AMERICAN FEDERATION OF TEACHERS, et al., Plaintiffs, v. Scott BESSENT, et al., Defendants.
MEMORANDUM OPINION AND TEMPORARY RESTRAINING ORDER
This lawsuit is one of several filed by plaintiffs who seek to enjoin federal government agencies from disclosing records with their sensitive personal information to government personnel affiliated with the newly established Department of Government Efficiency (“DOGE”).
The plaintiffs in this suit are unions and membership organizations representing current and former federal employees and federal student aid recipients and six military veterans who have received federal benefits or student loans. In their amended complaint, filed on February 12, 2025, the plaintiffs assert claims under the Administrative Procedure Act, 5 U.S.C. § 551 et seq. (“APA”) against the U.S. Department of the Treasury (“Treasury”); the U.S. Department of Education (“Education”); the U.S. Office of Personnel Management (“OPM”); Scott Bessent, the Secretary of the Treasury; Charles Ezell, the Acting Director of OPM; and Denise L. Carter, the Acting Secretary of Education (collectively, “the government”). ECF 13. The plaintiffs allege that the agencies unlawfully granted access to records that contain their personally identifiable information (“PII”) to personnel implementing the President's Executive Orders on the DOGE agenda.
The plaintiffs have moved for a temporary restraining order to enjoin the government from granting access to record systems with their sensitive personal information to individuals who are implementing the President's DOGE agenda. ECF 14 & 14-1. The government filed an opposition, ECF 27, and the plaintiffs replied, ECF 28. The Court held a hearing on February 19, 2025.
Upon consideration of the amended complaint, the TRO briefing, the limited record evidence, oral argument, and the recent decisions of other courts in similar cases, the Court finds that the plaintiffs have met their burden for the extraordinary relief they seek. The TRO is granted in part and denied in part.1
I. Background
A. DOGE Executive Orders
On January 20, 2025, President Donald J. Trump signed an Executive Order called “Establishing and Implementing the President's ‘Department of Government Efficiency.’ ” Exec. Order No. 14,158, 90 Fed. Reg. 8441 (Jan. 29, 2025) (“DOGE Executive Order”). The DOGE Executive Order established the Department of Government Efficiency “to implement the President's DOGE Agenda, by modernizing Federal technology and software to maximize governmental efficiency and productivity.” Id. § 1. The order renames the United States Digital Service as the United States DOGE Service (“USDS”) and establishes “the U.S. DOGE Service Temporary Organization” to be “dedicated to advancing the President's 18-month DOGE agenda.” Id. § 3(a), (b). It directs each agency head to establish “a DOGE Team of at least four employees, which may include Special Government Employees, hired or assigned within thirty days of the date of this Order.” Id. § 3(c). “Each DOGE Team will typically include one DOGE Team Lead, one engineer, one human resources specialist, and one attorney.” Id. DOGE Team Leads will “coordinate their work with USDS and advise their respective Agency Heads on implementing the President's DOGE Agenda.” Id.
The DOGE Executive Order directs the USDS Administrator to “commence a Software Modernization Initiative to improve the quality and efficiency of government-wide software, network infrastructure, and information technology (IT) systems,” which includes “work[ing] with Agency Heads to promote inter-operability between agency networks and systems, ensure data integrity, and facilitate responsible data collection and synchronization.” Id. § 4(a). The DOGE Executive Order commands agency heads to “take all necessary steps, in coordination with the USDS Administrator and to the maximum extent consistent with law, to ensure USDS has full and prompt access to all unclassified agency records, software systems, and IT systems.” Id. § 4(b). It also directs that “USDS shall adhere to rigorous data protection standards.” Id.
On February 11, 2025, President Trump signed an Executive Order called “Implementing the President's ‘Department of Government Efficiency’ Workforce Optimization Initiative.” Exec. Order No. 14,210, 90 Fed. Reg. 9669 (Feb. 14, 2025) (“Workforce Executive Order”). The Workforce Executive Order “commences a critical transformation of the Federal bureaucracy.” Id. § 1. It proclaims that the Trump “Administration will empower American families, workers, taxpayers, and our system of Government itself” by “eliminating waste, bloat, and insularity.” Id. In a section titled “Reforming the Federal Workforce to Maximize Efficiency and Productivity,” the Order directs: (a) the Office of Management and Budget (“OMB”) to submit a plan to reduce the size of the federal government workforce; (b) agency heads to “develop a data-driven plan, in consultation with its DOGE Team Lead, to ensure new career appointment hires are in highest-need areas”; (c) agency heads to prepare “to initiate large-scale reductions in force”; (d) OPM to revise regulations on fitness and suitability criteria; (e) agency heads to submit to OMB “a report that identifies any statutes that establish the agency ... as statutorily required entities” and discusses “whether the agency ... should be eliminated or consolidated”; and (f) the USDS Administrator, within 240 days of the Order, to “submit a report to the President regarding implementation of this order.” See id. § 3.
B. Agency Defendants
1. Education
Education manages the federal student loan system. ECF 13, ¶ 94. Within this system, the Federal Student Aid Office maintains the National Student Loan Data System (“NSLDS”), the Common Origination and Disbursement System (“CODS”), the FUTURE Act System (“FAS”), and the Financial Management System (“FMS”). See id. ¶¶ 95, 98, 100, 102. These systems house records that contain PII of individuals who either apply for or receive federal student aid, such as Social Security numbers and taxpayer identification numbers, names and addresses, dates of birth, email addresses, income and asset information, tax information, marital status, demographic information including citizenship status, and family members’ personal and financial information. Id. ¶¶ 95–102; see also, e.g., 87 Fed. Reg. 57,873, 57,878 (2022) (listing categories of records in the NSLDS); 88 Fed. Reg. 41,942, 41,947 (2023) (listing categories of records in the CODS); 88 Fed. Reg. 42200, 42222 (2023) (listing categories of records in FAS).
The DOGE affiliates at Education include Adam Ramada, a USDS employee detailed to Education, and five other “DOGE-affiliated individuals” who “play the principal role in helping to advance the mission of President Trump's Executive Order 14,158.” ECF 27-6, ¶¶ 1–2 (A. Ramada Supp. Decl.).2 These individuals are “assist[ing] the Department of Education with auditing contract, grant, and related programs for waste, fraud, and abuse, including an audit of the Department of Education's federal student loan portfolio to ensure it is free from, among other things, fraud, duplication, and ineligible loan recipients.” ECF 27-5, ¶ 4 (A. Ramada Decl.). They also “help senior Department leadership obtain access to accurate data and data analytics to inform their policy decisions at the Department.” Id. ¶ 4. These individuals “primarily worked to identify contracts and grants that are wasteful, abusive, or inconsistent with leadership's policy priorities.” ECF 27-6, ¶ 8; see also ECF 27, at 9 (“All six [Education DOGE affiliates] work to audit contract, grant and related programs for waste, fraud and abuse.”).
DOGE affiliates at Education “have been granted access to Department information technology and data systems.” ECF 27-6, ¶ 7. This includes records that Education maintains in its operation of federal student loan programs. See also ECF 27-5, ¶ 9 (“The relevant employees require access to Department of Education information technology and data systems related to student loan programs in order to audit those programs for waste, fraud, and abuse.”); see also ECF 27, at 26 (describing how “Executive Order 14,158 provides that these individuals have a need to know ‘all unclassified agency records, software systems, and IT systems’ to perform their duties” and that “Education personnel need to access such records in order to audit student loan programs for waste, fraud, and abuse” (quoting Exec. Order 14,158, § 4)). DOGE affiliates at Education are also expected to access tax-related information maintained by Education in the future. ECF 27-5, ¶ 11.
