Ex-Homeland Security chief Chertoff wants EU-style data privacy laws

Michael Chertoff, the former U.S. Secretary of Homeland Security, is interviewed on the floor of the New York Stock Exchange, on its first day of trading, Tuesday, July 10, 2018. (AP Photo/Richard Drew)

Following a series of high-profile data leaks and hacks, many concerned Americans are now demanding stronger data privacy regulations. Some are even suggesting the European Union’s General Data Protection Regulation is a model worth adopting, including, surprisingly, Michael Chertoff, George W. Bush’s second Department of Homeland Security secretary.

That’s exactly the point he makes in his new book, Exploding Data. He expanded on those ideas—and how his national-security experience has left him willing to trust the government with “metadata” about the who and when of our communication but not the keys to decrypt its contents—in an interview Wednesday.

A pitch for regulation

The GDPR’s extensive list of rights goes far beyond U.S. law—yet because it’s often easier for companies to ship one version of an app, U.S. citizens have benefited from its provisions requiring user permissions and controls.

Chertoff called the roughly 54,000-word GDPR “somewhat over-bureaucratic and complicated” but would enshrine the GDPR’s core logic in U.S. law.

“The principle that people ought to have some right to control their data is a principle we need to adopt ourselves,” he said.

Specifically, as he writes in Exploding Data, Chertoff would require companies to get your buy-in for “extrinsic” uses of data, those beyond making the app you’re using work better. Others—such as third-party marketing—would become a permission-only enterprise.

Chertoff would even import a limited version of the EU’s “right to be forgotten” rule. But instead of letting citizens demand that search engines like Google (GOOG, GOOGL) suppress “inadequate” or “irrelevant” links in searches for their names, he would limit that to false and defamatory material.

Chertoff also voiced support for giving customers a choice not required by GDPR rules: “get the service by paying for it as opposed to getting it by giving your data over.”

First, though, Congress will have to work together.

“I’m not holding my breath that that’s going to happen tomorrow,” he said. “We don’t have a Congress that’s particularly adept at working across party lines.”

Different rules for the government

Another key argument Chertoff (today, executive chairman of the Chertoff Group, a Washington-based consultancy) makes in Exploding Data may not have so many of you nodding in agreement.

That’s his contention that we should let the government keep more “metadata” about our communications as long as it can’t look at the information without judicial permission for national-security and cybersecurity purposes.