On January 17, the European Commission (EC) launched an infringement procedure against Hungary and started to investigate whether the establishment and the organisation of its new Data Protection Supervisory Authority (DPA) are in compliance with the mandatory rules of the applicable EU directive, which require the “complete independence” of data protection supervisory authorities. In a similar case, the judgment of the EU's Court of Justice has already ordered Germany to ensure the “complete independence” of its supervisory authorities and amend its legislation accordingly. Taking into account that the EC takes this issue very seriously, it would be worth briefly investigating what led to this infringement procedure against Hungary and what the Hungarian government should do to clarify the situation and eliminate the legislative deficiencies, if any.
Legislative background
On July 11, 2011, the Hungarian Parliament accepted Act CXII of 2011 on Informational Self-Determination and Freedom of Information (privacy act). The new privacy act repeals Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Information of Public Interest. Most sections of the privacy act came into force on 1 January. Similarly to the old law, the new act is also based on Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EU Privacy Directive), which provides a mandatory general framework for data privacy legislation in all Member States of the EU.
As a result of the new legislation, significant changes are anticipated in the practical application of Hungarian privacy law. One of the most important changes is the establishment of the new DPA as of 1 January. The new DPA will have the right to impose fines between HUF 100,000—approximately €370—and HUF 10,000,000—approximately €37,037. Until now, the authority, which was a Scandinavian-type parliamentary ombudsman, was only entitled to a limited scope of sanctions, for example, advising the data controller/processor to cease its unlawful activities, announcing to the general public the results of an investigation or ordering that unlawfully processed data be deleted. The new right of the DPA to impose fines was necessary with a view to the European legislative trends—the old privacy act was out-of-date in this respect—and will strengthen the companies’ compliance with data privacy laws.
Concerns regarding the new DPA
Despite these improvements, the organisational structure of the new DPA received strong criticism from legal professionals and privacy/information freedom NGOs as soon as the first draft of the bill was published.
The main concerns are the following:
- The new DPA is established by the premature termination of the six-year term, which would end in 2014, of former Data Protection Commissioner András Jóri.
- The new DPA will be a part of the public administration, and its president is elected by the president for nine years, upon the proposal of the prime minister only.
Critics say this new organisational structure—integrating an authority which is supposed to be autonomous into the public administration—may result in unwanted external influence from the state, and this may affect the day-to-day operation of the DPA as well. For example, a DPA that is part of the public administration may be more tolerant of data security breaches by state-owned organisations, and its independence may also be arguable in connection with the enforcement of “freedom of information” obligations of the state.
The EU Privacy Directive contains strict requirements in relation to the establishment of the DPA. Pursuant to its Article 28, data protection supervisory authorities “shall act with complete independence in exercising the functions entrusted to them.” Due to the concerns outlined above, the organisational structure of the new Hungarian DPA and the premature termination of the term of the former data protection commissioner may not ensure such complete independence. In addition, the EU Privacy Directive says that supervisory authorities “shall be consulted when drawing up administrative measures or regulations relating to the protection of individuals' rights and freedoms with regard to the processing of personal data.” Before the passing of the new privacy act, the former data protection commissioner did not have reasonable time to provide his opinion on the draft bill, which may breach his consultation right under the EU Privacy Directive.
On January 17, the EC launched an infringement procedure against Hungary and started to investigate whether the relevant provisions of the new privacy act are in compliance with the above-mentioned requirements of the EU Privacy Directive.
Comments and possible solutions
The efforts of the government to strengthen and update the previously effective law were welcomed by the industry and legal professionals, and this infringement proceeding could definitely have been avoided if the process of passing the legislation and the organisation of the new DPA had been managed more smoothly. For example, the short deadlines for the former data protection commissioner to comment on the new law, and the premature termination of his position, did not foster the flawless upgrade of the existing privacy framework.
Considering the apparent efforts of the Hungarian government to resolve the issues which are under discussion with the EC, now it is expected that the government will understand the concerns regarding the independence of the DPA and streamline the relevant provisions of the new privacy act accordingly. The former data protection commissioners played an essential role in the development of Hungarian privacy law in the last 20 years, and the industry usually had very good experience with them when it came to discussing practical privacy issues. Therefore, it is expected that a renewed dialogue with the former data protection commissioner and involving him in the reorganisation of the supervisory system would prevent a full infringement procedure by the EC.
As mentioned above, it is important to note that the reorganisation of the DPA followed the European trends; for example, it was necessary to authorise the DPA to impose monetary fines and to reorganise the overwhelming administrative tasks of its staff. Nevertheless, these goals do not require the creation of a whole new DPA, which becomes a part of the public administration, instead of being a fully independent parliamentary ombudsman. The new law should be amended only in a few points to eliminate the deficit of compliance and this can be done quickly.
It may also be worth noting that the current governing party received some public criticism from Jóri in the last two years. The most important cases addressed the investigation of the lawful processing of potential voters’ data on political opinions in a governmental database and the questionable disclosure of personal data of people who were granted financial aid by a municipality but refused to accept it. In both cases, the commissioner emphasised his legal concerns regarding the data processing activities investigated. Considering that these cases received significant attention from the press, the premature termination of the term of the data protection commissioner may be a politically wrong move. Now it is expected that the government will start accepting that such constructive criticism is a normal part of the regulator’s role as a privacy and freedom of information watchdog and will give up its concerns regarding the full independence of the DPA.
