Article 59 of the Constitution of the Republic of Hungary provides that "everyone has the right to the good standing of his reputation, the privacy of his home and the protection of secrecy in private affairs and personal data." "Everyone in the Republic of Hungary shall have the right to good reputation, the inviolability of the privacy of his home and correspondence, and the protection of his personal data."[1383] In 1991, the Supreme Court ruled that a law creating a multi-use personal identification number violated the constitutional right of privacy.[1384]
Act No. LXIII of 1992 on the Protection of Personal Data and Disclosure of Data of Public Interest (the Act) covers the collection and use of personal information in both the public and private sectors. It is a combined data protection and freedom of information act. Its basic principle is informational self-determination.[1385] As regards data protection, the Act sets out general provisions on the request, collection, handling and transfer of personal information and provides legal remedies to individuals whose rights are violated. Under the Act personal data may only be collected and processed with the consent of the individual or if it is required by law. The individual must be fully informed of the purpose of the data processing. Only the data necessary to accomplish this purpose may be collected and it may only be stored until that purpose is fulfilled. The data must be accurate, complete and up to date. Individuals are granted the right to access their personal information and where necessary to request its correction or even deletion. Special protections are set out for 'sensitive data,' which is defined as data relating to "racial origin, nationality, and ethnic status, political opinion or party affiliation, religious or other conviction" or "medical condition, abnormal addiction, sexual life and criminal record." This kind of data may only be processed where the subject has consented in writing or if it is based on an international agreement or required by law for the purpose of enforcing a constitutional right, national security purposes, crime prevention or a criminal investigation.[1386] The Act also expressly prohibits the use of all purpose identification numbers or codes.
Hungary is an applicant for European Union membership. In April 2003, Hungarians voted in favor of joining the European next year. In June 1999, the Parliament amended the Act to create a distinction between 'data handling' and 'data processing' in accordance with the European Union Data Protection Directive (95/46/EC).[1387] The Article 29 Data Protection Working Group of the European Commission recommended in September 1999 "the Commission and the Committee established by Article 31 of Directive 95/46/EC note that Hungary ensures an adequate level of protection within the meaning of Article 25(6) of this directive."[1388] In July 2000, the European Commission formally adopted this position, thereby approving all future transfers of personal data to Hungary.[1389] Some further revisions of the act are anticipated, for example, regarding the regulation of transfers abroad and automated decision making, in order to ensure full compliance with the EU Data Protection Directive. Public drafts of these amendments have been released publicly but they have not yet been introduced in Parliament.
The Parliamentary Commissioner for Data Protection and Freedom of Information oversees the 1992 Act.[1390] Besides supervising the implementation of the Act and acting as an ombudsman for both data protection and freedom of information, the Commissioner's tasks include investigating complaints, maintaining the Data Protection Register, and providing opinions on draft legislation. Under the Secrecy Act of 1995, the Commissioner is also entitled to review and propose changes to the classification of state and official secrets. The Commissioner (along with the two other Parliamentary Commissioners - one for human rights in general, the other for the ethnic minorities) was elected for the first time on June 30, 1995, for a six-year term. The next Commissioners were elected after a half year interregnum in 2001.
The Commission has been very active reviewing cases involving personal information. The Commissioner conducts about 900 examinations each year.[1391] In 2002, the number of complaints and investigations reached 538 while the number of consultations was approximately 500 and the number of reports on draft law 180. As of the end of 2002, 3,851 data controllers have reported with the Commissioner 31,559 data processing registrations.[1392] In his annual report for the year 2000, the Commissioner noted that the single most important development of the year was the unprecedented rise in the number of complaints against private organizations.[1393] He stated that whereas in 1997 there were three and a half more investigations of public data controllers than private ones, by 2000 the ratio was less than double (614 public versus 364 private). He also noted that in 2000 the majority of investigations into the private sector concerned collection agencies processing 'intersectoral' information whereas previously the investigations seemed to concern the collection practices of banks, telecommunications and insurance companies. In June 2000, the Commission issued a Recommendation on the Disclosure of Personal Information by Private Companies to Debt Collection and Repayment Organizations.[1394] The number of complaints about workplace privacy also continued to increase. In September 2000, the Commissioner ruled against a state owned company that required employees to complete a personality test, containing 480 questions, and submit to a lie detector test in order to determine whether the employees had ever stolen company property or were likely to do so in the future.[1395] In March 2000, the Commissioner expressed concern about United States Federal Bureau of Investigations agents based in Hungary having access to personal information while being given diplomatic immunity.[1396] Throughout the year the Commissioner also issued recommendations on the collection of records concerning the political views of military officers,[1397] on the processing of data by car repair shops,[1398] and on the use of image, recording devices in surveillance and information collection.[1399] In February 2001, in response to a recommendation issued by the Commissioner, the Central Statistics Office (KSH) amended the national census questionnaire to omit the name and address of respondents.[1400] There was a long delay in filling the post of Commissioner, following the departure of Dr. Laszlo Majtenjyi in 2001. The present commissioner is Mr. Attila Péterfalvi, who was elected by Parliament in December, 2001.
