A view from DC: Conflicts over data are battles for power

The long-lingering atmosphere of uncertainty in the nation's capital has given way this week to open power struggles. Last night, Attorney General Pam Bondi purported to appoint a new "emergency police commissioner" with "all the powers and duties" of the jurisdiction's existing police chief, setting up a direct conflict with the local government and disrupting the otherwise relatively cooperative implementation of the president's assertion of direct executive power over the District.

One underlying disagreement prompting the action appears to relate to immigration enforcement and the level of cooperation between federal officials and local police. A debate over the appropriate level of information sharing between law enforcement agencies is one core aspect of this disagreement.

Privacy professionals should not be surprised to see personal data cropping up again and again in such legal battles. After all, in the digital age, data has become the basic fuel of power and control.

Quieter but no less contentious battles over the administration's access to personal data have been raging in the courts throughout the year. They have led to a dizzyingly complex set of preliminary court opinions about data access touching everything from Social Security and tax records to state-managed voter rolls and public benefits programs. It is still far from certain how these cases will play out as they move beyond their initial stages, but the clear trend is toward allowing, at least temporarily, the administration's push for increased centralization of data, though with ongoing limits on usage of this data and other guardrails.

Most recently, the U.S. Court of Appeals for the 4th Circuit vacated a preliminary injunction that had kept Department of Government Efficiency personnel from accessing records held by some federal agencies. The 2-1 decision in American Federation of Teachers v. Bessent allows DOGE to move forward with administrator-level access to data systems at an additional tranche of agencies, including the Department of Education, which includes the Student Loan Data System with the records of 43 million Americans.

This data access debate, like many similar other ongoing court actions, stems from Executive Order 14158, signed by President Donald Trump on the first day of his second term. The order created DOGE, both as a centralized authority within the White House, and as a decentralized set of administrators to be hired by each federal agency.

The Executive Order requires DOGE representatives to "improve the quality and efficiency of government-wide software, network infrastructure, and information technology (IT) systems." In service of this mission, DOGE has sought access to databases across the federal government.

At issue in this case and other similar cases has been the question of whether such access violates the Privacy Act of 1974, which strictly limits how U.S. federal agencies can access, share and use personal data.

Writing for the majority, Judge Julius Richardson contends that the Privacy Act of 1974 does not forbid the sharing of information with government employees who have a "good reason to access it" as part of their official duties. To demand that DOGE specify its exact data needs in advance would be to "demand something just short of clairvoyance."

Even if the plaintiffs can successfully assert a violation of the Privacy Act, an "injury in law," they must also show a concrete injury, an "injury in fact," which requires comparisons to other harms in American common law. The IAPP previously analyzed the current requirements for standing in American courts, which were most directly clarified in the 2021 TransUnion case.

Focusing on the traditional tort of intrusion upon seclusion, Judge Richardson downplays the importance of access by "a handful of government employees" as a sufficient privacy injury. A few more government officials with access is not the same as a journalist or detective invading an individual's seclusion, especially when "each Plaintiff's information is one row in various databases that are millions upon millions of rows long. In fact, Plaintiffs do not allege in their complaint that any particular row of information belonging to any particular Plaintiff has been examined at all."

And other traditional privacy torts are not helpful to the plaintiffs because they all require public disclosure.

Although the opinion takes pains to highlight the fact that this is a preliminary ruling subject to the limitations of summary judgment, it also deploys an onerous interpretation of how summary judgment should work, which the majority terms the "multiplicative problem." In short, in complex cases where a plaintiff must win on multiple, independent legal hurdles to prevail — such as establishing standing, proving the matter is reviewable under the American Procedure Act, and then proving a violation of the Privacy Act — their overall probability of success is not their average chance, but the product of their probabilities on each separate issue.

Thus, as the court concludes:

"We do not hold with certainty that Plaintiffs lack standing, that they have not challenged final agency action, that they cannot sue under the APA, or that the DOGE affiliates' IT access falls into the Privacy Act's need-to-know exception. We instead come to a statistically surer conclusion: that Plaintiffs have failed, by a decent margin, to show that they will likely prevail on all of these issues combined. The district court abused its discretion in finding that Plaintiffs were likely to prevail on each one, and with such certainty that they were likely to succeed overall."

In his dissent, Judge Robert Bruce King takes direct issue with the majority's novel multiplicative approach, warning that it effectively "stacks the deck" against plaintiffs and imposes an impermissibly "heightened standard" for obtaining relief, going far beyond the established requirements of the Supreme Court's test in Winter v. Natural Resources Defense Council. He concludes with a preview of how these seemingly arcane debates over procedural legal hurdles will likely be determinative for the DOGE story.

"I would reject the panel majority's heightened standard and affirm the district court's Preliminary Injunction as a proper application of the entire four-factor Winter test. In any event, similar questions about the applicable standard, the likelihood of success on the merits, and the other Winter factors are set to be considered and decided by our en banc Court in … American Federation of State, County & Municipal Employees v. Social Security Administration, concerning DOGE's access to Social Security records containing the highly sensitive personal information of essentially everyone in our Country."

Whether the debates play out on procedural grounds, administrative procedures or substantive battles over legal privacy protections, we are still far from the end of understanding how the Trump administration's unified executive theory will interact with data privacy norms in the U.S.

Please send feedback, updates and sub sandwiches to cobun@iapp.org.