are seeking court orders that would bar federal agencies from disclosing records to DOGE in violation of the act.
This Legal Sidebar provides an analysis of selected lawsuits in which plaintiffs rely on the Privacy Act to prevent disclosure of agency records to DOGE, as well as some related considerations for Congress.
The Privacy Act governs federal agencies' handling of records that include personal information. The act creates rights for individuals to request access to and request the amendment of certain information that agencies maintain about them. It also enumerates a series of requirements that apply to each agency-maintained system that allows records to be retrieved by an individual's uniquely identifying information. For example, agencies may maintain systems that permit retrieval of records by individual identifier only to the extent the maintenance is relevant and necessary to a required agency function. Agencies also must publish information about each such system in the Federal Register.
Most relevant here, the Privacy Act limits when agencies may disclose records. The act provides that "no agency shall disclose any record which is contained in a system of records," without the written consent of "the individual to whom the record pertains," unless the disclosure falls under a statutory exception. The statutory exceptions are a list of thirteen categories of disclosures that are permissible even when an agency does not obtain written consent. Agencies may, for example, disclose records to "officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties" (the need-to-know exception). Agencies can also define "routine uses" for which disclosure is allowed (the routine use exception), but the routine use must be "compatible with the purpose for which [the record] was collected" and described in a System of Records Notice (SORN) published in the Federal Register. Other exceptions include disclosures to either house of Congress, disclosures to the National Archives, and disclosures pursuant to court orders.
For the purposes of the Privacy Act, individuals are defined as U.S. citizens and lawful permanent residents. Record "means any item, collection, or grouping of information about an individual that is maintained by an agency." A system of records is "a group of any records under the control of any agency from which information is retrieved by the name of the individual" or by another unique identifier. Agency has the same meaning as it does in the Freedom of Information Act. That definition includes executive branch departments, government-controlled corporations, and independent regulatory agencies. The definition of agency does not, however, reach Congress, federal courts, the President's immediate personal staff, or units in the Executive Office of the President whose sole function is to advise and assist the President.
The Privacy Act creates a private right of action under which individuals may sue agencies based on certain violations of the act, including any violation that has "an adverse effect on an individual." For most violations, including unlawful disclosure of records, the Privacy Act does not provide for injunctive relief (i.e., court orders requiring the agency to take or refrain from taking certain actions). In unlawful disclosure suits, individuals may, however, obtain "actual damages" of at least $1,000 if they can show that the agency "acted in a manner which was intentional or willful."
More information about the administration of the Privacy Act can be found in this CRS Report.
In February 2025, news outlets began to report that individuals affiliated with DOGE gained or sought access to sensitive databases at several agencies, such as Department of the Treasury (Treasury) databases with federal payment records, Office of Personnel Management (OPM) databases with federal employment records, Internal Revenue Service (IRS) databases with tax information, and Social Security Administration (SSA) databases with Social Security records. Following these news reports, various plaintiffs—associations, unions, and public interest organizations, among others—filed suits against the pertinent agencies in federal courts seeking to block DOGE's access to these records.
The plaintiffs' arguments rest, in significant part, on the Privacy Act's disclosure restrictions. The plaintiffs argue that the agencies needed to obtain individual written consent before disclosing the records in these databases to DOGE-affiliated individuals. While the precise arguments vary depending on the facts of each case, plaintiffs generally argue that the need-to-know exception does not apply because the DOGE-affiliated individuals do not need such broad access to data to pursue their mission of improving efficiency. Some plaintiffs further argue that the need-to-know exception does not apply because certain DOGE-affiliated individuals are not true employees of the agency. Plaintiffs also argue that the routine use exception does not apply because the disclosures do not fit into any of the routine uses published by the agencies in their SORNs.
Although Privacy Act violations are at the forefront of the plaintiffs' claims, most plaintiffs have sued under the Administrative Procedure Act (APA) rather than the Privacy Act itself. As mentioned, the Privacy Act's private right of action does not provide for injunctive relief when an individual is suing over the unlawful disclosure of their records. Because the plaintiffs in these cases are primarily seeking injunctive relief, they have sued under the APA, under which courts may enjoin or vacate agency actions that are "not in accordance with law." Plaintiffs challenging unlawful agency actions under the APA must show that the agency action is "final" and that there is "no other adequate remedy" outside of the APA.
The agencies have responded to these suits by arguing, as a threshold matter, that the plaintiffs lack constitutional standing to bring their claims. As discussed in another CRS Legal Sidebar, standing can be particularly challenging for plaintiffs in lawsuits based on privacy violations. To establish standing, plaintiffs must show that they suffered a concrete harm. The Supreme Court has held that this can be done by alleging an injury with "a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts." The agencies in these cases, however, generally argue that the plaintiffs' alleged harm—namely, having their records unlawfully disclosed to DOGE affiliates—is not sufficiently analogous to a common law or other traditionally recognized action to establish standing.
