American Federation of Labor and Congress of Industrial Organizations v. Department of Labor

• Court: District Court, District of Columbia
• Decided: April 16, 2025
• Docket: Civil Action No. 2025-0339
• Status: Published

Opinion

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

AMERICAN FEDERATION OF LABOR AND CONGRESS OF INDUSTRIAL ORGANIZATIONS, et al.,

Plaintiffs, v. Civil Action No. 25-339 (JDB) DEPARTMENT OF LABOR, et al.,

Defendants.

MEMORANDUM OPINION

Before the Court is defendants’ motion to dismiss plaintiffs’ first amended complaint.

Unlike on a typical motion to dismiss, this isn’t the first time defendants have presented the Court

with their legal arguments; two temporary restraining order (“TRO”) motions and three discovery-

related motions have already given defendants the chance to air those grievances. However, the

Court has not yet resolved all the legal issues defendants continue to raise. Now it does—at least

as applied to the allegations in the complaint. Plaintiffs adequately state their ultra vires claim

against the United States DOGE Service and some claims under the Administrative Procedure Act

(“APA”) against the Department of Labor (“DOL”), the Department of Health and Human

Services (“HHS”), and the Consumer Financial Protection Bureau (“CFPB”). However, plaintiffs

fail to state their standalone Privacy Act claim. So the Court will grant defendants’ motion in part

and deny it in part.

BACKGROUND

Plaintiffs filed this case on February 5, 2025. Compl. [ECF No. 1]. Since then, the Court

has denied plaintiffs’ two TRO motions, Mem. Op. & Order [ECF No. 18]; Mem. Op. & Order

1 [ECF No. 34] (“Second TRO Order”), granted in part (then reaffirmed and slightly modified)

plaintiffs’ motion for limited expedited discovery, Order [ECF No. 48]; Mem. Op. & Order [ECF

No. 71] (“Recons. Order”), and set a preliminary injunction briefing schedule, see Order [ECF No.

43], among other things. Throughout this motions practice, there has been an ever-evolving factual

record. See Recons. Order at 15 (noting the “consistent alterations” in the factual record and

“trickle of information” throughout the litigation). That record, however, has no bearing here. On

a motion to dismiss, the Court is generally limited to reviewing the allegations as set forth in the

complaint. See Air Excursions LLC v. Yellen, 66 F.4th 272, 277 (D.C. Cir. 2023). Therefore,

what follows reflects the allegations in the complaint—not necessarily the facts on the ground.

I. United States DOGE Service

The same day that President Donald Trump was inaugurated for his second term, he issued

an executive order entitled “Establishing and Implementing the President’s ‘Department of

Government Efficiency.’” Exec. Order No. 14,158, 90 Fed. Reg. 8441 (Jan. 20, 2025) (the “DOGE

E.O.”). That E.O. renamed the United States Digital Service as the United States DOGE Service

(“USDS”) and reorganized it within the Executive Office of the President. Id. § 3(a). USDS is

headed by the USDS Administrator—who reports to the White House Chief of Staff—and contains

within it “the U.S. DOGE Service Temporary Organization,” which is charged with “advancing

the President’s 18-month DOGE agenda.” Id. § 3(b). That agenda, per the E.O., involves

“modernizing Federal technology and software to maximize governmental efficiency and

productivity.” Id. § 1. The Court uses “USDS” to refer to both USDS and U.S. DOGE Service

Temporary Organization throughout this Opinion.

In addition to creating USDS, the E.O. gave it—along with the heads of every federal

agency—marching orders. Agency heads were directed to “establish within their respective

2 [a]gencies a DOGE Team of at least four employees . . . within thirty days.” Id. § 3(c). These

teams were to be selected by the agency head “in consultation with the USDS Administrator” and,

once established, the agency heads must “ensure that DOGE Team[s] . . . coordinate their work

with USDS” and receive advice from the Teams on how to “implement[] the President’s DOGE

Agenda.” Id. As relevant here, the E.O. also provides that agency heads “shall take all necessary

steps, in coordination with the USDS Administrator and to the maximum extent consistent with

law, to ensure USDS has full and prompt access to all unclassified agency records, software

systems, and IT systems.” Id. § 4(b); see also id. § 4(a) (directing the USDS Administrator to

“commence a Software Modernization Initiative” in which the Administrator “work[s] with

Agency Heads to promote inter-operability between agency networks and systems, ensure data

integrity, and facilitate responsible data collection and synchronization”). Throughout its work

with said records and systems, “USDS shall adhere to rigorous data protection standards.” Id.

§ 4(b). Similarly, the E.O. states—as most executive orders do—that it “shall be implemented

consistent with applicable law and subject to the availability of appropriations.” Id. § 5(b); see

also id. § 5(a)(i) (stating that nothing in the E.O. affects “the authority granted by law to an

executive department or agency, or the head thereof”).

II. USDS

According to plaintiffs, “[s]ince Inauguration Day, [USDS] personnel have sought and

obtained unprecedented access to information systems across numerous federal agencies.” Am.

Compl. [ECF No. 21] ¶ 49. Those agencies include defendants DOL, HHS, and CFPB.1

1 The Amended Complaint also contains allegations of USDS’s actions at other federal agencies. See Am. Compl. ¶¶ 49–67 (describing USDS’s actions at United States Agency for International Development, Department of Treasury, National Oceanic and Atmospheric Administration, Office of Personnel Management, and Department of Education). The Court does not detail those allegations because (1) the allegations of USDS’s actions at the agency defendants alone are sufficient to establish standing to sue and to state a claim against the defendants here and (2) the Court seeks to avoid any confusion between the allegations here and the facts that have been found in separate ongoing litigation against those other agencies.

3 a. Department of Labor

On February 4, 2025, media began reporting that USDS was “going after the Department

of Labor” and that DOL staffers had “been ordered to give [USDS personnel] access to anything

they want—or risk termination.” Id. ¶ 68 (internal quotation marks omitted). A DOL staffer and

member of plaintiff American Federation of Government Employees (“AFGE”) confirmed those

reports. See id. ¶ 69. According to the employee, DOL leadership had instructed employees that

when USDS “visit[s] DOL, they are to do whatever” USDS asks and give USDS “access to any

DOL system [it] requested access to”—without questions or regard to “any security protocols.”

Id.

As a result of these reports, plaintiffs filed this lawsuit and their first TRO motion on

February 5. See id. ¶ 70. The Court scheduled a call with the parties that same day, and on that

call DOL “confirmed that the reported meeting between [USDS] staff” and DOL “was underway.”

Id. ¶ 70; cf. Order [ECF No. 5] 1 (explaining that “Defendants represented to the Court that DOL

will not allow [USDS] access to any DOL data until after this Court rules on the TRO motion”).

A day later, defendants filed along with their TRO opposition a declaration by Adam Ramada,

who identified himself as a USDS employee detailed to DOL to carry out the USDS agenda. See

Am. Compl. ¶ 71; Decl. of Adam Ramada [ECF No. 16-1] (“Ramada Decl.”) ¶¶ 1, 5. Ramada did

not “contest that DOL employees had been ordered to give [USDS] access to all DOL systems,”

nor did he say that USDS “detailees at [DOL] would only serve a detail at one agency at a time”

or “be solely accountable to leadership at DOL, and not to leadership at [USDS].” Am. Compl.

¶ 71.

USDS’s access to DOL systems worries plaintiffs because of the personal information

those systems hold. While DOL “lists over 50 different systems containing personally identifiable

4 information [(“PII”)] across its functions,” plaintiffs identify the following systems at issue here:

the Federal Employees’ Compensation Act (“FECA”) Claims Administration, the Wage & Hour

Investigative Support and Reporting Database (“WHISARD”), the Occupational Safety and

Health Administration’s (“OSHA”) Integrated Management Information Systems, the Employee

Benefit Security Administration’s (“EBSA”) Enforcement Management System, Office of Federal

Contract Compliance Programs’ (“OFCCP”) systems, Office of Labor-Management Standards

(“OLMS”) investigation files, and the Bureau of Labor Statistics’ (“BLS”) systems. See id. ¶¶ 81,

84–117. The PII these systems hold includes not only names and contact information but also

social security numbers, healthcare records, financial information, and more. See, e.g., id. ¶¶ 86,

177. Beyond that, many systems—including FECA, WHISARD, OSHA, and OFCCP—hold

complaints against employers by employees who rely on the promise of anonymity. See id. ¶¶ 85,

90–91, 95, 101–102. And EBSA and OLMS’s systems include files on investigations into labor

unions for alleged violations of laws such as the Employee Retirement Income Security Act of

1974 (“ERISA”) and the Labor Management Reporting and Disclosure Act. See id. ¶¶ 97–99,

103–06.

In addition to containing PII, these systems contain information that could be relevant to

the person who allegedly directs USDS’s work: Elon Musk. See id. ¶ 30. Musk—an

entrepreneur—owns a range of companies, several of which “have been subject

to . . . investigations and fines by” DOL. Id. ¶ 74. OHSA has investigated and fined two of them

for safety violations, SpaceX and Tesla, and has both fined in the past and has open investigations

into a third, the Boring Company. See id. ¶¶ 75–77. Plus, OHSA and other DOL components

investigate Musk’s competitors. See id. ¶ 78. While Musk typically wouldn’t be able to access

5 non-public information on these investigations, plaintiffs assert that DOL leadership’s “blanket

instruction to provide [USDS] employees with ‘anything they want’” will allow him to. Id. ¶ 80.

b. Department of Health and Human Services

A similar story has unfolded at HHS, which houses, among other things, the Centers for

Medicare and Medicaid Services (“CMS”). The same day that plaintiffs filed this lawsuit, reports

were published saying that USDS “employees had access to . . . [HHS] systems, including ‘key

payment and contracting systems.’” Id. ¶ 118. Any doubt as to the validity of these reports was

squelched that very day. For one, Musk posted on his social media website X an image of a news

headline that read “DOGE Aides Search Medicare Agency Payment Systems for Fraud” and added

the comment, “Yeah, this is where the big money fraud is happening.” Id. ¶ 120.2 In addition,

HHS issued a statement explaining that “two senior HHS employees were ‘leading the

collaboration with [USDS], including ensuring appropriate access to CMS systems and

technology.’” Id. ¶ 123.3

CMS houses a plethora of systems that contain PII. Start with the Healthcare Integrated

General Ledger Accounting System (“HIGLAS”)—which USDS employees reportedly requested

to access soon after they arrived at HHS. See id. ¶ 124. HIGLAS is an “accounting system that

standardizes and centralizes federal financial accounting functions for all of CMS’s programs,” id.

¶ 125, and thus “exchanges data with other systems that are necessary to support financial

management.” Id. The data HIGLAS holds includes individuals’ “Medicare accounts

receivables,” and the system “allows CMS to collect outstanding debts more timely.” See id. Even

2 Elon Musk (@elonmusk), X (Feb. 5, 2025 12:01 PM ET), https://x.com/elonmusk/status/1887184902543577590. 3 CMS, CMS Statement on Collaboration with DOGE (Feb. 5, 2025), https://www.cms.gov/newsroom/press- releases/cms-statement-collaboration-doge.

6 more basically, CMS keeps a “comprehensive database” of “enrollment, eligibility, and paid

claims data about Medicaid recipients” that includes the “[n]ame, address, phone number, email,

. . . and [social security number (“SSN”)] or other identifying number” of not only the recipients,

but of Medicaid providers and the guardians of Medicaid recipients who are minors. See id.

