Privacy and data protection in Hungary
Author：Janos Meszaros Full-time Research Assistant
The challenge of defining “privacy” is that the idea means something different to every individual, and constantly changes over time and between societies.
Technological developments have significantly changed the dynamics of privacy since the advent of portable photography technology in the 1890s. The meaning and conceptualization of privacy developed alongside with technologies, with the evolution of laws protecting privacy and personal data following on after.
From the “right to be let alone,” privacy evolved into informational self-determination. According to Alan Westin’s definition, “Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.”
Citizens need stronger governmental protections in today’s digital society as they have no choice but to participate in it (e.g. university students can only manage their exams and classes online and most workplaces demand that their employees be active online).
In Hungary, the country's communist history has significantly impacted privacy regulations. Following the dissolution of the Soviet Union, the Soviet-influenced ruling party and the Opposition Union negotiated constitutional reform, resulting in a slow transition to a democratic society, capitalism, and the rule of law. These constitutional reforms included the right to the protection of personal data and the freedom of information.
There is no single word in the Hungarian language that is the equivalent of the English term “privacy.” The equivalent phrase for the word 'privacy' translates literally to “the protection of personal data,” or “data protection,” sometimes followed by the type of data being referenced.
As a Member State of the European Union and the Council of Europe, Hungary has accepted all the data protection and freedom of information principles of international law, and ratified the International Covenant on Civil and Political Rights (‘ICCPR’), which provides that “no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation.”
Hungary also ratified the European Convention on Human Rights in 1992 and the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108), and the country is bound to the Charter of Fundamental Rights of the European Union, of which Articles 7 and 8 relate to the right to privacy and the protection of personal data respectively.
The national law of Hungary sets forth higher standards of privacy than those extended under international law. The right to privacy and the right to the protection of personal data are recognized by the Hungarian Fundamental law (Constitution), under which everyone has the right to have his or her private and family life, home, communications and good reputation respected, and the right to the protection of his or her personal data, as well as to access and disseminate data of public interest in Hungary.
The means and details pertaining to the protection of privacy and the freedom of information are laid down by Act CXII of 2011 on informational self-determination and freedom of information (Privacy Act) and in the sectoral laws affecting the rights to privacy and protection of personal data in Hungary. The Act implements EU Directive 95/46/EC on the protection of individuals with regards to the processing of personal data and the free movement of such data. There are, however, certain issues where the implementation of the Directive can be controversial, such as legal grounds for data processing, transfer of information to third countries, and the use of sub-processors.
The Act is comprehensive in scope, and concerns all data control and data processing activities undertaken in Hungary. The law defines these activities as those which relate to the data of a natural person, as well as data in the public interest and data made public on the grounds of being in the public interest.
The Hungarian National Authority for Data Protection and Freedom of Information is responsible for supervising and defending the right to the protection of personal data and the freedom of information in Hungary in both public and private sectors.
Everyone is entitled to request an investigation from the Authority on the grounds of infringement of data protection law, and the Authority is entitled to launch an official data protection procedure if it is presumed that the illegal processing of personal data concerns a wide scope of persons, special data, or significantly harms interests or results in the risk of damages.
Data controllers and data processors must ensure they protect personal data and implement technical and organizational measures, as well as adequate procedural rules to enforce the provisions of the Privacy Act and other regulations concerning confidentiality and security of data processing. Personal data must be protected against unauthorized access, alteration, transfer, disclosure, deletion, accidental deletion or damage as well as against being unable to access the data due to the change in the applied technology.
If multiple possibilities for data processing solutions exist, the solution to be chosen should provide a higher level of security for personal data, unless this would result in a disproportionate burden for the data controller.
On 15 December 2015, the European Parliament, the Council and the Commission reached agreement on the new data protection rules, establishing a modern and harmonized data protection framework across the EU. The new regulation will establish a uniform set of rules throughout the entire EU by creating a one-stop-shop policy enabling organizations to deal with a single supervisory authority, and will cut back administrative burdens on companies.
The European Parliament's Civil Liberties committee approved the agreements with a very large majority and it was also welcomed by the European Council as a major step forward in the implementation of the Digital Single Market Strategy.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to unify data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data protection.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 Directive was established. It is still questionable how the new rights introduced by the GDPR (e.g. right to be forgotten, data portability) will be implemented in 2018, since the Regulation leaves a lot of room for interpretation by the Member States. The new rights could significantly influence the everyday lives of EU citizens, and hopefully the GDPR will strengthen the privacy rights of Hungarian citizens in 2018 when it comes into force.