Federal Judge Rules Trump Administration’s Data Transfer to DOGE Violated Privacy Act and Cybersecurity Protections
New York Court Denies Dismissal, Finds Trump Admin’s Data Sharing with DOGE Illegal and Risky
A federal judge in New York has ruled that the Trump administration’s hasty transfer of federal employee data to the Department of Governmental Efficiency (DOGE) constituted a “breach of law and trust,” violating the Privacy Act of 1974 and established cybersecurity protections. In a decision issued by Judge J. Paul Oetken in the U.S. District Court for the Southern District of New York, the court denied the Trump administration’s motion to dismiss a lawsuit brought by plaintiffs alleging significant privacy and security violations. The ruling, identified as Case 1:24-cv-03346-JPO, centers on the unauthorized disclosure of sensitive personal information belonging to millions of federal employees.
The court’s findings outline how the Trump administration, in an effort to streamline government operations, directed the transfer of federal employee data—including names, Social Security numbers, and other personally identifiable information—to DOGE, a newly formed entity tasked with improving efficiency. The plaintiffs argued that this action bypassed critical safeguards, lacking proper authorization, notice, or consent as required by the Privacy Act. The ruling underscores that the law, enacted to protect individuals’ privacy, mandates that federal agencies maintain strict controls over personal data and limit its disclosure without explicit permission or legal basis.
Judge Oetken’s decision emphasized that the administration’s actions failed to comply with the Privacy Act’s requirements and disregarded cybersecurity protocols outlined in federal regulations, such as those under the Federal Information Security Modernization Act (FISMA). The court concluded that the rushed data transfer exposed millions of federal employees to potential identity theft, data breaches, and other risks, as DOGE lacked adequate systems to secure the information. The ruling highlights the absence of risk assessments, encryption standards, and oversight mechanisms, which the judge deemed a reckless breach of trust.
The lawsuit, which will now proceed to further litigation, was supported by evidence from whistleblowers and cybersecurity experts who testified to the haphazard nature of the data transfer. The court’s judgment rejected the administration’s claim that the transfer was justified under executive authority for efficiency reforms, stating that such authority does not supersede statutory protections. Judge Oetken noted in the ruling that the government’s failure to provide notice to employees or obtain their consent further compounded the violation, undermining public trust in federal data management.
This ruling marks a significant rebuke of the Trump administration’s approach to data handling and sets a precedent for future cases involving federal employee privacy. The court’s decision allows the plaintiffs to seek remedies, including potential damages and injunctive relief to halt further unauthorized transfers. As the case moves forward, the ruling sends a clear message about the critical balance between government efficiency initiatives and the legal duty to protect sensitive personal information from misuse or exposure.