¶ 134(b); see also id. ¶ 134(a), (c) (describing other Medicaid datasets that contain PII). The same

is true for Medicare. For example, CMS has records of every Medicare recipient’s name, her

health insurance claims, “all services rendered to [her] . . . in an inpatient hospital,” and any

Supplemental Security Income information. See id. ¶ 135(a), (b). And Medicare recipients aren’t

the only people whose information CMS stores; CMS also has the tax identification number and

SSN of every practitioner who seeks reimbursement, along with “information concerning [their]

birth, residence, medical education, and eligibility information for Medicare reimbursement.” Id.

¶ 135(c).

HHS’s cache of data systems isn’t limited to CMS. For example, the Centers for Disease

Control and the National Institute of Health (and thus the data they hold) are also parts of HHS—

and USDS has visited both. See id. ¶¶ 126–27. And, like other employers, HHS holds extensive

records and information about its employees and their families, including SSNs, addresses,

income, personnel orders, information on individuals’ disabilities, requests for religious

accommodations, use of an Employee Assistance Program, and more. Id. ¶ 138.

c. Consumer Financial Protection Bureau

Completing this case’s USDS-agency-involvement trilogy is CFPB. “Musk and his

associates began targeting the CFPB for dismantling” “[e]ven before the current administration

took office.” Id. ¶ 141. Then, on February 7, 2025, “three young men associated with [USDS]

arrived at the agency . . . and sought access to CFPB systems.” Id. ¶ 147. According to reports,

7 those men “gained access to internal computer systems that manage the agency’s human resources,

procurement, and finance systems.” Id. Musk once again appeared to confirm the news reports:

that same day, he posted on X “CFPB RIP” followed by an image of a tombstone. Id. ¶ 148. Also

that day, the CFPB Acting Director reportedly emailed agency staff and explained that USDS

personnel were authorized to “begin work on all unclassified CFPB systems.” Id. ¶ 150. And

CFPB took various steps in the days that followed to downsize or dismantle the agency. See id.

¶¶ 151–54.

CFPB has “over 40 different systems containing personally identifiable information across

its functions.” Id. ¶ 155. Plaintiffs point out three types of data in particular. The first is the “over

10 million consumer complaints” filed with CFPB. See id. ¶ 160. These complaints—which

contain grievances about “a broad range of consumer products or services, from mortgages, credit

cards, student loans, and credit reporting”—contain a lot of information about the individuals who

submit them, such as their names, SSNs, contact information, and “sensitive financial information”

like “bank account and routing numbers, credit card numbers, credit history,” and more. See id.

¶¶ 158–59. The second is Home Mortgage Disclosure Act (“HMDA”) data, which is data that

financial institutions submit to CFPB regarding mortgage lending practices. See id. ¶ 167. CFPB

makes this data public, but the “public data are modified to protect applicant and borrower

privacy.” Id. ¶ 169. The third is market monitoring data that CFPB collects to “monitor for risks

to consumers in the offering or provision of consumer financial products or services, including

developments in markets for such products or services.” Id. ¶ 163 (quoting 12 U.S.C.

§ 5512(b)(4)). Plaintiffs include this dataset because it “would allow [] Musk to learn otherwise

unavailable information about the operations of a competitor.” Id. ¶ 166.

III. Amended Complaint

8 According to plaintiffs, the events they describe are unlawful for a host of reasons, which

they form into five counts.

In Count One, plaintiffs assert an ultra vires claim against USDS because they assert USDS

is operating and directing actions at the agency defendants without any legal authority to do so.

See id. ¶¶ 226–36.

In Counts Two through Four, plaintiffs assert APA claims against DOL, CFPB, and HHS

respectively. According to plaintiffs, each agency defendant has chosen “to allow for [USDS]

staff to access” all or most systems within the agency, and those choices amount to “policies” and

thus final agency actions reviewable under the APA. See ¶¶ 238–39, 251, 258. These policies

are, as plaintiffs see it, contrary to multiple federal laws. Most prominently, plaintiffs allege that

the policies violate the Privacy Act, which prohibits an agency from “disclos[ing] any record which

is contained in a system of records . . . to any person, or to another agency, except pursuant to a

written request by, or with the prior written consent of, the individual to whom the record pertains.”

5 U.S.C. § 552a(b); see Am. Compl. ¶¶ 241, 253, 260. Plaintiffs also allege that: each policy

violates the Federal Information Security Modernization Act of 2014 (“FISMA”) as well as each

agency’s preexisting regulations, Am. Compl. ¶¶ 244–45, 254–55, 261–62; DOL’s policy violates

the Confidential Information Protection and Statistical Efficiency Act of 2002 (“CISPEA”) and a

federal retaliation statute, 5 U.S.C. § 2302(b)(9)(D), id. ¶¶ 242–43; and HHS’s policy violates the

Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), id. ¶ 262. Beyond being

contrary to law, plaintiffs contend that DOL’s policy failed to consider important aspects of the

data-access problem, see id. ¶¶ 246–47, and that each agency’s policy “effectively revoked”

preexisting regulations and thus required notice and comment, see id. ¶¶ 247–49, 255–57, 262–64.

9 Lastly, in Count Five, plaintiffs bring stand-alone Privacy Act claims against USDS and

each agency defendant. See id. ¶¶ 266–69. That is, plaintiffs bring claims under the Privacy Act’s

private cause of action for defendants’ alleged violation of 5 U.S.C. § 552a(b). See 5 U.S.C.

§ 552a(g)(1)(D).

Plaintiffs seek declaratory and injunctive relief to remedy defendants’ allegedly unlawful

conduct. In relevant part, plaintiffs ask the Court to (1) declare unlawful agency defendants’

decisions to provide USDS personnel access to sensitive systems, (2) require agency defendants

to remove anything USDS personnel have installed on agency systems and USDS to return or

destroy any material it has unlawfully accessed, and (3) to prohibit USDS from exercising ultra

vires authority. Am. Compl. ¶¶ 270–76.

IV. Motion to Dismiss

In their motion to dismiss, defendants mount a barrage of reasons why they think the Court

should dismiss plaintiffs’ claims. See Mem. L. Supp. Defs.’ Mot. Dismiss Pls.’ First Am. Compl.

[ECF No. 49-1] (“Mot.”). As an initial matter, defendants contend that this Court lacks jurisdiction

because plaintiffs don’t have standing to raise any of their claims. Id. at 13–20. From there,

defendants take aim at the five counts by arguing that plaintiffs fail to state any of the claims they

assert. Id. at 21–36. Plaintiffs, unsurprisingly, disagree on all fronts. See Pls.’ Resp. Defs.’ Mot.

Dismiss [ECF No. 50] (“Opp’n”).

ANALYSIS

I. Standing4

4 Defendants’ first argument for dismissing the complaint in its entirety is that this case “does not belong in federal court at all” because plaintiffs’ claims “[i]mproperly [a]ttack[] [t]he President’s Article II Powers.” Mot. at 10–11. There is no basis for such an argument. Courts frequently review agencies’ implementation of executive orders to ensure they comply with the law. See Chamber of Com. of U.S. v. Reich, 74 F.3d 1322, 1326–27 (D.C. Cir. 1996) (explaining that D.C. Circuit precedent establishes that an agency’s actions based on an executive order are not “insulate[d] . . . from judicial review under the APA, even if the validity of the Order [is] thereby drawn into question”).

10 Defendants begin by asserting that this Court lacks the power to adjudicate any of the

counts because plaintiffs lack standing to raise them. Article III requires that a plaintiff have an

injury in fact, caused by the challenged conduct, and redressable by the relief requested. Lujan v.

Defs. of Wildlife, 504 U.S. 555, 560–61 (1992). Standing, however, “is not dispensed in gross.”

Town of Chester v. Laroe Ests., Inc., 581 U.S. 433, 439 (2017) (internal quotation marks omitted).

Rather, at least one plaintiff “must demonstrate standing for each claim [plaintiffs] seek[] to press

and for each form of relief that is sought.” Id. (quoting Davis v. Fed. Elec. Comm’n, 554 U.S.

724, 734 (2008)). As organizations, the plaintiffs here have two routes to demonstrate standing:

associational standing—i.e., relying on their members’ injuries—or organizational standing—i.e.,

relying on their own. See Food & Water Watch, Inc. v. Vilsack, 808 F.3d 905, 914, 919 (D.C. Cir.

2015).

Here, defendants argue that plaintiffs lack standing on the face of the complaint (rather

than as a matter of fact). See Mot. at 1, 9; Phx. Consulting Inc. v. Republic of Angola, 216 F.3d

36, 40 (D.C. Cir. 2000) (explaining facial versus factual standing challenges). So, to survive

defendants’ attack, plaintiffs’ “complaint must state a plausible claim” of standing. Humane Soc’y

of the U.S. v. Vilsack, 797 F.3d 4, 8 (D.C. Cir. 2015). A court determines whether a complaint

does so by “accept[ing] facts alleged in the complaint as true and draw[ing] all reasonable

inferences from those facts in the plaintiffs’ favor.” Id. That said, merely restating the elements

of standing doesn’t cut it. See Arpaio v. Obama, 797 F.3d 11, 19 (D.C. Cir. 2015). Importantly,

while assessing whether plaintiffs have standing, “the [C]ourt must assume that . . . [they] will

prevail on the merits” of their legal claims. Comm. on Judiciary of U.S. House of Representatives

v. McGahn, 968 F.3d 755, 762 (D.C. Cir. 2020).

a. Department of Labor and Department of Health and Human Services

11 At least one plaintiff has standing to sue DOL and HHS for violating the APA and the

Privacy Act: the American Federation of Labor and Industrial Organizations (“AFL-CIO”) and

AFGE have associational standing to sue DOL, and the American Federation of State, County and

Municipal Employees (“AFSCME”) as well as the Service Employees International Union

(“SEIU”) have associational standing to sue HHS.5 Associational standing requires that (1) at

least one of the association’s members would have standing in her own right, (2) the interests that

the association seeks to protect in the lawsuit are germane to the association’s purposes, and (3)

the claims the association asserts and relief it requests don’t require individual-member

participation. Sierra Club v. EPA, 754 F.3d 995, 999 (D.C. Cir. 2014).

Here, the bulk of the action lies in requirement one. More specifically, it lies in whether

one of plaintiffs’ members would have an injury in fact. A plaintiff has an injury in fact if the

harm she suffers is “particularized,” “actual or imminent,” and “concrete.” TransUnion LLC v.

Ramirez, 594 U.S. 413, 423 (2021).

In their complaint, certain plaintiffs allege that their members are suffering because DOL

and HHS have unlawfully given USDS personnel access to agency systems that contain the

members’ PII (giving rise to both their APA and Privacy Act claims). AFL-CIO and AFGE’s

members have filed their PII with DOL through OSHA complaints, claims under the Black Lung

Benefits Act and FECA, and by virtue of being DOL employees. See Am. Compl. ¶¶ 175–76,

179–82. As for HHS, AFSCME and SEIU’s members include healthcare providers who submit

claims (and thus their PII) to Medicare and Medicaid, id. ¶¶ 187–88, 196, 202, as well as Medicare

5 This is not to say the other plaintiff organizations definitively lack standing to sue these defendants; the Court simply focuses on these plaintiffs for the sake of efficiency.

