Chief U.S. Data Privacy Officers Reach Out to EU

May 7, 2007

Jane Horvath, Chief Privacy Officer at the U.S. Department of Justice, and Hugo Teufel, Chief Privacy Officer at the Department of Homeland Security, were in Brussels the week of May 7 to discuss U.S. data privacy protection and legislation. They met with a number of members of the European Parliament’s Civil Liberties committee, European Union Data Protection Supervisor Peter Hustinx, European Commission Director General for Justice, Freedom and Security Jonathan Faull and other EU officials, and industry experts. They also spoke at an event at The Centre think tank.

Below is the unofficial transcript of a press briefing that took place at the U.S. Mission to the EU on May 7:

Hugo Teufel, Chief Privacy Officer at the U.S. Department of Homeland Security (left) and Jane Horvath, Chief Privacy Officer at the Department of Justice, speak at a media roundtable in Brussels, May 7, 2007. Photo: Marijke Hendrickx

Ms. Horvath:  I’m Jane Horvath. I’m the Chief Privacy and Civil Liberties Officer at the Department of Justice.  I’ve been in the position for a year.  Prior to joining the Department of Justice I ran the Washington, D.C. Office of Privacy Laws in Business, which is part of a UK privacy consulting firm.  It was started by Stuart Dresner, who is very well known in Europe as a privacy consultant.

So when I came on I had an expertise in first pillar EU data protection.  Upon arriving at the Department of Justice I started working with our Office of International Affairs.  About that same time data protection issues started to creep into some of the agreements that we were doing with the EU and the member states of the EU, so they asked me to get involved on the data protection side and do some outreach.  They felt like there was a lot of misunderstandings about how we treat data in the U.S. as opposed to Europe.

What I have been trying to do and what we as a government are trying to do is identify common principles that we share in common with the EU, and basically our data protection law which is the Privacy Act and the EU data protection directive both derive from the Fair Information Principles.  They were developed by HEW which was a U.S. agency back in the early ‘70s, I believe, or maybe late ‘60s, to determine how to fairly handle information.  They’re open as redress, collection limitations.

So what we are working on, after the last PNR agreement in the fall, the Attorney General and Secretary Chertoff and [European Justice, Freedom and Security] Commissioner Frattini determined that it might be a good idea for us to get together in a high-level contact group and identify these common principles and work out commonalities between us.  So we established the high-level contact group, which is made up of assistant secretary level personnel in the U.S. and also Hugo and myself, and then EU officials.  Under that we’ve established an experts group to actually work out the details and specifics of those principles.

That’s why I’m here today, to meet with EU officials about the commonalities that we share.

Mr. Teufel:  Thank you very much.  It’s great to be here.  I’m Hugo Teufel, the Chief Privacy Officer for the Department of Homeland Security.  I’ve also been designated and have responsibility for FOIA, so I’m the Chief Freedom of Information Act Officer at the Department.

Prior to my joining the Privacy Office I had been in the General Counsel’s Office providing legal advice and counsel on, among other things, FOIA, privacy, civil rights and civil liberties.  Before that I had served in the Solicitor’s Office at the Department of Interior, again providing advice and counsel in the same areas.

A little bit more about me, I’ve been in private practice out in Colorado, worked in the Colorado Attorney General’s Office where I was the Deputy Solicitor General and handled criminal and civil matters as well as open records issues.  Presently, in addition to being the father of a one-year-old daughter who is just absolutely wonderful and keeps me awake every night, especially the last night that I was in D.C. before I flew here, I’m also working on a Master’s Degree through the Naval War College in National Security Studies.  In my spare time I serve in the Army National Guard.

So Jane had mentioned why we’re here and I’m here for the same reasons.  In addition I’ll be traveling to Switzerland to meet with the Data Protection Authority there and going over to the University of Constance on the Bodensee or Lake Constance to meet with some professors from the university with whom I participated on a panel through the, I think it was the Marshall Fund three or four months ago.  I had promised them that the next time I was in Europe I would go to the university to talk with them about privacy in government.

