Pegasus case: Hungarian procedures

Data obtained from surveillance is usually classified, so even the personal data of the target persons can become state secrets (classified data); however, the rules governing such data make the possibilities for redress particularly limited. Surveillance by intelligence services is also considered such data. Special rules apply to their disclosure, the relationship between which and the various avenues of redress (judicial, administrative) are not always clear. We are launching a series of proceedings against the Constitutional Protection Office (CPO) under the Ministry of the Interior and the Information Office (IO) under the Ministry of Foreign Affairs and Trade to bring these abuses to light and to bring justice to our clients.

If we are unsuccessful in the following proceedings, we will take the cases to the European Court of Human Rights (ECtHR) in Strasbourg and have the Court once again declare that the Hungarian regulation of secret services does not provide any controls for the people concerned—in other words, the Hungarian regulation systematically violates everyone's rights, as anyone can become a target of surveillance.

1. Ministerial inquiry and Parliament’s national security committee

    The National Security Act allows anyone who becomes aware of, or suspects, unlawful conduct by the secret services to lodge a complaint with the Minister in charge of the service concerned. The Minister will investigate the complaint and notify the complainant of the outcome. It can be said that ministerial investigations never produce any substantive results, which is not surprising. In such cases, politically motivated surveillance is investigated by a member of the government whose political interests were ostensibly served by the surveillance.

    Anyone who does not accept the outcome of a ministerial inquiry can ask for their complaint to be investigated by the National Security Committee of Parliament. However, the Commission's decisions are not based on legal criteria, but solely on political ones, which makes it completely unpredictable whether it will investigate a person, and its procedure is therefore in no way an effective remedy.

    2. Inquiry by the Commissioner for Fundamental Rights (Ombudsman)

      The Ombudsman's main task is to protect fundamental rights. Anyone who believes that their fundamental rights have been violated by the security forces (including the CPO and IO) can turn to him/her. Illegal covert surveillance is of course a violation of fundamental rights, so we are also taking the matter to the Ombudsman in the Pegasus case. The Ombudsman will investigate the complaint received and, if he identifies a genuine violation of fundamental rights, he may take a number of measures.

      Firstly, he may make a recommendation to the superior body of the offending body to remedy the infringement. In the case of the CPO and IO, the competent bodies are the Ministry of Interior and the Ministry of Foreign Affairs and Trade. As mentioned above, the surveillance may have served the political interests of the government, and therefore little substantive action can be expected from a member of the government in response to the Ombudsman's recommendation. Fortunately, the Ombudsman has other tools at his disposal. If his investigation suggests that a criminal offence may have been committed, he can initiate criminal proceedings. And if he finds anomalies in the protection of personal data, he can refer the matter to the National Authority for Data Protection and Freedom of Information (NAIH). Finally, he can also bring the violation to Parliament.

      In the course of his investigation, the Ombudsman may even have access to classified data, albeit with limitations. For example, he cannot know who is cooperating with the secret services, the technical details of the techniques and methods they use to gather information, how they encrypt it or from whom it comes. If the Ombudsman also considers it necessary to examine documents that are not accessible to him—and this may be so in the Pegasus case—he can ask the minister in charge of the service to examine them for him and inform him of the outcome. But, as already mentioned, here the ministerial inquiry cannot be politically independent.

      3. Procedures of the National Authority for Data Protection and Freedom of Information (NAIH)

        The NAIH is Hungary's data protection authority. Anyone who suspects that they have been illegally surveilled by the government can initiate one of two NAIH procedures:

        • Investigations: this is an ombudsman-like power, meaning that the NAIH identifies systemic problems and does not necessarily stay within the confines of the specific case of the data subject. It can carry out a wide range of checks on the (alleged) controller's processing, inspecting the processing sites, inspecting documents, etc., but it cannot take a binding decision on the controller under investigation, only make a recommendation (or initiate another type of ex officio procedure).