12 beneficiaries, id. ¶¶ 198, 200. These plaintiffs contend that DOL and HHS’s provision of access

to this data violates their members’ expectation of privacy. See id. ¶¶ 173, 192, 200, 246.

This alleged harm constitutes an injury in fact. To begin, the members’ alleged harm is

particularized: the violation of the individual members’ privacy stems from the disclosure of their

own PII. See TransUnion, 594 U.S. at 423. The harm is also imminent: plaintiffs allege that USDS

personnel are currently operating at both DOL and HHS, see Am. Compl. ¶¶ 68–71, 73, 118–23,

that DOL leadership directed agency employees to give USDS personnel access to “any DOL

system,” id. ¶¶ 68–69, and that HHS has granted USDS personnel access to CMS and other HHS

systems, id. ¶¶ 118–23, 126–27. It takes no chain of speculation to conclude from these allegations

that DOL and HHS are providing USDS personnel access to systems that contain plaintiffs’

members’ PII. See Clapper v. Amnesty Int’l USA, 568 U.S. 398, 411–14 (2013).6

Contrary to defendants’ arguments otherwise, the harm these union members allege is also

concrete. See Mot. at 14–16. That the Privacy Act makes the defendants’ alleged conduct illegal

and gives plaintiffs a right to sue is not enough to make plaintiffs’ alleged harm concrete. See

TransUnion, 594 U.S. at 425–26. To the contrary, to be concrete, plaintiffs’ harm must be a “harm

‘traditionally’ recognized as providing a basis for a lawsuit in American courts,” or have a “close

relationship” to such a harm. Id. at 424 (internal quotation marks omitted).7 No one contends that

6 The same is not true, however, for the knock-on harms plaintiffs allege their members will face, such as employment retaliation and disruption of patient care. See Am. Compl. ¶¶ 175, 188; Mot at 16–17. Plaintiffs allege no facts that show USDS personnel will publicize or otherwise share DOL or HHS data outside of USDS. Accordingly, an employer’s receipt of an employee’s complaint against it, plus the employer’s decision to retaliate against the employee as a result, is mere speculation. So, too, for doctor members’ feared disruption of patient care: many far-from-certain events would have to take place for USDS personnel’s data access to lead to members’ patients distrusting the whole medical system. 7 The harm must also be “real, and not abstract.” TransUnion, 594 U.S. at 424 (quoting Spokeo, Inc. v. Robins, 578 U.S. 330, 340 (2016)). Assuming plaintiffs succeed on the merits of their claims, USDS personnel’s access to union members’ PII is a real, albeit intangible, harm.

13 a nonauthorized person’s access to systems that contain PII was a harm recognized at common

law. But that’s of no moment, because the harm has “a close historical or common-law analogue.”

As three judges facing nearly identical issues have explained, the harm that plaintiffs allege

their members are suffering has a close relationship with the harm asserted in a suit for the tort of

intrusion upon seclusion.8 See All. for Retired Ams. v. Bessent, Civ. A. No. 25-313 (CKK), 2025

WL 740401, at *15–17 (D.D.C. Mar. 7, 2025); Am. Fed.Fed’n of Tchrs. v. Bessent, Civ. A. No.

25-430 (DLB), 2025 WL 895326, at *7–13 (D. Md. Mar. 24, 2025); AFSCME, AFL-CIO v. Social

Sec. Admin., Civ. A. No. 25-596 (ELH), 2025 WL 868953, at *35–43 (D. Md. Mar. 20, 2025).

That tort makes liable any person “who intentionally intrudes, physically or otherwise, upon the

solitude or seclusion of another or his private affairs or concerns . . . if the intrusion would be

highly offensive to a reasonable person.” Restatement (Second) of Torts § 652B. “The intrusion

itself” inflicts the harm; “no publication or other use of any kind” of the information intruded upon

is necessary. Id. cmt. b.; see, e.g., Froelich v. Adair, 213 Kan. 357, 359–61 (1973).

Such harm is akin to that which plaintiffs allege their members suffer here: USDS

personnel have intruded upon their sensitive personal information within the agency systems.

Defendants disagree, citing for support two concurrences to the Fourth Circuit’s recent stay of a

district court’s preliminary injunction. See Defs.’ Notice of Suppl. Authority [ECF No. 76]; Am.

8 The Court is aware that the tort of intrusion upon seclusion was not a tort heard in the common law courts of England, or at the Founding. See Laufer v. Arpan LLC, 29 F. 4th 1268, 1287 (11th Cir. 2022) (Newsom, J. concurring), vacated as moot, 77 F.4th 1366 (11th Cir. 2023). “[P]rivacy-related torts” such as this “didn’t materialize until the late nineteenth century, at the earliest.” Id. But the Supreme Court demonstrated in TransUnion that eighteenth century pedigree isn’t necessary for a tort to provide a common-law analogue for an intangible, statutorily- created harm: the tort TransUnion relied on was itself a privacy-related tort. See TransUnion, 594 U.S. at 434. Likely for that reason, TransUnion explicitly said that “intrusion upon seclusion” is a “harm[] traditionally recognized as providing a basis for lawsuits in American courts,” id. at 425 (emphasis added), not necessarily in the common law courts of England or the Colonies.

14 Fed’n of Tchrs. v. Bessent, No. 25-1282, 2025 WL 1023638 (4th Cir. Apr. 7, 2025). In American

Federation of Teachers, unions and other organizations challenge under the Privacy Act USDS’s

access to records systems maintained by the Department of the Treasury, Department of Education,

and the U.S. Office of Personnel Management (“OPM”). See Am. Fed’n of Tchrs., 2025 WL

895326 3, at *1. After the district court granted plaintiffs’ motion for a preliminary injunction, id.

at *32–33, a panel of the Fourth Circuit granted the defendants’ motion to stay the injunction, Am.

Fed’n of Tchrs., 2025 WL 1023638, at *1. Two judges wrote concurrences explaining that a main

reason they granted the stay was that the plaintiffs likely lack standing. While one concurrence

dealt with Fourth Circuit precedent not binding on this Court, id. at *1–3 (Agee, J. concurring),

the other concurrence—Judge Richardson’s—dealt directly with the issue of whether a violation

of the Privacy Act leads to harm sufficiently analogous to the harm inflicted by the tort of intrusion

upon seclusion, id. at *3–5.

In Judge Richardson’s view, the harm that results from a Privacy Act violation does not

bear enough resemblance to the harm inflicted by the common-law tort of intrusion upon seclusion.

That common-law tort, he explains, “has long been understood to guard not against the disclosure

of sensitive information . . . but against the feeling of unease when and where one should ideally

be at peace.” Id. at *4 (citing Restatement (Second) of Torts § 652B cmt. a). The intrusion has a

sort of spatial component—e.g., into the seclusion of one’s home. No plaintiff, Judge Richardson

concluded, suffered that sort of harm, and regardless, it is “question[able]” that accessing

individual data in “one row . . . [of] millions” within a database results in a harm anywhere close

to “the harm inflicted by [the] reporters, detectives, and paparazzi” that are usually intrusion-upon-

seclusion defendants. Id. at *5.

15 This Court is the first to admit that seeing someone’s name and SSN in the 648th row of a

spreadsheet is “different in kind” from peeping into someone’s bedroom window. See id. But the

Court reads TransUnion and the cases it relied upon to leave it to Congress, not judges, to

determine what is sufficiently bad to be deemed unlawful. True, courts “cannot treat an injury as

concrete for Article III purposes based only on Congress’s say-so.” TransUnion, 594 U.S. at 426

(internal quotation marks omitted). But “[i]n determining whether a harm is sufficiently concrete

to qualify as an injury in fact, . . . Congress’s views may be ‘instructive.’” Id. (quoting Spokeo,

Inc. v. Robins, 578 U.S. 330, 341 (2016)). As the Supreme Court has routinely explained,

Congress can “‘elevat[e] to the status of legally cognizable injuries concrete, de facto injuries that

were previously inadequate in law.’” Spokeo, 578 U.S. at 341 (alteration in original) (quoting

Lujan, 504 U.S. at 578).

Congress enacted the Privacy Act to “protect the privacy of individuals identified in

information systems maintained by Federal agencies.” Doe v. Chao, 540 U.S. 614, 618 (2004)

(quoting The Privacy Act of 1974, Pub. L93-579, § 2(a)(5), 88 Stat. 1896 (1974)); see also Wilson

v. Libby, 535 F.3d 697, 713 (D.C. Cir. 2008) (Rogers, J., concurring in part and dissenting in part)

(explaining that the Act was “[a]imed at protecting one of our most fundamental civil liberties—

the right to privacy” (internal quotation marks omitted)). Put simply, then, Congress “identified”

an individual’s interest in his information being viewed only by the federal agency that maintains

it—and even then, only by those employees with a need to view it—as “a modern relative of a

harm with long common law roots.” See Gadelhak v. AT&T Servs., Inc., 950 F.3d 458, 462 (7th

Cir. 2020) (Barrett, J.). So § 552a(b) in effect created a new sphere in which individuals not only

expect privacy, but have a right to it—i.e., a sphere of seclusion. As a result, an intrusion upon

that sphere—even if the sphere literally encompasses only one row of millions in a dataset—

16 amounts to an injury similar to the intrusion upon other private spheres, such as one’s home. Cf.

Hamberger v. Eastman, 106 N.H. 107, 110–112 (1964) (“The tort of intrusion upon the plaintiff’s

solitude or seclusion is not limited to a physical invasion of his home or his room or his quarters,”

but rather extends “beyond such physical intrusion” and includes “eavesdropping upon private

conversations by means of wire tapping and microphones.” (internal quotation marks omitted)).

Put differently, the Privacy Act makes it so an individual “should . . . be at peace” with the

fact that his information is maintained and only reviewable by the relevant agency, and it is thus

warranted that individuals like the union members here “feel[] . . . unease” when outsiders view

it. See Am. Fed’n of Tchrs., 2025 WL 1023638, at *4 (Richardson, J., concurring). The harm that

results from such a disclosure may not seem as grave as the harm in a window-peeper intrusion-

upon-seclusion claim. But the intrusions “nevertheless pose the same kind of harm that common

law courts recognize—a concrete harm that Congress has chosen to make legally cognizable.”

Gadelhak, 950 F.3d at 463.

Setting aside the Fourth Circuit concurrences, defendants’ other arguments that plaintiffs’

members lack concrete injuries in fact miss the forest for the trees. Putting all their marbles into

TransUnion, defendants contend that only dissemination or “use[] of confidential information can

give rise to standing” and that plaintiffs’ members’ harms are thus insufficient because plaintiffs

plausibly allege neither that defendants are currently disseminating or using members’ information

nor that defendants will do so imminently. Mot. at 15–17. It’s true that TransUnion said that

publication was necessary to concretize the harms suffered by the plaintiffs in that case. See 594

U.S. at 433–34. But defendants overlook TransUnion’s key holding: an intangible, statutorily-

created injury is concrete so long as it is akin to a harm traditionally recognized in American courts.

