I. Legal framework
The Hungarian Data Protection Act of 1992 (the Act), covers the collection and use of personal information in both the public and private sectors. It is a combined data protection and freedom of information act.1 Its basic principle is informational self-determination. As regards data protection, the Act sets out general provisions on the request, collection, handling, and transfer of personal information and provides legal remedies to individuals whose rights are violated.
The Hungarian data protection system follows the "opt-in" regime. Under the Act personal data may only be collected and processed with the freely given, specific, and informed consent of the individual or if it is required by law. The individual must be fully informed of the purpose of the data processing. Only the data necessary to accomplish this purpose may be collected, and it may only be stored until that purpose is fulfilled. The data must be accurate, complete, and up to date. Individuals are granted the right to access their personal information and, where necessary, to request its correction or even deletion. Special protections are set out for "sensitive data", which is defined as data relating to "racial origin, nationality, and ethnic status, political opinion or party affiliation, religious or other conviction" or "medical condition, abnormal addiction, sexual life, trade-union membership, and criminal record". These kinds of data may only be processed where the subject has consented in writing or if it is based on an international agreement or required by law for the purpose of enforcing a constitutional right, national security purposes, crime prevention, or a criminal investigation.2 The Act also expressly prohibits the use of all-purpose identification numbers or codes.
Hungary, as a member of the European Union (since 2004), allows personal data to flow freely across borders within the EU, as if the data remained in the territory of Hungarian Republic. Personal data from other member states of the EU may be transferred to Hungary under the same conditions. Earlier, in July 2000, the European Commission considered Hungary as a country that ensures an adequate level of protection within the meaning of Article 25(6) of the EU Data Protection Directive.
On 1January 2004 the amendment of Act LXIII of 1992 on the Protection of Personal Data and Disclosure of Data of Public Interest entered into force, which harmonised the law with applicable EU Data Protection Directive (1995/46/EC), also included changes regarding the classic role of the ombudsman in protecting privacy, and opened a new chapter in the history of the institution.3 As a consequence of the implementation of the Directive, decisions relating to the regulation of data protection are partly outside of the competence of Hungarian authorities. On 1 May 2004, Hungary also became a full member of the European Commissionâ€™s Article 29 Data Protection Working Party â€“ an independent consulting body operating on the side of the Commission, made up by the member States' privacy commissioners and/or other authorities.4
Many sector-specific acts contain rules for processing personal data including addresses,5 sector-specific identification codes,6 medical information,7 police information,8 public records,9 employment,10 telecommunications,11 and national security services.12 The Direct Marketing Act authorises companies to process individuals' names and addresses for marketing purposes on an "opt-out" basis, but requires consent for the processing of other information such as telephone numbers or email addresses.13 One of the most recent sector-specific acts regulates the protection of human genetic data and the operation of biobanks.14 The law does not expressly prohibit the use of such data by employers and insurance companies. The Criminal Code also includes privacy provisions.15
Data protection authority
The Parliamentary Commissioner for Data Protection and Freedom of Information (DP&FOI Commissioner or Commissioner) oversees the 1992 Act.16 Besides supervising the implementation of the Act and acting as an ombudsman for both data protection and freedom of information, the Commissioner's tasks include investigating complaints, maintaining the Data Protection Register, and providing opinions on draft legislation. Until 2004, the Commissioner's only effective power was provided by the Secrecy Act of 1995. Under this Act, the Commissioner is entitled to review and propose changes to the classification of state and official secrets. Since 2004, the Commissioner has also been empowered to order the blocking, deletion, or destruction of unlawfully processed data; to prohibit the unlawful processing or technical processing of data; and to suspend the transfer of data to foreign countries. The data controller concerned may institute court proceedings against these measures by the Commissioner.
The Commissioner has been very active reviewing cases involving personal information. The great majority of the cases involve data protection, while cases involving freedom of information represent only about 10 percent of the cases on average. The Commissioner opened 122 cases in the first half-year of his term in 1995; 597 cases in 1996; 937 cases in 2000; 2,350 cases in 2005, 2,724 cases in 2007, 2,115 cases in 2008 and 3,953 cases in 2009. In 2009, 3,981 petitions were submitted to the Commissioner's Office by email. Complaints represented 63 percent of the cases related to data protection in 2009, while consultations initiated by data controllers were 35 percent, and the Commissioner acted on his own initiative in 2 percent of the cases.17
Towards the end of his six-year term in office, the first Commissioner, LÃ¡szlÃ³ MajtÃ©nyi, issued several recommendations directly blocking interests of the prevailing power-holders. In response, there was pressure from some political institutions to propose abolishing the office of the Data Protection and Freedom of Information Commissioner altogether. Finally, after negotiations lasting almost six months, in December 2001 the National Assembly succeeded in electing the country's second DP&FOI Commissioner, Attila PÃ©terfalvi, a lawyer from the first Commissioner's office. In 2008 a similar situation occurred. In December 2007 the Parliament failed to re-elect the DP&FOI Commissioner. After ten months of unsuccessful political negotiations and several attempts to nominate the Commissioner's successor, at the end of September 2008 AndrÃ¡s JÃ³ri, again a lawyer from the first Commissioner's office, was elected as the third DP&FOI Commissioner. His term of office will expire in 2014. Dr. JÃ³ri declared his intent to lay more emphasis on freedom of information than his predecessor,18 so as to reduce the imbalance of the two main areas of activity of the Commissioner. He also firmly supported the idea of extending the administrative powers of the Commissioner.19
However, in 2009 and again in 2010 there were political attacks against the institution of parliamentary commissioners, including the DP&FOI Commissioner: instead of independent commissioners, cooperating with each other only at the professional level, the concept of a centralised, hierarchical system has been promoted.20 In such a system the DP&FOI Commissioner would have only a subordinate position.
