Privacy & Information Security Law Blog

On January 17, 2012, the European Commission initiated expedited infringement proceedings against Hungary over recent changes to its Constitution which are considered incompatible with EU law. The proceedings follow a number of changes made to the Hungarian Constitution that came into effect on January 1, 2012. Of particular concern to the Commission are amendments affecting the independence of the national data protection authority. The Hungarian government has one month to comply, or face enforcement proceedings in the European Court of Justice.

The Hungarian national data protection authority (“DPA”) was established under Act LXIII of 1992 on the Protection of Personal Data and Public Access to Data of Public Interest (“PPD”), and maintained independent status as an ombudsman. In June 2011, the Hungarian government adopted Act CXII on Informational Self-Determination and Freedom of Information (the “Information Act”) which replaced the PPD as of January 1, 2012. The Information Act abolished the previous DPA before the expiration of its mandate and replaced it with a new administrative authority, the National Data Protection and Freedom of Information Authority (Nemzeti Adatvédelmi és Információszabadság Hatóság, or “NAIH”). The Commission is concerned that the Hungarian Prime Minister and President now have the ability to dismiss the NAIH on arbitrary grounds. Further, the NAIH is a public authority, not an independent body, which breaches Article 16 of the Treaty of the European Union and Article 8 of the European Charter of Fundamental Rights.

The Information Act also makes a number of other changes to the data protection landscape in Hungary. Under the PPD, the head of the DPA was appointed by Parliament for a renewable term of six years, whereas under the Information Law, the head of the NAIH is appointed directly by the President for a renewable term of nine years. Other new features of the Information Law include fees for data controller registrations, possible voluntary data protection audits conducted by the NAIH, and monetary penalties of up to HUF 10 million (approximately €35,000) for violations of the Information Law.