You all are working on your third pillar and as Jane mentioned, we already have worked that out through the Privacy Act of 1974.  What undergirds the Privacy Act, and I can’t stress this enough, neither of us can stress this enough, because as we look for what we have in common with the Europeans on privacy the answer is the Fair Information Practice Principles that undergird the Privacy Act of 1974.  They also were adopted, recognized by the OECD in the 1980s.  That is where we have commonality.  That’s the base upon which we can work together.

I’ll stop with that, and fire away.

Question:  You mentioned your part in this high-level contact group.  I presume this is the one that was settled earlier on this year, you met for the first time in January I think?

Ms. Horvath:  We met in December, didn’t we?  I think we had an early December meeting.

Question:  You’re saying it’s to identify common principles.  If you can just expand that out, what exactly are you talking about?

Ms. Horvath:  There’s no mandate on the EU side at this point to negotiate, so what we are doing is exploring to see whether we can come to an agreement.  It’s very easy because we both work from the basis of the Fair Information Principles, but when we come down to the specifics, as Hugo mentioned, we have been working in the third pillar since 1974 but the EU has not yet settled their draft framework decision with regard to data protection in the third pillar.

So while we are set on what we have done in the third pillar, the EU is not.  So it’s more difficult for them to make a commitment in the third pillar, but we’re trying to figure out whether we have enough commonalities that the EU could then go and get a negotiating mandate and that would settle a lot of the issues between the two countries with respect to data protection if we could move on down past the idea of identifying commonalities into an agreement.

Question:  In terms of practicalities then were you talking about the data protection safeguards around PNR, around SWIFT?

Ms. Horvath:  Around all third pillar transfers.

Question:  Obviously you’re probably aware there is some concern among Europeans that data is not being protected to adequate levels with regards to both those examples, PNR [Passenger Name Records] and SWIFT?  Are you talking about how that can be achieved?

Ms. Horvath:  We are, but I do want to raise one issue.  When we checked in at our hotel we were asked to fill out information that included our passport, our name, our address, our birth date, and it said Police at the top.  There was no notice, no explanation of how our data was going to be treated. And knowing that the EU has no third pillar data protection I think we’re in somewhat the same boat in the third pillar.

Mr. Teufel:  If you were to go to the United States, in fact any American checking into a hotel having to provide that kind of information would be outraged, would be incensed. 

I wanted to point something out.  You mentioned SWIFT.  Jane works for the Department of Justice, I work for the Department of Homeland Security.  SWIFT involved the Department of the Treasury.  So I want to make it clear, yes, there are things that happened in SWIFT and the Europeans are very concerned about that.  It wasn’t my agency, it wasn’t Jane’s agency that was involved with that.

You have to forgive me, I just got off a plane, so not only are my arms tired from flying over here, but I’m tired.

You mentioned PNR.  We did a lot of work in that area, both the [Homeland Security] Department in negotiating with the Europeans and then my office in issuing a privacy impact assessment and system of records notice. In addition to that the department has, as a matter of policy, recognized and extended Privacy Act protections to non-U.S. citizens.  I don’t know how familiar you are with the Privacy Act, but by the terms of the Act it covers legal permanent residents and U.S. citizens.  It does not extend to others, people who might be visiting from Europe or elsewhere around the world.  As a matter of policy we have extended the protections which includes the right to seek out whatever information the agency has on you and the right to amend that information.  The one thing we can’t do as a matter of policy because our Constitution and our courts don’t allow us to do so, is extend the right of judicial review.

So I would take issue with you that we are not doing enough to safeguard PNR information.  That’s not true.  We’ve done quite a lot.  And I would urge you to be more familiar with the Privacy Act and the protections that we afford under that Act.

Ms. Horvath:  One of the protections that the Privacy Act does build into it is transfers between agencies.  A lot has been said about purpose and repurposing of information and the Privacy Act controls that, whether you pass information between agencies, it has to be for a similar purpose or the same purpose.

One of the reasons that we are here is to dispel some of the myths that have arisen in connection with PNR and other data transfers.

Question:  When you say the right to judicial review, presumably you mean the right for European citizens to say, excuse me, the information you have, I want to have a look at it to see that it’s correct, and if it’s not correct I want to be able to challenge it. It’s a cornerstone of our legislation.

