All the President’s Lawyers Redux: Privacy in the Federal Docket

During President Trump’s first administration, I was recommended a podcast covering the legal challenges faced by the administration called “All the Presidents’ Lawyers,” hosted by journalist Josh Barro and attorney Ken White. Although I had no legal knowledge at the time, it was an accessible and entertaining weekly series about the lawsuits and the cast of characters at the center of these lawsuits—think Rudy Giuliani, Michael Avenatti,[1] Michael Cohen, and, of course, Donald Trump.

Now in the second Trump administration, although Barro and White have moved on to a more general legal podcast, “Serious Trouble,” I myself am now armed with an at least more than trifling level of legal knowledge. I decided to pick up some of the mantle of the original “All the Presidents’ Lawyers” podcast and look into the myriad of legal challenges—one tracker has counted 126 as of March 15[2]—against the Trump administration.

The first group of lawsuits I investigated were the challenges to agencies’ and the Department of Government Efficiency’s (DOGE) access to personal and financial records, for which there are currently a dozen cases pending in federal courts. Although no court has ruled on the merits of these cases, several have ruled on motions for temporary restraining orders (TROs) and preliminary injunctions. These early decisions offer some insights into the key legal issues at stake and how these courts may ultimately rule when they reach the merits.

Executive Orders

First, however, some basic background is in order. President Trump issued Executive Order No. 14158 on January 20, which formally established DOGE for the purpose of “implement[ing] the President’s DOGE Agenda, by modernizing Federal technology and software to maximize governmental efficiency and productivity.”[3] Pertinent among its directives, it renamed the United States Digital Service as the United States DOGE Service (“USDS”) and placed this entity within the Executive Office

It also ordered the USDS Administrator to “commence a Software Modernization Initiative to improve the quality and efficiency of government-wide software, network infrastructure, and information technology (“IT”) systems.” To those ends, it directed federal agencies to create internal “DOGE Teams” to coordinate with the USDS and to “take all necessary steps, in coordination with the USDS Administrator and to the maximum extent consistent with law, to ensure USDS has full and prompt access to all unclassified agency records, software systems, and IT systems.”

President Trump issued a second executive order, Executive Order No. 14210, on February 11 to “commence . . . a critical transformation of the Federal bureaucracy” by reducing the federal workforce and “eliminating waste, bloat, and insularity.”[4]

Privacy Act

Here’s the rub: “tak[ing] all necessary steps . . . to ensure USDS has full and prompt access to all unclassified agency records” implicates the Privacy Act, a 1974 law protecting personally identifiable information (“PII”) collected by the government.[5] The Privacy Act provides: “No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, [subject to a list of enumerated exceptions].”[6] A “record” is simply personal “information about an individual that is maintained by an agency.”[7] A “system of records” is also straightforward: “a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identif[ier].”[8]

The two relevant exceptions to the duty of nondisclosure are: (1) “to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties,”[9] and (2) “for a routine use,”[10] which is a “use of such record for a purpose which is compatible with the purpose for which it was collected,”[11] which has been published in the Federal Register.[12]

Lawsuits

The primary complaint in these lawsuits is that providing DOGE-affiliated employees access to PII in government systems of records violates the Privacy Act. The various plaintiffs are seeking injunctions against these agencies and DOGE to enjoin them from disclosing such records pursuant to the Administrative Procedure Act, which waives sovereign immunity for injunctive relief against federal agencies for violations of federal law.[13]

The lawsuits have primarily been filed by organizations representing federal workers, veterans, and student loan borrowers against a range of defendants, including: the Department of the Treasury; Office of Personnel Management; Department of Education; Department of Labor; Department of Health and Human Services; Consumer Financial Protection Bureau; Internal Revenue Service; and Social Security Administration.

I list all these entities to emphasize the scope of this access to PII by DOGE-affiliated employees across the federal government. These various databases of PII include commensurately broad types of information: social security number; date and location of birth; address; telephone number; marital status; bank account information; federal tax return information; employment history and disciplinary record; income and asset information; personal and financial information of family members; health and life insurance policy numbers; civil and criminal history information; security clearances; and education records.

Motions for TROs and Preliminary Injunctions

As I alluded to above, courts have thus far only ruled on motions for TROs or preliminary injunctions in six of the pending cases. Time for a throwback to Civ Pro! To obtain a TRO or preliminary injunction, plaintiffs must establish (1) they are “likely to succeed on the merits,” (2) they are “likely to suffer irreparable harm in the absence of preliminary relief,” (3) “the balance of equities tips in [their] favor,” and (4) “an injunction is in the public interest.”[14]

Most plaintiffs have thus far failed to meet their burden in either proving irreparable harm or likelihood of succeeding on the merits. In Alliance for Retired Americans v. Bessent, for example, the court held that even though the alleged unauthorized disclosure of records to DOGE-affiliated employees would establish a sufficiently concrete injury to confer standing, it would not constitute irreparable harm absent public disclosure of such private information.[15] Disclosure to a small number of officials obligated to maintain the confidentiality of the information was not sufficient.[16] Furthermore, the court held the mere risk of harm from future public disclosure of such records was too speculative to justify equitable relief, at least where the defendants have purportedly taken precautionary measures to mitigate such risk, as the record currently demonstrates.[17]