Id. at 424–28. In TransUnion, the plaintiffs relied on the common law analogue of defamation, a

17 tort for which a plaintiff only suffers actionable harm upon publication. Id. at 434. The harm

suffered in the tort of defamation, however, is far from the only harm traditionally recognized in

American courts. Indeed, it is not even the only traditionally recognized privacy-related harm, as

the Supreme Court explicitly said. See id. at 425 (“[I]njuries with a close relationship to harms

traditionally recognized as providing a basis for lawsuits in American

courts . . . include . . . reputational harms, disclosure of private information, and intrusion upon

seclusion.”). Here, plaintiffs’ members’ alleged harms are akin to the traditionally-recognized

harm seen in the tort of intrusion upon seclusion, a harm which—unlike defamation—does not

require publication or use to be actionable. Restatement (Second) of Torts § 652B cmt. b.9

While plaintiffs’ harm is analogous that inflicted by the tort of intrusion upon seclusion, it

may not be the only tort plaintiffs can hang their hats on. The D.C. Circuit has also recognized

that the tort of “breach of confidence” can serve as a common-law analogue for a harm inflicted

by a statutory violation. See Jeffries v. Volume Servs. Am., Inc., 928 F.3d 1059, 1064 (D.C. Cir.

2019). That tort “lies where a person offers private information to a third party in confidence and

the third party reveals that information to another.” Id. (internal quotation marks omitted).

Nothing beyond the “plaintiff’s trust in the breaching party [being] violated” must occur for the

harm to be actionable. Id. The trusted party’s disclosure to a third party is sufficient. See id. at

1064–65.

The unions allege their members are suffering precisely that harm. The members gave

DOL and HHS their personal information in confidence, backed by the Privacy Act’s guarantee

that the agencies would not disclose the information to any other person or agency. Yet the

agencies, plaintiffs allege, have made “unconsented, unprivileged disclosure to a third party”—

9 For the same reasons, defendants’ analogies to data breach cases miss the mark.

18 USDS personnel. See id. at 1065 (quoting Kamal v. J. Crew Grp., 918 F.3d 102, 114 (3d Cir.

2019)). This common-law analogue is more like a common-law twin.

To sum up, plaintiffs allege their members are currently suffering actionable harm for the

sole reason that the agency defendants are disclosing the plaintiffs’ members’ personal information

to unauthorized individuals. That’s enough to plausibly allege a concrete, actual harm that would

give plaintiffs’ members standing to sue DOL and HHS for violating the APA and the Privacy

Act.

So the first requirement of associational standing—that a member would have standing in

her own right—is satisfied. See Sierra Club, 754 F.3d at 999. Defendants (rightly) do not argue

that the interests AFL-CIO, AFGE, AFSCME, and SEIU seek to protect in this lawsuit—their

members’ privacy—are not germane to the unions’ purposes.10 Nor do defendants argue that

plaintiffs’ APA claims against DOL and HHS require individual-member participation; “[n]either

these claims nor the” injunctive and declaratory relief plaintiffs seek “require[] the . . . Court to

consider the individual circumstances of any aggrieved” union member. See Int’l Union, United

Auto., Aerospace & Agric. Implement Workers of Am. v. Brock, 477 U.S. 274, 287 (1986).

What defendants do argue is that individual-member participation is required for plaintiffs’

standalone Privacy Act claims against DOL and HHS. See Mot. at 18. As defendants explain, the

provision of the Privacy Act under which plaintiffs sue—5 U.S.C. § 552a(g)(1)(D)—only provides

a cause of action for damages, see id.§ 552(a)(g)(4), and individualized proof of harm (and thus

individual-member participation) would be needed to award said damages. Mot. at 18; see Air

10 See Am. Compl. ¶¶ 172–74 (explaining that AFL-CIO represents the interests of and advocates for their laborer members, including by assisting them with filing confidential complaints with DOL); id. ¶¶ 179, 182 (similar for AFGE); id. ¶¶ 186–88 (explaining that AFSCME represents the interests of and advocates for public employees, including many healthcare providers); id. ¶¶ 189–98 (explaining that SEIU represents the interests of and advocates for laborers whom the union helps file complaints with DOL, as well as healthcare professionals and Medicare beneficiaries).

19 Transp. Ass’n of Am. v. Reno, 80 F.3d 477, 484 (D.C. Cir. 1996). But, as plaintiffs point out,

their complaint does not seek damages—it only seeks declaratory and injunctive relief, neither of

which requires individual-member participation. Opp’n at 10–11; Am. Compl. ¶¶ 270–79.

Similarly, the allegations that underlie plaintiffs’ Privacy Act claims are not “grounded on the

claims of [their] members,” Tanner-Brown v. Haaland, 105 F.4th 437, 447 (D.C. Cir. 2024)

(internal quotation marks omitted), but instead are based solely on agency defendants’ alleged

disclosure of information from agency systems writ large, see Am. Compl. ¶¶ 265–69. The

questions whether plaintiffs can in fact seek declaratory and injunctive relief under

§ 552a(g)(1)(D) and whether plaintiffs’ allegations in fact state a claim under the Privacy Act are

non-jurisdictional issues the Court addresses below. What matters for Article III standing is that

“neither the claim asserted nor the relief requested requires the participation of individual

members.” Tanner-Brown, 105 F.4th at 447. That is true of plaintiffs’ standalone Privacy Act

claims against DOL and HHS.

AFL-CIO, AFGE, AFSCME, and SEIU therefore have associational standing to sue DOL

and HHS for the agencies’ alleged violations of the APA and Privacy Act.

b. CFPB

Unlike for the claims against the other agency defendants, plaintiffs do not allege that the

personal information of any of their individual members lies with CFPB. So at least one

organizational plaintiff must have standing in its own right—i.e., organizational standing—to sue

CFPB for violating the APA and Privacy Act.

Organizational standing has two requirements. First, an organization must face a “concrete

and demonstrable injury to . . . [its] activities,” more than “simply a setback to . . . [its] abstract

social interests.” Am. Anti-Vivisection Soc’y v. U.S. Dep’t of Agric., 946 F.3d 615, 618 (D.C.

20 Cir. 2020) (quoting Havens Realty Corp. v. Coleman, 455 U.S. 363, 379 (1982)). Second, the

organization must divert “resources to counteract that” injury. People for the Ethical Treatment

of Animals v. U.S. Dep’t of Agric. (“PETA”), 797 F.3d 1087, 1094 (D.C. Cir. 2015).

Plaintiffs Virginia Poverty Law Center (“VPLC”) and Economic Action Maryland Fund

(“Economic Action”) both meet this test. Begin with the harm to their missions. The two

nonprofits “each provide direct services to consumers experiencing difficulties with financial

products and services, from mortgages to debt collection to predatory loans.” Am. Compl. ¶ 222.

These services form one of VPLC’s and Economic Action’s respective four core activities. See

id. ¶¶ 21–22. For both organizations, the CFPB complaint system is an “irreplaceable tool” for

providing direct services to consumers. See id. ¶ 222. That tool only has use, however, if

consumers can “expect[] that th[e] information” they submit to CFPB “will be protected from

unlawful disclosure.” See id. ¶ 221. CFPB’s alleged unlawful disclosure of the Consumer

Response System—which houses consumers’ complaints, PII and all—make it so VPLC and

Economic Action can no longer “recommend that consumers submit complaints that may contain

confidential personal and financial data.” Id. at ¶ 223. In other words, the alleged unlawful

disclosure of records systems removes “an irreplaceable tool” for one of the organizations’ core

activities.

And that’s not all. VPLC and Economic Actions’ core activities—notably their direct

services and their consumer education initiatives—also depend on the redacted versions of

consumer complaints that CFPB makes public. See id. ¶¶ 21–22, 223–24. The organizations use

that data, in part, “to understand emerging problems in the market” that the individuals they serve

face or could face. See id. ¶ 225. And “without the” assurance that the “CFPB complaint system

and other CFPB resources” remain confidential, VPLC and Economic Action would have to invest

21 time and resources into finding other ways “to provid[e] direct assistance to consumers and to

understand” those problems. Id. In other words, the organizations allege the harms they suffer

“require shifting money and resources from [their] other core missions.” Id.; PETA, 797 F.3d at

1094 (requiring as much).

These injuries are like those found sufficient for organizational standing in PETA. There,

the U.S. Department of Agriculture’s (“USDA”) refusal to regulate birds in a certain way

“‘perceptibly impaired’ PETA’s mission in two respects: it ‘precluded PETA from preventing

cruelty to and inhumane treatment of these animals through its normal process of submitting

USDA complaints’ and it ‘deprived PETA of key information that it relies on to educate the

public.’” Id. (quoting PETA v. USDA, 7 F. Supp. 3d 1, 8 (D.D.C. 2013)). The D.C. Circuit

concluded that because “PETA redirected its resources in response to USDA’s allegedly unlawful

failure to provide the means by which PETA would otherwise advance its mission—filing

complaints with the USDA and using the USDA’s information for its advocacy purposes”—PETA

had organizational standing. Id. at 1097; see also Am. Anti-Vivisection Soc’y, 946 F.3d at 618–

19 (relying on PETA to find standing on similar facts).

VPLC and Economic Actions’ asserted harms are different from those in PETA, but

ultimately in not a way the Court finds meaningful. For one, the organizations are not precluded

from directing or helping their clients in filing CFPB complaints; they just cannot do so in good

faith. See Am. Compl. ¶ 223. But an organization need not be “entirely hamstrung” by an action

to have standing to challenge it. Capital Area Immigrs.’ Rights Coal. v. Trump, 471 F. Supp. 3d

25, 40 (D.D.C. 2020) (internal quotation marks omitted). Its activities need only be “perceptibly

impaired.” Id. (quoting PETA, 797 F.3d at 1093). VPLC and Economic Action plausibly allege

22 perceptible impairment, as they allege CFPB’s unlawful disclosure removes an “irreplaceable

tool” and key information that they use to accomplish their missions. Id. ¶ 222.

Moreover, VPLC and Economic Action plausibly allege their injuries are imminent. Per

the complaint, CFPB leadership has already directed USDS to “begin work on all unclassified

CFPB systems,” id. ¶ 150, which includes the systems containing consumer complaints. It is that

ongoing allegedly unlawful provision of access that VPLC and Economic Action allege

deteriorates their missions.

Thus, given the similarities between the organizations’ asserted injuries and those in PETA,

the Court concludes that the complaint plausibly alleges that VPLC and Economic Action have

standing to sue CFPB for allegedly violating the APA and Privacy Act.

c. USDS

Armed with the determinations that at least some plaintiffs have standing to sue DOL,

HHS, and CFPB, it is simple to conclude that those same plaintiffs have standing to bring their

Privacy Act and ultra vires claims against USDS. The injuries plaintiffs assert for these claims are

the same injuries the Court has now found cognizable.11 And plaintiffs allege that USDS caused

those injuries by seeking access to sensitive systems and by exercising authority it allegedly does

not possess. See Am. Compl. ¶¶ 73, 120–24, 144–47, 227–36; cf. id. ¶¶ 49, 51, 54. Since the

declaratory and injunctive relief plaintiffs seek could redress plaintiffs’ injuries, AFL-CIO, AFGE,

AFSCME, SEIU, VPLC, and Economic Action have standing to sue USDS.12

11 The Court’s analysis of the associational standing factors of germane purpose and no-individual- participation applies equally to USDS. 12 The Court emphasizes that its determination that plaintiffs have standing to sue each defendant is a result of this stage of the litigation. As previously stated, to survive a facial motion to dismiss, a complaint need only plausibly allege standing, and, in determining whether the complaint does so, the Court must accept as true the complaint’s well-pleaded allegations. See Humane Soc’y, 797 F.3d at 8. But “[a] plaintiff must demonstrate standing ‘with the manner and degree of evidence required at the successive stages of the litigation.’” TransUnion, 594 U.S.