In December 2001, the Hungarian Socialist Party (Magyar Szocialista Párt, or MSZP) sent three million campaign letters to their constituents on behalf of Péter Medgyessy, their candidate for the position of Prime Minister. Although the Party stated that it had used a telephone directory to collect the recipients' addresses, they actually sent their message to persons who only had a private telephone number. Attila Péterfalvi, the Data Protection Commissioner, opposing the opt-out model, ordered to erase the databases that contained voters' addresses and the information about whether they wanted to get a second letter from the MSZP. The Socialist Party followed his opinion by destroying their databases.[1401]
In 2002, László Majtényi, ex-Data Protection Commissioner emphasized after the end of the elections, that the "political class" had not taken at all notice of the rights for informational autonomy. It all started in 2001 when the Department of Country Image (Országimázs Központ) sent its Country Traveler (Országjártó), a periodical to popularize the Hungarian Government headed by Viktor Orbán (1998-2002), to every house without obtaining the legal authorization to use the recipients' names and addresses. Member of Parliament Róbert Répássy advocated the abolition of the Data Protection Commissioner's Office, and Hungarian elections produced questionable political tactics.[1402]
In the spring of 2002, the resigning Minister of Finance, Mihály Varga, directed the National Pension Institute (Országos Nyugdíjbiztosítási Igazgatóság) to transfer the list of addresses of 1.5 million pensioners to the Hungarian Post Corporation. The Post was thus able to send Viktor Orbán (the resigning Prime Minister)'s letter to pensioners about the increase of the amount of their pension. The Hungarian Data Protection Commissioner held that it was not necessary to announce a new law affecting pensioners by personalized mailing, and while Orbán's letters did not harm anybody's constitutional rights for privacy, the letters did not comply with Hungarian data protection regulations.[1403]
In 2003, the deployment of closed circuit television (CCTV) systems by public authorities, primarily in Budapest, was in the headlines. Although it is mandatory to inform citizens about the installation and use of video surveillance cameras by notices on the walls of the buildings of the monitored areas, the authorities did not comply with that rule in eighty-two percent of the cases. Surveillance cameras now monitor almost every street and square of the downtown area. It has been reported that some of them have nighttime vision and face recognition capabilities. Authorities have claimed that video cameras are efficient tools against crime. When authorities planned to use their camera systems for purposes different from the ones that justified their original installation,[1404] Attila Péterfalvi, the Data Protection Commissioner, pointed out that law prohibited this. The Commissioner investigated the case of the Budapest neighborhood of Terézváros where the mayor) wanted to give rights to a private company to run the CCTV network, even though only the police has the right rights to process personal data collected by cameras on public areas. The mayor later complied with the Commissioner's opinion.[1405]
The Commission maintains close relations with the data protection authorities in other central and eastern European countries. In December 2001, the Data Protection Commissioners from the Czech Republic, Hungary, Lithuania, Slovakia, Estonia, Latvia and Poland signed a joint declaration agreeing to closer cooperation and assistance. The Commissioners agreed to meet twice a year in the future, to provide each other with regular updates and overviews of developments in their countries, and to establish a common website for more effective communication.[1406]
Many laws contain rules for handling personal data including addresses,[1407] universal identifiers,[1408] medical information,[1409] police information,[1410] public records,[1411] employment,[1412] telecommunications,[1413] and national security services.[1414] In November 2001 passed an anti-money laundering package outlawing anonymous bank accounts.[1415] The Direct Marketing Act authorizes companies to process individuals' names and addresses for marketing purposes but requires consent for the processing of other information such as telephone numbers or e-mail addresses.[1416] There is no sectoral legislation covering the Internet, however, the Commissioner issued a Recommendation on Data Protection in Cyber-Space in February 2001 calling for amendments or supplements to existing law to address this issue. The Criminal Code also has provisions on privacy.[1417]