Similarly, in American Federation of Labor and Congress of Industrial Organizations v. Department of Labor, the court concluded that the DOGE-affiliated employees of the respective agencies were “employees of the agenc[ies] which maintain[] the record[s]” and therefore subject to the § 552a(b)(1) need-to-know exception.[18] And since the employees required access to such information to carry out their duties as set forth under the executive orders, no unauthorized disclosure occurred supporting an injury for either standing or a TRO.[19]

Plaintiffs have, however, successfully met their burden in two cases, resulting in TROs or preliminary injunctions—and conflicting rulings—against the Department of the Treasury, Department of Education, and Office of Personnel Management, enjoining them from “disclosing [PII] of the plaintiffs and the members of the plaintiff organizations to any DOGE affiliates.”[20] In American Federation of Teachers v. Bessent, for example, the court held that the access granted to the DOGE-affiliated employees was on an unprecedented scale that exceeded the access necessary to fulfill their job responsibilities.[21] Absent from the record, according to the court, was a justification for “why [the DOGE-affiliated employees] need such comprehensive, sweeping access to the plaintiffs’ records to audit . . . programs for waste, fraud, and abuse or to conduct cost-estimate analyses” or “to implement the workplace reform measures.”[22] Furthermore, the court concluded, the “continuing, unauthorized disclosure of the plaintiffs’ sensitive personal information to DOGE affiliates” itself constituted irreparable harm.[23]

What’s Next and Why Does It Matter

In short, the parties will next go through discovery, and the courts will need to rule on the merits of these individual cases after more evidence has been entered into the record. Meanwhile, more recent cases will go through the initial phases of motions for TROs and preliminary injunctions. But how are these courts likely to rule on the merits, and what will be the key issues? Here is where I will attempt to use my “at least more than trifling level of legal knowledge.”

It seems that one of the main issues that must be determined is whether the DOGE-affiliated employees nominally employed by the respective agencies are in fact employees of those agencies, not USDS. As I mentioned earlier, the organizational structure of the USDS is murky, and attorneys representing USDS in court have not been able to provide clarity.[24] Furthermore, the agency DOGE Teams are often comprised of USDS employees assigned on detail to the various agencies, and other hiring decisions are made in coordination with USDS.[25] So, what is the chain of command? Are these employees reporting to their assigned agencies or to USDS? Who are they taking directions from? Does a constructive agency argument apply in this context? I do not know.

But if these employees are in fact USDS employees, then providing them access to agency records would not qualify under the § 552a(b)(1) need-to-know exemption—they would have to resort to the “routine use” § 552a(b)(3) exemption. However, the respective Federal Register notices do not consistently enumerate routine uses for “eliminating waste, bloat, and insularity,”[26] or for tracking and blocking funding appropriated by Congress, another directive that has been communicated to DOGE-affiliated employees.[27] Perhaps this may not matter, though. According to Judge Colleen Kollar-Kotelly, delayed notice in the Federal Register for new routine uses may not be a sufficient basis to establish injury-in-fact for standing: “A ‘bare procedural violation’ (for example, failing to publish a notice of a new routine use in the Federal Register) does not qualify as ‘concrete’ on its own, even if it is directly contrary to law or gives rise to a statutory cause of action.”[28]

Moreover, is USDS even an “agency” subject to the “routine use” § 552a(b)(3) exemption? One such argument was made in American Federation of Labor and Congress of Industrial Organizations v. Department of Labor.[29] If not, then the exemption cannot apply.

If these employees are in fact employees of the individual agencies, there remains the question of whether protected records were disclosed beyond the respective agencies, for instance, to USDS. Such a possibility, although seemingly unlikely based on current evidence, was suggested in New York v. Trump.[30] In any event, the same question over whether the disclosure would constitute a routine use would still apply.

Perhaps a stronger argument was offered by Judge Deborah Boardman, who suggested that the DOGE-affiliated employees do not “have a need for the record[s] in the performance of their duties” and would fail under the § 552a(b)(1) need-to-know exemption. Such employees may need access to the systems generally, but this does not necessitate access to all PII housed within each system, especially where methods exist to “mask[]” PII with “dummy” data.[31] Indeed, as Judge Boardman noted, the scale of this access is unprecedented: “In other Privacy Act cases where the need-to-know exception is invoked, the dispute typically involves the alleged unauthorized disclosure of one record. This involves the alleged unauthorized disclosure of millions of records . . . . [T]his appears to be unlawful.”[32]

Judge Boardman’s argument resonates with the underlying goal of the Privacy Act, which was adopted to address the computerization of PII by limiting its collection, disclosures, and permissible uses. The original drafters recognized the profound harms posed by the unbridled government collection of PII. Take one comment by a contemporary Congressman: “Where will it end? . . . Will we permit all computerized systems to interlink nationwide so that every detail of our personal lives can be assembled instantly for use by a single bureaucrat or institution?”[33]

The sentiments captured by such remarks sound eerily relevant today, where a centralized organization within the Executive Office of the President, created by the President by executive order, has distributed its own associates across the federal bureaucracy where they have access to PII that is nowhere else contained in one location. Remember that long list above?