Mr. Teufel:  Absolutely, but that’s under the Privacy Act.  Then you have the Freedom of Information Act. You can request the same information under the Freedom of Information Act.  Now there may be an exemption that precludes that release, there may not be.  It depends on the situation.

Anyone can avail him or herself of the courts of the United States under the Freedom of Information Act.  It’s not based on citizenship as it is with the Privacy Act.

Question:  What’s the average time it takes for a Freedom of Information Act request to be granted?

Mr. Teufel:  It depends.  I won’t speak to the Department of Justice.  I can tell you that within Homeland Security it would depend upon which of the components you were making the request of.  By the way, the Department of Justice is the main department for Freedom of Information Act, and each executive branch agency is required to submit on an annual basis the status of FOIA requests, Freedom of Information Act requests.  How many there were, how many appeals there are, what the average period of time is per request.  All of that information is publicly available.

So getting back to your question, some components within Homeland Security are very timely.  The law specifies that there’s 10 and 20 day periods for the request and for the appeal, assuming that one has properly addressed the request or the appeal. 

Some components of DHS are very timely, others are not so timely. Unfortunately, Citizenship and Immigration Services has a significant backlog right now and again, you can look up this information.

Ms. Horvath:  It’s on the DOJ web site, USDOJ.gov.

Mr. Teufel:  But they’re fairly timely.  I haven’t made a FOIA request on myself in some time, but I know that 20 years ago, 20-plus years ago I used to work at the Department of State and I made a Privacy Act FOIA request on myself and it took about nine months to get that stuff.  I think they’ve gotten better, by the way.  And I know that the Department of State’s hosting us here so I should probably be not mentioning how tardy they’ve been in the past. 

Ms. Horvath:  The President recently issued an Executive Order urging more timeliness in the processing of FOIA requests so it’s something that the administration is very aware of and working hard to speed up.

Mr. Teufel:  Under the Executive Order there was a requirement to submit reports and I think those reports may be public. 

Ms. Horvath:  They are. 

Mr. Teufel:  They are.  As I’m thinking about our web site I’m realizing that our report’s on there so I’m sure everyone else’s has theirs. 

Ms. Horvath:  An Executive Order is basically a policy order by the President of the United States and it has the effect of law on each of the departments. 

Question:  Can I ask a really broad question?  I had the impression it was really post September 11th legislation that created sort of a wider gulf between Europe and the United States’ perception of we’re at war and Europe’s not.  You’re going back to an act from 1974.  Do you think that can overcome the policy changes that we’ve had more recently that seem to be the basis of those mindsets? 

Mr. Teufel:  We’re asking what the issue is here.  We’ve had the Privacy Act for 33 years.  

Ms. Horvath:  Nothing’s changed. 

Mr. Teufel:  Nothing’s changed other than the United States was attacked and realized that it had to do a better job of sharing information and obtaining information on persons who might be threats to the United States.  But doing so within the law. 

Question:  When do you expect this high-level group to have finished its work?  Do you expect the common principles to be set in July, for example?   

Ms. Horvath:  Ideally it would be a dream to have that happen.  We’re working hard.  We’re having a lot of expert meetings.  We will have some more expert-level meetings later this week.  It’s one of the reasons we’re in to try to be face-to-face. 

Question:  But it would be a dream that -- 

Ms. Horvath:  There is an intense hope that we can come to some kind of solution because it would be an ideal way to dispel a lot of the tension between the parties. 

Question:  If there is no agreement on these common principles in July that means -- 

Ms. Horvath:  Then we’ll continue working on it. 

Question:  But there won’t be any agreement on the PNR issue?  If that means -- 

Ms. Horvath:  No, they’re separate.  There are separate negotiations going on on PNR. 

Question:  I was just wondering if you could specify a little bit about what you mean by coming to some sort of solution.  If you come to a solution will that still have to be discussed on another level?  How much influence will your high-level expert group have? 

Ms. Horvath:  I think it depends on what negotiating mandate the EU Commission is granted by the ambassadors in the third pillar.  Right now competency lies within each of the member states in the third pillar so they’ll have to have a negotiating mandate and each of the member states would then have to sign off on whatever agreement we were able to conclude.  At that point that would control the data protection principles surrounding European data. 