        • Administrative procedure: this procedure is carried out by the NAIH under the Administrative Procedures Act. The applicant is considered a client, which gives him/her rights, such as access to the files of the procedure or the right to challenge the NAIH's decision in court.

        If at any time the NAIH finds that data have been unlawfully classified, it will initiate ex officio a “calssification reassessment procedure”, which may even result in an order to declassify the data. It is important to note, however, that the calssification reassessment procedure cannot be initiated by individuals—it can only be initiated ex officio, at the discretion of the NAIH.

        In the course of its procedures, the DPA can also access classified data, but there are some limitations, as the national security service can refuse access to:

        • documents containing technical data on the operation and functioning of the means and methods used to gather classified information, or which would allow the identification of the persons using them;

        • documents the disclosure of which would enable the source of the information to be identified;

        • and to certain other information.

        The grounds for refusal are therefore relatively broad, but more problematically, if there is a disagreement between the NAIH and the relevant intelligence service as to whether the grounds for refusal exist, the Minister in charge of the service—who cannot, of course, make an independent judgement on the matter—is entitled to decide the matter.

        We have initiated official proceedings on behalf of our clients because in these proceedings the NAIH is obliged to decide on the specific case.

        4. Application for a clearance to access classified personal data

          Everyone has the right to know who is processing personal data about them and what personal data they hold. Classified personal data can only be disclosed to the data subject with a clearance. The clearance is granted by the classifier (who initiated the classification of the data); in the case of a secret service, this is the Director-General. Under the clearance, the data subject is entitled to access his or her classified data, but must sign a confidentiality agreement and is prohibited from disclosing the information to anyone else under penalty of criminal prosecution. So even if someone had access to the surveillance data about them, they would not be able to publish it.

          It is also unclear whether it is possible to ask for the clearance if the person concerned does not know whether their classified data is being processed at all. More worryingly, access is very rarely granted—we know of very few cases.

          Yet it is necessary to make the request, because without it, no administrative action could be brought (see later).

          5. Lawsuits

            If you want to find out whether you have been observed, there are two types of lawsuits you can consider:

            • a lawsuit for unlawful processing of personal data following the refusal of a subject access request under the Data Protection Act (civil action);

            • an administrative lawsuit under the Classified Data Act which was created specifically for this category of cases (administrative lawsuit), following the refusal of a request for clearance to access classified personal data.

            One of the features of litigation is that unlawful secret surveillance (which is, however, in accordance with the letter of the law) is by its very nature not officially disclosed to anyone*, so it is always a question whether the right data controller is sued at all.

            *Some surveillance, or the fact that classified data is being processed for other reasons, is communicated to the data subject. For example, if he/she has been subject to a national security screening (consent must be given) or if a secret service has acted as a specialised authority in his/her proceedings (this may be the case in aliens proceedings).


            • DPA: Act CXII of 2011 on informational self-determination and freedom of information (Data Protection Act)

            • CDA: Act CLV of 2009 on the protection of classified data (Classified Data Act)

            • NSA.: Act CXXV of 1995 on national security services (National Security Act)

            a) The civil action

            A prerequisite for a civil action is that the data subject has attempted to make a request for information to the relevant secret service (subject access request) and been refused. Our experience has shown that the surveillance material is treated as classified data, although this may not be mandatory. Classified personal data can only be accessed under a clearance to access classified personal data, which is an entirely different procedure. Therefore, the subject matter of a civil action can essentially be one of these three things:

            • whether classified data are handled at all (i.e. whether the defendant is a data controller);

            • under which filing number the data are processed. (Classified data are effectively handled according to the “document principle”, i.e. entire documents are declared secret, regardless of the fact that parts of them could be made public without prejudice to the public interest. We would therefore like to see the “data principle” applied to the handling of data by the secret services, whereby individual documents can only be classified to the extent strictly necessary. We therefore consider suing for file numbers problematic in principle, but we will do so if there is no other way to find out whether our clients have been surveilled.);

