Tag: Hungary

Hungary Update: EDPB publishes Statement on Art. 23 GDPR

17. June 2020

Since March 2020, Hungary has been in a “state of emergency” following the COVID-19 pandemic. The country’s COVID-19 related emergency laws and state of emergency received worldwide criticism from constitutional experts, politicians and civil rights groups, because it allows the Prime Minister to rule by decree during the state of emergency and does not provide a predefined end date. During the state of emergency, Prime Minister Victor Orbán made extensive use of his newly gained powers by passing more than a hundred decrees, including Decree No. 179/2020, which suspended the GDPR data subject rights in Art. 15-22 GDPR with respect to personal data processing for the purpose of preventing, understanding, detecting the coronavirus disease and impeding its further spread (we reported).

In response to this suspension of GDPR rights, the European Data Protection Board (“EDPB”) has recently published a Statement on restrictions on data subject rights pursuant to Art. 23 GDPR, which is the provision that Hungary’s measure was based on. This article allows the member states to restrict, by way of a legislative measure, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, inter alia, important objectives of general public interest of the Union or of a Member State such as public health.

In its Statement, the EDPB points out that any restriction must respect the essence of the right that is being restricted. If the essence of the right is compromised, the restriction must be considered unlawful. Since the data subject’s right of access and the right to rectification are fundamental rights according to Art. 8 para. 2 of the Charter of Fundamental Rights of the European Union, any restriction of those rights must be carefully weighed up by the member states, in order respect the essence of the rights. The EDPB considers that restrictions adopted in the context of a state of emergency suspending or postponing the application of data subject rights, without any clear limitation in time, equate to a de facto blanket suspension and denial of those rights and are not be compatible with the essence of the fundamental rights and freedoms.

The EDPB also recalls that the restrictions under Art. 23 GDPR must be necessary and proportionate. It argues that restrictions that are imposed for a duration not precisely limited in time or which apply retroactively or are subject to undefined conditions, are not foreseeable to data subjects and thus disproportionate.

Furthermore, the EDPB takes the view that in order to safeguard important objectives of general public interest such as public health (Art. 23 para. 1 lit. e GDPR), there must be a clearly established and demonstrated link between the foreseen restrictions and the objective pursued. The mere existence of a pandemic or any other emergency situation alone does not justify a restriction of data subject rights, especially if it is not clearly established, how the restrictions can help dealing with the emergency.

Following the international public backlash, the Parliament of Hungary passed legislation on 16 June 2020 to revoke the emergency laws as soons as the current state of emergency will be terminated by the Government. Hungary’s Government announced in May that it intends to lift the state of emergency on 20 June 2020. After that, the restrictions on the GDPR rights shall be lifted as well, so that data subject may exercise their Art. 15-22 GDPR rights again.

Hungarian Government suspends GDPR rights for COVID-19 related Data Processing

12. May 2020

In the face of the Corona pandemic, Hungary is currently in an indefinite “state of emergency”. Originally, Prime Minister Victor Orbán decreed the state of emergency on 11 March 2020 lasting for a period of 15 days. However, on 30 March 2020, the Hungarian Parliament passed emergency legislation (Bill on Protection against Coronavirus or Bill T/9790) extending the state of emergency until terminated by the Prime Minister and allowing the Prime Minister to rule by decree during the state of emergency. The Bill was passed thanks to the two-thirds majority of Orbán’s Fidesz Party in the Hungarian Parliament.

On 4 May 2020, Prime Minister Orbán issued Decree No. 179/2020 which contains several provisions affecting Data Protection in Hungary extensively for the time of the state of emergency.

Most importantly, the decree suspends the individual data subject’s rights pursuant to Art. 15 to 22 of the European GDPR when processing personal data for the purpose of preventing, recognising, and stopping the spread of the Coronavirus. It also stipulates that the one month time limit for Controllers to provide the necessary information (Art. 12 para. 3 GDPR) will only begin after the termination of the state of emergency for any Coronavirus related data subject requests. Furthermore, the data collection information requirements for Controllers pursuant to Art. 13 and 14 GDPR will be satisfied by publishing an electronic privacy notice providing the purpose and the legal basis of data processing which the data subjects may take notice of.

The emergency decree received much criticism from various European Data Protection authorities and civil rights groups. The head of the European Data Protection Board (“EDPB”) Andrea Jelinek stated that she is “personally very worried” about the developments, and described the Hungarian government’s decision as “unnecessary [and] detrimental”. In its most recent plenary session, the EDPB also specifically discussed Hungary’s emergency measures in light of European Data Protection Law.