[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Republic of Hungary

Constitutional Privacy Framework

Article 59 of the Constitution of the Republic of Hungary provides that "everyone has the right to the good standing of his reputation, the privacy of his home and the protection of secrecy in private affairs and personal data."[2716] "Everyone in the Republic of Hungary shall have the right to good reputation, the inviolability of the privacy of his home and correspondence, and the protection of his personal data."[2717] In 1991, the Supreme Court ruled that a law creating a multi-use personal identification number violated the constitutional right of privacy.[2718]

Data Protection Framework

The Hungarian law on data protection follows the model of general and sector-specific regulation. The most important principles of data protection, along with the conditions and guarantees of limiting the right to the protection of personal data, are laid down in a single, so-called general act. This act does not contain explicit authorizations for processing information, the mandatory rules associated with various types of data and different data controllers are collected in sector-specific acts. Without these sector-specific acts the content of the general act could not be put into effect and the principles defined in the general act would be translated into practice only to a minimal extent.

The Hungarian general act, the Data Protection Act of 1992 (the Act), covers the collection and use of personal information in both the public and private sectors. It is a combined data protection and freedom of information act.[2719] Its basic principle is informational self-determination. As regards data protection, the Act sets out general provisions on the request, collection, handling and transfer of personal information and provides legal remedies to individuals whose rights are violated. The Hungarian data protection system follows the opt-in regime. Under the Act personal data may only be collected and processed with the freely given, specific and informed consent of the individual or if it is required by law. The individual must be fully informed of the purpose of the data processing. Only the data necessary to accomplish this purpose may be collected, and it may only be stored until that purpose is fulfilled. The data must be accurate, complete, and up to date. Individuals are granted the right to access their personal information and, where necessary, to request its correction or even deletion. Special protections are set out for "sensitive data," which is defined as data relating to "racial origin, nationality, and ethnic status, political opinion or party affiliation, religious or other conviction" or "medical condition, abnormal addiction, sexual life, trade-union membership and criminal record." This kind of data may only be processed where the subject has consented in writing or if it is based on an international agreement or required by law for the purpose of enforcing a constitutional right, national security purposes, crime prevention, or a criminal investigation.[2720] The Act also expressly prohibits the use of all-purpose identification numbers or codes.

The Article 29 Data Protection Working Party of the European Commission recommended in September 1999 that the Commission and the Article 31 Committee note that Hungary ensures an adequate level of protection within the meaning of Article 25(6) of the EU Data Protection Directive.[2721] In July 2000, the European Commission formally adopted this position, thereby approving all future transfers of personal data to Hungary.

January 1, 2004 marked the start of a new era in Hungarian data protection. The entry into force of the amendment of Act LXIII of 1992 on the Protection of Personal Data and Disclosure of Data of Public Interest, which harmonized the law with applicable European Union regulations, also instated changes regarding the classic role of the ombudsman in protecting privacy, and opened a new chapter in the history of the institution.[2722]

On May 1, 2004, Hungarian Republic joined the European Union. In order to fulfill the requirements of the EU Data Protection Directive (1995/46/EC) the Parliament amended the Act three times. In June 1999, it created a distinction between "data handling" (i.e., data controlling) and "technical data processing."[2723] Another amendment came into force in 2004 that adopted some legal institutions from the Directive, such as automated individual decisions, data protection officials, and liberated the data flows to the Member States. The regulation on transborder data flows was specified in 2005. As a consequence of the implementation of the Directive, decisions relating to the regulation on data protection are partly out of the competence of Hungarian authorities.