Question:  On the SWIFT stuff, I know you're saying originally it wasn’t yourselves, it was Treasury.  But the implications for data protection, I presume you guys have oversight on it or -- 

Mr. Teufel:  It’s not our agency. 

Question:  A broader level, in terms of the Europeans, one of the things that alarms them most about SWIFT was the fact that this was something that was done by, originated from effectively U.S. subpoenas.  And requesting this information, SWIFT says they had no choice but to comply with it.  Is there any kind of talk within your group about actually informing Europeans when things like this happen?  That’s one of the problems the public has.  This information was going over for years before anybody knew about it. 

Ms. Horvath:  I think that is an interesting question to think about American data as the European member states move into having a PNR-like regime or requesting our own data.  Our landing cards, do we know what happens to the data when we land?  I think that is one of the things we’re looking at in the high-level contact group is what kind of notice is necessary?  Collection limitations.  So we as Americans and you as Europeans know what’s going to be expected and what kind of notice and limitations will be put on with respect to data. 

Question:  So you think that will come to it, where you’ll say if we do subpoena a company which has European data, we will tell you? 

Mr. Teufel:  The line of questions that you’re asking go above our departments, although certainly the Attorney General would be involved in the Department of Justice as the government’s lawyers would be involved.  But really, that’s a high-level policy matter that’s above either of us. 

Ms. Horvath:  A subpoena is a law, it’s controlled by a body of law, when you can subpoena data.  There is judicial oversight of a subpoena.  So that is a very established body of law.  The company that owns the data is subpoenaed for the data.  I would argue that whether the subpoena is secret or not, that’s whether the contents of the subpoena could be disclosed to the customers or not by the person who’s subpoenaed.  It’s governed by the content of the subpoena itself and the rules that are issued in the subpoena. So that would not be something we would be addressing as a high-level contact group because that’s a matter of law in the United States.  And settled law. 

Question:  Are the Europeans looking for anyone else to sort this out? 

Ms. Horvath:  I don’t think there’s anything to really sort out. 

Question:  A lot of the customers who had their banking [inaudible] in the U.S. Treasury. 

Ms. Horvath:  Like I said, it’s not our program, but at the same point, it’s data that was in the U.S. and was subpoenaed by legitimate legal process. 

Question:  I just want to try and understand you.  At what point in the PNR, I think it’s going to run out in July and you’re here now talking about identifying common principles.  Are we really having to say, given the heavy process in Europe that it takes to make these sort of decisions, we’re going to have to start again, we’re going to have to build from the beginning, and that these agreements are going to take a lot longer? 

Mr. Teufel:  The two sides will negotiate the agreement by July, and if not by July we’ll do as we did last year and we’ll work it out and some point after that we’ll get an agreement done. 

I don’t know if Jane wants to add anything.  I’m hesitant to talk about the negotiations while the negotiations are ongoing. 

Ms. Horvath:  Absolutely. 

Mr. Teufel:  There is a system of records notice which is a formal document that’s required under the Privacy Act, I’m sure you’re aware of that, that my office issued.  And I would not be surprised if I were any of you, to be seeing sometime in the near future a revised system of records notice on ATS.  Automated Targeting System.  That may be fairly soon. 

Ms. Horvath:  The two are not tied together.  The HLCG [High-Level Contact Group] is not going to hold up PNR.  They’re different negotiating teams. 

Question:  What does system of records mean? 

Ms. Horvath:  It’s the mechanism under the Privacy Act pursuant to which we’re required to give notice of collections of data.  It is published in the Federal Register and the Federal Register is available on the World Wide Web, and it’s also published in a hard-bound copy. 

Mr. Teufel:  That’s required under the Privacy Act of 1974.  There’s an additional law that comes into play and that’s Section 208 of the E-Government Act of 2002.  Section 208 requires privacy impact analyses on every time when a government agency is using or leasing, purchasing IT [information technology] systems.  It requires that the privacy impact analysis, whenever personally identifiable information is going to be used in that IT system.  So the two are separate requirements under separate laws, but after 2002 invariably if a system of records notice is to be issued a privacy impact analysis will be issued as well. 