2. OPM
OPM acts as the “chief human resources agency and personnel policy manager for the Federal Government.” ECF 13, ¶ 71 (quoting “About Us,” OPM, https://www.opm.gov/about-us (last visited Feb. 23, 2025)). OPM maintains a host of records about federal government personnel, including human resource and payroll data, application and hiring systems for federal jobs, and health benefits for federal employees. Id. ¶ 72. For example, OPM maintains the electronic Official Personnel Folder (“eOPF”), which contains digital versions of federal employees’ personnel files that cover their entire period of federal civilian service. See OPM, Privacy Impact Assessment for Electronic Official Personnel Folder System (eOPF) 1 (Oct. 28, 2020), https://www.opm.gov/information-management/privacy-policy/privacy-policy/eopf-pia.pdf. The eOPF contains current and former federal employees’ PII such as Social Security numbers, bank account numbers, names and addresses, dates of birth, health and life insurance policy numbers, civil and criminal history information, and personnel actions such as promotions and suspensions. Id. at 5. OPM also maintains the Enterprise Human Resources Integration Data Warehouse (“EHRI”), which contains PII as well. See ECF 13, ¶¶ 81–82.
The DOGE affiliates at OPM include Greg Hogan, the Chief Information Officer (“CIO”) of OPM. See ECF 27-8, ¶ 4 (G. Hogan Decl.). As CIO of the agency, Hogan's statutory responsibilities include development and management of OPM's information technology and resources. See 40 U.S.C. § 11315. Hogan can grant or revoke access to record systems including eOPF and EHRI. See ECF 33-1, ¶ 12 (G. Hogan Supp. Decl.). Additional personnel at OPM have been granted access to OPM's record systems to “contribute[ ] to facilitating the President's initiatives related to workplace reform.” ECF 33-1, ¶¶ 6, 8, 13–14; see also ECF 27, at 10 (explaining that at least some individuals at OPM who are working to implement the President's directives have access to “OPM records systems”). Other than Hogan, there are five “key systems engineers” working at OPM on these efforts. ECF 33-1, ¶ 13. None of these five individuals has access to EHRI, “though that could change if their duties require access in the future.” See id. ¶¶ 11–12. Hogan periodically reviews access to these systems. Id. ¶ 12. In early February, he directed his team to remove access to eOPF and EHRI “for three engineers whose job duties do not require prospective access.” Id.
C. The Plaintiffs
The organizational plaintiffs are: American Federation of Teachers (“AFT”), International Association of Machinists and Aerospace Workers (“IAM”), International Federation of Professional and Technical Engineers (“IFPTE”), National Active and Retired Federal Employees Association (“NARFE”), and National Federation of Federal Employees (“NFFE”). ECF 13, ¶¶ 18–21. AFT represents over 1.8 million people employed in the teaching and nursing professions. Id. ¶ 18. IAM and its affiliate organization NFFE represent more than 100,000 federal workers, veterans, and veterans’ groups. Id. ¶ 20. IFPTE represents approximately 34,000 federal employees, most of whom work in shipyards for the Department of Defense. Id. ¶ 21. Other IFPTE members include nuclear submarine engineers, scientists and researchers at NASA, administrative law judges at the Social Security Administration, nuclear engineers at the Tennessee Valley Authority, and employees at the Environmental Protection Agency. Id. NARFE represents approximately 128,000 current and former federal employees and spousal annuitants. Id. ¶ 19. The members of the plaintiff organizations have records with their PII housed within Education, OPM, and/or Treasury. Id. ¶¶ 18–21.
The individual plaintiffs are Jason Cain, Kristofer Goldsmith, Clifford Grambo, Thomas Fant, Donald Martinez, and Christopher Purdy. Id. ¶¶ 22–27. Cain, a U.S. Army veteran, receives veterans’ disability benefits and previously received GI bill benefits, student loans, and a VA home loan from the federal government. Id. ¶ 22. Goldsmith, a U.S. Army veteran, receives veterans’ disability benefits and previously received federal student loans. Id. ¶ 23. Grambo, a U.S. Navy veteran, receives veterans’ disability benefits and a military pension. Id. ¶ 24. Fant, a veteran of the U.S. Coast Guard, receives veterans’ disability benefits. Id. ¶ 25. Martinez, a U.S. Army veteran, receives veterans’ benefits, Social Security Disability Insurance/Medicare, and Combat Related Special Compensation. Id. ¶ 26. Martinez previously worked for the Federal Emergency Management Agency and received federal student loans. Id. Purdy, a veteran of the Army National Guard, receives veterans’ disability benefits and previously received federal student loans. Id. ¶ 27. The individual plaintiffs have records with their PII housed in OPM, Education, and/or Treasury. Id. ¶¶ 22–27.
The plaintiffs allege that pursuant to the DOGE Executive Order and the Workforce Executive Order, Treasury, Education, and OPM have given DOGE affiliates unrestricted access to their PII and other sensitive personal information. Id. ¶¶ 61, 76, 77, 78, 84, 85, 103, 104, 108. None of the plaintiffs or the members of the plaintiffs’ organizations requested disclosure or provided express written consent to the disclosure of their records and information to DOGE affiliates. Id. ¶¶ 62, 87, 109. And none of the DOGE affiliates needs to know their personal information to perform their duties. Id. ¶¶ 64, 65, 89, 113–16. The plaintiffs allege that the “continued and ongoing disclosure of their records to DOGE affiliates constitutes a violation of the Privacy Act, for which no exception applies.” Id. ¶ 87. The purportedly unlawful disclosures to DOGE affiliates have caused the plaintiffs “major stress and anxiety, as they do not know who their data has been or will be shared with, whether these disclosures have made them vulnerable to further privacy breaches, and how it may be weaponized against them.” Id. ¶ 140.
The plaintiffs assert three violations of the APA. First, the agencies’ actions violate the Privacy Act. Id. ¶¶ 145–51. Second, the agencies acted arbitrarily and capriciously when they failed to consider the requirements of the Privacy Act and failed to engage in reasoned decision-making when they granted DOGE affiliates sweeping access to their systems of records containing sensitive and personal data. Id. ¶¶ 152–56. Finally, the agencies violated their non-discretionary duties to protect records from unauthorized disclosure. Id. ¶¶ 157–59.
II. Discussion
A. Jurisdiction
Before the Court considers the TRO motion, the Court must assure itself that the plaintiffs have standing and that it may review the agency actions.
1. Standing
Article III of the Constitution extends the “judicial Power” of the federal courts only to “Cases” or “Controversies.” U.S. Const. art. III, § 2, cl. 1; see TransUnion LLC v. Ramirez, 594 U.S. 413, 423, 141 S.Ct. 2190, 210 L.Ed.2d 568 (2021). There is a case or controversy only if the plaintiff has standing to assert their claim. TransUnion, 594 U.S. at 423, 141 S.Ct. 2190. To establish standing, a plaintiff must show “(1) that he suffered an injury in fact that is concrete, particularized, and actual or imminent; (2) that the injury is fairly traceable to the challenged action of the defendant; and (3) that the injury would likely be redressed by judicial relief.” Fernandez v. RentGrow, Inc., 116 F.4th 288, 294 (4th Cir. 2024) (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992)). “An organization ... can assert standing either in its own right or as a representative of its members.” S. Walk at Broadlands Homeowner's Ass'n, Inc. v. OpenBand at Broadlands, LLC, 713 F.3d 175, 182 (4th Cir. 2013).
Here, the organizational plaintiffs assert standing as representatives of their members. See ECF 14-9, ¶¶ 6–11; ECF 14-10, ¶¶ 10–15; ECF 14-11, ¶¶ 5–10; ECF 14-12, ¶¶ 8–13. An organization pleads “representational standing” by “alleg[ing] that ‘(1) its own members would have standing to sue in their own right; (2) the interests the organization seeks to protect are germane to the organization's purpose; and (3) neither the claim nor the relief sought requires the participation of individual members in the lawsuit.’ ” S. Walk at Broadlands, 713 F.3d at 184 (quoting Md. Highways Contractors Ass'n, Inc. v. Maryland, 933 F.2d 1246, 1251 (4th Cir. 1991)).