Surveillance by police requires a court order and is limited to investigations of crimes punishable by more than five years imprisonment.[1418] Surveillance by national security services requires the permission of a specially appointed judge or the Minister of Justice, who can authorize surveillance for up to ninety days.[1419] In April 1998, the government issued a decree ordering phone companies that offer cellular service to modify their systems to ensure that they could be intercepted. The cost was estimated to be HUF10 billion.[1420] It has been reported that the NSS regularly install black boxes on Internet service providers (ISPs)' networks and intercept communications without warrants. Furthermore, it is reported that signing a contract to allow full access to data by the NSS is a precondition for obtaining an ISP operating license.[1421]
There have been several scandals involving spying on politicians, environmental activists and ethnic minorities. In March 2001, the Chairman of the Hungarian Coalition Party (SMK) reported that its members were being monitored and their communications bugged.[1422] In 1998 Prime Minister Viktor Orbán stated that members of the then-opposition political party FIDESZ were the targets of illegal secret surveillance by the secret services.[1423] A parliamentary committee was established to investigate the matter but its final report released in the spring of 2000 did not find evidence to support the allegations.[1424] In November 2001, the Justice Minister denied reports that there had been an increase in secret surveillance saying that the number of authorizations for this surveillance were twenty-five percent less than under previous governments.[1425]
The Hungarian Parliament created an investigative committee (AKA Mécs-bizottság, named after its head, Member of Parliament Imre Mécs) to investigate the political past of the members of the government because it was revealed that the new Prime Minister, Péter Medgyessy, had worked in counter-intelligence for a state security agency during the communist era. The political opposition tried to use this information against the governing party, arguing that the Prime Minister was a "spy"), which sparked a political battle between the political factions. The main privacy issue was whether the fact that someone who had worked as a "secret police agent" before the nineties could be considered "personal information," or whether the interest for open government and freedom of information trumped an individual's privacy rights and informational autonomy. The Data Protection Commissioner's position was that the investigative committee was established constitutionally, but it had no right to manage the personal data of government members. Nevertheless, a Hungarian daily magazine, Magyar Hírlap, published the names of eleven politicians, who were "affected," i.e., the names of the people who either worked for a secret agency, or whose name was only mentioned in a document of a spy agency. The investigative committee's head, László Mécs, published almost the same list of affected persons a week later.[1426]
In July 2002, the National Radio and Television Council (ORTT), created by the Parliament in 1996 to defend free speech and warrant the independence of the media, published its Internet regulation plan.[1427] The report provides for the application of the same rights and liabilities to online and offline newspapers, and to extend the traditional press regulations to online content providers. It also backed the use of a filtering system to prevent minors from being exposed to harmful content, and endorsed the idea of a "notice and takedown" procedure applicable to Internet service providers (ISPs) when they have to deal with infringement claims. The ORTT declared, however, that an ISP hosting web space for free could not be responsible for its content, unless the ISP had known about the infringement and did not act upon it.[1428]
In terms of access to information the 1992 Act on the Protection of Personal Data and Disclosure of Data of Public Interest (the Act) guarantees access to information of public interest, which is defined as any information being processed by government authorities except for personal information. Exemptions can be made for state secrets or official secrets and information related to national defense, national security, criminal investigations, monetary and currency policy, international relations and judicial procedure. In June 2002, the Government announced that it would ask the Parliament to pass legislation authorizing the further opening of the secret police files from the Communist era.[1429] The announcement came following an admission by the Prime Minister that he had been a counter-intelligence officer in the secret police during that time.[1430]
Hungary is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[1431] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[1432] In November 2001, Hungary signed the Council of Europe Convention on Cybercrime.[1433] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.