            • who the classifier is, what the level and duration of classification are—as the CDA treats these as separate from classified data, under the term “classification marking”. (In a previous case, the court ruled that these were also part of the classified data. We disagree with this decision, and have taken the matter to the Constitutional Court because of an unconstitutionally broad interpretation of classified data.)

            b) The administrative procedure

              A special administrative procedure under the CDA can also be initiated in surveillance cases. Such proceedings may be examined in closed court by a judge vetted by the Constitution Protection Office. The subject of the action is the disclosure of classified information, after a clearance to access classified personal data has already been refused once by the classifier (the Director-General of the given national security service). The key question in an administrative lawsuit is whether it can be initiated at all if we do not know whether classified data on the data subject are being handled.

              6. When and on what grounds do the secret services turn us down? And to what extent are they justified?

                It depends on how much data processing we know about and what kind of requests we are trying to make (subject access request under Data Protection Act, clearance to access classified personal data under the Classified Data Act, or a combination of these).

                • If we do not know about data processing, and we make a subject access request under the DPA: the services will refuse to declare whether they process data at all, based on the provisions on refusal in the NSA and the DPA. They argue (if they justify the refusal at all) that if these requests were answered with a clear yes or no, then a possible mass lodging of subject access requests would allow their operational records to be screened (i.e. who they are interested in and who they are not), from which conclusions could be drawn about their work—which would be detrimental to Hungary's national security interests. Experience in the national security field would be needed to judge how well-founded this argument is, and how realistic it is for anyone to want to screen the services through targeted and mass requests for data—it certainly seems rather far-fetched. That said, it may be acceptable for the secret services not to answer the question of whether they are interested / have been interested in someone, as they would be making their own operations impossible if they were to say so.

                • If we do not know about the processing and we make a request for a clearance to access classified personal data: they will usually reply that they can only grant access if we indicate which classified data we are requesting access to. They interpret this to mean that only someone who already knows that they are processing classified data can request access with a clearance, but that information about the fact of processing cannot be requested through such a request. In our view, a request for access with clearance may also be made if it is requested for “all classified data” of the data subject, as this sufficiently clarifies the scope of the data requested. No court decision exists so far on the question.

                • If we know about the processing and therefore make a request for a clearance to access classified personal data: the secret services will always refuse. They argue that even within the limited scope of the clearance, the disclosure of the smallest possible amount of information to the data subject would be sufficient to draw conclusions about the operation of the service, which would violate the requirement of the services to operate free from influence and thus the national security interests of Hungary. This interpretation was also accepted by the Curia in one of our cases, even though it clearly renders the institution of the right of access null and void and deprives the data subject of his or her personal data, in practice permanently and automatically. This restriction is contrary to the fundamental law of Hungary and we challenged the ruling before the Constitutional Court.


                Related articles

                Pegasus case: HCLU takes coordinated domestic and foreign legal action

                The Hungarian Civil Liberties Union (HCLU) is taking legal action on behalf of six of its clients before the Hungarian authorities, the European Commission, the European Court of Human Rights in Strasbourg and in Israel. The organisation aims to expose the practice of unlawful secret surveillance, to have international fora declare that the Hungarian regulation of secret information gathering violates fundamental rights and to prevent politically motivated abuses.

                Hungarian government plans to enforce encryption backdoors

                According to an action plan to fight terrorism being drafted by the Hungarian Ministry of Interior, a person using a service providing encrypted communication could be imprisoned for up to two years.

                United Nations creates Special Rapporteur on Right to Privacy

                The UN Human Rights Council has adopted a resolution on The Right to Privacy in the Digital Age that will lead to the selection of an independent expert on privacy. With 91 NGO worldwide, HCLU called on the UN Human Rights Council in a joint statement to establish a new mandate of a Special Rapporteur on the right to privacy.