The Trump administration has unlawfully accessed the private data of federal employees in an equally illegal attempt to dismantle the Consumer Financial Protection Bureau (CFPB), according to a lawsuit filed on Monday.

Throughout the nearly seven months of his second term, the 45th and 47th president openly expressed his disdain for the CFPB – an agency widely regarded as the creation of Sen. Elizabeth Warren. In February, Trump stated that his intention was for the CFPB to be “totally eliminated” because “number one, it was a bad group of people running it, but it was also a waste.” That same month, while still serving as a special employee leading the Department of Government Efficiency (DOGE), Elon Musk posted “CFPB RIP” on his personal X, formerly known as Twitter.

But the attacks on the agency have not only been rhetorical.

The CFPB’s Acting Director Russell Vought has instructed the agency’s employees to close operations and, in a message to the entire agency, to stop performing “any work tasks.” In another message, he directed specific CFPB staff to instead assist “DOGE members with requests.”

Currently, a labor union representing federal employees from numerous agencies and departments claims that the CFPB director’s concessions to DOGE have excessively divulged sensitive employee information, breaching multiple federal laws.

“CFPB has a statutory responsibility to safeguard the information it collects and maintains about its employees from unlawful disclosure to third parties,” the lawsuit states. “The Bureau has acted contrary to law and regulation by granting DOGE and its members access to the records that the Bureau collects and maintains about every CFPB employee.”

In their 26-page amended complaint, the National Treasury Employees Union (NTEU) alleges that Vought provided DOGE and its agents with “unauthorized and unfettered” access to employees’ personally identifiable information (PII), violating the federal Privacy Act, the Administrative Procedure Act (APA), and internal CFPB regulations.

To hear the plaintiffs tell it, disclosure of such information is specifically governed by the Privacy Act. Here, the lawsuit describes something like a cross-referencing of rules and laws.

And, to be clear, this is an argument about massive reams of data.

“At the Office of Personnel Management (OPM), a DOGE team sought and obtained access to federal employee personnel information. DOGE team members have access to a massive database called Enterprise Human Resources Integration, which contains dates of birth, Social Security numbers, appraisals, home addresses, pay grades and length of service of government workers,” the lawsuit explains.

Essentially, whenever the CFPB wants to make changes – or grant access to – these wholesale databases, their internal rules require what is called a “system of records” alteration. But the Privacy Act itself requires a “System of Records Notice” when such an action occurs. The act also requires the CFPB to file a pre-notice statement in the Federal Register 30 days before the action.

Under federal law, the pre-notice filing is mandatory to “provide an opportunity for interested persons to submit written data, views, or arguments to the agency.”

In the present litigation, which was actually initiated in February, the plaintiffs argued the last such notice filed in September 2024 did not grant CFPB or DOGE access to PII data. Earlier this month, however, the Trump administration issued a new notice.

The plaintiffs allege the new notice, while enumerating 16 separate “routine uses” for employee data – including “categories of users and the purposes of such uses” – is still insufficient.

At heart, the plaintiffs say there are very few reasons the agency’s management is allowed to share sensitive information about the agency’s staff – and all such reasons are in the CFPB’s internal rules. Those “narrow” disclosure reasons “do not include disclosure for purposes of dismantling CFPB,” according to the lawsuit.

The plaintiffs go on to say that, despite efforts to paper over their earlier disclosures with new bureaucratic language, the government has still failed to justify granting DOGE “unauthorized” access to such data.

“CFPB has not, and indeed cannot, show that disclosure of employee information to DOGE falls within a statutory exception to the Privacy Act,” the lawsuit argues. “Nor can CFPB show that disclosure of employee information is permissible under the ‘routine use’ exception to the Privacy Act. “

The NTEU explains, at length:

CFPB has failed to demonstrate how the disclosure of specific and highly sensitive employee information, including Social Security numbers, personal addresses, biographic and demographic data, health-related information, employment background information, and information related to employee family members, dependents, beneficiaries, and other emergency contacts, to DOGE members comports with the intended use of that employee information.

Moreover, even if disclosure of employee information to DOGE could be defined as a “routine use”, none of the permissible routine uses listed in CFPB’s Employee Administrative Records System of Records Notice allow for the disclosure of such employee information to DOGE or its members.

The lawsuit has been assigned to U.S. District Judge Richard J. Leon, a George W. Bush appointee known for his expressive writing style and dogged criticisms of what he views as governmental overreach.