On May 1, 2004, also Hungary became a full member of the Working Party– an independent consulting body operating on the side of the Commission, made up by the member states' privacy commissioners and/or other authority.[2724]

Many sector-specific acts contain rules for handling personal data including addresses,[2725] sector-specific identification codes,[2726] medical information,[2727] police information,[2728] public records,[2729] employment,[2730] telecommunications,[2731] and national security services.[2732] The Direct Marketing Act authorizes companies to process individuals' names and addresses for marketing purposes but requires consent for the processing of other information such as telephone numbers or e-mail addresses.[2733] There is no sector-specific legislation covering the Internet; however, the Data Protection Commissioner issued a recommendation[2734] in February 2001 calling for amendments or supplements to existing law to address this issue. The Criminal Code also has provisions on privacy.[2735]

Data Protection Authority

The Parliamentary Commissioner for Data Protection and Freedom of Information oversees the 1992 Act.[2736] Besides supervising the implementation of the Act and acting as an ombudsman for both data protection and freedom of information, the Commissioner's tasks include investigating complaints, maintaining the Data Protection Register, and providing opinions on draft legislation. Until 2004, the Commissioner’s only effective power was provided by the Secrecy Act of 1995. Under this Act, the Commissioner is entitled to review and propose changes to the classification of state and official secrets. Since 2004, the Commissioner has also been entitled to order the blocking, deletion, or destruction of unlawfully processed data; prohibit the unlawful processing or technical processing of data, and suspend the transfer of data to foreign countries. The data controller concerned may institute court proceedings against these measures of the Commissioner.

The Commissioner has been very active reviewing cases involving personal information. The Commissioner opened 2,350 cases in 2005.[2737] The number of complaints and investigations grew in 2005 to 1,149 from 909 in the previous year. The number of consultations has remained fairly constant at approximately 500 and the number of reports on draft law was 469. The Data Protection Commissioner noted that while the bulk of data privacy requests were complaints alleging violations, about half of the freedom of information requests asked for consultations on compliance with legislation. This is partly due to the enactment of a new freedom of information statute, the Freedom of Information by Electronic Means Act.[2738]

Public disturbances in the fall of 2006 raised questions concerning privacy rights of citizens, policemen and judges.[2739] The data protection commissioner intervened in all of these issues. The police headquarters of Budapest addressed a letter to hospitals asking for access to the personal information of all individuals injured on the nights of public disturbances. This inquiry did not fulfill the formal and legal requirements of such queries, since providing the requested data would have infringed the rights of other patients. Hospitals refused to disclose the data, and a long dispute began between the police and the hospitals. Following several consultations with the data protection commissioner, the police was finally able to compose its query in compliance with the legal requirements, so hospitals had to disclose only the appropriate data.

Following the public disturbances, names, home addresses, home and mobile telephone numbers of the judges and prosecutors presiding over the related criminal cases were published on an internet site, www.kuruc.info. It was clear that according to the law, the name and position of judges and prosecutors are public. However, as the data protection commissioner stated, home addresses and phone numbers are confidential personal data, even if some are published in public registers, such as the phone directory, because the original purpose of the publication in the directories and the purpose of the publication on the website were different. The disclosure of these latter data would have been lawful only with the consent of the judges and prosecutors concerned. However, the data could not be removed from the site because the site was hosted on a foreign server, and had listed false contact data.[2740]

In 2005 and 2006, the Commissioner dealt extensively with problems of political direct marketing conducted by telephone, e-mail and short text messages (sms), as well as with databases set up by political parties containing data relating to the – supposed or existing – political views of individual voters.[2741] The biggest scandal involved activists adding to the list of voters (which is legally obtainable for election purposes and can be used for a limited time period before the elections) information relating to political views of the voters. Based on this information, voters were classified into three categories, indicated with letters E (Enemy), S (Sympathizer) and B (for Undecided in Hungarian). Protesting against this practice, local representatives of the socialist party attended the meetings of the local self government with a big letter E on their suits. Unfortunately, neither the Commissioner, nor the police investigators could establish the origin of the data, nor could they prove the actual use of the database.