Perhaps these associates are faithfully upholding their obligations driven by a commitment to civic duty. I hope that is the case—after all, “eliminating waste, bloat, and insularity” is not intrinsically objectionable. But there is at least reason to fear this idealistic image is not our current reality, not amidst the vocal opposition from the current administration against the federal bureaucracy—not to mention the mass layoffs—and the open threats against their political opponents.

A more efficient government is a good thing. Unrestrained access to personal records is not. As these cases continue to work through the courts, I hope that judges restrain the excesses of the administration and uphold the spirit of the Privacy Act.


[1] Is he a good lawyer?

[2] Litigation Tracker: Legal Challenges to Trump Administration Actions, Just Security, https://www.justsecurity.org/107087/tracker-litigation-legal-challenges-trump-administration/.

[3] Establishing and Implementing the President's “Department of Government Efficiency,” https://www.federalregister.gov/documents/2025/01/29/2025-02005/establishing-and-implementing-the-presidents-department-of-government-efficiency.

[4] Implementing the President's “Department of Government Efficiency” Workforce Optimization Initiative, https://www.federalregister.gov/documents/2025/02/14/2025-02762/implementing-the-presidents-department-of-government-efficiency-workforce-optimization-initiative.

[5] 5 U.S.C. § 552a.

[6] Id. at § 552a(b).

[7] Id. at § 552a(a)(4).

[8] Id. at § 552a(a)(5).

[9] Id. at § 552a(b)(1).

[10] Id. at § 552a(b)(2).

[11] Id. at § 552a(a)(7).

[12] Id. at § 552a(e)(4).

[13] 5 U.S.C. § 702.

[14] Winter v. Nat. Res. Def. Council, Inc., 555 U.S. 7, 20 (2008).

[15] No. 25-0313, at 38–39 (D.D.C. Mar. 7, 2025).

[16] Id. at 38.

[17] Id. at 39.

[18] No. 25-0339, at 3–4 (D.D.C. Feb. 24, 2025). The Department of the Treasury was similarly enjoined “from granting access to any Treasury Department payment record, payment systems, or any other data systems maintained by the Treasury Department containing [PII] and/or confidential financial information of payees to any employee, officer or contractor employed or affiliated with the [USDS].” New York v. Trump, No. 25-01144, at 63 (S.D.N.Y. Feb. 21, 2025).

[19] Am. Fed’n Lab. & Cong. Indus. Org., No. 25-0339, at 3–4.

[20] Am. Fed’n Tchr. v. Bessent, No. 25-0430, at 33 (D. Md. Feb. 24, 2025).

[21] Id. at 23–24.

[22] Id. at 23, 27 (emphasis in original).

[23] Id. at 30.

[24] Anna Bower, Who Is Running the U.S. DOGE Service?, Lawfare (Feb. 25, 2025 3:07 pm), https://www.lawfaremedia.org/article/who-is-running-the-u.s.-doge-service.

[25] Am. Fed’n Lab. & Cong. Indus. Org. v. Dep’t of Labor, No. 25-0339, at 4 (D.D.C. Feb. 24, 2025).

[26] At least one such notice does, however, for the Department of Education, which may disclose records in the National Student Loan Database to other federal agencies to “support auditors and program reviewers” and “support the investigation of possible fraud or abuse.” U. Cal. Student Ass’c v. Carter, No. 25-354, at 3 (D.D.C. Feb. 17, 2025) (citing 89 Fed. Reg. 44652, 44657–58 (May 21, 2024)). 

[27] New York v. Trump, No. 25-01144, at 14–16 (S.D.N.Y. Feb. 21, 2025).

[28] All. for Retired Am. v. Bessent, No. 25-0313, at 27 (D.D.C. Mar. 7, 2025) (citing Spokeo, Inc. v. Robins, 578 U.S. 330, 342 (2016)) (emphasis added).

[29] No. 25-CV-01144, at 5.

[30] No. 25-01144, at 46.

[31] Am. Fed’n Tchr. v. Bessent, No. 25-0430, at 22–23 (D. Md. Feb. 24, 2025).

[32] Id. at 23.

[33] Danielle Citron, DOGE Betrays Foundational Commitments of the Privacy Act of 1974, Lawfare (Feb. 7, 2025 11:59 am), https://www.lawfaremedia.org/article/doge-betrays-foundational-commitments-of-the-privacy-act-of-1974.

Noah Coco ’26

Staff Editor — cmz4bx@virginia.edu