The agencies also argue that the Privacy Act's need-to-know exemption allows them to disclose records to DOGE affiliates without obtaining individual written consent. They stress that these affiliates have been onboarded and made employees of the agency and that the broad nature of their mandate requires a corresponding broad access to records. Agencies also argue that plaintiffs may not sue under the APA because the agency actions they are challenging are not "final," and because the plaintiffs could sue for damages under the Privacy Act and thus have adequate remedies outside of the APA.
At the time of this writing, many Privacy Act suits against DOGE are still ongoing. Most court opinions have dealt only with preliminary matters; chiefly, whether plaintiffs are entitled to preliminary injunctions restricting DOGE's access to agency records while litigation is pending. Courts have reached different conclusions on whether preliminary injunctions are warranted.
To obtain a preliminary injunction, the party seeking the injunction must show that
Some courts have granted or denied preliminary injunctions after considering whether the plaintiffs will likely succeed on the merits of their cases. These opinions differ, with some expressing confidence that the plaintiffs will prevail on their arguments and others expressing skepticism. For example, in the case American Federation of Government Employees v. Office of Personnel Management, the district court granted the plaintiffs' motion for a preliminary injunction, concluding that they likely had standing and were likely to succeed on their Privacy Act and APA arguments. Two district courts in Maryland, in the cases American Federation of Teachers v. Bessent and American Federation of State, County and Municipal Employees v. Social Security Administration, similarly determined that plaintiffs were likely to succeed on their claims and granted their request for preliminary injunctions.
The preliminary injunctions in the two Maryland cases, however, were vacated or stayed on appeal. In American Federation of Teachers, a panel of the U.S. Court of Appeals for the Fourth Circuit (Fourth Circuit) vacated the preliminary injunction after concluding that the plaintiffs had not shown they would likely prevail on the merits. The Fourth Circuit panel was particularly skeptical that the plaintiffs would establish standing, and it also raised doubts about their Privacy Act and APA arguments. For instance, the panel wrote that it "appears difficult" for the plaintiffs to show that the Privacy Act's need-to-know exception does not apply, given the DOGE affiliates' "broad and open-ended" responsibilities.
In American Federation of State, County and Municipal Employees, the Fourth Circuit voted to hear the government's appeal of the preliminary injunction en banc (i.e., as a full court) and denied the government's motion to stay the preliminary injunction while the appeal was pending. The Supreme Court, however, reversed the Fourth Circuit's denial and stayed the preliminary injunction. In a brief opinion, the Supreme Court explained that the four-factor test for granting a stay (which includes considering whether the stay applicant is "likely to succeed on the merits") warranted staying the preliminary injunction pending the Fourth Circuit's decision.
Finally, some courts have rejected preliminary injunctions solely based on plaintiffs' failure to show irreparable harm. For the standing inquiry discussed above, plaintiffs need only establish they suffered harm caused by a defendant that a court can remedy. To establish the irreparable harm required for preliminary relief, however, plaintiffs must further show that "absent intervention now," the court would not be able to remedy the harm "down the line." Some courts have held that plaintiffs had not established a likelihood of irreparable harm because they had not presented evidence showing that their "records will imminently be publicly disclosed or misused."
The cases challenging DOGE access are at a preliminary stage, and Congress could wait to see how the cases resolve before deciding whether to address any judicial interpretation of the Privacy Act. Congress is free, however, to amend the Privacy Act to clarify whether the agency records at issue may be disclosed to individuals affiliated with DOGE. Congress has amended the Privacy Act before, and proposals to amend the act further have been introduced in the 119th Congress. To address DOGE-related disclosures, Congress could amend the Privacy Act to expressly permit agencies to disclose records to individuals affiliated with DOGE without obtaining written consent. Alternatively, Congress could amend the act to expressly prohibit disclosure or to provide that employees tasked with modernizing technology and software do not fall within the need-to-know exception.
Congress could also address whether courts may review and redress the challengers' Privacy Act claims. Congress could, for example, amend the private right of action provided in the Privacy Act to expressly permit or prohibit injunctions against disclosures of agency records. As discussed, some court orders in the Privacy Act litigation involving DOGE have turned on questions about irreparable harm. In another context, Congress has provided that a "rebuttable presumption of irreparable harm" applies when plaintiffs seek certain injunctions. If Congress amends the Privacy Act to expressly permit injunctions, it could consider whether a presumption about irreparable harm is appropriate.
Lawsuits challenging DOGE access to agency databases are listed below in the order in which they were filed. This list does not include every suit challenging DOGE access, but is limited to ongoing cases based primarily on alleged Privacy Act violations.