23 II. Failure to State a Claim

With its jurisdiction assured, the Court turns to defendants’ contention that plaintiffs fail

to state any of their claims. A complaint escapes a Rule 12(b)(6) motion unscathed if it contains

sufficient factual matter that, accepted as true, states each claim to relief plausibly on its face. See

Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Accordingly, a court assessing a Rule 12(b)(6)

motion “assume[s] . . . veracity” of all “well-pleaded factual allegations” in the complaint, id. at

679, “construe[s] the complaint in favor of the plaintiff,” and gives the plaintiff “the benefit of all

inferences that can be derived from the facts alleged,” Hettinga v. United States, 677 F.3d 471,

476 (D.C. Cir. 2012) (internal quotation marks omitted). A court does not, however, credit

“[t]hreadbare recitals of the elements of a cause of action,” “conclusory statements,” Iqbal, 556

U.S. at 678–79 (internal quotation marks omitted), or “legal conclusions cast as factual

allegations,” Hettinga, 677 F.3d at 476.

Here, although the complaint survives, it does not escape unscathed: it states its ultra vires

claim and some of its APA claims but not the standalone Privacy Act claim.

a. APA Claims

Defendants put forward a buffet of reasons why they think plaintiffs fail to state any of

their APA claims. The Court finds some, but not all, palatable.

at 431 (quoting Lujan, 504 U.S. at 561). At later stages of this litigation—including at the preliminary injunction stage—plaintiffs will “no longer” be able to “rest on . . . mere allegations, but must set forth by affidavit or other evidence specific facts” that establish that there is a substantial likelihood plaintiffs have standing. See Clapper, 568 U.S. at 412 (internal quotation marks omitted); OPM v. AFGE, No. 24A904, 2025 WL 1035208 (U.S. Apr. 8, 2025). So the unions with associational standing will need to put forward evidence that DOL and HHS have given or will imminently give USDS personnel access to record systems containing their members’ data. And VPLC and Economic Action will need to put forward evidence (1) that CFPB has granted or will imminently grant USDS personnel access to consumer complaint data, (2) that, as a result, the organizations cannot assist or will imminently not be able to assist consumers with filing complaints, and (3) that the organizations—because of USDS personnel’s actual or imminent access to consumer complaint data, not because of their subjective fears of possible access—have or will imminently have to divert resources away from their other core work. See Clapper, 568 U.S. at 411–428.

24 i. Final Agency Action

At the outset, defendants argue that plaintiffs lack a cause of action under the APA because

they do not seek review of final agency actions. Only such actions are subject to review under the

APA. 5 U.S.C. § 704. As defendants see it, “[p]laintiffs allege final agency action in the form of

Agency Defendants granting USDS personnel access to agency informational systems.” Mot. at

22. That provision of access, defendants aver, is not an “agency action” within the meaning of the

APA, but instead is an unreviewable “broad programmatic attack.” Id. at 22–23 (quoting Norton

v. S. Utah Wilderness Alliance, 542 U.S. 55, 64 (2004)). And even if it is an agency action, it is

not “final” because it has no “direct and appreciable legal consequences.” Id. at 23–25 (quoting

Cal. Cmtys. Against Toxics v. EPA, 934 F.3d 627, 640 (D.C. Cir. 2019)).

Defendants are spot on about what it takes to be a “final agency action.” As an initial

matter, the action must be an “agency action,” which “includes the whole or a part of an agency

rule, order, license, sanction, relief, or the equivalent or denial thereof, or failure to act.” 5 U.S.C.

§ 551(13). That action then must be “final,” or in other words, “the consummation of the agency’s

decisionmaking process . . . by which rights or obligations have been determined or from which

legal consequences will flow.” Venetian Casino Resort, LLC v. EEOC., 530 F.3d 925, 931 (D.C.

Cir. 2008) (alterations in original) (quoting Bennett v. Spear, 520 U.S. 154, 177–78 (1997)).

However, defendants miss the mark when it comes to defining plaintiffs’ alleged agency

action. Plaintiffs do not challenge the individual decisions of the agency defendants to give

particular USDS personnel access to agency systems. Rather, plaintiffs challenge what they allege

are agency defendants’ across-the-board policies (the so-called “DOGE Access Policies”) to grant

USDS personnel access to sensitive record systems, Am. Compl. ¶¶ 239, 251, 258—access that

plaintiffs allege is unlawful.

25 The D.C. Circuit has held that such unwritten policies are final agency actions. See Am.

Fed. of Teachers, 2025 WL 895326, at *16 (determining as much); AFSCME, 2025 WL 868953,

at *50–52 (same). In Venetian Casino, the plaintiff challenged under the APA an informal Equal

Employment Opportunity Commission (“EEOC”) policy that “permit[ted] Commission

employees to disclose an employer’s confidential information . . . without first notifying the

employer.” 530 F.3d at 927. The D.C. Circuit rejected EEOC’s argument that said policy did not

amount to a “final agency action.” Id. at 930. A “decision of” an agency “to adopt a policy of

disclosing confidential information without notice,” the Circuit said, is an agency action that is

“surely a consummation of the agency’s decisionmaking process, and one by which the submitter’s

rights and the agency’s obligations have been determined.” Id. at 931 (cleaned up); see also

Brotherhood of Locomotive Engineers & Trainmen v. Fed Railroad Admin., 972 F.3d 83, 100

(D.C. Cir. 2020) (“[T]he absence of a written memorialization by the agency does not defeat

finality.”).

Defendants try to resist the conclusion that Venetian Casino is on all fours here. They point

out that Venetian Casino involved the EEOC’s informal policy “of disclosing confidential

information . . . without providing notice,” and say plaintiffs here only allege the agencies have an

informal policy of “giving information access to other government employees,” which defendants

seem to think does not amount to disclosure. Mot. 24–25 (emphasis in original). But defendants

gloss over plaintiffs’ core contention: that giving USDS personnel access to agency systems

amounts to unlawful disclosure, government employees or not. That’s far from an outlandish

contention (indeed, as explained later, plaintiffs state a claim that the access is unlawful)

considering that the Privacy Act prohibits agencies from disclosing individualized records to other

agencies without the individual’s consent. See § 552a(b). Put simply, plaintiffs allege that agency

26 defendants have policies of unlawfully disclosing information without consent just like the

EEOC’s policy in Venetian Casino. And, just like the policy in Venetian Casino, the DOGE

Access Policies determine the rights of those whose information is being disclosed and the

obligations of the agency defendants. See Am. Fed. of Teachers, 2025 WL 895326, at *16.

So the only question left is whether the complaint goes beyond mere conclusions to

plausibly allege that each agency has in fact adopted such a policy. It clearly does. (Indeed,

defendants appear to concede as much. See, e.g., Mot. at 4–5). To recap, plaintiffs allege that:

DOL leadership instructed employees “to give [USDS] access to anything they want,” Am. Compl.

¶ 68, and USDS employees currently on detail to DOL intend to access agency systems; HHS

leadership put out a statement that “two senior HHS employees were leading the collaboration

with [USDS], including ensuring appropriate access to CMS systems and technology,” id. ¶ 123,

and the agency has provided USDS personnel access to HIGLAS, id. ¶ 124; and the CFPB Acting

Director told staff that USDS could “begin work on all unclassified CFPB systems,” id. ¶ 150.

Hence, plaintiffs adequately allege a final agency action that each agency defendant has

taken.

ii. Contrary to Law

Next, defendants assert that the complaint fails to allege that the DOGE Access Policies

violate any statute or regulation. A complaint states a claim for APA relief if, as relevant here, it

alleges that a reviewable agency action is “arbitrary, capricious, an abuse of discretion, or

otherwise not in accordance with law.” § 706(2)(A).

1. Privacy Act

Arguably the primary focus of plaintiffs’ complaint is the claim that DOL, HHS, and

CFPB’s DOGE Access Policies violate the Privacy Act. “Aimed at protecting one of our most

27 fundamental civil liberties—the right to privacy, the Privacy Act established certain enforceable

rights.” Wilson, 535 F.3d at 713 (Rogers, J., concurring in part and dissenting in part) (internal

quotation marks omitted). To that end, the Act prohibits agencies from disclosing “any record

which is contained in a system of records by any means of communication to any person, or to

another agency, except pursuant to a written request by, or with the prior written consent of, the

individual to whom the record pertains.” 5 U.S.C. § 552a(b).

The Act’s definitions are broad. A record, per the Act, “means any item, collection, or

grouping of information about an individual that is maintained by an agency, including, but not

limited to, his education, financial transactions, medical history, and criminal or employment

history and that contains his name, or the identifying number, symbol, or other identifying

particular assigned to the individual, such as a finger or voice print or a photograph.” § 552a(a)(4).

A “system of records,” meanwhile, “means a group of any records under the control of any agency

from which information is retrieved by the name of the individual or by some identifying number,

symbol, or other identifying particular assigned to the individual.” § 552a(a)(5). And “agency”

“includes any executive department, military department, Government corporation, Government

controlled corporation, or other establishment in the executive branch of the government

(including the Executive Office of the President), or any independent regulatory agency.”

§ 552(f)(1).13

Defendants first argue that the Court need not even ask whether the complaint alleges that

the agency defendants violated § 552a(b) because plaintiffs simply cannot bring APA claims for

violations of the Privacy Act. See Mot. at 25–28. Defendants point out that, even where a plaintiff

alleges a final agency action, the APA only permits review if that action is one “for which there is

13 The Privacy Act incorporates the definition of “agency” now appearing at 5 U.S.C. § 552(f)(1). See Palmieri v. United States, 896 F.3d 579, 586 (D.C. Cir. 2018); 5 U.S.C. § 552a(a)(1).

28 no other adequate remedy in a court.” § 704; Elec. Priv. Info. Ctr. v. IRS, 910 F.3d 1232, 1244

(D.C. Cir. 2018). The Privacy Act, defendants contend, backs up its prohibitions with a

“comprehensive remedial scheme,” Wilson, 535 F.3d at 703, making the remedies it provides

adequate—and therefore depriving plaintiffs of an APA cause of action.

This argument is formidable but ultimately unavailing. The Privacy Act’s remedial scheme

provides “for injunctive types of relief” in “two instances” not present here, both involving an

agency’s failure to disclose records whose disclosure the Act compels. Cell Assocs., Inc. v. Nat’l

Insts. of Health, Dep’t of Health, Educ. & Welfare, 579 F.2d 1155, 1159 (9th Cir. 1978); see 5

U.S.C. § 552a(g)(2), (3). The Act thus empowers courts to compel disclosure (or the amendment

of inaccurate records) where the agency has refused. In two other instances, the Act “provide[s]

for damages, but not for injunctive relief.” Cell. Assocs., 579 F.2d at 1159. Unlike the first two

instances, these latter two involve situations where, generally, the cat is out of the bag: either a

record’s inaccuracy has already caused “a determination . . . adverse to the individual,”

§ 552a(g)(1)(C), or the agency has “fail[ed] to comply with any other provision of this section,”

§ 552a(g)(1)(D)—including the requirement that an agency obtain “a written request by” or the

“prior written consent of[] the individual to whom the record pertains,” § 552a(b).14

In most cases, this scheme makes sense. Generally, injunctive relief would only be

requested, let alone needed, where the agency has failed to act in response to an individual’s

request. In the other two circumstances, injunctive relief will rarely be appropriate. The first

circumstance requires something already to have happened to the individual, see § 552a(g)(1)(C),

leaving damages as the only saving grace. The second could only be the basis of injunctive relief

if an individual somehow anticipated the imminent and illegal disclosure of his records—

14 The Act also “provides for criminal penalties against federal officials who willfully disclose a record in violation of the Act.” Wilson, 535 F.3d at 707 (citing 5 U.S.C. § 552a(i)(1)).