With respect to ATS, my office issued a system of records notice and a privacy impact assessment back in November/December and if you have not been to our web site, I urge you to look at it.  It’s DHS.gov/privacy.  There are lots of links. 

Unfortunately, unlike all the European data protection web sites, ours is only in English.  It may not be easy for you to navigate, as easy as it was for me to navigate some of the European Data Protection Commissioners’ web sites when I was in my spare time this last week getting ready to come over here.   

Ms. Horvath:  I urge you to look at the privacy impact assessment.  It’s about a 15-page questionnaire that really parses a system and how they handle the data, how the data will be transferred, what redress mechanisms there are, what kind of tools will be used to analyze the data.  It is a very very good internal tool for us to change a system.  Both of us encourage the people that are, the technologists who start what we call a PIA, privacy impact assessment, early on in the system so if there needs to be changes to the architecture we can make them early on.   

It’s a very iterative process.  We don’t sign off on it usually at the first.  We require changes.  And only when we’re comfortable that the data is being protected adequately do we sign off. 

Mr. Teufel:  Because I’ve got all of you here I want to take a moment to brag about my office and somebody in my office.  My office is four directors -- a Director for International Privacy Policy and that’s John Kropf who is here in the room with us.  He’s a super star, and we’re very lucky to have him.  I also have a Director for Technology, Director for Compliance, Director for Legislative and Regulatory Affairs. But with respect to privacy impact assessments I wanted to talk about the Director for Compliance, Becky Richards.  She developed the privacy impact assessment structure we use and that is copied throughout the federal government, throughout the U.S. government. 

I was looking, because I wanted to go through all the things that are in the PIA.  Our office annually gives workshops on how to conduct a privacy impact assessment.  We usually have 200 or 300 people from the federal government and the private sector come to visit us to see how we do things.  We’ve had folks from other, from Data Protection Commissioners’ offices come to our office to see how we do things.  In fact we’ve been talking with Canada about doing an exchange of personnel so that we can better understand how the Canadians deal with privacy issues and so that they can better understand how we do things, among other things how we handle privacy impact assessments. 

So I wanted to brag on Becky Richards who works in my office and also get in a plug for the Canadian Data Protection Commissioner who’s just an absolutely wonderful person. 

Question:  One of the things that the Europeans, particularly the members of the European Parliament, have with the PNR agreement is they feel there’s not adequate training for people who are managing data. 

Mr. Teufel:  I’m sorry, I missed the -- 

Question:  They don’t think there’s enough training done for people who are managing the data that’s going over.  The other thing they have a problem with is there’s not regular reports, annual reports done on actually how the system is working and they’re not made public.  Do you want to comment on those things? 

Ms. Horvath:  Training is a great thing, and I don’t want to say you can never have too much training, but training is so important in what we do in privacy.  I don’t know that I would agree with those within Europe who say that the folks at Customs and Border Protection don’t have enough training.  But I would agree in principle that training with respect to privacy is a very important thing. 

I should mention to you that at Homeland Security presently there are two component privacy officers.  There’s one at TSA [Transportation Security Administration] and another privacy officer over at US Visit.  They don’t report directly to my office, but we work very closely with them. 

We have recently, within the last week or two, made a recommendation to the Secretary of Homeland Security that there be additional component privacy officers and I don’t want to get ahead of the Secretary because it’s the Secretary’s decision. We’ve teed it up for him.  But it wouldn’t surprise me if there are additional component privacy officers at some of the larger components and Customs and Border Protection might well be one of those where we see a privacy officer. 

The advantage to that would be of course that having additional folks involved with privacy at the components, at the operational components.  And when I talk about operational components, let me be clear, and I have to use my fingers because if I don’t I always forget one. 

Immigration and Customs Enforcement, Customs and Border Protection, Citizenship and Immigration Services, Secret Service, Transportation Security Administration, Federal Emergency Management Agency, and U.S. Coast Guard.  Those are the seven operational components.  We probably won’t have component privacy officers at all of them, but I anticipate that there will be others joining the component privacy officer at TSA, Peter Pietra, who also is an absolutely wonderful guy and was recently called up and is on his way to Kuwait to serve for two months in the Air Force, and then he’ll be back working alongside of us. 