The individual plaintiffs and the members of the organizational plaintiffs allege their injury is the unauthorized access to their sensitive personal information.3 The plaintiffs assert that granting DOGE affiliates access to their sensitive personal information invades their privacy and increases their risk of identity theft. The government argues that the plaintiffs have not alleged an injury in fact because their personal information has not been publicly disclosed and, without public disclosure, an alleged violation of the Privacy Act does not satisfy the injury-in-fact requirement.4 The Court finds that the plaintiffs have alleged an injury in fact.5
In TransUnion LLC v. Ramirez, the Supreme Court explained “[w]hat makes a harm concrete for purposes of Article III.” 594 U.S. at 424, 141 S.Ct. 2190. To determine whether the concrete-harm requirement has been met, “courts should assess whether the alleged injury to the plaintiff has a ‘close relationship’ to a harm ‘traditionally’ recognized as providing a basis for a lawsuit in American courts.” Id. (quoting Spokeo v. Robins, 578 U.S. 330, 341, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016)). “That inquiry asks whether plaintiffs have identified a close historical or common-law analogue for their asserted injury.” Id. The inquiry “does not require an exact duplicate in American history and tradition.” Id. Traditional tangible harms include physical and monetary harms. Id. at 425, 141 S.Ct. 2190. Intangible harms also can be concrete. Id. They include injuries such as “reputational harms, disclosure of private information, and intrusion upon seclusion.” Id.; accord Krakauer v. Dish Network, L.L.C., 925 F.3d 643, 653 (4th Cir. 2019) (“Intrusions upon personal privacy were recognized in tort law and redressable through private litigation.”).
In the wake of TransUnion, the Fourth Circuit affirmed that invasion of privacy constitutes a cognizable injury for Article III standing. In Garey v. James S. Farrin, P.C., the plaintiffs alleged violations of the Driver's Privacy Protection Act (“DPPA”) after lawyers obtained car accident reports from state law enforcement and private data brokers and mailed unsolicited attorney advertisements to drivers involved in crashes. 35 F.4th 917, 920 (4th Cir. 2022). The DPPA provides a cause of action against “[a] person who knowingly obtains, discloses or uses personal information, from a motor vehicle record.” Id. (quoting 18 U.S.C. § 2724(a)). The plaintiffs alleged that they “sustained actual damages by having [their] privacy invaded by Defendants’ knowingly obtaining [their] name[s] and address[es] from motor vehicle record[s] for an impermissible purpose in violation of law.” Id. (quoting second am. compl.). These allegations of merely obtaining names and addresses satisfied the injury-in-fact requirement because “injuries to personal privacy have long been ‘recognized in tort law and redressable through private litigation.’ ” See id. at 921–22 (quoting Krakauer, 925 F.3d at 653). By pleading a violation of a statute “aimed squarely at ‘the right of the plaintiff ... to be let alone,’ ” the plaintiffs had “alleged a legally cognizable injury.” See id. (cleaned up) (quoting William L. Prosser, Privacy, 48 Calif. L. Rev. 383, 389 (1960)); see also Restatement (Second) of Torts § 652A (“One who invades the right of privacy of another is subject to liability for the resulting harm to the interests of the other.”).
The plaintiffs allege that they are experiencing an ongoing invasion of privacy. This alleged harm resembles the common law tort of intrusion upon seclusion, a type of invasion of privacy. “The right of privacy is invaded by,” among other things, “unreasonable intrusion upon the seclusion of another.” Restatement (Second) Torts § 652A. The Second Restatement of Torts defines “intrusion upon seclusion” as follows: “intentional[ ] intru[sion], physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, ... if the intrusion would be highly offensive to a reasonable person.” Id. § 652B; see Krakauer, 925 F.3d at 653 (quoting § 652B).
The plaintiffs allege that Education and OPM have granted DOGE affiliates unauthorized access to their sensitive personal information. The information includes bank account numbers; Social Security numbers; dates of birth; physical and email addresses; disability status; income and asset information; marital status; demographic information; employment records such as performance appraisals and personnel actions; and information about family members, such as their financial status, dates of birth, and addresses. The DOGE affiliates who have been granted unauthorized access to the plaintiffs’ records at OPM and Education could use the information available to them to create a comprehensive picture of the plaintiffs’ familial, professional, or financial affairs. See Dep't of Just. v. Reporters Comm. for Freedom of Press, 489 U.S. 749, 764, 109 S.Ct. 1468, 103 L.Ed.2d 774 (1989) (recognizing “the distinction, in terms of personal privacy, between scattered disclosure of the bits of information contained in a rap sheet and revelation of the rap sheet as a whole”). The unauthorized disclosure of this massive amount of personal information can be considered an “unwanted intrusion into the home that marks intrusion upon seclusion.” See O'Leary v. TrustedID, Inc., 60 F.4th 240, 246 (4th Cir. 2023). The plaintiffs have alleged a harm similar to an “intru[sion] ... upon the solitude or seclusion of another or his private affairs or concerns” that is “highly offensive to a reasonable person.” Restatement (Second) Torts § 652B. Thus, the plaintiffs have alleged an injury in fact.
The government argues that the plaintiffs are not experiencing an injury akin to intrusion upon seclusion because access to their personal information has been granted only to other government employees, not to the public. But the tort does not require public disclosure of personal information. Intrusion upon seclusion, unlike the tort of public disclosure of private information, “does not depend upon any publicity given to the person whose interest is invaded or to his affairs.” Restatement (Second) Torts, § 652B, cmt. a. The disclosure to unauthorized government employees suffices. Indeed, Congress passed the Privacy Act “in light of the government's ‘increasing use of computers and sophisticated information technology,’ which ‘greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information.’ ” Tankersley v. Almand, 837 F.3d 390, 395 (4th Cir. 2016) (quoting the Privacy Act of 1974, Pub. L. No. 93-579, § 2(a)(2), 88 Stat. 1896). The Act was meant “to protect the privacy of individuals identified in information systems maintained by Federal agencies” by “regulat[ing] the collection, maintenance, use, and dissemination of information by such agencies.” Doe v. Chao (“Chao I”), 540 U.S. 614, 618, 124 S.Ct. 1204, 157 L.Ed.2d 1122 (2004) (quoting Pub. L. No. 93-579, § 2(a)(5), 88 Stat. 1896). The Privacy Act's purposes included “prevent[ing] the kind of illegal, unwise, overbroad, investigation and record surveillance of law abiding citizens produced in recent years from actions of some overzealous investigators, and the curiosity of some government administrators, or the wrongful disclosure and use, in some cases, of personal files held by Federal agencies.” Doe v. DiGenova, 779 F.2d 74, 84 (D.C. Cir. 1985) (quoting S. Rep. No. 1183, 93d Cong., 2d Sess. 1 (1974)). 
The legislative history of the law's enactment reveals Congress's concerns that “every detail of our personal lives can be assembled instantly for use by a single bureaucrat or institution” and that “a bureaucrat in Washington or Chicago or Los Angeles can use his organization's computer facilities to assemble a complete dossier of all known information about an individual.” See Danielle Keats Citron, A More Perfect Privacy, 104 B.U. L. Rev. 1073, 1078 (2024) (first quoting 120 Cong. Rec. 36,917 (1974) (statement of Sen. Goldwater); and then quoting 120 Cong. Rec. 36,917 (statement of Sen. Percy)).
