Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


Chapter: 

II. Surveillance policies

National security, government surveillance and law enforcement

In June 2004, the Constitutional Court ruled1 that the provisions on control of personal data in the Act regulating the work of security guards2 are unconstitutional and furthermore annulled the right of security guards to search anyone's package or vehicle in a private area open to the public. The Constitutional Court called upon the Parliament to amend the Act by 31 December 2004. The Parliament exceeded the deadline and it was only in 2005 that a new Act was enacted3. In the meantime, security guards continued working on the basis of the annulled provisions, with the explicit support of the Ministry of the Interior.4 Although the new Act complies with at least some aspects of the Constitutional Court decision, it also gives several surveillance powers to private security enterprises. It allows private companies to store CCTV records as a main rule for three working days, in special cases (e.g. for counter-terrorism purposes) for about 30 days, and in post offices, banks, and similar institutions for 60 days, without any legal purpose.5

A controversial position6 of the DP&FOI Commissioner in November 2007 and several subsequent court decisions exposed a paradoxical relationship between law enforcement and privacy. According to these rulings, the face of a policeman performing his duty is not allowed to be published/disclosed in the media without his consent. Although the arguments supporting these rulings are questionable since they may confuse the individual's private and official capacities, most journalists exercise self-censorship in such situations.

Wiretapping, access to, and interception of communications

In 2005, the Parliament passed the Act on Security Services and the Activities of Private Investigators.7 This law defines the purposes of surveillance and the rights of surveillance subjects, as well as the conditions of recording and archiving the images.8 Surveillance by police requires a court order and is limited to investigations of crimes punishable by more than five years' imprisonment.9 Surveillance by national security services requires the permission of a specially appointed judge or the Minister of Justice, who can authorise surveillance for up to 90 days.10 In April 1998, the government issued a decree ordering phone companies that offer cellular service to modify their systems to ensure that they could be intercepted. The cost was estimated to be HUF10 billion (approximately €36,500,000).11 It has been reported that the National Security Service (NSS) regularly installs black boxes on Internet Service Providers' (ISP) networks and intercepts communications without warrants. Furthermore, signing a contract to allow full access to data by the NSS is a precondition for obtaining an ISP operating licence.12

In January 2007 the Constitutional Court stated that the current judicial guarantees in the criminal procedure law and in the national security sector were inadequate to provide efficient protection to the right to privacy of the citizens.13 The secret surveillance and other secret data collection activities of law enforcement and national security bodies require prior authorisation by appointed judges, but the oversight of this process did not meet the required level of constitutionality. The Constitutional Court ordered the Parliament to establish conditions of the proper judicial overview of these applications.

National security legislation

No specific information has been provided under this section.

Data retention

An amendment to the Act on Electronic Communications in 2008 implemented the EU Directive 2006/24/EC (Data Retention Directive).14 The new Act did not include many modifications as those data retention provisions were already in place. The retention period varies depending on internal orders of the service provider.15 The only novelties were the retention of Internet communications data and the elimination of the legal purposes of data processing. The new rules establish that data controllers must keep personal data stored in databases without previously defined purposes. Such data processing was prohibited by a 1991 decision of the Constitutional Court. The Act on Protection of Personal Data (1992) also contains this ban. Therefore the Hungarian Civil Liberties Union filed a complaint to the Constitutional Court requesting an ex-post examination for unconstitutionality and the annulment of the data retention provisions of the Act. The case is still pending. In another case a court ruled that statistics on the usefulness of retained data are not available to the public.16 The DP&FOI Commissioner took an active part in the evaluation of the national implementation of the Data Retention Directive. The evaluation coordinated by the Article 29 Working Party resulted in a report pointing out, among other issues, that statistics on the use of retained data are generally missing in the member states.17

National databases for law enforcement and security purposes

Hungary joined the group of Schengen countries in 2008. The Schengen accession required, among other things, the setup of the legal and technical framework for the operation of the Schengen Information System (SIS), which required significant amendments to the immigration law, the Act on police, the Act on border control and others. Throughout 2006 and the first half of 2007 numerous acts of Parliament were amended in order to provide the SIS with relevant information stored in the Hungarian databases on law enforcement, immigrants, on passports and visas, on the search of persons, objects, vehicles, etc. The Republic of Hungary also joined the Prüm Convention, a data-sharing initiative between some EU countries.18 Part of the Prüm Convention provisions, falling under the former third pillar of the EU, were later subsumed into the police and judicial cooperation provisions of European Union law by 2008 Council Decisions commonly referred to as the Prüm Decision.19

National and international data disclosure agreements

The Hungarian Government concluded data protection agreements with the Israeli and US Governments in 2001 and 2003 respectively, concerning the processing of personal data included in the Holocaust-related documents preserved in Hungarian archives and transferred to the Yad Vashem Authority in Jerusalem and the Washington Holocaust Museum, and about the rights of the persons concerned.20

In December 2006, the President of Hungary decided not to sign a national law regarding the promulgation of the EU-US PNR (Passenger Name Records) agreement and sent it back to the Parliament for reconsideration. According to the President "it is necessary that the Parliament make possible the forwarding of data in the act on promulgation of the international agreement only in the case that the person in question has explicitly consented to it.” Parliament re-discussed the bill and completed it with a rule that requires the explicit consent of the person in question to forwarding of his data abroad.21

Cybercrime

No specific information has been provided under this section.