In 2003, the deployment of closed circuit television (CCTV) systems by public authorities, primarily in Budapest, was in the headlines. Although it is mandatory to inform citizens about the installation and use of video surveillance cameras by notices on the walls of the buildings of the monitored areas, the authorities did not comply with that rule in 82 percent of the cases. Surveillance cameras now monitor almost every street and square of the downtown area. It has been reported that some of them have nighttime vision and face recognition capabilities. Authorities have claimed that video cameras are efficient tools against crime. Authorities planned to use their camera systems for purposes different from the ones that justified their original installation.[2742] The Commissioner investigated the case of the Budapest neighborhood of Terézváros where the mayor wanted to give rights to a private company to run the CCTV network, even though only the police have the right to process personal data collected by cameras on public areas. The mayor later complied with the Commissioner's opinion.[2743]

Major Privacy Case Law

In January 2007 the Constitutional Court stated that the current judicial guarantees in the criminal procedure law and in the national security sector were inadequate to provide efficient protection to the right to privacy of the citizens.[2744] The secret surveillance and other secret data collection activities of law enforcement and national security bodies require prior authorization by appointed judges, but the oversight of this process did not meet the required level of constitutionality. The Constitutional Court ordered the Parliament to establish conditions of the proper judicial overview of these applications.

Employees of the Hungarian subsidiary of international mobile telephone service provider Vodafone discovered that the company had used its employees for testing the company’s new Mobil Flotta positioning system without informing them. For several months in 2005 the company secretly followed the movement of its employees 24 hours a day, including weekends, through their cell phones, and recorded the data in personally identifiable form. The company’s computer system’s lists contained data about the employees’ physical location in the country in fifteen minute increments. Employees sued the company. The company admitted to the tracking but insisted that the employees had been informed about, and consented to, the tracking in advance. Both the lower court and the appellate court decided in favor of the plaintiffs. Vodafone had to publicly apologize for the case and declare that it would do its best to avoid such infringements of rights from happening again in the future. In addition, the court ordered the discontinuance of the test and ordered Vodafone to delete the data.[2745]

In June 2004, the Constitutional Court ruled[2746] that the provisions on controlling of personal data in the Act regulating the work of security guards[2747] are unconstitutional and furthermore annulled the right of security guards to search anyone’s package or vehicle in a private area open to the public. The Constitutional Court has called upon the Parliament to amend the Act by December 31, 2004. The Parliament exceeded the deadline and enacted a new Act[2748] only in early May. In the meantime, security guards continued working on the basis of the annulled provisions, with the explicit support of the Ministry of Interior.[2749] Although the new Act complies with at least some aspects of the Constitutional Court decision, it also gives several anti-privacy powers to private security enterprises. It allows private companies to store CCTV records for about 30 days, and in post offices, banks, and similar institutions, for 60 days, without any legal purpose.[2750]

Wiretapping and Surveillance Rules

In 2005, the Parliament passed the Rules of Protection of Persons and Property and on the Activities of Private Investigations.[2751] This law defines the purposes of surveillance, the rights of surveillance subjects, as well as the conditions of recording and archiving the images.[2752] Surveillance by police requires a court order and is limited to investigations of crimes punishable by more than five years' imprisonment.[2753] Surveillance by national security services requires the permission of a specially appointed judge or the Minister of Justice, who can authorize surveillance for up to 90 days.[2754] In April 1998, the government issued a decree ordering phone companies that offer cellular service to modify their systems to ensure that they could be intercepted. The cost was estimated to be HUF 10 billion (~USD 50 million).[2755] It has been reported that the National Security Service (NSS) regularly install black boxes on Internet Service Providers’ (ISP) networks and intercept communications without warrants. Furthermore, signing a contract to allow full access to data by the NSS is a precondition for obtaining an ISP operating license.[2756]