The plaintiffs have a privacy interest in restricting access to their personal information to government employees properly authorized to access it. Cf. Krakauer, 925 F.3d at 653 (finding a cognizable injury for violation of a privacy statute after “[l]ooking both to Congress's judgment and historical practice” to recognize that “[i]n enacting § 227(c)(5) of the [Telephone Consumer Protection Act], Congress responded to the harms of actual people by creating a cause of action that protects their particular and concrete privacy interests”). Education and OPM possess a significant amount of detailed information about the plaintiffs’ lives. To say that the plaintiffs suffer no cognizable injury when their personal information is improperly disclosed to government employees would nullify their interest in preventing unlawful government intrusion into their private affairs. The unauthorized disclosure of the plaintiffs’ sensitive personal information is an injury in fact. See Parks v. U.S. IRS, 618 F.2d 677, 683 (10th Cir. 1980) (finding plaintiffs had standing to bring a Privacy Act action for intra-agency disclosure because “[t]he plaintiffs are the objects or the subjects of the disclosure and the allegation is that they suffered a personal invasion”). The plaintiffs adequately allege standing to pursue their APA claims against the government.6
2. Judicial Reviewability
The APA allows for judicial review of “final agency action for which there is no other adequate remedy in a court.” 5 U.S.C. § 704. The government argues there is no final agency action and that the plaintiffs have an adequate remedy under the Privacy Act.
a. Final Agency Action
Agency action is “final” when two conditions are met: (1) “the action must mark the ‘consummation’ of the agency's decisionmaking process—it must not be of a merely tentative or interlocutory nature,” and (2) “the action must be one by which ‘rights or obligations have been determined,’ or from which ‘legal consequences will flow.’ ” Bennett v. Spear, 520 U.S. 154, 177–78, 117 S.Ct. 1154, 137 L.Ed.2d 281 (1997) (quoting Chicago & S. Air Lines, Inc. v. Waterman S.S. Corp., 333 U.S. 103, 113, 68 S.Ct. 431, 92 L.Ed. 568 (1948); and then quoting Port of Boston Marine Terminal Ass'n v. Rederiaktiebolaget Transatl., 400 U.S. 62, 71, 91 S.Ct. 203, 27 L.Ed.2d 203 (1970)); see Biden v. Texas, 597 U.S. 785, 808, 142 S.Ct. 2528, 213 L.Ed.2d 956 (2022) (quoting Bennett, 520 U.S. at 178, 117 S.Ct. 1154).
In Venetian Casino Resort, L.L.C. v. EEOC, the D.C. Circuit concluded that an agency's decision to permit its employees to disclose confidential information without notice was a final agency action. 530 F.3d 925, 930–31 (D.C. Cir. 2008). There, a company operating a hotel and casino (“Venetian”) filed suit against the EEOC. Id. at 930–31. Venetian asserted the EEOC violated the APA through a policy that allowed EEOC “employees to disclose an employer's confidential information to potential ... plaintiffs without first notifying the employer that its information [would] be disclosed.” Id. The EEOC argued that Venetian could not bring an APA claim because the challenged policy appeared in its compliance manual, which was not a final agency action. Id. at 931. According to the D.C. Circuit, EEOC's “argument [was] misdirected” because the final agency action at issue was not the manual but rather “the decision of the Commission to adopt a policy of disclosing confidential information without notice.” Id. The court determined that “the agency took final action by adopting the policy” and that action was subject to judicial review. Id. Ultimately, the Venetian Court found that “[a]dopting a policy of permitting employees to disclose confidential information without notice is surely a ‘consummation of the agency's decisionmaking process’ ” and ‘one by which [the submitter's] rights [and the agency's] obligations have been determined.’ ” Id. at 931 (quoting Bennett, 520 U.S. at 178, 117 S.Ct. 1154). The D.C. Circuit remanded the case for entry of “an injunction prohibiting the [EEOC] from disclosing Venetian's confidential information pursuant to its current disclosure policy.” Id. at 927.
Here, as in Venetian, the decisions to grant DOGE affiliates access to agency record systems were final agency actions. Education and OPM granted DOGE affiliates access to systems that contain records with the plaintiffs’ PII. See ECF 27-5, ¶¶ 8–9 (A. Ramada Decl.); ECF 27-6, ¶ 7 (A. Ramada Supp. Decl.); ECF 27-7, ¶¶ 4, 6–9 (T. Flagg Decl.); ECF 27-8, ¶¶ 10–12 (G. Hogan Decl.); ECF 33-1, ¶¶ 11–13 (G. Hogan Supp. Decl.). The decision to grant access was neither tentative nor interlocutory in nature. It was “the ‘consummation of the agenc[ies’] decisionmaking process.” See Bennett, 520 U.S. at 177–78, 117 S.Ct. 1154 (quoting Chicago & S. Air Lines, 333 U.S. at 113, 68 S.Ct. 431). There was nothing further for the agencies to do to formalize the decisions. No written decision was required to finalize the actions. See Bhd. of Locomotive Eng'rs & Trainmen v. Fed. R.R. Admin., 972 F.3d 83, 100 (D.C. Cir. 2020) (“[T]he absence of a written memorialization by the agency does not defeat finality.... Agency action generally need not be committed to writing to be final and judicially reviewable.” (citing Venetian, 530 F.3d at 930–31)); Garcia v. Unknown Parties, No. 23-468-TUC-CKJ, 2024 WL 1619370, at *6 (D. Ariz. Apr. 15, 2024) (noting “district courts have recognized that a final and judicially reviewable agency action need not be in writing”) (collecting cases). And, while the agencies have the authority to revoke or restrict the access, that authority does not make their decisions tentative. The agencies decided that DOGE affiliates could access their record systems, and DOGE affiliates did so. The agency actions marked the consummation of their decisionmaking process.
And here, as in Venetian, Education and OPM “[a]dopt[ed] a policy of permitting ... disclos[ure]” that determines the plaintiffs’ legal rights and the agencies’ legal obligations. See Venetian, 530 F.3d at 931. The Privacy Act prohibits disclosure of the records at issue “except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains,” unless the disclosure falls within an enumerated exception. See 5 U.S.C. § 552a(b). The agencies have determined that, to comply with the Privacy Act, they do not need the plaintiffs’ written authorization to disclose their records to DOGE affiliates. Thus, OPM and Education made determinations about the plaintiffs’ rights to protect their personal information and the agencies’ legal obligations under the Privacy Act.
The agency decisions to grant DOGE affiliates access to the plaintiffs’ personal information are final agency actions.
b. No Adequate Remedy
The government argues that the plaintiffs cannot seek relief under the APA because they have an adequate remedy available under the Privacy Act. They do not. The Privacy Act provides a cause of action for damages when an agency improperly discloses records; it does not provide a cause of action for injunctive relief in these circumstances. See Doe v. Chao (“Chao II”), 435 F.3d 492, 504 (4th Cir. 2006). Thus, the plaintiffs do not have an available remedy under the Privacy Act. Instead, they can only bring an action under the APA for injunctive relief. See id. at 504–05 & n.17 (recognizing that while injunctive relief is not authorized by the Privacy Act for unauthorized disclosure of records, “we do not read these cases to stand for the proposition that the Government may not be enjoined from violating the Privacy Act by disclosing personal records,” and “injunctive relief for a Government's violation of the Act will instead be appropriate and authorized by the APA,” which “empower[s] courts to ‘hold unlawful and set aside agency action ․ found to be ․ not in accordance with the law’ ”) (quoting 5 U.S.C. § 706(2)); see also Radack v. U.S. Dep't of Just., 402 F. Supp. 2d 99, 104 (D.D.C. 2005) (“Because Radack seeks declaratory and injunctive relief in addition to damages, the Privacy Act does not provide an ‘adequate remedy.’ ”); cf. Doe v. Stephens, 851 F.2d 1457, 1466 (D.C. Cir. 1988) (noting case involving unauthorized disclosure claims under the Veterans’ Records Statute, which incorporates the Privacy Act, “clearly is a case of agency action ‘not in accordance with law’ ” (quoting 5 U.S.C. § 706(2))).