Critical infrastructure

No specific information has been provided under this section.

Territorial privacy

Video surveillance

In 2003, the deployment of closed circuit television (CCTV) systems by public authorities, primarily in Budapest, was in the headlines. Although it is mandatory to inform citizens about the installation and use of video surveillance cameras by notices on the walls of the buildings of the monitored areas, the authorities did not comply with that rule in 82 percent of the cases. Surveillance cameras now monitor almost every street and square of the downtown area. It has been reported that some of them have night-time vision and face recognition capabilities. Authorities have claimed that video cameras are efficient tools against crime. However, authorities planned to use their camera systems for purposes different from the ones that justified their original installation.22 The Commissioner investigated the case of the Budapest neighbourhood of Terézváros where the mayor wanted to give rights to a private company to run the CCTV network, even though only the police have the right to process personal data collected by cameras on public areas. The mayor later complied with the Commissioner's opinion.23

The relevant law was modified several times. First, in 2008, the Act on Police was amended in order to give a more precise provision on video surveillance in public spaces. One year later, the Act on Public Space Supervision authorised local governments to install video surveillance systems without the participation of police forces. The amendment was heavily debated since it significantly broadens the possibility of surveillance without a clear strategy.

On 7 May 2009, the DP&FOI Commissioner issued a press release in which he drew the attention of the public to the fact that neither legal grounds of data processing, nor the possibility for data subjects to exercise their rights, are clarified where streets and other public spaces in Budapest are being recorded by Google Street View.24 As a result, Google has suspended recording images in Hungary. Nevertheless, a similar service is freely available at "norc.hu".25 On 2 June 2010, the Commissioner wrote a letter to Google, Inc. and demanded information about the covert collection of communications data emitted by WiFi systems.26 His letter was part of the joint investigation of data protection commissioners coordinated by the EU Article 29 Working party.27

A decision by the DP&FOI Commissioner related to camera surveillance in a block of flats. There is no special provision on video surveillance in houses consisting of several flats. Therefore, the general rule of the Data Protection and Freedom of Information Act applies. According to the general rule, if no sectoral act provides otherwise, the processing of personal data may only be allowed if all data subjects involved have given their consent to it. In the case at stake, this criterion was missing since not even the majority of flat owners had consented to the installation of the CCTV system. The Commissioner ordered the cessation of the processing. The representative of the block of flats challenged the decision of the Commissioner but the court rejected the action in its final ruling.28

Location privacy (GPS, mobile phones, location based services, etc.)

Employees of the Hungarian subsidiary of international mobile telephone service provider Vodafone discovered that the company had used its employees to test the company's new Mobil Flotta positioning system without informing them. For several months in 2005 the company secretly followed the movement of its employees 24 hours a day, including weekends, through their cell phones, and recorded the data in personally identifiable form. The company's computer system's lists contained data about the employees' physical location in the country at 15-minute intervals. The employees sued the company. The company admitted to the tracking but insisted that the employees had been informed about, and consented to, the tracking in advance. Both the lower court and the appellate court decided in favour of the plaintiffs. Vodafone had to publicly apologise for the case and declare that it would do its best to avoid such infringements of rights from happening again in the future. In addition, the court ordered the discontinuance of the test and ordered Vodafone to delete the data.29

Travel privacy (travel identification documents, biometrics, etc.) and border surveillance

Since August 2006, Hungary has been issuing e-passports containing a chip with biometric information about the passport holder, namely the facial image and digital fingerprints. The new type of passport was required by the European Union Council Regulation on standards for security features and biometrics in passports and travel documents issued by member states.30

National ID and smart cards

No specific information has been provided under this section.

RFID tags

No specific information has been provided under this section.

Bodily privacy

No specific information has been provided under this section.

