[Electronic Frontier Foundation (EFF)] was the first firm to bring a suit directly against DOGE, representing two federal workers’ unions: the AFGE and the AALJ, and our co-counsel are from Lex Lumina LLP, State Democracy Defenders Fund, and The Chandra Law Firm. At the heart of our case are the millions of personnel records that DOGE agents were given access to by OPM Acting Director Charles Ezell.
The OPM is like the US government’s HR department. It holds files on every federal employee and retiree, filled with sensitive, private data about that worker’s finances, health, and personal life. The OPM also holds background check data on federal workers, including the deep background checks that federal workers must undergo to attain security clearances. Many of us – including me – first became familiar with the OPM in 2015, after its records were breached by hackers believed to be working for the Chinese military….
That breach was catastrophic. Chinese spies stole the sensitive data of tens of millions of Americans. The DOGE breach implicates even more Americans’ private data, though, and while DOGE isn’t a foreign intelligence agency, that cuts both ways. It’s a good bet that a Chinese spy agency will not leak the records it stole, but with DOGE, it’s another matter entirely. I wouldn’t be surprised to find the OPM data sitting on a darknet server in a month or a year.
The US government tried to get the case tossed out by challenging our clients’ “standing” to sue. Only people who have been harmed by someone else has the right (“standing”) to sue over it. Does having your data leaked to DOGE constitute a real injury? Two recent Supreme Court cases say it does: Spokeo vs Robins and Transunion vs Ramirez both establish that “intangible” injuries (like a privacy breach) can be the basis for standing.
The court agreed that our clients had standing because the harms we alleged – DOGE’s privacy breaches – are “concrete harms analogous to intrusion upon seclusion” (“intrusion upon seclusion” is one of the canonical privacy violations, set out in the Restatement of Torts, the American Law Institute’s comprehensive guide to common law).
But the court went further, noting that DOGE’s operation is accused of being “rushed and insecure,” rejecting DOGE’s argument that it only accessed OPM’s “system” but not the data stored in that system.
Lambert here: What the…
The court also said that it wouldn’t matter if DOGE accessed the system, but not the data – that merely gaining access to the data violated our clients’ privacy. Here, the judge is part of an emerging consensus, joining with four other federal judges who’ve ruled that when DOGE gains access to a system containing private data, that alone constitutes a privacy violation, even if DOGE doesn’t look at or process the records in the system.
The judge found that we were entitled to seek relief under the Administrative Procedures [sic] Act (APA), which proscribes the conduct of federal agencies – and that our relief could be both “declaratory” (meaning a court could rule that DOGE was breaking the law) and “injunctive” (meaning the court could order DOGE to knock it off).
All of this is still preliminary – we’re not at the point yet where we’re actually arguing the case. But standing is a huge deal.
Add new comment