The plaintiffs challenge a “final agency action for which there is no other adequate remedy in a court.” See 5 U.S.C. § 704. Therefore, the APA allows for judicial review of their claims.
B. Temporary Restraining Order
“The standard for a temporary restraining order is the same as a preliminary injunction.” Maages Auditorium v. Prince George's County, 4 F. Supp. 3d 752, 760 n.1 (D. Md. 2014), aff'd, 681 F. App'x 256 (4th Cir. 2017). The party seeking the temporary restraining order must establish (1) that they are likely to succeed on the merits; (2) that they are likely to suffer irreparable harm if preliminary relief is not granted; (3) that the balance of equities favors them; and (4) that an injunction is in the public interest. See Frazier v. Prince George's County, 86 F.4th 537, 543 (4th Cir. 2023) (citing Winter v. Nat. Res. Def. Council, Inc., 555 U.S. 7, 20, 129 S.Ct. 365, 172 L.Ed.2d 249 (2008)).
1. Likelihood of Success on the Merits
The plaintiffs have shown a likelihood of success on the merits of their APA claim that Education and OPM took final agency actions “not in accordance with law.” 5 U.S.C. § 706(2)(A). Specifically, the plaintiffs have shown that Education and OPM likely violated the Privacy Act by disclosing their personal information to DOGE affiliates without their consent.7
The Privacy Act prohibits agencies from “disclos[ing] any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” 5 U.S.C. § 552a(b). The Privacy Act defines a “record” as “any item, collection, or grouping of information about an individual that is maintained by an agency, including but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.” Id. § 552a(a)(4). The plaintiffs did not request or consent to disclosure of their records to DOGE affiliates.8
There are several exceptions to the Act's bar on disclosure. See id. § 552a(b)(1)–(13). Of relevance here is the so-called “need-to-know” exception. Under that exception, disclosure of records is permitted “to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties.” Id. § 552a(b)(1). To fall within this exception, the disclosure must be within the agency that maintains the record, see In re Sealed Case, 551 F.3d 1047, 1051 (D.C. Cir. 2009), and the recipient must “examine[ ] the record in connection with the performance of duties assigned to him ․ in order to perform those duties properly,” Bigelow v. Dep't of Def., 217 F.3d 875, 877 (D.C. Cir. 2000).
The government insists, and the Court assumes for purposes of the TRO motion, that the DOGE affiliates are employees of Education and OPM and that the disclosure of the plaintiffs’ records is within the agency that maintains the records. The question, then, is whether the DOGE affiliates “have a need for the record in the performance of their duties.” 5 U.S.C. § 552a(b)(1).9
a. Education
Currently, there are six DOGE affiliates working at Education: Adam Ramada and five others who have not been identified by name.
Ramada is a USDS employee detailed to Education. He and the five “DOGE-affiliated individuals” who work with him at Education “play the principal role in helping to advance the mission of President Trump's Executive Order 14,158.” ECF 27-6, ¶¶ 2, 7. Ramada's duties include “assist[ing] the Department of Education with auditing contract, grant, and related programs for waste, fraud, and abuse, including an audit of the Department of Education's federal student loan portfolio to ensure it is free from, among other things, fraud, duplication, and ineligible loan recipients.” ECF 27-5, ¶ 4. DOGE affiliates at Education “help senior Department leadership obtain access to accurate data and data analytics to inform their policy decisions at the Department.” ECF 27-6, ¶ 5. Ramada and the five other DOGE affiliates have “primarily worked to identify contracts and grants that are wasteful, abusive, or inconsistent with leadership's policy priorities.” Id. ¶ 8.
Ramada and his DOGE colleagues “have been granted access to Department information technology and data systems.” Id. ¶¶ 2, 7. These systems of records contain many of the plaintiffs’ PII, including marital status, income and asset information, Social Security numbers, taxpayer identification numbers, dates of birth, demographic information (such as citizenship status), and some similar information about family members. See, e.g., 87 Fed. Reg. 57,873, 57,878 (2022) (listing categories of records in NSLDS). The government says DOGE affiliates at Education need access to all this information “in order to audit student loan programs for waste, fraud, and abuse.” ECF 27, at 26 (citing ECF 27-5, ¶ 9 (same)). Ramada states that DOGE affiliates will access tax-related information in Education's systems of record in the future “with appropriate authorization and for purposes consistent with applicable law, such as conducting analyses to estimate costs related to student loan repayment plans, awards, or debt discharges.” ECF 27-5, ¶ 11. But neither Ramada nor the government explain why he and the DOGE affiliates at Education need such comprehensive, sweeping access to the plaintiffs’ records to audit student loan programs for waste, fraud, and abuse or to conduct cost-estimate analyses.10
There appears to be no precedent with similar facts. In other Privacy Act cases where the need-to-know exception is invoked, the dispute typically involves the alleged unauthorized disclosure of one record. This case involves the alleged unauthorized disclosure of millions of records. Even under existing precedent, this appears to be unlawful. “[P]ermitting agency-wide distribution under § 552a(b)(1) without any showing of why each employee needed to receive the information would allow the exception to swallow the rule.” Dick v. Holder, 67 F. Supp. 3d 167, 178 (D.D.C. 2014); see also Walker v. Gambrell, 647 F. Supp. 2d 529, 538 n.4 (D. Md. 2009) (disclosure of an employee's miscarriage did not fall within the need-to-know exception because “it is difficult to see how knowledge with such specificity was necessary”). At this stage, the record does not indicate that DOGE affiliates at Education need access to the plaintiffs’ PII to perform their jobs.11
It may be that, with additional time, the government can explain why granting such broad access to the plaintiffs’ personal information is necessary for DOGE affiliates at Education to do their jobs, but for now, the record before the Court indicates they do not have a need for these records in the performance of their duties. Compare Parks, 618 F.2d at 681 (rejecting argument that employee needed to know protected information to fulfill duties pursuant to President Nixon's executive order creating committee of agency heads to promote savings bond program because the executive “order, which was at odds with the stated legislative purpose of the Privacy Act, d[id] not license the defendants to violate the Privacy Act”), with Pippinger v. Rubin, 129 F.3d 519, 530 (10th Cir. 1997) (concluding staff members needed to know Pippinger's identity to “decide whether and how to discipline Pippinger” and “knowledge of Pippinger's identity allowed ․ staff members to put the investigation in context, and might potentially have enabled them to connect the information about Pippinger's alleged misconduct with other data already know[n] to them”), and Bigelow, 217 F.3d at 877 (finding Department of Defense employee's immediate supervisor “had a need to examine [his subordinate's personnel file] in view of the doubts that had been raised in his mind about” his subordinate's “access to the country's top secrets”).12
The plaintiffs have shown a likelihood of success on the merits of their claim that Education's disclosure of their records to DOGE affiliates does not fall within the need-to-know exception and thus violates the Privacy Act.
b. OPM
At OPM, the DOGE affiliates outnumber their counterparts at Education. OPM DOGE affiliates include Greg Hogan, the CIO, and numerous OPM employees who have been granted access to OPM's systems of records to “contribute[ ] to facilitating the President's initiatives related to workplace reform, including the deferred resignation program that closed on February 12.” ECF 33-1, ¶¶ 6, 8, 13–14; ECF 27, at 10.