Footnotes

  • 1. Decision No. 22/2004 (VI.19.) AB.
  • 2. Act No. IV of 1998 on Security Guards.
  • 3. Act No. CXXXIII of 2005 on Security Services and the Activities of Private Investigators, promulgated in the Official GazetteNo. 155 30November 2005. It is available in Hungarian at http://www.complex.hu/jr/gen/hjegy_doc.cgi?docid=A0500133.TV.
  • 4. Letter from the Legal Department of the Ministry of Interior to Balázs Dénes, Executive Director of Hungarian Civil Liberties Union, 17 January 2005.
  • 5. Act No. CXXXIII of 2005, Section 31 (2).
  • 6. The position has been left out from the Commissioner's Annual Report for 2007. An interview in which the Commissioner stated that his intent had been distorted is available in Hungarian at http://abiweb.obh.hu/abi/index.php?menu=mediaszemle/aktualis/2007/11/28&....
  • 7. Act No. CXXXIII of 2005.
  • 8. Annual Report of the Parliamentary Commissioner for Data Protection and Freedom of Information 2005, supra.
  • 9. Act No. XXXIV of 1994 on Police.
  • 10. Act No. LXXV of 1995 on the National Security Services.
  • 11. "Technical Costs of Phone Tapping Estimated at HUF10bn," MTI Econews, 17 April 1998.
  • 12. Act No. C of 2003 on Electronic Communications, supra.
  • 13. Decision 940/B/2003 AB.
  • 14. Act No C. of 2003, supra.
  • 15. Art. 29 Data Protection Working Party, Report 01/2010 on the second joint enforcement action: Compliance at national level of Telecom Providers and ISPs with the obligations required from national traffic data retention legislation on the legal basis of articles 6 and 9 of the e-Privacy Directive 2002/58/EC and the Data Retention Directive 2006/24/EC amending the e-Privacy Directive, 13 July 2010, at 22, available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp172_anne....
  • 16. Case No. 38 P.24.903/2009, available in Hungarian at http://tasz.hu/files/tasz/imce/NBH_%C3%ADt%C3%A9let.pdf.
  • 17. Article 29 Data Protection Working Party, Report 01/2010 on the Second Joint Enforcement Action: Compliance at National Level of Telecom Providers and ISPs with the Obligations Required from National Traffic Data Retention Legislation on the Legal Basis of Articles 6 and 9 of the E-Privacy Directive 2002/58/EC and the Data Retention Directive 2006/24/EC Amending the E-Privacy Directive, wp 172, 13 July 2010, available athttp://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp172_en.pdf.
  • 18. Act No. CXII of 2007 on the Transformation to the National Law of the Prüm-Treaty.
  • 19. Council Decision 2008/615/JHA of on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime, 23 June 2008 OJ L 210, 6 August .2008, at 1-11, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32008D0615:E....
  • 20. Promulgated by Government decrees 231/2004. (VIII. 6.) and 13/2002. (I. 31.)
  • 21. Act No. CXXVIII. of 2006 on the Transformation to the National Law of the "Agreement between the European Union and the United States of America on the Processing and Transfer of Passenger Name Record (PNR) Data by Air Carriers to the United States Department of Homeland Security".
  • 22. As an example, a camera system monitoring payment on a highway was used later to identify those who had not fastened their safety belts.
  • 23. Kiss Gábor, "Megfigyelt megfigyelök" ("Watching the Watchers"), Tech-tudomány, 18 January 2003, at http://www.index.hu/tech/jog/urbaneye/; "Szabadtéri Big Brother Budapesten - nem önkéntes alapon" ("Open-air Big Brother in Budapest - Not on a Voluntary Basis"), Korridor, 29 July 2002; Sándor Tünde, "Minden sarkon térfigyelö. Erzsébetváros teljes területét kamerák pásztázzák" ("There Is a Surveillance Camera at Every Corner. The Whole Area of Erzsébetváros Is Full of Cameras"), Népszabadság Online, 24 July 2002, at http://web.archive.org/web/20031122210633/http://www.nol.hu/Default.asp?....
  • 24. In Hungarian at http://abiweb.obh.hu/abi/index.php?menu=0/Sajtokozlemenyek&dok=20090507_....
  • 25. At http://www.norc.hu/street-view/.
  • 26. The letter is available at http://abiweb.obh.hu/dpc/index.php?menu=cases/DP/2010&dok=1545_H_2009-4.
  • 27. See http://epic.org/privacy/streetview/.
  • 28. The ruling was issued by FÅ‘városi Bíróság on 20 October 2010.
  • 29. Email from Ivan Szekely, OSA Archivum and Budapest University of Technology and Economics, Hungary, to Allison Knight, Research Director, Electronic Privacy Information Center, 11 June 2007 (on file with EPIC).
  • 30. European Union Council Regulation EC 2252/2004 of on standards for security features and biometrics in passports and travel documents issued by Member States, 13 December 2004, OJ L 385, 29 December 2004, at 1–6 available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32004R2252:E....