Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Hungary streamlines its law to follow the EU Directive [1999] PLBIRp 56; (1999) 51 Privacy Laws and Business International Report 16

Hungary streamlines its law to follow the EU Directive

A report by Dr. László Majtényi

THE EU DATA PROTECTION WORKING PARTY has recommended that Hungary should be seen to provide adequate protection for personal data. The Hungarian Data Protection Commissioner explains how the country has prepared for the Data Protection Directive.

At first sight, the function and application of the EU Data Protection Directive in East-Central Europe would appear to be a theoretical problem, but the issue is far from being that simple. While a number of states in the region keep edging closer to the European Union, none of them have actually gained membership yet. This means that, for the time being, the Directive is not part of the effective law in these countries, and as such it is not binding for them. Nevertheless, these countries - especially Hungary, Poland, the Czech Republic, Slovenia and, increasingly, Slovakia -- have vested interests in social progress, politics and the economy which attach their destinies ever more intimately to the EU.

Work is under way at the European Union to determine, based on Art. 25 of the Directive, whether the data protection regulations in the eligible states meet the requirement of adequate protection. The outcome of the inquest will be far more than symbolic. It will go beyond political considerations to touch upon elemental economic interests. We Hungarians are eager to see the inquest close with positive results. As upcoming members of the European Union, we are equally interested in seeing the Directive become an integral part of Hungarian law at the earliest opportunity.

PRIVACY AS A CONSTITUTIONAL RIGHT

Since the political transformation of 1989, the protection of personal data has been a basic constitutional right in Hungary.^[1] In 1992, the country was among the first in the region to adopt legislation which combined considerations of data protection and freedom of information.^[2] Regarded as one of the most modern on the Continent at the time, the law was streamlined to the thrust of progress which led to the adoption of the Directive in 1995.

Its conceptual framework is, by and large, compatible with that of the Directive. With a scope drawn to extend to the public sphere as well as private business, the law also established the Bureau of the Data Protection Commissioner and vested it with rather broad powers of investigation. In the constitutional law and order of Hungary, the Commissioner is one of the most powerfully legitimized officials, elected for a six-year term by a two-thirds majority in Parliament.

Informational freedom rights played a crucial role in the transition to democracy by enforcing a twofold criterion, which we like to identify as the transparency of the state and the non-transparency of its citizens. The Hungarian constitution guarantees the independence of the Commissioner from the administration, a circumstance of great significance in East-Central Europe, where the notions of efficiency nurtured by the government often come into stark conflict with the guarantees of informational self-determination.^[3] The office of the Commissioner enjoys prestige and a high degree of recognition.^[4]

DATA LAW HAS BEEN MODIFIED

The implementation of the Directive varies from state to state in Central Europe. Some countries, following the example of Italy and Greece, have been justified in taking advantage of the delay in their legislative activity by enacting a new data protection law, which for the most part is simply a translation of the Directive. In these cases, the letter of the law needs to be put into living legal practice.

Hungary has followed a different path, leaving it to the Parliament next year to bring its data protection legislation into full harmony with the Directive. The implementation process in fact started in 1995, when we at the Bureau of the Data Protection Commissioner translated the Directive, and sent the Hungarian version to all the major practitioners of law (such as the courts, prosecutor's offices, the police and secret service agencies), to universities and law libraries. From this point on, when interpreting the provisions of Hungarian law, we have always attempted to construe them in conformity with the Directive. As a matter of fact, this presents no special difficulty, given that the language of the Hungarian law normally lends itself with ease to such interpretation. For instance, the Hungarian law determines the consent of the data subject - a written consent in case of sensitive information as the condition for processing his or her data.

Although trade union membership is not regarded as sensitive data in the Hungarian law, we tend to treat such information as sensitive, because in Hungary membership of a trade union more often than not implies political belief - information which is clearly sensitive in nature. The government has no right to inquire about trade union membership or to process data related to it. Disclosing such information is a personal decision on the part of the individual.