Major privacy and data protection case law
Hungary's first high-profile privacy controversy was the "lottery jackpot affair."21 In October 1995, somebody won the biggest prize in the history of the Hungarian lottery, which had been accumulating for a long time. SzerencsejÃ¡tÃ©k Rt., the State Gambling Company, had the television crew of a news programme named ObjektÃv and photographers from NÃ©pszabadsÃ¡g, one of the largest-circulation dailies, do several "takes" of the "discovery" of the winning ticket. Using the footage, the TV crew managed to identify the name and address of the winners from the reverse of the ticket, and called on their family late at night. Despite the wishes of the winners, who requested anonymity, the interview with them was aired the following day. The imperfect distortion of sound and video, along with the airing of their personal data, made their identity publicly known. The DP&FOI Commissioner investigated the case and this resulted in a judgment against SzerencsejÃ¡tÃ©k Rt.'s processing of the data and the TV crew's conduct. Sadly, the TV crew never really admitted any wrongdoing. The case divided the media industry itself, with some journalists arguing that alert TV journalists should have the right to delve into private events of interest to viewers.
In 1998, a 13-year-old girl applied for an abortion with the consent of her mother. Her case, which came to be known as the "Case of the Girl from DÃ¡vod," received wide exposure due to TV coverage, and triggered an investigation brought by the Commissioner. This case proved even more divisive, as it forced everyone familiar with it to take a stand on the boundaries of privacy and, by implication, also on questions of ethics and ideology. Having learned of the pregnancy, a family rights advocacy group initiated an official process to stop the abortion, and helped to publicise the case. The mother lodged a complaint with the Commissioner in order to identify the person guilty of having abused her daughter's sensitive data. The abortion, which was performed in the meantime, rendered the debate between pro-choice activists and their detractors pointless, even as the continued publicity deprived the family of their privacy. Remarkably, the pro-life commentators never acknowledged the subjects' right to privacy or the legal provisions governing it as legitimate concerns.
A case known as the "VIP list scandal" triggered social debate over another area of privacy. It cantered on Postabank, one of Hungary's major commercial banks. Postabank offered loans and investment opportunities to certain leading politicians, public officials, and celebrities at much more favourable rates than the prevailing market terms. Having acquired a list of names of parties and the benefits they received, the press assumed that improprieties had occurred. Not only did they hold that the bank had offered preferential treatment in the hope of improving its lobbying position, they also charged several of the individuals involved of abuse of office. In his position statement, the Commissioner cited a number of resolutions by the Constitutional Court, which established narrower constitutional protections for the privacy of public officials than for the ordinary citizen. The Commissioner was unable to prevent the publication of the VIP list, which also featured the data of several individuals without public roles, including actors.