29 something that will rarely happen given that the basis of the violation is the failure to consult the

individual. See § 552a(g)(1)(D), (b).

But here we have that rare case. So the question is whether the APA’s “generic cause of

action in favor of persons aggrieved by agency action,” Cohen v. United States, 650 F.3d 717, 723

(D.C. Cir. 2011) (en banc), can step into the breach and permit the Court to enjoin agency action

alleged to be in violation of the Privacy Act despite the Privacy Act’s failure to authorize such a

step, see Doe v. Stephens, 851 F.2d 1457, 1463 (D.C. Cir. 1988).

It likely can. An alternative remedy is adequate so as to preclude a cause of action under

the APA if, though not “identical to relief under the APA,” it is at least “of the same genre.” See

Elec. Priv. Info. Ctr., 910 F.3d at 1244 (citations omitted). Damages and injunctions belong to

different genres: one compensates for harm while the other prevents it. Thus, in Radack v. DOJ,

for instance, a judge in this District concluded that, because “the Privacy Act provides only for

monetary relief when an agency makes illegal disclosures,” the Privacy Act did not “provide an

‘adequate remedy’” to a plaintiff seeking “declaratory and injunctive relief.” 402 F. Supp. 2d 99,

104 (D.D.C. 2005); see also Poss v. Kern, Civ. A. No. 23-2199 (DLF), 2024 WL 4286088, at *6

(D.D.C. Sept. 25, 2024) (citing Radack for the same proposition); Cent. Platte Nat. Res. Dist. v.

U.S. Dep’t of Agric., 643 F.3d 1142, 1149 (8th Cir. 2011) (accepting but distinguishing Radack).

Though with less clarity, the D.C. Circuit appears to agree. In Doe v. Stephens, the Circuit

explained that the Privacy Act “does not by itself authorize the injunctive relief sought”—relief

similar to that sought here—because its remedial scheme “precludes . . . forms of declaratory and

injunctive relief” other than those explicitly provided for. 851 F.2d 1457, 1463 (D.C. Cir. 1988).

But that did not end the case: despite the lack of a Privacy Act cause of action, the court concluded

that the plaintiff was “entitled under the Administrative Procedure Act to a declaration.” Id. at

30 1463; see also id. at 1466–67. And the D.C. Circuit isn’t alone in its view that § 552a(g)(1)(D)’s

narrow cause of action does not preclude non-monetary relief under the APA. To the contrary, the

Supreme Court has all but said as much (albeit in dicta). See Chao, 540 U.S. at 619 n.1 (“The

Privacy Act says nothing about standards of proof governing equitable relief that may be open to

victims of adverse determinations or effects, although it may be that this inattention is explained

by the general provisions for equitable relief within the . . . APA.” (cleaned up)).

This conclusion is equally consistent with case law beyond the Privacy Act. In a tax case,

for instance, the en banc D.C. Circuit concluded that a statute permitting tax refunds was not an

adequate alternative for plaintiffs seeking “equitable relief rather than recovery” of money

damages. Cohen, 650 F.3d at 734 (internal quotation mark omitted). This was true even though,

as then-Judge Kavanaugh explained in dissent, “Congress has established a judicial procedure that

. . . is relevant to the subject matter—namely, a tax refund suit.” Id. at 739 (Kavanaugh, J.,

dissenting) (internal quotation marks omitted).

It is true that there are many cases from this District that broadly declare that “a plaintiff

cannot bring an independent APA claim predicated on a Privacy Act violation.” Wilson v.

McHugh, 842 F. Supp. 2d 310, 320 (D.D.C. 2012) (internal quotation marks omitted); see also,

e.g., Poss, 2024 WL 4286088, at *5–6; Haleem v. U.S. Dep’t of Def., Civ. A. No. 23-1471 (JEB),

2024 WL 230289, at *13–14 (D.D.C. Jan. 22, 2024); Bierly v. Dep’t of Def., Civ. A. No. 23-2386

(RCL), 2024 WL 4227154, at *8–9 (D.D.C. Sept. 18, 2024); Berardi v. U.S. Dep’t of the Air Force,

Civ. A. No. 05-2269 (JR), 2006 WL 8448631, at *6 (D.D.C. Sept. 29, 2006). But these cases all

dealt with a different situation entirely, one where plaintiffs sought injunctive relief under the APA

despite its availability under the Privacy Act. See AFSCME, 2025 WL 868953, at *53 (“Where

courts have held that a plaintiff could not also bring an APA claim to obtain relief for an agency’s

31 alleged Privacy Act violation, it has been where the Privacy Act provided the kind of relief plaintiff

sought.”). In those cases, the plaintiffs sought to compel disclosure unlawfully withheld, not to

prevent disclosure imminently (and unlawfully) threatened.

Said otherwise, those cases presented the two circumstances in which the Privacy Act

provides “for injunctive types of relief.” Cell Assocs., 579 F.2d at 1159. So despite their broad

language, these cases stand for the unremarkable proposition that plaintiffs may not proceed

“under the APA when they seek remedies available under the Privacy Act.” Poss, 2024 WL

4286088, at *6. In that situation, the APA would merely “duplicate existing procedures for review

of agency action.” Bowen v. Massachusetts, 487 U.S. 879, 903 (1988). But not so here, where

the plaintiffs seek relief unavailable under the Act. See Radack, 402 F. Supp. 2d at 104.

To crystalize the conclusion that the APA permits review of plaintiffs’ Privacy Act-based

claims, the Court emphasizes what the “adequate remedy” question ultimately boils down to:

whether the APA’s “basic presumption of judicial review,” Abbott Lab’ys v. Gardner, 387 U.S.

136, 140 (1967), has been overcome by “a showing of clear and convincing evidence” that

Congress wanted to preclude APA review of alleged Privacy Act violations of this type, see Garcia

v. Vilsack, 563 F.3d 519, 523 (D.C. Cir. 2009). As another judge in this District explained, the

Supreme Court recently held that the Privacy Act is “complementary” to (i.e., does not preclude a

remedy under) the Fair Credit Reporting Act. Alliance for Retired Ams., 2025 WL 740401, at *19

(citing Dep’t Agric. Rural Dev. Rural Housing Serv. v. Kirtz, 601 U.S. 42, 63 (2024)). This

“suggests that the Privacy Act is not the kind of comprehensive and ‘exclusive’ remedial statute

that impliedly displaces related remedies under other statutes,” including the APA. See id. It

appears, then, that the Supreme Court reads the Privacy Act to show no “clear and convincing

32 evidence” that Congress wanted to preclude review outside of the Act’s confines, including

through the APA. See also Chao, 540 U.S. at 619 n.1.

Hence, plaintiffs’ reliance on the Privacy Act does not rob them of an APA cause of

action.15 Still, defendants say, the claim should be dismissed because the complaint does not

adequately allege the DOGE Access Policies in fact violate the Privacy Act.

Defendants appear to concede that plaintiffs adequately allege that the DOGE Access

Policies permit agency defendants to “disclose . . . record[s] . . . contained in a system of records”

without a “written request by” or “the prior written consent of[] the individual to whom the record

pertains.” § 552a(b); see Mot. at 28–30. But defendants point the Court’s attention to

§ 552a(b)(1), which permits agencies to disclose without permission or consent records “to those

officers and employees of the agency which maintains the record who have a need for the record

in the performance of their duties.” As defendants see it, USDS personnel are “employees of the

agency” defendants and thus the Privacy Act permits the agency defendants to disclose records to

them. Mot. at 28–30.

Defendants claim three sources support their argument. First is the DOGE E.O. As

explained, the E.O. requires agency heads to “establish within their respective Agencies” a DOGE

Team to implement the President’s DOGE Agenda. DOGE E.O. § 3(c). Defendants insist that a

team “within” an agency must necessarily be comprised of “employees of the agency.” Mot. at

28. Second is caselaw that has found individuals detailed from one federal agency to another to

be employees of the receiving agency. Id. at 29 (collecting cases). That caselaw, per defendants,

15 Within its argument that Privacy Act violations are not reviewable under the APA, plaintiffs mention in passing that the Privacy Act’s cause of action is reserved for individuals. Mot. at 27. To the extent that defendants intend to argue that plaintiffs thus do not fall within the statute’s zone of interests, the Court concludes for the reasons explained by Judge Hollander that organizations like plaintiffs here have prudential standing to bring a Privacy Act- based APA claim. See AFSCME, 2025 WL 868953, at *55.

33 shows anyone detailed from USDS to agency defendants—such as Ramada at DOL—are in fact

employees of agency defendants to whom the agencies can disclose records. See id. Third is the

Economy Act of 1932. See 31 U.S.C. § 1535. Defendants challenge the complaint’s contention

that USDS cannot lawfully detail employees, see, e.g., Am. Compl. ¶ 235, explaining that the

Economy Act permits an “agency” to detail its employees to another agency and defines agency

as any “department, agency or instrumentality of the United States Government,” Mot. at 29

(quoting 31 U.S.C. § 101). USDS, defendants say, is an “instrumentality” and thus can lawfully

detail its employees to agency defendants.

To begin, defendants’ first source simply does not do the work defendants want it to. The

DOGE E.O.’s terms do not limit an agency’s DOGE Team membership to employees of that

agency. The E.O. states that agency heads must “establish within their respective Agencies” a

DOGE Team, DOGE E.O. at § 3(c); it does not say that agency heads must “establish a DOGE

Team consisting of employees of their respective Agencies.” In terms of who may comprise an

agency’s team, the E.O. speaks in broad terms: the Team must contain “at least four employees”—

without specifying the employer—and can contain “Special Government Employees, hired or

assigned”—without specifying the hirer or assignor—“within thirty days of” the E.O. See id. So

the E.O. does not require that all USDS personnel operating at the agency defendants are

employees of those agencies.

Regarding defendants’ second source, the Court notes at the outset that the complaint only

alleges USDS personnel are detailed to DOL—not HHS or CFPB. So, even if defendants were

right that the caselaw they cite confirms that detailees are employees of the receiving agency

defendants, the USDS personnel operating at HHS and CFPB would not be, per the complaint,

“employees of the agenc[ies]” under § 552a(b)(1). That said, defendants are not right about the

34 caselaw. As defendants have argued elsewhere, the cases they cite did not determine that a detailee

was an employee of the agency to which he was detailed merely because he was detailed there.

See Defs.’ Mem. Opp’n Pls.’ Renewed Mot. TRO [ECF No. 31] at 25. Rather, these cases show

that, to determine a detailee’s employment, “the D.C. Circuit has adopted a functional approach”

that “look[s] to the subject matter and purpose of the individual’s work, their supervision, and their

physical worksite as illustrative (but not conclusive) factors.” Id. at 25–26; see Jud. Watch, Inc.

v. Dep’t of Energy, 412 F.3d 125, 131 (D.C. Cir. 2005).