Hogan's duties are defined by statute. See 40 U.S.C. § 11315. The CIO of an executive agency, including OPM, is generally responsible for, among other things, “developing, maintaining, and facilitating the implementation of a sound, secure, and integrated information technology architecture for the executive agency” and “promoting the effective and efficient design and operation of all major information resources management processes for the executive agency, including improvements to work processes of the executive agency.” See id. § 11315(b)(2)–(3). This statute also dictates that the CIO's “primary duty” is “information resources management”; that the CIO “monitors the performance of information technology programs of the agency, evaluates the performance of those programs on the basis of the applicable performance measurements, and advises the head of the agency regarding whether to continue, modify, or terminate a program or project”; and that the CIO “assesses the requirements established for agency personnel regarding knowledge and skill in information resources management and the adequacy of those requirements for facilitating the achievement of the performance goals established for information resources management.” Id. § 11315(c); see also id. (specifying that the duties defined in 5 U.S.C. § 11315(c) apply to agencies listed in 31 U.S.C. § 901(b)); 31 U.S.C. § 901(b)(2)(E) (listing OPM).
In his declarations, Hogan cites to his statutory duties and his responsibilities to develop and maintain OPM's information technology and information resource infrastructure, to advise agency leadership on the management and acquisition of information technology resources, and to strategically plan information resources management. See ECF 27-8, ¶ 3; ECF 33-1, ¶ 3. Hogan has access to OPM's systems of records, including eOPF and EHRI. See ECF 27, at 10–11. These systems house records with many of the plaintiffs’ PII, such as Social Security numbers, dates of birth, health and life insurance policy numbers, security clearances, civil and criminal histories, education records, employment histories, and notices of personnel actions. See eOPF Privacy Impact Assessment 5–6.
Hogan's duties as CIO appear to support the level of access he has been granted to OPM's records. In fact, the CIO is listed as the eOPF “system owner.” See id. at 3. On the current record, Hogan's broad access to OPM's records appears to be “in connection with the performance of duties assigned to him” and necessary “in order to perform those duties properly.” See Bigelow, 217 F.3d at 877.
Other DOGE affiliates at OPM are not similarly situated. The duties of the numerous other OPM employees who “have contributed to facilitating the President's initiatives related to workforce reform” are unclear from the current record. See ECF 27-8, ¶ 8. The government says their duties are to implement the Workforce Executive Order. At the February 19 hearing, the government directed the Court to the Workforce Executive Order's purpose of “restor[ing] accountability,” “eliminating waste, bloat, and insularity” in the “Federal bureaucracy,” and creating a plan “to reduce the size of the Federal Government's workforce through efficiency improvements and attrition”; the Order's instructions for agencies to develop “a data-driven plan, in consultation with its DOGE Team Lead, to ensure new career appointment hires are in highest-need areas” and to consult with DOGE team leads when filling vacancies and making new appointment hiring decisions; its requirement for DOGE team leads to prepare monthly agency hiring reports; the initiation of “large-scale reductions in force”; its requirement that OPM initiate rulemaking to revise 5 C.F.R. § 731.202(b) to include new suitability criteria; and its charge for agency heads to identify “statutorily required entities” within their respective agencies. See id. §§ 1, 3.
None of these workplace reform measures appears to require an OPM employee to access records with the sensitive personal information of current and former federal employees. Yet some OPM personnel who are implementing the directives in the Workforce Executive Order apparently have access to “sensitive OPM records systems” that contain this information, which includes the PII of some plaintiffs. See ECF 33-1, ¶ 12; ECF 27, at 10; ECF 27-8, ¶¶ 6, 8, 12. The government never explains why OPM personnel need access to these sensitive records to implement the workplace reform measures in the Workforce Executive Order. See Walker, 647 F. Supp. 2d at 538 n.4 (“Defendant has failed to describe how knowledge of such information would affect the ability of any of these employees to perform their specific duties.”); cf. Vargas v. Reno, No. 99-2725, slip op. at 13 (W.D. Tenn. Mar. 31, 2000) (denying government's summary judgment motion on Privacy Act claim of unlawful intra-agency disclosure to an agency investigator where “[d]efendants ha[d] not submitted evidence that Vargas had potentially violated any law or regulation or that Vargas's records were relevant or necessary to [the] investigation”).
Hogan, OPM's CIO, does not offer any explanation either. Hogan reports that some measures are in place to limit access to some OPM employees who are participating in the workplace reform efforts. See ECF 33-1, ¶ 10. He says that some OPM personnel “do not require access to sensitive OPM data systems.” Id. Hogan also indicates that certain “OPM data systems containing personally identifiable information ․ require authentication for internal access.”13 Id. ¶ 11. He says that “[s]ystems requiring authentication are designed to default to no access, and access is granted on a least-privilege or need-to-know basis by the System Owner and relevant Authorizing Official.” Id. Hogan assures that “OPM regularly reviews access permissions” for “systems engineers who require access to sensitive OPM data systems ․ to ensure that they are appropriately limited.” Id. He also says that, in early February, he directed his “team to remove access to eOPF and EHRI for three engineers whose job duties do not require prospective access.” Id. ¶ 12. And Hogan explains that five “key systems engineers” do not have “access to EHRI, though that could change if their duties require access in the future.” Id. ¶ 13. Although Hogan explains generally that access to personal information is limited at times, he does not explain why those OPM employees who do have access to these systems of record for the principal purpose of implementing the Workforce Executive Order need to access these records to perform their jobs. Hogan also does not identify which OPM employees working on the DOGE workplace reform measures have been granted access to the OPM records systems with sensitive information. And he does not explain the criteria for determining who needs access to this information to fulfill their job duties. Thus, even with Hogan's assurances, the current record does not show that DOGE affiliates at OPM have a need for the plaintiffs’ PII in the performance of their duties.
The plaintiffs have shown a likelihood of success on the merits of their claim that OPM's disclosure of their records to DOGE affiliates (other than Hogan) does not fall within the need-to-know exception and thus violates the Privacy Act.14
The plaintiffs have shown a likelihood of success on the merits of their APA claim that Education and OPM have taken a final agency action “not in accordance with law.” 5 U.S.C. § 706(2)(A).15
2. Irreparable Harm
“To establish irreparable harm, the movant must make a ‘clear showing’ that it will suffer harm that is ‘neither remote nor speculative, but actual and imminent’ ” and that the harm “ ‘cannot be fully rectified by the final judgment after trial.’ ” Mountain Valley Pipeline, LLC v. 6.56 Acres of Land, Owned by Sandra Townes Powell, 915 F.3d 197, 216 (4th Cir. 2019) (first quoting Direx Israel, Ltd. v. Breakthrough Med. Corp., 952 F.2d 802, 812 (4th Cir. 1991); and then quoting Stuller, Inc. v. Steak N Shake Enters., 695 F.3d 676, 680 (7th Cir. 2012)).
The plaintiffs have made a clear showing that they are likely to suffer irreparable harm without injunctive relief. DOGE affiliates have been granted access to systems of record that contain some of the plaintiffs’ most sensitive data—Social Security numbers, dates of birth, home addresses, income and assets, citizenship status, and disability status—and their access to this trove of personal information is ongoing. There is no reason to believe their access to this information will end anytime soon because the government believes their access is appropriate. See ECF 27-1, at 23 (articulating the government's position that “[t]he Privacy Act therefore expressly allows disclosure of information protected under that statute in the circumstances of this case”).