Ms. Horvath:  I just wanted to add one thing on training.  We are required under either FISMA or the Privacy Act -- FISMA is our Information Security Management Act -- to have privacy training once a year.  As a department we are required to run that training on privacy and certify that we have done that in order to pass our information security certification. 

Mr. Teufel:  I’m glad you mentioned that.  My office has got a couple of packages that we have put together, training packages.  Every new employee that comes into the department has to go through training and privacy is one of those things.  But we have some fairly extensive web-based training packages that we have available that we’ll be rolling out here fairly soon.  It is very likely that my office, along with the Civil Rights and Civil Liberties Office, headed by Dan Sutherland, will be engaged in providing training to DHS employees who man the various state fusion centers which are information fusion centers that are not federal, they’re not state or local or tribal, they are joint combined officers in the various states that provide for greater sharing of information among law enforcement, other first responders to include emergency preparedness, the National Guard units, as well as the federal government. 

Question:  Do you find any concerns of the European Union reasonable?  For example taking the number of data that are required by the U.S. Mr. Frattini recently mentioned that it’s too much, for example, and members of the European Parliament would also like to see less data going to the U.S.   Also the number of agencies that are handling the information.  The flexibility.  So do you find any of that reasonable?   

Mr. Teufel:  Let me get the second part of your question first.  I’m not sure when the Europeans talk about too many agencies what that means.  I know that the Europeans wanted to limit the data to Customs and Border Protection, but Customs and Border Protection, under federal law, is not the agency.  The Department of Homeland Security is the agency.  We, through our system of records notice can limit how the agency, DHS, uses that information. 

As I said, there is a system of records notice out.  There will likely be another one, a revision to the current system of records notice, coming out sometime in the next future.  There will likely be some changes. 

So yes, there are some things that the Europeans have raised that are reasonable and that we’ll probably be changing.  There are other things that the Europeans have raised that are reasonable but we may not necessarily agree with. 

Really, because it’s a formal legal process, I’m really hesitant right now to say what’s going to be in that document because I haven’t issued that document. 

Question:  [Inaudible] some of your bottom line?

Mr. Teufel:  Absolutely when one follows the Fair Information Practice Principles – the limitation --

Ms. Horvath:  The transfers between agencies.  There’s this perception that data can just be transferred between government agencies for any purpose whatsoever for fishing expeditions.  It can’t happen.  Data has to be transferred for a specific purpose and in the system of records notice you notice what the purpose of the data -- if it’s for law enforcement purposes.  It can be transferred to another agency solely for law enforcement purposes.

Mr. Teufel:  You always want to limit the amount of information that’s gathered.  You want to use it for the minimum needs absolutely necessary.  When you no longer need that information you want to properly dispose of that information in a way that it’s secure.  It’s just the fundamentals of privacy.  We’re always looking for ways we can tighten up and be better in complying with the Fair Information Practice Principles.  You’ll probably see some changes in the system of records notice that you’ll like.

Question:  You said earlier you were outraged by the amount of information you had to give out at your hotel desk.  Which leads us to air passenger data.  The U.S. is asking for 34 different kinds of data when buying a flight ticket.  I would like you to comment and maybe do a comparison between the two situations.

Second question on the air passenger data. There has been information about the U.S. wanting to include the remaining EU member states in the Visa Waiver regime in exchange for the EU backing off on their request to not hand over air passenger data.  Do you know if there’s anything new on those discussions?

Ms. Horvath:  I can answer the hotel -- the form that I filled out, and I have it actually in my case, had no notice.  So all it said at the top was “Police”.  It didn’t tell me what purpose they were going to use it for, it didn’t tell me how long they would retain it for.  With PNR there is an agreement and there are clear standards for that data.  So when you do give your data there are agreed-upon standards with respect to PNR.  In the system of records notice, that will be clarifying it even more.  But there were none of the data protection principles on the form that I filled out at the hotel.  Including my birth date, home address, name.  The form could easily be used for identity theft if someone lost it, someone could apply for a credit card with that information.

