Legal challenges to DOGE's data access hinge on outdated laws
Illustration: Natalie Peeples/Axios
The lawsuits filed against Elon Musk's government tech team hinge on two privacy laws written decades before the modern internet took shape.
Why it matters: How judges interpret those laws will dictate not only the success of these lawsuits in curbing the Department of Government Efficiency's power, but also what data government agencies can collect in the future.
Driving the news: Multiple lawsuits have been filed against DOGE in recent weeks, with some resulting in temporary stays on its data access.
- An ongoing legal dispute over DOGE's access to the Treasury Department's payment system has garnered the most attention, with new documents showing a DOGE member had "write" privileges to a sensitive database despite earlier statements from the administration to the contrary.
- The Electronic Frontier Foundation and a coalition of privacy advocates filed a lawsuit last week to block DOGE's access to the Office of Personnel Management's data and to force the deletion of any previously collected information.
- Several labor unions are also seeking to stop DOGE from accessing data at multiple federal agencies.
- A group of government employees is suing OPM for not conducting a privacy impact assessment before allegedly installing a new server to send mass email blasts.
Zoom in: All of these lawsuits rest on the Privacy Act of 1974 and the E-Government Act of 2002.
- The Privacy Act was passed after the Watergate scandal and governs how government agencies collect, use, maintain and disseminate personal information.
- The E-Government Act requires agencies to conduct privacy impact assessments whenever there are changes to how government systems access and use the personal information they store.
Between the lines: Neither law was designed for modern government's complex, data-driven processes. The Privacy Act, which underpins at least nine DOGE-related complaints, was enacted around the time the personal computer was invented.
- "We're asking [DOGE] to meet the standard around privacy that was set in 1974," Elizabeth Laird, director of equity in civic technology at the Center for Democracy and Technology, told Axios. "It's concerning."
The intrigue: Judges have faced few relevant challenges to these laws, so there's little precedent to guide the new wave of court battles.
- "There's very limited clauses in these laws that these lawsuits can essentially hang onto or build their case for," Ron De Jesus, field chief privacy officer at Transcend, told Axios.
The big picture: The U.S. has a patchwork of privacy laws dictating what can be collected and how it's stored. Few of those laws apply directly to government entities, however.
- For example, there's no breach notification requirement for government agencies, and their privacy policies don't have to be as thorough as those of corporate entities, De Jesus noted.
Yes, but: It remains unclear whether DOGE is violating these laws — and if its work is deemed legal, concerns about notification or transparency may be moot.
- And even if DOGE's access is ruled illegal, damage may have already been done.
- "DOGE already has access and has probably stored a lot of that personal information already," De Jesus said. "It's just like any other breach."
What we're watching: Lawyers may pursue challenges under different laws.
- A group of state attorneys general is trying to curb DOGE's power by questioning its constitutionality.
- Meanwhile, federal agencies holding data on EU citizens may face scrutiny from European officials, who have long been wary of U.S. government data practices.