This continuing, unauthorized disclosure of the plaintiffs’ sensitive personal information to DOGE affiliates is irreparable harm that money damages cannot rectify. See, e.g., Norman-Bloodsaw v. Lawrence Berkeley Lab'y, 135 F.3d 1260, 1275 (9th Cir. 1998) (finding “the retention of [the plaintiff's] undisputedly intimate medical information [without consent] ․ would constitute a continuing ‘irreparable injury’ for purposes of equitable relief”); Roberts v. Austin, 632 F.2d 1202, 1213 (5th Cir. 1980) (finding irreparable harm from state agency's unauthorized release of food stamp recipients’ files to state's attorney because “the [Food Stamp] Act and accompanying regulations give recipients statutory protection from disclosure of confidential information” and “[a]s such, recipients possess a legitimate expectation that the information will be kept confidential”); In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d 778, 802 (N.D. Cal. 2022) (“The invasion of privacy triggered by the Pixel's allegedly ongoing disclosure of plaintiffs’ medical information is precisely the kind of intangible injury that cannot be remedied by damages.”); Haw. Psychiatric Soc. v. Ariyoshi, 481 F. Supp. 1028, 1038 (D. Haw. 1979) (finding irreparable injury because “[t]he disclosure of the highly personal information contained in a psychiatrist's files to government personnel is itself a harm that is both substantial and irreversible”).
3. Balance of the Equities and the Public Interest
The balance of the equities and the public interest “merge when the Government is the opposing party.” Nken v. Holder, 556 U.S. 418, 435, 129 S.Ct. 1749, 173 L.Ed.2d 550 (2009). To balance the equities, the Court considers “the relative harms to the [plaintiffs and defendants], as well as the interests of the public at large.” Barnes v. E-Sys., Inc. Grp. Hosp. Med. & Surgical Ins. Plan, 501 U.S. 1301, 1305, 112 S.Ct. 1, 115 L.Ed.2d 1087 (1991) (Scalia, J., in chambers) (quoting Rostker v. Goldberg, 448 U.S. 1306, 1308, 101 S.Ct. 1, 65 L.Ed.2d 1098 (1980) (Brennan, J., in chambers)). These factors weigh in favor of a temporary restraining order.
The plaintiffs have shown that Education and OPM likely violated the APA by granting DOGE affiliates sweeping access to their sensitive personal information in defiance of the Privacy Act. “There is generally no public interest in the perpetuation of unlawful agency action.” League of Women Voters v. Newby, 838 F.3d 1, 12 (D.C. Cir. 2016). And “[t]here is a strong public interest in curing the effects of the government's unlawful acts[.]” CACI, Inc. – Federal v. U.S. Navy, 674 F. Supp. 3d 257, 279 (E.D. Va. 2023). Preventing the unauthorized disclosure of the plaintiffs’ personal information is in the public interest.
The government argues that preliminary injunctive relief would harm the public interest because it would “limit[ ] the President's ability to effectuate the policy choices the American people elected him to pursue by limiting his advisors and other employees’ ability to access information necessary to inform that policy.” ECF 27, at 28. The temporary injunction in this case does not prevent the President from effectuating the administration's policies. It prevents the disclosure of the plaintiffs’ sensitive personal information to DOGE affiliates who, on the current record, do not have a need to know the information to perform their duties.
The balance of the equities and the public interest favor temporary injunctive relief.
The plaintiffs have established they are entitled to a temporary restraining order.
C. Scope of the Injunction
Injunctive relief grants “full relief needed to remedy the injury to the prevailing party,” but “it should not go beyond the extent of the established violation.” Hayes v. N. State Law Enforcement Officers Ass'n, 10 F.3d 207, 217 (4th Cir. 1993). “Whenever the extraordinary writ of injunction is granted, it should be tailored to restrain no more than what is reasonably required to accomplish its ends.” S.C. Dep't of Wildlife & Marine Res. v. Marsh, 866 F.2d 97, 100 (4th Cir. 1989) (quoting Consol. Coal Co. v. Disabled Miners, 442 F.2d 1261, 1267 (4th Cir. 1971)).
For the foregoing reasons, it is hereby ORDERED, pursuant to Rule 65(b) of the Federal Rules of Civil Procedure, at 8:00 a.m. on this 24th day of February, 2025:
1. The plaintiffs’ motion for a temporary restraining order, ECF 14, is GRANTED in part and DENIED in part as follows:
a. The U.S. Department of Education; Denise L. Carter, the Acting Secretary of Education; and their officers, agents, servants, employees, and attorneys are ENJOINED from disclosing the personally identifiable information of the plaintiffs and the members of the plaintiff organizations to any DOGE affiliates, including Adam Ramada and the five other individuals primarily working on the DOGE agenda at the Department of Education, until March 10, 2025 at 8:00 a.m.;
b. The Office of Personnel Management; Charles Ezell, the Acting Director of OPM; and their officers, agents, servants, employees, and attorneys are ENJOINED from disclosing the personally identifiable information of the plaintiffs and the members of the plaintiff organizations to any OPM employee working principally on the DOGE agenda who has been granted access to OPM records for the principal purpose of implementing the DOGE agenda (other than OPM Chief Information Officer Greg Hogan), until March 10, 2025 at 8:00 a.m.; and
c. The plaintiffs’ motion is DENIED as to the U.S. Department of the Treasury and Scott Bessent, the Secretary of the Treasury;
2. The plaintiffs shall post security in the amount of $10,000 by February 28, 2025;
3. The parties shall meet and confer to discuss a schedule for the production of the administrative record, any request for limited discovery, and a briefing schedule for a preliminary injunction motion and shall file a joint status report on these matters by 5:00 p.m. on February 25, 2025; and
4. The Court will conduct a conference call to discuss the information in the joint status report on February 26, 2025, at 11:00 a.m. (chambers will circulate call-in information to counsel and a public access line will be posted on the Court's website).
FOOTNOTES
1. Other courts recently have denied TROs in similar cases. See Mem. Op. & Order, Am. Fed. of Labor of Indus. Orgs. v. Dep't of Labor, No. 1:25-cv-339 (D.D.C. Feb. 14, 2025) (Bates, J.) (denying TRO against the U.S. Department of Labor, the U.S. Department of Health and Human Services, the Consumer Financial Protection Bureau, the U.S. DOGE Service, and the U.S. DOGE Service Temporary Organization because plaintiffs did not establish likelihood of success on the merits); Mem. Op. & Order, Univ. of Cal. Student Ass'n v. Carter, 1:25-cv-354 (D.D.C. Feb. 17, 2025) (Moss, J.) (denying TRO against Education and Acting Secretary of Education because plaintiffs did not establish irreparable harm); Mem. Op. & Order, EPIC v. OPM, No. 1:25-cv-255 (E.D. Va. Feb. 21, 2025) (Alston, J.) (denying TRO against OPM, Treasury, and agency heads because plaintiffs did not establish irreparable harm). One court has granted a TRO and a preliminary injunction. On February 21, 2025, a district judge in the Southern District of New York granted a preliminary injunction that effectively gives the plaintiffs in this case the relief they seek against Treasury. See Op. & Order, New York v. Trump, 1:25-cv-01144 (S.D.N.Y. Feb. 21, 2025) (Vargas, J.). The court ordered, in part:

[T]he United States Department of the Treasury and the Secretary of the Treasury are restrained from granting access to any Treasury Department payment record, payment systems, or any other data systems maintained by the Treasury Department containing personally identifiable information and/or confidential financial information of payees to any employee, officer or contractor employed or affiliated with the United States DOGE Service, DOGE, or the DOGE Team established at the Treasury Department, pending further Order of this Court.

Id. at 63. The scope of the preliminary injunction includes Treasury records with the plaintiffs’ PII.
Thus, the plaintiffs cannot establish that they will be irreparably harmed if this Court does not grant a TRO against Treasury. For this reason, their motion for a TRO against Treasury and Secretary Bessent is denied.
2. The Court uses the term “DOGE affiliates” throughout the opinion to refer to the personnel at Education and OPM who are working on the DOGE agenda and have been granted access to records containing PII. At Education, this includes Adam Ramada and the “DOGE-affiliated individuals” granted such access as described in Ramada's supplemental declaration. See ECF 27-6, ¶ 7. At OPM, this includes Greg Hogan, the agency's Chief Information Officer, and OPM personnel who are principally working on the President's DOGE agenda and accessing OPM's records for the principal purpose of implementing the President's DOGE agenda.