High-profile privacy cases are increasingly political. In 2001, the so-called "National Image Centre" illegally obtained from the Ministry of the Interior's central records the data of at least one person in practically every Hungarian household, and proceeded to mail them issues of the magazine entitled Millenniumi OrszÃ¡gjÃ¡rÃ³ (Millennium Country Rambler). The aim was to promote the policies of the conservative government in power. In response to a barrage of complaints, the Commissioner called on the cabinet members in charge to stop the unlawful circulation of the magazine, but to no avail: the government continued to mail the publication to citizens until it lost the next election, in 2002. Attacks on the government's abuse of citizens' data in a political direct marketing campaign was high on the agenda of the political opposition. Ironically, a year later the socialist party, which had led the opposition, availed itself of very similar means when it mailed a campaign letter by its candidate for prime minister to addresses processed in violation of the law. Hungarian laws prohibit political parties from engaging in direct marketing activities. Pursuant to the Election Procedure Act,22 political parties may not legally acquire citizens' addresses until 20 days prior to Election Day. The Commissioner responded by calling on the party to destroy the list in question. Although the Party Chairman insisted that the party had acted within the law, he destroyed the databases publicly, on the record. Similar cases happened in the electoral campaigns of 2010 when one of the parties was able to send a letter to every senior citizen receiving pension. It was also discovered that that the political parties possessed illegal lists on citizens' political views. These cases have not yet been resolved.23
The case spurring the greatest debate after the second Commissioner took office broke out around the website HÃ¡lapÃ©nz.hu in 2004. HÃ¡lapÃ©nz in Hungarian means an informal payment or gratuity given to doctors and health care workers. Operated by private individuals, the site featured "a searchable nationwide database of obstetricians" from which the user could access patient evaluations and learn the amount of the informal payment expected by each physician for care supposedly financed in full by social security â€“ hence theoretically free of charge to the patients. Visitors typically accessed the site to learn how much it would cost them to give birth under the supervision of a specific obstetrician and precisely what services they could expect in return. The advocates of disclosure proposed that the freedom of communication and opinion entitled expectant mothers and their relatives to share their experiences with obstetricians online. They argued that in conducting childbirths financed by social security doctors used public funds and fulfilled a public function â€“ and that therefore their data relevant to these activities did not merit protection under privacy regulations. As for patients referred to a "private practice," they typically received care using institutions and equipment financed by public funds as well. By contrast, the proponents of privacy stressed their perception of the doctor-patient relationship as a strictly confidential one, adding that the physicians involved had never abused their office. According to their view individuals who did not offer a gratuity received equally conscientious care, and gratuities were normally expected only for certain extra services, such as the obstetrician personally attending and conducting the childbirth even when off duty. The DP&FOI Commissioner came out in support of this latter opinion. As a result, the operator removed the site from the Web.
Other relevant case law concerning privacy and data protection is categorised and discussed under the corresponding section.24
- 1. Act No. LXIII of 1992 on the Protection of Personal Data and the Publicity of Data of Public Interest, supra.
- 2. See Zita Orb, "Amended Rules on Data Protection," World Data Protection Report, Volume 1, Issue 1, January 2001 at 22.
- 3. Email from Attila PÃ©terfalvi, Parliamentary Commissioner for Data Protection and Freedom of Information, to Ula Galster, International Policy Fellow, Electronic Privacy Information Center (EPIC), 26 May 2005 (on file with EPIC).
- 4. Email from Attila PÃ©terfalvi, supra.
- 5. Act No. LXVI of 1992 on the Register of Personal Data and Addresses of Citizens.
- 6. Act No. XX of 1996 on the Identification Methods Replacing the Universal Personal Identification Number, and on the Use of Identification Codes.
- 7. Act No. XLVII of 1997 on the Use and Protection of Medical and Related Data.
- 8. Act No. XXXIV of 1994 on the Police (Chapter VIII: "Data Processing by the Police").
- 9. Act No. LXVI of 1995 on Public Records, Public Archives, and the Protection of Private Archives (Restricting Rules on the Publicity of Documents Containing Personal Data).
- 10. Act No. IV of 1991 on Furthering Employment and Provisions for the Unemployed.
- 11. Act No. C of 2003 on Electronic Communications, available at http://www.nhh.hu/dokumentum.php?cid=10617.
- 12. Act No. CXXV of 1995 on the National Security Services.
- 13. Act No. CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing.
- 14. Act No. XXI of 2008 on the Protection of Humangenetic Data, the Humangenetic Examinations and the Operation of Biobanks.
- 15. Criminal Code, Sections 177-178/A.
- 16. Homepage at http://www.obh.hu/.
- 17. See the Annual Reports of the Parliamentary Commissioner for Data Protection and Freedom of Information, available at http://abiweb.obh.hu/dpc/index.php?menu=reports.
- 18. See, for example, his interview (in Hungarian) at http://www.jogiforum.hu/interju/46#axzz13mQniH6X.
- 19. Dr. JÃ³ri already expressed his view in his AdatvÃ©delmi KÃ©zikÃ¶nyv (Data Protection Handbook) published in 2005 by Osiris, Budapest, at. 301.
- 20. The first significant declaration of this concept was published in a controversial interview with the Parliamentary Commissioner for Civil Rights on 1 April 2009, in which he also talked about "gipsy crime", a statement he later withdrew. See http://www.fn.hu/belfold/20090401/szabo_mate_figyelmeztetni_kell/ (in Hungarian).
- 21. For a more detailed description of this and other cases reported here, see Ivan Szekely, "Hungary," in James B. Rule and Graham Greenleaf (eds.), Global Privacy Protection: The First Generation (Edward Elgar Publishing Ltd. 2008).
- 22. Act No. C. of 1997 on the Election Procedure, abstract issue available at http://www.valasztas.hu/en/onkval2010/347/347_1_4.html.
- 23. See Section "Other Recent Factual Developments," infra.
- 24. Cfr. Section "Constitutional Privacy and data Protection Framework," supra and Sections "Wiretapping, access to, and interception of communications," "Data retention," "E-Commerce," "Video surveillance," "Medical records," "Other Recent Factual Developments," infra in this Report.