In the past few years, the Hungarian Parliament has passed a series of sectoral data protection bills.^[5] In the summer of 1999, Parliament modified the Data Protection Act and enacted a legal distinction between the notion of the data controller and that of the data processor, thus nudging the law closer to the Directive. Incidentally, the distinction loosened the rigor of the Data Protection Act, since formerly data controllers could not legally employ data processors.

CITIZENS SUPPORT PRIVACY LAWS

The Act had a few provisions, which, in fact, established even more stringent criteria for controlling personal data than the Directive does. This may strike the outsider as strange, but Hungarians welcomed these provisions as an expansion rather than a restriction of rights. What I mean is that in Hungary, perhaps in the entire region, the rigor of data protection is viewed not so much as an infringement on freedom as a measure of legal empowerment. A strict data protection regime invites more objection from the administration than from the citizens. What is instead met with incomprehension by individuals is the inconvenience often entailed by the protection of privacy, such as the concurrent use of several identification numbers which have superseded the formerly uniform identification system (these include separate numbers for social security and tax purposes). The victims of the recently overthrown totalitarian system fundamentally approve of dividing informational power.

TECHNOLOGY IS NOT A SOLUTION

This summer I had the opportunity to study legal solutions proposed in the United States in the area of data protection and freedom of information. For my part, I remain somewhat skeptical over Privacy- Enhancing Technologies (PET), the Platform for Internet Content Selection (PICS), P3P, the Codes of Conduct, Lex Informatica and other, mainly technical innovations. I am not sure, no matter how important and creative these measures may be, whether in themselves they are adequate to confront the new types of threat against privacy.

The following numbers give us food for thought: 75%of Americans feel that they have lost control over their personal data; 79% think their privacy is "somewhat" or "very" threatened. In addition, 64% of Americans object to the online service providers' power to monitor the habits of surfers.^[6] Yet the American view is that data protection in Europe amounts to authorizing the state to overstep its limits of normal operation, thus posing a potential threat to the freedom of enterprise, which in turn may well lead to over-regulation and an unjustifiable restriction of market forces.

Interestingly, debates in Hungary over data protection often feature arguments in stark opposition to this view, on the floor of Parliament as well as outside it. What we tend to hear is that the Hungarian regulations, by and large in tune as they are with the Directive, place inadmissible limits on the maneuvering space of the government; that they obstruct law enforcement, especially against organized crime; that they disable efficient work by the police and the secret services; that they prevent a successful fight against AIDS and so on.

In other words, what somewhere in the world comes under criticism as antiliberal intervention is labeled by others elsewhere as a case of extreme liberalism itself.^[7]

Footnotes:

[1] Hungarian Constitution, Art. 59

[2] Act No. LXIII of 1992

[3] See the Annual Report of the Parliamentary Commissioner for Data Protection and Freedom of Information, 1998 (Abbreviated Version), Budapest, 1999, pp. 17-25.

[4] A 1998 survey revealed the ombudsmen's offices (taken together) as the third most popular social institution after that of the President of the Republic and the Constitutional Court, ahead of the churches, the press, and the trade unions. 43 % of Hungarians claim to have heard about the Data Protection Commissioner. (The recognition and assessment of parliamentary commissioners by citizens, by Szonda Ipsos, December 1998.)

[5] Annual report, the first three years..., p. 66.

[6] Louis Harris &Assocs. &Alan F. Westin, The Equifax Report on Consumers in the Information Age (1990); Joel R. Reidenberg, Lex Informatica: The formulation of Information Policy Rules Through Technology, In: Texas Law Review, vol. 76, No. 3, p. 561., Feb. 1998.

[7] The first three years... pp. 57-60.

This report was written by Dr. László Majtényi, Hungarian Parliamentary Commissioner for Data Protection and Freedom of Information. He can be contacted at Tukory u. 3, H-1054 Budapest, Hungary. Tel: + 36 1 269 3537 Fax: + 36 1 269 3541 Internet: http://www.obh.hu. For more information about the Hungarian law, see PL&B Sep '95 p.3-7, Jun '96 p.11-13 and May '99 p.20).