The Ministry of Economics and Transport prepared a draft on the implementation of the EU data retention directive, which would have been realized by the amendment of the Act on Electronic Communications.[2757] The draft would have introduced further restrictive measures on telecommunications privacy, although the current Act is one of the strictest in the EU. The only positive change from the implementation of the EU directive would be a lowered maximum period of data retention, which is currently three years. However, the draft law failed to provide adequate guarantees of privacy and had not met the requirements of necessity and proportionality. The Hungarian Republic would have been among those few EU member states which would have introduced the retention of internet data without delay. In early 2007 the Ministry revoked the draft due to public protest. A new draft with similar content is to be prepared in 2007.[2758]

Recent Developments

The first major phishing attack against Hungarian banks took place in November and December 2006. The target was Raiffeisen Bank whose customers received an email informing them that they were unable to be contacted by phone during the last routine account check. The email then requests that the individual click on a link to confirm some personal information, and provide more. The given link was redirected to a fake portal site where some 200 customers gave their account details. Only one collaborator was caught by the investigating agencies, the leaders of the attack remained unknown.

In December 2006, the President of Hungary decided not to sign a national law regarding the promulgation of the EU-US PNR (Passenger Name Records) agreement and sent it back to the Parliament for reconsideration. According to the President "it is necessary that the Parliament make possible the forwarding of data in the act on promulgation of the international agreement only in case if the person in question has explicitly consented to it. The President's opinion is that a regulation of such content would not be contradictory to the international agreement." Parliament must now re-discuss the bill and complete it with a rule that stipulates for the explicit consent of the person in question to forwarding of his data abroad.[2759]

Since August 2006, Hungary has been issuing e-passports containing a chip with biometric information about the passport holder, namely the facial image and the digital fingerprints. The new type passport was required by the European Union Council Regulation on standards for security features and biometrics in passports and travel documents issued by Member States.[2760]

Hungary may join the group of Schengen countries by 2008. The Schengen accession requires, among others, the setup of the legal and technical framework for the operation of the Schengen information system (SIS), which requires significant amendments in the immigration law, the Act on police, the Act on border control and others. Throughout 2006 and the first half of 2007 numerous acts of the Parliament were amended in order to connect the SIS with the Hungarian databases on law enforcement, immigrants, on passports and visas, on search of persons, objects, vehicles, etc. The Ministry of Justice and Law Enforcement has also declared its intention to join the Prüm Convention, a DNA database sharing initiative between some EU countries. The current pilot project is operational and uses the databases of Austria and Germany.

Open Government

In terms of access to information, the 1992 Act on the Protection of Personal Data and Disclosure of Data of Public Interest (the Act) guarantees access to information of public interest, which is defined as any information being processed by government authorities except for personal information. Exemptions can be made for state secrets or official secrets and information related to national defense, national security, criminal investigations, monetary and currency policy, international relations and judicial procedure. In June 2002, the Government announced that it would ask the Parliament to pass legislation authorizing the further opening of the secret police files from the Communist era.[2761] The announcement came following an admission by the Prime Minister that he had been a counter-intelligence officer in the secret police during that time.[2762] Hungary has enacted a law opening up secret service files and has been coordinating with the German Stasi archive to prosecute members of the communist regime. The law regulates the access to files for both victims of spying and former spies. Victims can find out who spied on them, but to prevent recriminations and revenge-taking, they are not given access to the spy's files.[2763]

The Freedom of Information by Electronic Means 2005 makes it mandatory for every agency or organization attending to proactively publish data on their organizational structure, operation, and financial management; requires electronic publication of legislative projects and individual drafts, while also prescribing the provision of an interactive interface; mandates publication of the Magyar Közlöny, the official journal of the Hungarian government, and of the Electronic Compendium of Effective Laws and Regulations, in such a way that will make access to them free of charge and unencumbered by any other circumstance for everyone; and requires that the Supreme Court and courts of arbitration to post all of their verdicts, judgments, and rulings on the Internet starting in January 2007.[2764]

In 2003 a law was enacted (while the 1994 law remained in force) with provisions on the rights of victims of surveillance to learn the names of the agents reporting on them and the right to make these names public (but only in the cases where the former agents are presently public figures), and the establishment of the Historical Archives of State Security Services, replacing the Office of History, where documents relating to the activities of the former secret police are to be kept.[2765] Despite these legislative developments, there has been a great deal of uncertainty concerning the contents, authenticity, and completeness of the former secret police documents, which gives rise to political blackmail and keeps the issue on the public agenda.