Applying this approach, the complaint alleges that USDS personnel are employees of

USDS. Although it acknowledges that USDS personnel are working at agency defendants and on

those agencies’ systems, the complaint also alleges USDS personnel are working on USDS

initiatives, for USDS purposes, as directed by USDS leadership. The E.O. says as much even

absent plaintiffs’ allegations. The DOGE Teams are tasked with “implementing the President’s

DOGE Agenda”—in other words, with executing the agenda laid out in the DOGE E.O. and other

relevant Executive Orders16—as interpreted by the USDS Administrator. See DOGE E.O. §§ 3(c),

4. This includes “a Software Modernization Initiative” “commence[d]” by “[t]he USDS

Administrator . . . to improve quality and efficiency of government-wide software, network

infrastructure, and information technology (IT) systems.” Id. § 4. These are core USDS initiatives

for USDS purposes. See id. § 1 (explaining that the purpose of USDS is to “moderniz[e] Federal

technology and software to maximize governmental efficiency and productivity”). Additionally,

DOGE Team members are both chosen and directed not only by the agency heads but also by the

USDS Administrator. See id. §§ 3(c), 4(b) (requiring agency heads to “select the DOGE Team

members in consultation with the USDS Administrator,” “ensure that DOGE Team Leads

16 See, e.g., Implementing the President’s “Department of Government Efficiency” Cost Efficiency Initiative, Exec. Order No. 14,222, 90 Fed. Reg. 11095 (Feb. 26, 2025).

35 coordinate their work with USDS,” and, “in coordination with the USDS Administrator,” “ensure

USDS has full and prompt access to all unclassified agency records, software systems, and IT

systems”).

The complaint then alleges that it is really USDS that is directing DOGE Team operations

at the agency defendants. For example, it alleges that USDS personnel (rather than agency

leadership) “have directed operations and decisions” at the DOL, HHS, and CFPB, Am. Compl.

¶ 229, that USDS (rather than agency leadership) is determining which DOL, HHS, and CFPB

systems its personnel need access to, and that USDS personnel (rather than agency leadership) are

directing DOL, HHS, and CFPB employees to give them access to those systems, see id. ¶¶ 69,

124, 127, 147, 150, 230, 233. Plus, the complaint alleges that USDS is operating under the same

modus operandi at other agencies not party to this case. See id. ¶¶ 62, 65. So the complaint

alleges that—even if agency defendant leadership has authorized USDS’s activities, see id. ¶¶ 69,

123, 150—USDS personnel at DOL, HHS, and CFPB are being directed by USDS, not agency,

leadership.

Considering the above, both parties’ Economy Act arguments fall to the wayside. It

matters not whether USDS can lawfully detail its personnel to the agencies; taking the complaint’s

allegations as true, even lawfully-detailed USDS personnel remain employees of USDS.

The upshot is that USDS personnel do not fall within the Privacy Act’s exception for

officers and employees of the agency maintaining the records systems. See § 552a(b)(1). Because

defendants concede plaintiffs satisfactorily allege § 552a(b)’s other requirements, the complaint

states an APA claim that the DOGE Access Policies violate the Privacy Act.

2. Other Statutes and Regulations

36 Defendants also argue that plaintiffs fail to state APA claims that the three DOGE Access

Policies violate FISMA; that the DOL DOGE Policy violates CISPEA and 5 U.S.C.

§ 2302(b)(9)(D); and that each DOGE Access Policies violate the respective agency’s own

regulations.

FISMA. FISMA “provide[s] a comprehensive framework for ensuring the effectiveness of

information security controls over information resources that support Federal operations and

assets,” 44 U.S.C. § 3551(1), by “assign[ing] responsibilities to the Director of [the Office of

Management and Budget] and to the head of each agency,” Cobell v. Kempthrone, 455 F.3d 301,

313 (D.C. Cir. 2006). Among other things, each agency head is responsible for “providing

information security protections commensurate with the risk and magnitude of the harm resulting

from unauthorized access, use, disclosure, disruption, modification, or destruction of” agency

information. § 3554(a)(1)(A). Plaintiffs allege the DOGE Access Policies violate this requirement

because “[o]n information and belief, the . . . Access Polic[ies] authorize[] access without

requiring the protections mandated by FISMA.” See Am. Compl. ¶¶ 244, 254, 261.

Here, defendants once again argue that plaintiffs’ claims are simply unreviewable under

the APA. As they see it, FISMA commits to agency discretion the question of “what measures

they should take to ensure compliance” with FISMA’s requirements, Mot. at 30–32, meaning that

alleged violations are unreviewable actions “committed to agency discretion by law,” 5 U.S.C.

§ 701(a)(2).

“[T]he § 701(a)(2) exception” to the general presumption of APA review is “quite

narrow[].” Dep’t of Com. v. New York, 588 U.S. 752, 772 (2019). The Supreme Court has

restricted the exception’s applications “to those rare circumstances where the relevant statute is

drawn so that a court would have no meaningful standard against which to judge the agency’s

37 exercise of discretion.” Id. at 772 (internal quotation marks omitted). To determine whether a

statute provides “no meaningful standard,” courts “consider . . . the language and structure of the

statute,” Sierra Club v. Jackson, 648 F.3d 848, 855 (D.C. Cir. 2011), as well as “formal and

informal policy statements and regulations,” Sec’y of Labor v. Twentymile Coal Co., 456 F.3d

151, 158–59 (D.C. Cir. 2006).

As defendants point out, the scant case law on whether fulfilling FISMA’s requirements is

committed to agency discretion weighs in their favor. While the D.C. Circuit has not decided the

issue, it has strongly implied that FISMA gives agencies full latitude to decide how to carry out its

directives. Cobell, 455 F.3d at 314 & n.5 (“We are far from certain that courts would ever be able

to review the choices an agency makes in carrying out its FISMA obligations.”). And the one

district court to decide the issue has gone the same way. In re U.S. Off. of Pers. Mgmt. Data Sec.

Breach Lit., 266 F. Supp. 3d 1, 43–44 (D.D.C. 2017), aff’d in part & rev’d in part on other grounds,

928 F.3d 42 (D.C. Cir. 2019).

This Court, however, need not put a stake in the ground on the issue. Assuming arguendo

that an alleged violation of 44 U.S.C. § 3554(a)(1)(A) is reviewable under the APA in the way

plaintiffs suggest, the complaint still fails to state a claim that the DOGE Access Policies violate

it. Not even plaintiffs think the Court can wade into defining what protections are “commensurate

with the risk and magnitude of the harm” that could result from unauthorized access. Opp’n at

25–26 (acknowledging the dicta in Cobell). Instead, they contend that APA review may lie where

the agency has made “no meaningful attempt . . . to consider or comply with” § 3554(a)(1)(A). Id.

at 26. But the complaint does not allege that agency defendants have ignored § 3554(a)(1)(A). To

the contrary, it acknowledges that each agency has adopted at least some regulations regarding

information security. See Am. Compl. ¶¶ 245, 255–56, 262–63. While plaintiffs allege agency

38 defendants have violated said regulations, their existence still evinces that each agency has

“provid[ed] information security protections” of some sort. § 3554(a)(1)(A). Plus, the complaint

alleges that leadership at each agency has authorized USDS personnel’s systems access. Am.

Compl. ¶¶ 69, 123, 150. Even drawing reasonable inferences in plaintiffs’ favor, these allegations

imply that the agency defendants determined that whatever protections agency heads employed—

even if they employed none—are what leadership deemed “commensurate with” any risk and harm

of “unauthorized access.” See § 3554(a)(1)(A). Plaintiffs may disagree with the agency

defendants’ assessments, but under plaintiffs’ own view of FISMA reviewability, claims of

violations of § 3554(a)(1)(A) are nonreviewable. Thus, the Court dismisses Counts Two, Three,

and Four to the extent they rely on the alleged violations of FISMA.

CISPEA. Pursuant to CISPEA, “[d]ata or information acquired by an agency under a

pledge of confidentiality for exclusively statistical purposes shall not be disclosed by an agency in

identifiable form, for any use other than an exclusively statistical purpose,” absent consent. 44

U.S.C. § 3572(c)(1). Plaintiffs allege (and only allege) that “DOGE personnel are likely to demand

access to BLS data and, pursuant to the DOL DOGE Access Policy,” DOL employees will grant

said access, “notwithstanding that doing so would violate CISPEA.” Am. Compl. ¶ 243.

Defendants argue that this allegation is insufficient to show the DOL DOGE Access Policy violates

CISPEA. Mot. at 32.

Defendants are right.17 Alleging a violation of § 3572 requires more than alleging an

agency is disclosing or will disclose data it obtained “for exclusively statistical purposes.” A

complaint must also allege that the agency’s disclosure was “for any use other than an exclusively

17 But not about everything. Defendants also argue that sharing BLS data with USDS personnel would not be disclosure, Mot. 32, an argument the Court already rejected, and that plaintiffs do not allege USDS personnel have accessed or will access BLS data, id., but plaintiffs allege that DOL leadership has ordered that USDS personnel receive any access they request, Am. Compl. ¶ 69, and that President Trump has taken issue with BLS data, id. ¶ 115.

39 statistical purpose.” § 3572(c)(1). Statistical purpose is defined as “the description, estimation, or

analysis of the characteristics of groups, without identifying the individuals or organizations that

comprise such groups” and “includes the development, implementation, or maintenance of

methods, technical or administrative procedures, or information resources that support th[ose]

purposes.” § 3561(12). But plaintiffs do not allege that the agencies are disclosing BLS data for

any nonstatistical use. While the complaint is generally silent as to agencies’ motivations for

disclosing data, the DOGE E.O. commands agency heads to give USDS personnel “full and prompt

access to all unclassified agency records” to use to “improve the quality and efficiency of

government-wide software, network infrastructure, and information technology (IT) systems,”

DOGE E.O. § 4, and anchors its broader orders in the purpose of “modernizing Federal technology

and software to maximize governmental efficiency and productivity,” id. § 1; cf. Ramada Decl.

¶ 5 (explaining that USDS personnel at DOL are detailed to the agency to “among other things,

assist the Department of Labor with improving its information technology and data organization

systems”); Am. Compl. ¶ 71 (incorporating Ramada Declaration). Modernizing and improving

the efficiency of BLS’s data systems falls within “the development, implementation, or

maintenance of . . . information resources that support” BLS’s statistical efforts. See

§ 3561(12)(B).

To be sure, the complaint alleges that USDS personnel may be using BLS data for

nonstatistical purposes. The complaint states that “[p]olitical leaders may wish for a BLS that is

less independent; one that, for example, . . . alters data to support the President’s political needs”

and that “[a] DOGE takeover of the type seen at other agencies could . . . turn [BLS] from a reliable

source of data . . . into a far less valuable political mouthpiece.” See Am. Compl. ¶¶ 116–17; id.

¶ 57 (alleging that the DOGE takeovers at other agencies have included USDS personnel

40 “chang[ing] data in [agency] system[s]”). But this does not allege that DOL is disclosing BLS

data—or any other agency data—for a non-statistical use, such as altering the data as a means to

the President’s political ends.

The complaint thus does not allege that the DOGE Access Policy is contrary to § 3572, so

the Court dismisses Count Two as to the CISPEA claim.

