If you had a chance to pose any question to the person in charge of protecting Americans' privacy as the US Department of Homeland Security executes its mission, what would you say? I had that chance this month when Hugo Teufel, departing chief privacy officer at the DHS, delivered an address, entitled "Reflections on My Time as DHS CPO of the War on Terror," to the Twin Cities Privacy Retreat.
After the address, I cornered Teufel for some follow-up questions. Those and his answers follow.
Your last public act as DHS CPO was to release a report (download PDF) critical of data practices at European hotels. What do you hope this will accomplish? Critical of hotels?
No. We issued a report that set forth the facts and the law, as we currently understand them, about data protection in the "third pillar" and in certain EU member states with regard to security service collection and use of hotel guest registration data, a common practice throughout Europe. If we were critical, it was of the officials who were reluctant in being transparent about what their security services do with hotel guest registration data.
In your speech, you said US CPOs would be wise to understand how the European Union treats privacy differently within its "first pillar" commercial policy and "third pillar" security areas. Can you elaborate?
The rules covering the same personally identifiable information appear to be different for security services than they are for businesses operating in the EU. Security services may make demands of businesses for certain data, which by law the businesses are not allowed to collect. The businesses can refuse, risking the wrath of the security service, or they can comply, risking punishment from the data-protection authority, which may not have competence over the security service collection and use of that data. It's a real catch-22.
What was your top lesson learned from the US-EU compromise on the sharing of airline passenger name records?
Sadly, that politics sometimes took precedence over the security and privacy of Americans and Europeans.
Hey, that involved Treasury, not DHS! I will say that, generally speaking, one should be on firm legal and policy footing when trans-Atlantic data flows are concerned. Certainly, never underestimate the importance of data protection to the Europeans.