Mr. Teufel:  There are two things that strike, well, at least two American privacy officers when having to provide that information.  One is the process.  Was European law followed here, and was there notice and those sorts of things?  Then there’s the substance of it.  Why do you need this information?  You asked, I think, a very reasonable question, why does the United States need 34 pieces of information?  We can and we ought to have that discussion.  By “we” I mean the United States and the Europeans.  And whether that information ought to be limited.  But we’re asking you.  Why do you need that information? It’s not something we do ourselves in the United States.  Of course the answer is, well, for security.  Often that’s the answer.  Of course we say the same thing.  So it’s reasonable and it’s appropriate and in a democratic society one ought to ask why does government need information.

 Ms. Horvath:  And is it a condition precedent to my staying in the hotel room if I had refused to fill out the form?  Would I have been denied staying at the hotel room?  Would the police have been called?

 Mr. Teufel:  And if I refuse to give proper information, if I give false information am I going to --

 Ms. Horvath:  It’s the same mindset that you all have.  That’s why notice, this system of records notice that his office will be putting out will provide a lot of answers to those questions.

 Question:  But you’re saying that as long as it’s noticed then it’s justified?  People can still argue, I have been notified that these 34 different kinds of information will be passed on, whatever, but I still don’t see the reason to why do you want to know what I want to eat or what I don’t want to eat, or my racial --.

 Mr. Teufel:  It addresses process, but it doesn’t get to the substance.  Because we’re in the process of revising, I’m really hesitant to talk about the policy decisions and the substance.  But I know the Secretary of Homeland Security, Michael Chertoff, has on occasion addressed these very questions that you raise and he’s responded to them. He’s given examples of how that information has been useful.

 So I would suggest if you have the opportunity to do some research, because he does talk about some of these things.  But I think it’s absolutely, going back to your question, I think it’s absolutely reasonable for Europeans to ask why do you need this information.  The Americans, I believe, have responded and the Secretary has responded why we need that information.  Just as we’re asking you all, why do the Europeans need all of this information on us when we come and stay in a hotel here?

 Ms. Horvath:  Knowing that at least in the EU there really is the data protection directive applies only to the first pillar, the commercial pillar, and since that says “Police” at the top of the form, that’s obviously a third pillar issue which would be in the competency of the member state.  So we do not know how our data is transferred because it is not controlled by the directive.

 Question:  Can I just retry my second question?  I don’t know if you -- the information [inaudible] other enlargement states minus Slovenia need to have a visa.  The visa, of course when getting the visa the United States asks questions.  Data [inaudible].  And then the U.S. would offer the European Union to include these countries into a visa-free zone in exchange for the EU backing away from the demands of limiting the air data they hand out to the U.S.?  I know I’m not expressing myself well.  Have you any information on this? It was said a few weeks ago that this could be like a diplomatic exchange.

 Ms. Horvath:  I think it’s legislation right now up on the Hill.  I don’t have knowledge of the specific legislation.  Do you?

 Mr. Teufel:  No.

 Ms. Horvath:  I don’t want to talk to something I don’t have knowledge about.

 Mr. Teufel:  To the extent that my department has been engaged in negotiations, I’m just hesitant to talk about stuff here that’s being talked about government-to-government. But I would mention to you that when DHS is involved and Stuart Baker who is the Assistant Secretary for Policy who does a lot of, is involved in a lot of the negotiating.  Stuart and I are the two DHS representatives on the high-level contact group, for instance.  Whenever the policy office at the department is involved in negotiations or discussions of the type that you reference, our office, my office is involved in providing policy advice on privacy and John Kropf and his folks are the ones in the first instance in my office who were called to give advice and counsel on privacy issues.

 So importantly, privacy on the U.S. side is built in at the outset.

 Now you may disagree with the outcome, you may disagree with the substance, but I can tell you from a process perspective, privacy is considered at the Department of Homeland Security early, whenever we are engaged in discussions, negotiations with the Europeans.

 Question:  I was wondering if I could change the subject a bit to biometrics.  I don’t know if you’re familiar with the Prum Treaty?

 Ms. Horvath:  I am.

