Credit: shutterstock.com/Gyorgy Keszthelyi

Hungary under fire for GDPR suspension

The Hungarian government's emergency decision to suspend parts of the GDPR has drawn the ire of the head of the European Data Protection Board, with the body set to discuss the situation at its next official meeting.

In a decree issued earlier this week, Hungary suspended articles 15 to 22 of the GDPR as part of its package of emergency measures designed to tackle covid-19. The relevant provisions provide data subjects’ rights, such as rights of access, rectification, erasure and portability. The suspension is expected to last as long as the country’s state of emergency – which currently has no end date. 

Andrea Jelinek, head of the EDPB, told GDR in a statement that she is “personally very worried” about the developments, and described the Hungarian government’s decision as “unnecessary [and] detrimental”. 

A spokesperson for the Belgian data protection authority told GDR that the EDPB is aware of the issue and that Jelinek has put the issue on the board's next plenary meeting agenda, to get information from the Hungarian regulator and to discuss the issue. 

The move came as part of a raft of emergency decrees issued by the Hungarian government which allows it to deviate from the usual application of its laws to tackle the health crisis. According to Máté Szabó, a director at the Hungarian Civil Liberties Union, the government has so far issued 99 such decrees.

Observers said the government has considered it necessary to suspend data rights to implement a contact-tracing programme – a technique for tackling the pandemic that has drawn criticism across the globe for its potential privacy pitfalls. 

But the government has not specified that this is the reason for the suspension. Eva Simon, a lawyer at civil rights group Liberties.eu, told GDR that the decree only broadly cites covid-19 as its motivation for the change, with no specifics about why the suspension is required.

Simon said it is unclear how exactly the suspension will work in practice. She said officials at Hungary’s data protection authority told her that the regulator was still evaluating the situation. The authority said that it was not consulted on the decision, she said. The regulator did not respond to GDR’s request for comment. 

Simon said the decision to suspend parts of the GDPR fits into a pattern of wider derogations from national and EU law by the Hungarian government, allowing the government to rule by decree. 

She added that the GDPR allows member states to make broad derogations regarding national security and the public interest, and that the covid-19 crisis could be considered one of those issues, but said that any changes must be “necessary and proportionate” and must respect “the essence of fundamental rights and freedoms”.

Onlookers have suggested that the decision may be in breach of EU law. Hungarian Civil Liberties Union director Szabó argued the move creates “a clear conflict between the Hungarian state of emergency and the legal system of the European Union, and affects the supremacy of the EU law.”

“If the [European] Commission takes seriously its role of being the guardian of the [EU’s] legal system, it is obvious that it should initiate an infringement proceeding. Ideally, this proceeding should feel with not only the GDPR itself but through this regulation the state of emergency and the Hungarian coronavirus law should be also dealt with, as these offer a framework of such a conflict.”

Challenges

There are three possible routes by which the decision could be challenged, Simon said: European Commission infringement proceedings, data subjects challenging the measure through Hungarian and eventually EU courts, and political pressure from bodies such as the European Data Protection Board. 

A European Commission infringement proceeding is likely to take a very long time, Simon said – and would need to be preceded by a series of questions from the commission to the Hungarian government. However, she said, due to the current political climate and the GDPR making it possible to introduce some derogations, it is “questionable” whether the commission will launch an infringement procedure. Simon added that a data subject challenge would also be time-consuming. 

EDPB head Jelinek told GDR that the GDPR “allows for an efficient response to the pandemic, while at the same time protecting fundamental human rights and freedoms. Data protection law already enables data-processing operations necessary to contribute to the fight against an epidemic.” 

“As the EDPB has recently stated, government measures taken in these extraordinary circumstances, such as the use of location data and contact-tracing tools, need to be necessary, limited in time, of minimal extent, and subject to periodic and genuine review as well as to scientific evaluation. Therefore, suspending GDPR provisions is not only unnecessary but also detrimental.”

The European Commission spokesperson for justice issues did not respond to requests for comment. News reports from 1 May said that Věra Jourová, the EU commissioner for values and transparency, had said infringement proceedings were not yet required to deal with the Hungarian coronavirus emergency measures. 

Marit Hansen, head of the data protection authority for the German state of Schleswig-Holstein, told GDR that she is “convinced that the GDPR – as well as human rights as such – are not impeding the necessary measures for dealing with the current pandemic situation. 

“All requests my office [has] received on how to design data processing concerning patient or infection data could be answered in a way [that is] compliant with the GDPR and the data protection principles. I cannot imagine Germany will change the laws in a way that leads to suspension of parts of the GDPR,” she said. 

Consumer and digital rights activists have also criticised the suspension. Fanny Hidvégi, Europe policy manager at Access Now, said the suspension shows “what was clear from the beginning – that Hungary’s emergency legislation is unacceptable. Human rights apply in emergencies and health crises. We don’t have to choose between privacy and health: protecting digital rights also promotes public health.”

And Ursula Pachl, a director at pan-European consumer organisation BEUC, said: "Especially in times of crises, such as this global health pandemic, people’s fundamental rights must be protected. EU institutions have issued guidance on how to apply the GDPR, for instance as regards the use of tracing apps. Member states should use all the tools offered by the GDPR to fight this pandemic, not limit its application."

Documents

  • Hungarian decree regarding the GDPR

    Download document Hungarian decree regarding the GDPR