The Hungarian Ministry of Public Administration and Justice has released by 7 June 2011 for the purpose of public consultation the first ministerial draft of the new Hungarian Data Protection Act (the Act on informational self-determination and freedom of information) which is scheduled to enter into force on 1 January 2012 along with the new Basic Law of Hungary. Notably, the Basic Law in its 6th Article regulates the fundamental right to privacy and data protection as well as its guarantees, including the set-up of an independent data protection agency which shall replace the Data Protection Commissioner and its Office.
Although the Ministry of Public Administration and Justice secured only 24 hours (sic!) for the public consultation of the draft bill, the editors of the present weblog have also compiled and submitted their general comments in relation to the draft legislation which we made available here (in Hungarian).
The draft bill generally preserves the most important material provisions of the Hungarian Data Protection Act and its covers – similarly to the Data Protection Act currently in force – both the general material provisions of data protection as well as freedom of information (access to data of public interest).
Scope of the Act: Section 1 of the draft legislation lays down that its provisions shall apply to all data processing and technical data processing activities carried out in the territory of Hungary that pertain to the data of natural persons or contain data of public interest or data public on grounds of public interest. The draft legislation covers data processing carried out wholly or partially by automatic means, as well as the manual processing of data, however, it excludes from its scope data processing carried out by natural persons exclusively for their own personal (household) purposes.
We note that the Scope of the draft legislation is based on the principle of territoriality as it covers each data processing activity relating to the Hungarian territory, however, this transposition of the law does neither comply with Article 4 of the European Data Protection Directive on applicable national law, nor with its common interpretation by the Article 29 Working Party on applicable law released on 16 December 2010.
The legal basis of data processing: The Data Protection Act currently in force lays down in its 3rd Section the criteria for making data processing legitiamte. Besides data processing based on statutory legal provisions, Data Protection Act currently in force acknowledges the following legal bases:
– Consent to the processing of data not considered as special data [Data Protection Act. 3. § (1)(a)]
– Written consent to the processing of special data [Data Protection Act 3. § (2)(a)]
– (Written) consent to the public disclosure of data [Data Protection Act 3. § (4)]
– Presumed consent of the data subject in the case of data communicated by him in the course of his/her public appearances or handed over by him for making them public [Data Protection Act 3. § (5)]
– Presumed consent of the data subject in proceedings commenced upon request of the data subject [Data Protection Act 3. § (6)]
– Consent of the data subject in a written contract where processing is necessary for the performance of same [Data Protection Act 3. § (7)]
– Legal presumption of consent in case of a person unable to give his consent to the processing of his data, his personal data, including special data, due to physical causes or his physical incapacity to act, if processing is necessary to protect the vital interests of the data subject or of another person, or in order to avert or prevent a catastrophe or emergency [Data Protection Act 3. § (8)]
Section 5 of the draft legislation fully preserves the above legal bases with minor changes. However, with a view to the balance of interest provision of the Data Protection Directive under Article 7(f) (whose implementation is completely missing form the Data Protection Act), the draft legislation introduces a new legal basis for data processing partially based on consent. Section 6 (7) of the draft bill provides if personal data has been recorded with the data subject’s prior consent and data processing is necessary for the data controller to perform his/her obligations prescribed by the act of legislation or for the assertion of a legitimate interest of the data controller or a third person – unless otherwise provided by law – and except where such interests are overridden by the interests for data protection of the data subject, data can be processed without further consent or even after withdrawal of consent the data subject. Notably, this new provision does not fully comply with Article 7(f) of the Directive, since the Directive does not require the prior consent of the data subject to data processing based on the balance of interest clause.
Data controller-data processor: the draft legislation preserves the formal distinction between the processing activity performed by data controller (as data processing) and by the data processor (as technical data processing). Technical data processing’ means the performance of technical tasks related to data processing operations, regardless of the methods or means employed or of the place of application. In that regard, the activity of the processor is limited only to technical tasks relating to processing which has been also defined as technical data processing by the draft legislation. (under Section 3 item 17) We represent that the distinction is redundant, further, the regulation of the relationship of data controller and data processor is completely missing from the draft legislation which does not comply with the Directive either.
International transfer of personal data: Section 8 (1) lays down that data controllers falling under the scope of the Act can transfer personal data to a data controller processing personal data in a third country if the data subject explicitly consents hereto or if the conditions (for making data processing legitimate) under Section 5 of the Act are complied with and in the course of processing in the respective third country adequate protection of personal data would be ensured. The draft legislation also lists when adequacy is given, however, considering that this list is only limited to “safe countries” and the draft bill does not mention model clauses or ad hoc contractual arrangements as an adequacy mean, we represent that this implementation does not comply with the pertaining provisions of the EU Directive either.
The draft legislation has also preserved the general principles of data processing, such as necessity and proportionality, the rights of the data subjects as well as the notice requirement by with minor changes as originally laid down by the Data Protection Act.
The draft legislation intends to set up the National Agency for Data Protection and Freedom of Information that would replace the Data Protection Commissioner’s Office and which is both responsible for the enforcement of compliance with privacy laws as well as freedom of information laws. The Agency is independent, it cannot be instructed within its competence and it shall take its measures exclusively on the basis of legislative acts. The Agency is headed by the President who is nominated by the Prime Minister and appointed by the President of the Republic for a period of nine years among Hungarian citizens with voting rights and at least five years of professional practice in the control/supervision of proceedings concerning data protection and information freedom or with academic degree in these subjects.
The supervision proceedings of the Agency will be governed by the Act on the General Provisions of Administrative Procedure. The Agency will be empowered to request cease and desist from unlawful data processing and may impose a data protection fine in case of the breach of the material provisions of the Act. The fine might range between HUF 100,000,- and HUF 10,000,000,- (equals to ca. EUR 35.000,-) the amount of which does not seem to be high enough to deter from infringement.
The Data Protection Register shall kept by the Agency. The new legislation preservers the notification system. The draft bill lays down that data processing may be commenced after registration of data processing. The exemptions relating to the mandatory notification will remain unchanged. However, financial institutions, community service providers and electronic communication service providers to notify data processing relating to customers.
The registration procedure will be governed by the Act on the General Provisions of Administrative Procedure. Notably, the Agency will be required to register data processing within 8 days and if the Agency does not respond within this deadline, data processing could be commenced in conformity with the filing.
Summarizing the above, we represent that the draft bill on the new Data Protection Act does not introduce any significant changes in the privacy legislation of Hungary, except for the set-up of the National Agency for Data Protection and Freedom of Information an administrative agency responsible for privacy enforcement which may also impose a data protection fine in case of the breach of privacy laws.
The general remarks of the Data Protection Commissioner relating to the draft bill are also available and can be accessed here.