 Question:  I was wondering to what extent is the United States willing or looking to join or to cooperate on the transfer of DNA records between police and Justice officials?

 Secondly, on biometrics, we’re getting these new passports.  [European Union Data Protection Supervisor] Peter Hustinx last week raised some concerns over the use of biometrics and saying that European nations have not tested this new technology well enough.

 Ms. Horvath:  I would say on the area of biometrics, this is an area where the U.S. is much more stringent than the EU.  With respect to our DNA database, we allow nobody but the FBI into the database.  It would be always a facilitated disclosure.  So we would be unable to do a Prum-like exchange where someone could actually do a search of the DNA database and get a result.  We feel like it would disclose too much information.

 The only way we could do an exchange of biometric data with respect to DNA would be for a country to send a request to the FBI.  The FBI would run the search to ensure that the match was indeed a match.  The view of false positives and the risk of false positives is too high to us.  We also want to respect, we have a requirement -- I can really go into DNA because I’ve been working on it a lot -- we have a specific minimum number of alleles that need to match in order to ensure that there is a match.  I believe that Europe requires less alleles to declare a match.  So the compatibility between the two databases would be an issue for us as well.

 Question:  What’s alleles?

 Ms. Horvath:  They’re DNA identifiers.  It’s A-L-L-E-L-E-S.  They’re actual identifiers in the DNA.

 Question:  The U.S. is not going to join Prum?

 Ms. Horvath:  Well, we’re not part of the EU so we can’t join Prum.  Would we consider a Prum-like agreement? I think we would be enthusiastic about that on the fingerprint side and other areas.  But it would have to be a Prum-like agreement.  We can’t join Prum because we’re not a member state.

 Question:  To follow up on that, Peter Hustinx also raised concerns over the Prum Treaty and has some preliminary assessments on the treaty as far as data privacy guarantees.  I don’t know how it works in the United States or if you’ve had that with any other third countries on the sharing of DNA.  How does that work on the American side as far as --

 Ms. Horvath:  Like I said, with the DNA sharing, we have a central DNA database that the FBI runs for the states, and it is governed by a Board of Governors, many of whom come from the states.  The access is very limited to facilitated access.  The FBI lab does the match itself.  So there is no individual type-in access to the database.

 Question:  Are there currently any sharing agreements with the EU or any other countries in the EU, bilateral…?

 Ms. Horvath:  I don’t think we have any DNA sharing right now.  I don’t believe.

 Question:  Generally across the board are there a significant number of cases, people complaining, legal complaints, et cetera, to warrant concern?

 Mr. Teufel:  We’ve seen -- I don’t want to say there are none at the department.  There are a handful, and literally a very very small number, maybe under five, which I guess would be a handful.  Very, very few.

 Mr. Teufel:  I’m speaking generally, not just PNR.

 Ms. Horvath:  Same at Department of Justice.  Very few complaints under the Privacy Act. [inaudible] None right now.  I mean we have one man that has written in and that’s it.

 Question:  Is it enough, I understand there are not so many complaints, is it enough to say that the system is safe enough?  Because [inaudible] the Commission, they say of course there are not so many complaints but that means that nobody knows that it’s possible to complain.

 Mr. Teufel:  Sure.

 Question:  Your process is very difficult…

 Mr. Teufel:  I can’t speak to the Europeans, but Americans love to complain.  They love to call up and complain about their government and send letters.

Ms. Horvath:  And we both have a notice on our web site where to send complaints, right on our office web sites.

Mr. Teufel:  The Department of Homeland Security has recently instituted a redress program and I’m going to get the acronym wrong, it’s TRIP, Travel Redress [Inquiry Program], and then I forget the I.  Okay.  So if you go to the DHS web site you can find information on DHS TRIP which provides pretty much a one-stop shop, to use a colloquial phrase, for someone who wants to get redress, who wants to complain about the situation.  And it works.

So it’s out there.  I don’t know what more we can do.  We’re here.  You’ll write about it, hopefully.  You’ll mention it and maybe we’ll get some more people, if there are some issues out there that we’re unaware of, we’ll get them to write in.

Moderator:  More questions?  If not, thank you.