Dear Chair Andrea Jelinek,
The undersigned civil society organisations - Access Now, Hungarian Civil Liberties Union, and Civil Liberties Union for Europe - call on the European Data Protection Board (EDPB) to analyse the Hungarian Government Decree (Decree) suspending the application of certain rights provided for under the General Data Protection Regulation (GDPR) and advise the European Commission in their consideration to launch an infringement procedure.
In the 4 May 2020 edition of the Hungarian Official Gazette, a government decree limiting the exercise of certain rights and measures under the GDPR was published. The Decree limits the application of data subjects’ rights safeguarded under Articles 15 to 22 of the GDPR in relation to the processing of data conducted by both public and private entities for the purpose of the fight against the COVID-19 crisis. It further establishes time limits for the exercise remedy rights, including the right to lodge a complaint and the right to an effective judicial remedy, guaranteed by Articles 77 to 79 of the GDPR.
We welcome the issues raised and steps taken during the EDPB 26th plenary session which took place on 8 May. We further call on the EDPB to evaluate the compatibility of the decree with the GDPR. We provide an unofficial translation of the most relevant sections of the decree in annex for reference.
The decision by the Hungarian government to limit the application of data subjects’ rights is disproportionate, unjustified, and potentially harmful to the public’s response to fight the virus. The “state of danger” was introduced in Hungary without a time limit and the temporal effect of all government decrees are extended without a sunset clause. While the Parliament could potentially end the state of danger, it is unclear how and if it will use this power and it does not, in any case, justify the indefinite scope of the measures. This means that all government decrees, such as the one limiting the application of certains rights under the GDPR, are in effect until the undefined end of the state of danger and without potential Parliamentary oversight.
The Decree refers to Hungary’s state of danger law and the GDPR in general as legal basis for the derogations. The Decree, however, does not make any references to specific Articles under the GDPR to justify such derogations, including Article 23(1). What is more, Article 23 of the GDPR allows a Member State to derogate from certain articles only “by way of a legislative measure”. An executive decree may have the force of law but does not equal a legislative measure which involves higher levels of scrutiny, oversight, and transparency. The Decree derogating GDPR was passed without the involvement of the Parliament or any other democratic safeguards in the legislative process.
Finally, the Decree provides no information as to how the measures “respect the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard public health” as required by Article 23(1) of the GDPR. In contrast, we support your statement in the European Parliament’s Civil Liberties Committee on May 7, recalling that “whenever personal data is processed in the context of fighting COVID-19, data protection rules are indispensable. Without the guarantee that the protection of personal data is respected, there will be no trust in the technology.” This statement is particularly important as EU states are developing digital contact-tracing and quarantine-enforcing applications that, if put forward, shall be safeguarded by the same level of harmonised protection across the European Union. The limitation of data subjects' rights by Hungary during the ongoing public health crisis is therefore disproportionate. The EDPB should continue to stand up for a harmonised application of data protection rights and principles in the context of processing personal data for purposes related to the pandemic.
Pursuant Article 70(1)(b) of the GDPR, the EDPB shall advise the European Commission “on any issue related to the protection of personal data in the Union”. On that basis and ahead of the plenary meeting to be held tomorrow, we call on the EDPB to analyse the Decree’s conformity with the GDPR and advise the European Commission in their consideration to launch an infringement procedure against Hungary to restore the application of data protection rights.
We look forward to hearing back from you and remain at your disposal for any questions you may have.
Best regards,
Estelle Massé for Access Now
Máté Szabó for the Hungarian Civil Liberties Union
Balázs Dénes for the Civil Liberties Union for Europe
ANNEX
Government Decree 179/2020 (4 May)
on diverging measures from certain data protection and access to information related provisions
The Government, acting within its original legislative power laid down in Article 53 (2) of the Fundamental Law, having regard to the provisions of Act XII of 2020 on the containment of coronavirus, acting, with respect to section 4, within its original legislative power laid down in Article 53 (3) of the Fundamental Law, on the basis of authorisation by the National Assembly under section 3 (1) of Act XII of 2020 on the containment of coronavirus, acting within its function laid down in Article 15 (1) of the Fundamental Law, decrees as follows:
Article 1
(1) Until the end of the state of danger promulgated by the Government Decree 40/2020 (11 March) (hereinafter: state of danger) in order to the prevention, cognisance, reconnaissance and hindering the spread of the coronavirus disease, including the organization of the coordinated operation of state organs in relation to it, with respect to personal data processing for this purpose, the exercising of the rights of the data subject based on
a) the Chapter III of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: General Data Protection Regulation), and
b) Article 14 of the Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: InfoAct)
are guaranteed with respect to the derogations in this Article.
(2) With respect to personal data processing for the purpose specified in paragraph (1), all measures following data subject’s request exercising the rights based on
a) Article 14 of the InfoAct and
b) Articles 15-22 of the General Data Protection Regulation
are suspended until the end of the state of danger; the time limits of these measures start on the day after the day of the end of the state of danger. The data subject has to be notified about this without delay but within ninety days after receiving the request.
(3) Information to be provided under Articles 13 and 14 of the General Data Protection Regulation and under the right to prior information based on Article 16 (1)-(2) of the InfoAct has to be considered as provided if electronically published, comprehensible general information on the purposes, legal ground and the volume of the data processing for the purpose specified in paragraph (1) is available to the data subject.
(4) Time limits of proceedings following a complaint, a request or a lawsuit, when exercising the rights guaranteed by Articles 77-79 of the General Data Protection Regulation and Articles 22, 23 and 52(1) of the InfoAct, with respect to personal data processing for the purpose specified in paragraph (1) start the day after the day of the end of the state of danger.
Article 2
[Freedom of information related derogations]
Article 3
(1) With the exception specified in paragraph (2) this Decree enters into force the day after its promulgation.
(2) Article 4 enters into force on the fifteenth day following the promulgation of this Decree.
Article 4
The Government extends the force of this Decree until the end of the state of danger according to Government Decree 40/2020 (11 March).
Article 5
The provisions of Articles 1-2 of this Decree shall apply also to
a) data processing and the requests, information and proceedings,
b) freedom of information requests
pending on the day of the entry into force of this Decree.