The so-called Lustration Law (publicly known as the "Agent-Law"),[2766] enacted in 1994, stipulates a compromise solution between the accessibility of data relating to persons who cooperated with the secret police of the past regime in an unconstitutional way, and data relating to subjects of secret police reports, on the one hand, and the right to information privacy of all persons concerned, on the other. Originally the Hungarian solution was much less radical than the German model: the victims of surveillance could not learn the identity of the agents reporting on them, only the data reported on themselves; and the former agents fulfilling public functions in the new regime were allowed to resign hidden from public scrutiny. Consequently, the maximum sanction, namely, the publishing of the agents’ names in the official gazette, could be applied only if they insisted on staying in function.

International Obligations

Hungary is a member of the Council of Europe (CoE) and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention No. 108).[2767] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[2768] Hungary ratified the CoE Convention on Cybercrime in late 2003, and it entered into force in July 2004.[2769] It is a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

[2716] Constitution of the Republic of Hungary, Chapter XII, Article 59, unofficial translation available at <http://www.mkab.hu/content/en/encont5b.htm>.
[2717] Id.
[2718] Constitutional Court Decision No. 15/1991 (IV. 13.)-AB.

[2719] Act No. LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interest, available at <http://abiweb.obh.hu/dpc/legislation/1992_LXIIIa.htm>.
[2720] See Zita Orb, "Amended Rules on Data Protection," World Data Protection Report, Volume 1, Issue 1, January 2001 at 22.

[2721] European Union Article 29 Data Protection Working Group, Opinion 6/99 concerning the Level of Personal Data in Hungary, September 7, 1999, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/1999/wp24en.pdf>.

[2722] E-mail from Attila Péterfalvi, Parliamentary Commissioner for Data Protection and Freedom of Information, to Ula Galster, International Policy Fellow, Electronic Privacy Information Center (EPIC), May 26, 2005 (on file with EPIC).

[2723] Act No. LXXII. of 1999.

[2724] E-mail from Attila Péterfalvi, supra.

[2725] Act No. LXVI of 1992 on the Register of Personal Data and Addresses of Citizens.
[2726] Act No. XX of 1996 on the Identification Methods Replacing the Universal Personal Identification Number, and on the Use of Identification Codes.
[2727] Act No. XLVII of 1997 on the Use and Protection of Medical and Related Data.
[2728] Act No. XXXIV of 1994 on the Police (Chapter VIII: "Data Handling by the Police").
[2729] Act No. LXVI of 1995 on Public Records, Public Archives, and the Protection of Private Archives (Restricting Rules on the Publicity of Documents Containing Personal Data).
[2730] Act No. IV of 1991 on Furthering Employment and Provisions for the Unemployed.
[2731] Act No. C of 2003 on Electronic Communications, available at <http://www.nhh.hu/dokumentum.php?cid=10617>.
[2732] Act No. CXXV of 1995 on the National Security Services, etc.
[2733] Act No. CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing.
[2734] Recommendation of the Data Protection Commissioner on certain issues of handling data in connection with the Internet, Annual Report of the Parliamentary Commissioner for Data Protection and Freedom of Information 2001, at 101–107, see also <http://abiweb.obh.hu/adatved/indexek/2001/intro2.htm#sector4>.
[2735] Criminal Code, Sections 177-178, available at <http://www.privacy.org/pi/countries/hungary/hungary_criminal_code.html>.

[2736] Homepage <http://www.obh.hu/>.

[2737] Annual Report of the Parliamentary Commissioner for Data Protection and Freedom of Information 2005, available at <http://abiweb.obh.hu/dpc/index.htm>.
[2738] Act XC of 2005.