3. For convenience, and in consideration of the organizational plaintiffs’ role as representatives of their members, the Court uses “plaintiffs” to refer to the individual plaintiffs and the members of the organizational plaintiffs.
4. The government does not argue that the organizational plaintiffs cannot meet the second and third requirements for organizational standing. See ECF 27, at 16–17.
5. The Court “assumes the merits of a dispute will be resolved in favor of the party invoking our jurisdiction in assessing standing.” See Equity In Athletics, Inc. v. Dep't of Educ., 639 F.3d 91, 99 (4th Cir. 2011).
6. The plaintiffs argue they have suffered another injury in fact: the risk of identity theft. To establish standing based on the risk of identity theft, the plaintiffs must show that “their contention of an enhanced risk of future identity theft” is more than “speculative.” See Beck v. McDonald, 848 F.3d 262, 274 (4th Cir. 2017). Because the Court finds that the unauthorized disclosure of sensitive personal information is a concrete injury, it need not decide whether the risk of identity theft also is a concrete injury.
7. The plaintiffs also have shown that they likely have standing. They “must support each element of standing ‘with the manner and degree of evidence required at the successive stages of the litigation.’ ” Murthy v. Missouri, 603 U.S. 43, 58, 144 S.Ct. 1972, 219 L.Ed.2d 604 (2024) (quoting Lujan, 504 U.S. at 561, 112 S.Ct. 2130). At this stage, they “must make a ‘clear showing’ that [they are] ‘likely’ to establish each element of standing.” Id. (quoting Winter, 555 U.S. at 22, 129 S.Ct. 365). The plaintiffs have shown that records stored with OPM and Education contain their sensitive personal information. See ECF 14-3, ¶¶ 7–10 (J. Cain Decl.); ECF 14-5, ¶¶ 6–9 (K. Goldsmith Decl.); ECF 14-7, ¶¶ 5–10 (D. Martinez Decl.); ECF 14-8, ¶¶ 6–9 (C. Purdy Decl.); ECF 14-9, ¶¶ 6–11 (S. Tammello Decl.); ECF 14-10, ¶¶ 10–14 (B. Bryant Decl.); ECF 14-11, ¶¶ 5–9 (W. Shackelford Decl.); ECF 14-12, ¶¶ 8–13 (M. Biggs Decl.). And they also have shown a likelihood that the government improperly granted DOGE affiliates access to the systems that house these records. In consequence, they have made a clear showing that they likely have suffered a concrete harm and that they likely have standing.
8. The Privacy Act does not define “disclosure,” but agencies have interpreted the term to include granting access to records. See OMB Guidelines, 40 Fed. Reg. 28948, 28953 (July 9, 1975) (“A disclosure may be either the transfer of a record or the granting of access to a record.”); 5 C.F.R. § 297.102 (“Disclosure means providing personal review of a record, or a copy thereof, to someone other than the data subject or the data subject's authorized representative, parent, or legal guardian[.]”). Likewise, courts have construed the term “liberally to include not only the physical disclosure of the records, but also the accessing of private records.” See Wilkerson v. Shinseki, 606 F.3d 1256, 1268 (10th Cir. 2010); Tolbert-Smith v. Chu, 714 F. Supp. 2d 37, 43 (D.D.C. 2010) (reading “disclosure” to include “plac[ing] records ․ on a server accessible by other federal employees and members of the public”); cf. Wilborn v. Dep't of Health & Human Servs., 49 F.3d 597, 600–01 (9th Cir. 1995) (“[T]he Privacy Act, if it is to be given any force and effect, must be interpreted in a way that does not ‘go[ ] against the spirit’ of the Act”) (quoting MacPherson v. IRS, 803 F.2d 479, 481 (9th Cir. 1986)), abrogated on other grounds by Chao I, 540 U.S. 614, 124 S.Ct. 1204. Even courts that have required more than mere transmission of records have suggested that disclosure occurs when “information has been exposed in a way that would facilitate easy, imminent access.” See In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 29 (D.D.C. 2014).
9. The government's explanation of the DOGE affiliates’ need for the records is: [T]hose employees have a “need to know” under the statute. Executive Order 14,158 provides that these individuals have a need to know “all unclassified agency records, software systems, and IT systems” to perform their duties. 90 Fed. Reg. 8441, § 4 (emphasis added). Indeed ... the OPM personnel need to access such records to execute their direction to implement workplace reform, Hogan Decl. ¶¶ 6, 8, and the Department of Education personnel need to access such records in order to audit student loan programs for waste, fraud, and abuse, Ramada Decl. ¶ 9. Cf. Feb. 14, 2025 Order, Am. Fed. of Labor of Indus. Orgs. v. Dep't of Labor, No. 1:25-cv-339, at 3-4, 8 (D.D.C. Feb. 14, 2025) (Bates, J.). ECF 27, at 26–27; see also id. at 23 (“What is more, they need access to large datasets (including material that may be covered by the Privacy Act) to carry out their Presidentially-directed functions.”).
10. Notably, for at least one of the Education systems of record, most PII can be masked with “dummy” data. See Dep't of Educ., Privacy Impact Assessment for the Financial Management System (FMS) 21 (May 29, 2024), https://www.ed.gov/sites/ed/files/notices/pia/fsa-financ-manag-syst.pdf.
11. Courts have found the need-to-know exception applies when there is an explanation for why the employee needed access to the protected information to perform their job duties. See, e.g., Howard v. Marsh, 785 F.2d 645, 648 (8th Cir. 1986) (attorney and personnel specialist gathering information about a discrimination complaint against the agency needed complainant's employment records to respond to the complaint); Covert v. Harrington, 876 F.2d 751, 752–54 (9th Cir. 1989) (Inspector General's agents needed employees’ personnel security files after receiving allegations that they were falsifying their permanent residences to obtain a per diem); Dinh Tran v. Dep't of Treasury, 351 F. Supp. 3d 130, 137–39 (D.D.C. 2019), aff'd per curiam, 798 F. App'x 649 (D.C. Cir. 2020) (employees evaluating a detail request needed to know information in the requestor's performance appraisal to evaluate her skillset and suitability for the detail).
12. At argument, the Court asked government counsel whether any of the systems of records allow for the redaction of PII or whether any of the DOGE affiliates at the agencies were viewing redacted records. Counsel did not know.
13. These data systems include eOPF, EHRI, USAJOBS, USA Staffing, USA Performance, and Health Insurance, which houses Federal Employees Health Benefits (“FEHB”) and Postal Service Health Benefits (“PSHB”) data. See ECF 33-1, ¶ 11.
14. The government identified another potentially relevant Privacy Act exception that permits disclosure “for a routine use,” which is defined as “the use of such record for a purpose which is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7), (b)(3). See ECF 27, at 27. However, the government represented to the Court at the hearing that the agencies are not relying on the routine use exception unless the Court determines that DOGE affiliates are not Education or OPM employees. Because the Court assumes (but does not decide) that the DOGE affiliates are employees of the agencies that disclosed the information to them, the Court need not address whether the “routine use” exception might apply to the inter-agency disclosure of information. See 5 U.S.C. § 552a(a)(7), (b)(3).
15. The plaintiffs have raised two other APA claims against the government: that the agencies acted arbitrarily and capriciously and in excess of their statutory authority. Because the Court finds that the plaintiffs have shown a likelihood of success on the merits of their APA claim that Education and OPM acted “not in accordance with law,” 5 U.S.C. § 706(2), it need not consider the plaintiffs’ likelihood of success on the remaining APA claims.
Deborah L. Boardman, United States District Judge
Docket No: Civ. No. DLB-25-0430
Decided: February 24, 2025
Court: United States District Court, D. Maryland.