5 U.S.C. § 2302(b)(9)(D). Moving on, plaintiffs claim the DOL DOGE Access Policy also

violates 5 U.S.C. § 2302(b)(9)(D)—a provision of the Civil Service Reform Act (“CSRA”) that

prohibits agency leadership from terminating an employee because he “refus[es] to obey an order

that would require the individual to violate a law, rule, or regulation”—because the Policy requires

employees to give USDS personnel “access to any DOL system they requested access to” without

regard for “security protocols,” Am. Compl. ¶ 69; see also id. ¶ 68 (“DOL workers have been

ordered to give [USDS] access to anything they want—or risk termination.”). But the CSRA

“supplies a variety of causes of action and remedies to employees when their rights under the

statute are violated” that are “comprehensive and exclusive.” Grosdidier v. Charmain,

Broadcasting Bd. of Govs., 560 F.3d 495, 497 (D.C. Cir. 2009). So “[f]ederal employees may not

circumvent the [CSRA’s] requirements and limitations by resorting to the catchall APA to

challenge agency employment actions.” Id. The Court thus dismisses Count Two to the extent it

relies on 5 U.S.C. § 2302(b)(9)(D).

HIPAA. Plaintiffs claim that the HHS DOGE Access Policy violates a HIPAA regulation

that provides that “[a] covered entity or business associate may not use or disclose protected health

information, except” under certain conditions not relevant here. 45 C.F.R. § 164.502(a); Am.

Compl. ¶ 262. Defendants argue that the APA does not provide review of alleged violations of

HIPAA. Mot. 32–33. D.C. Circuit caselaw says otherwise. See, e.g., Assoc. for Comm. Affiliated

41 Plans v. U.S. Dep’t of Treasury, 966 F.3d 782, 788 (D.C. Cir 2020). Still, the complaint fails to

plausibly allege that the HHS DOGE Access Policy violates § 164.502(a) because HIPAA does

not apply to HHS: it is not (nor do plaintiff allege it is) a “covered entity” or “business associate.”

See 45 C.F.R. §160.103 (defining “covered entity” to include only “health plan[s],” “health care

clearinghouse[s],” and certain “health care provider[s]” and “business associate” as persons

associated with covered entities). The Court therefore dismisses Count Four to the extent it claims

the HHS DOGE Access policy is contrary to HIPAA.

Other Agency Regulations. The final way plaintiffs claim the DOGE Access Policies are

contrary to law is that each policy violates preexisting DOL, HHS, and CFPB regulations. Am.

Compl. ¶¶ 245, 255, 262. Each of these regulations prohibit agency defendants from disclosing

their records unless permitted by the Privacy Act. See 20 C.F.R. § 10.10 (DOL regulation on

FECA); 45 C.F.R. § 5b.9(a) (HHS regulation); 12 C.F.R. § 1070.59 (CFPB regulation).

Defendants argue that the complaint fails to allege the DOGE Access Policies violate these

regulations solely because the complaint does not allege the Policies violate the Privacy Act. Mot.

at 33. The Court has determined the complaint alleges that the Policies violate the Privacy Act

and thus the Court denies defendants’ motion as to these regulations.

* * *

In sum, the Court dismisses Counts Two, Three, and Four to the extent they rely on

violations of FISMA, Count Two to the extent it relies on violations of CISPEA or 5 U.S.C.

§ 2302(b)(9)(D), and Count Four to the extent it relies on a violation of HIPAA. But the complaint

plausibly states APA claims that the DOGE Access Policies violate the Privacy Act and the agency

defendants’ related regulations.

42 iii. Without Observance of Required Procedures

In addition to claiming the DOGE Access Policies are contrary to law, 18 plaintiffs also

allege they are procedurally unsound. See 5 U.S.C. § 706(2)(D) (instructing courts to “hold

unlawful and set aside agency action[s]” that did not “observ[e] . . . procedure required by law”).

The complaint states that each Policy “effectively revoked [the] pre-existing” agency “regulations

governing disclosure of sensitive . . . records and information” to which plaintiffs also claim the

Policies were contrary. See Am. Compl. ¶¶ 248, 256, 263. Because these regulations were

promulgated through notice-and-comment rulemaking, plaintiffs claim that agency defendants

were prohibited from promulgating the DOGE Access Policies without going through the same

procedures. Opp’n at 28; see Am. Hosp. Ass’n v. Bowen, 834 F.2d 1037, 1044 (D.C. Cir. 1987)

(Section 553 of the APA “requires agencies to afford notice of a proposed rulemaking and an

opportunity for public comment prior to a rule’s promulgation, amendment, modification, or

repeal.”). Defendants urge the Court to dismiss the claim because the agency “[d]efendants have

not disclaimed, formally or otherwise, their regulations about system access.” Mot. at 33–34. The

Court agrees with defendants. The complaint may allege that the DOGE Access Policies violate

these regulations, but it does not allege that the violations have been revoked. No allegation states

or reasonably implies that the pre-existing system-access regulations do not continue to apply in

full force in all situations in which the disclosure would be to someone or to some agency other

than USDS and its personnel. So the Court dismisses Counts Two, Three, and Four’s claims

relating to notice and comment.

18 The complaint also asserts that the DOL DOGE Access Policy is arbitrary and capricious because it fails to consider (1) “the impact” on and “the reliance interests of” individuals whose information DOL systems hold, and (2) that giving USDS personnel access to DOL systems such as OSHA could allow Musk to “improperly access complaints against [his] companies or information related to active Department of Labor investigations into [his] companies.” Am. Compl. ¶ 246–47. Defendants’ motion does not challenge that claim.

43 b. Free-standing Privacy Act Claims

Now that the Court has waded through the APA quagmire, it turns to Count Five: the claims

against all defendants under the Privacy Act’s private right of action. The Court quickly disposes

of these claims. As defendants explain, plaintiffs—all of which are organizations—do not have a

private right of action under the statute. Mot. at 34–35. Recall that 5 U.S.C. § 552a(g)(1)(D)

provides a private right of action for violations of § 552a(b). But only an “individual may bring

[such] civil action against the [offending] agency.” § 552a(g)(1) (emphasis added). Where a

statute explicitly grants a cause of action only for an “individual,” that cause of action generally

does not extend to organizations. See Mohamad v. Palestinian Auth., 566 U.S. 449, 454–56

(2012). Indeed, courts in this District and around the country have explained that “the Privacy

Act’s text permits no . . . interpretation” other than that organizations do not fall within the scope

of its civil right of action. See AFGE v. Hawley, 543 F. Supp. 2d 44, 49 & n.8 (D.D.C. 2008)

(collecting cases). The Court will thus dismiss Count Five.

c. Ultra Vires

Finally, the Court addresses the complaint’s first count, the ultra vires claim against USDS.

This non-statutory form of review derives from courts’ equitable authority to “reestablish the limits

on” executive authority “[w]hen an executive acts ultra vires.” See Dart v. United States, 848 F.2d

217, 224 (D.C. Cir. 1988); Aid Ass’n for Lutherans v. U.S. Postal Serv., 321 F.3d 1166, 1172–

1733 (D.C. Cir. 2003). But this “is a doctrine of last resort, ‘intended to be of extremely limited

scope.’” Schroer v. Billington, 525 F. Supp. 2d 58, 65 (D.D.C. 2007) (quoting Griffith v. Fed.

Labor Relations Auth., 842 F.2d 487, 493 (D.C. Cir. 1988)).

Plaintiffs allege that USDS’s actions are ultra vires because Congress did not create USDS

and thus did not imbue it with the power to exercise the power the complaint alleges it has been

44 exercising—i.e., directing operations and personnel at the agency defendants. See Am. Compl.

¶¶ 226–36. In their motion to dismiss, defendants urge the Court to dismiss Count One because

the complaint does not “plead a specific statutory bound [that] USDS has allegedly exceeded.”

Mot. at 36.19

As plaintiffs point out, however, that argument is barking up the wrong tree. Plaintiffs do

not allege that USDS is exceeding the statutory authority it has been granted; they “allege that

[USDS]’s actions are ultra vires because no statute grants it power.” Opp’n at 33 (emphasis

added).20 The best reading of this argument, and thus the best reading of plaintiffs’ complaint, is

that USDS is operating without any legal authority whatsoever, whether statutory or constitutional.

Yet, “[t]o act within its authority, the President or the Executive Branch must act based on authority

that ‘stem[s] either from an act of Congress or from the Constitution itself.’” Does 1-26 v. Musk,

Civ. A. No. 25-0462 (TDC), 2025 WL 840574, at *20 (D. Md. Mar. 18, 2025) (quoting

Youngstown Sheet & Tube Co. v. Sawyer, 343 U.S. 579, 585 (1952)). Plaintiffs allege that USDS

has been directing operations and personnel decisions at Congressionally-created agencies that

Congress has imbued with the authority to exercise specific responsibilities. See Am. Compl.

¶¶ 226–36. And, at this stage, the Court must accept those allegations as true. See Air Excursions,

19 Defendants do not contest that USDS is an agency—either for purposes of judicial review or APA review. See Mot. at 35–36 (citing ultra vires agency review precedent and seemingly arguing that plaintiffs would have an alternate remedy against USDS under the APA); see also Second TRO Order at 6–8 (determining that USDS appears to be an agency within the meaning of the Economy Act in part by reference to the APA’s definition of agency); AFSCME, 2025 WL 868953, at *56 (same). 20 Plaintiffs also argue that the complaint does allege a specific statutory bound that USDS has exceeded— the Privacy Act. Opp’n at 33–34. But the Privacy Act prohibits an agency from disclosing records, not receiving unlawfully disclosed records. See § 552a(b). And the complaint does not allege that USDS is itself unlawfully disclosing records. The Court notes that, even if the complaint did allege as much, it likely wouldn’t state an ultra vires claim because plaintiffs would likely have an alternate procedure for review under the APA. See supra n.24; Med. Imaging & Tech. Alliance v. Library of Congress, 103 F.4th 830, 841 n.7 (D.C. Cir. 2024) (determining Library of Congress is an agency under the APA and explaining that, as a result, “the ultra vires claim is no longer available” since there exists an alternate procedure for review).

45 66 F.4th at 277. Yet defendants’ motion to dismiss points to no legal source that grants USDS the

authority to take these actions. See Opp’n at 33–34. “But this is” defendants’ “motion to dismiss

and they bear the burden of persuading the Court that plaintiffs’ claim must be dismissed.” Ctr.

for Biological Diversity v. Trump, 453 F. Supp. 3d 11, 48 (D.D.C. 2020) (cleaned up). They have

failed to meet that burden here given the allegations of the complaint. So, while the Court

acknowledges that ultra vires claims are “extremely limited in scope,” Griffith, 842 F.2d at 493,

for now “the Court will permit” the ultra vires claim “to proceed”—at least at “the early stage of

these proceedings.” See Ctr. for Bio. Diversity, 453 F. Supp. 3d at 48.

CONCLUSION

This is a dynamic case undergirded by a set of facts evolving before the Court’s eyes. But

no matter how the record unfolds, the complaint remains static. Assuming the allegations therein

as true, plaintiffs have standing to sue each defendant for each claim, but they fail to plausibly

allege Count Five, along with some of their APA claims in Counts Two, Three, and Four. The

Court thus grants in part and denies in part defendants’ motion to dismiss without prejudice—and

prepares itself for the twists and turns this case will surely continue to bring. An Order consistent

with this Opinion shall issue.

SO ORDERED.

/s/ JOHN D. BATES United States District Judge Dated: April 16, 2025