[2739] See generally <http://news.bbc.co.uk/2/hi/europe/6209958.stm>.

[2740] Email from Ivan Szekely, OSA Archivum and Budapest University of Technology and Economics, Hungary, to Allison Knight, Research Director, Electronic Privacy Information Center, June 11, 2007 (on file with EPIC).

[2741] Annual Report of the Parliamentary Commissioner for Data Protection and Freedom of Information 2005, supra; email from Ivan Szekely to Allison Knight, supra.

[2742] As an example, a camera system monitoring payment on a highway was used later to identify those who had not fastened their safety belts.
[2743] Kiss Gábor, "Megfigyelt megfigyelök" ("Watching the Watchers"), Tech-tudomány, January 18, 2003 <http://www.index.hu/tech/jog/urbaneye/>; "Szabadtéri Big Brother Budapesten - nem önkéntes alapon" ("Open-air Big Brother in Budapest - Not on a Voluntary Basis"), Korridor, July 29, 2002; Sándor Tünde, "Minden sarkon térfigyelö. Erzsébetváros teljes területét kamerák pásztázzák" ("There Is a Surveillance Camera at Every Corner. The Whole Area of Erzsébetváros Is Full of Cameras"), Népszabadság Online, July 24, 2002 <http://www.nol.hu/Default.asp?DocCollID=63989&DocID=61783#61783>.

[2744] Decision 940/B/2003 AB.

[2745] Email from Ivan Szekely, supra.

[2746] Decision 22/2004 (VI.19.) AB.
[2747] Act No. IV of 1998 on Security Guards.
[2748] At the time of writing the new act has not as yet been promulgated. Its text is available at <http://www.parlament.hu/irom37/13634/13634.pdf>.
[2749] Letter from the Legal Department of the Ministry of Interior to Balázs Dénes, Executive Director of HCLU, January 17, 2005 <http://www.tasz.hu//download/BM%20v%E1lasz%20a%20ny%EDlt%20lev%E9lre1.pdf?id=13515&time=1107187108&op=cont>.
[2750] Bill No. T/13634, Section 31 (2).

[2751] Act CXXXIII of 2005.
[2752] Annual Report of the Parliamentary Commissioner for Data Protection and Freedom of Information 2005, supra.
[2753] Act No. XXXIV of 1994 on Police.
[2754] Act No. LXXV of 1995 on the National Security Services.
[2755] "Technical Costs of Phone Tapping Estimated at HUF 10bn," MTI Econews, April 17, 1998.
[2756] Act No. C of 2003 on Electronic Communications, available at <http://www.nhh.hu/english/menu4/m4_8.htm>.

[2757] No C. of 2003, supra.
[2758] Email from Ivan Szekely, supra.

[2759] Email from Ivan Szekely, supra.

[2760] European Union Council Regulation of 13 December 2004 on standards for security features and biometrics in passports and travel documents, available at <http://www.libertysecurity.org/imprimer.php?id_article=133>.

[2761] Radio Free Europe, June 28, 2002.
[2762] Radio Free Europe, June 20, 2002.
[2763] "Former Dictatorships Hoping to Learn from German Stasi Archive," Deutsche Welle, May 12, 2004, available at <http://www.dw-world.de/english/0,3367,1432_A_1197738_1_A,00.html>.

[2764] Freedom of Information by Electronic Means Act, supra.

[2765] Act No. III of 2003 on the disclosure of the secret service activities of the past regime and on the establishing of the Historical Archives of State Security Services.

[2766] Act No. XXIII of 1994 on Supervision of Personnel in Certain Important Positions.

[2767] Signed May 13, 1993; enacted October 8, 1997; entered into force February 1, 1998.
[2768] Signed November 6, 1990; enacted November 5, 1992; entered into force November 5, 1992.
[2769] Signed November 23, 2001; ratified December 4, 2003; entered into force July 1, 2004.