Data obtained from surveillance is usually classified, so even the personal data of the target persons can become state secrets (classified data); however, the rules governing such data make the possibilities for redress particularly limited. Surveillance by intelligence services is also considered such data. Special rules apply to their disclosure, the relationship between which and the various avenues of redress (judicial, administrative) are not always clear. We are launching a series of proceedings against the Constitutional Protection Office (CPO) under the Ministry of the Interior and the Information Office (IO) under the Ministry of Foreign Affairs and Trade to bring these abuses to light and to bring justice to our clients.
If we are unsuccessful in the following proceedings, we will take the cases to the European Court of Human Rights (ECtHR) in Strasbourg and have the Court once again declare that the Hungarian regulation of secret services does not provide any controls for the people concerned—in other words, the Hungarian regulation systematically violates everyone's rights, as anyone can become a target of surveillance.
1. Ministerial inquiry and Parliament’s national security committee
The National Security Act allows anyone who becomes aware of, or suspects, unlawful conduct by the secret services to lodge a complaint with the Minister in charge of the service concerned. The Minister will investigate the complaint and notify the complainant of the outcome. It can be said that ministerial investigations never produce any substantive results, which is not surprising. In such cases, politically motivated surveillance is investigated by a member of the government whose political interests were ostensibly served by the surveillance.
Anyone who does not accept the outcome of a ministerial inquiry can ask for their complaint to be investigated by the National Security Committee of Parliament. However, the Commission's decisions are not based on legal criteria, but solely on political ones, which makes it completely unpredictable whether it will investigate a person, and its procedure is therefore in no way an effective remedy.
2. Inquiry by the Commissioner for Fundamental Rights (Ombudsman)
The Ombudsman's main task is to protect fundamental rights. Anyone who believes that their fundamental rights have been violated by the security forces (including the CPO and IO) can turn to him/her. Illegal covert surveillance is of course a violation of fundamental rights, so we are also taking the matter to the Ombudsman in the Pegasus case. The Ombudsman will investigate the complaint received and, if he identifies a genuine violation of fundamental rights, he may take a number of measures.
Firstly, he may make a recommendation to the superior body of the offending body to remedy the infringement. In the case of the CPO and IO, the competent bodies are the Ministry of Interior and the Ministry of Foreign Affairs and Trade. As mentioned above, the surveillance may have served the political interests of the government, and therefore little substantive action can be expected from a member of the government in response to the Ombudsman's recommendation. Fortunately, the Ombudsman has other tools at his disposal. If his investigation suggests that a criminal offence may have been committed, he can initiate criminal proceedings. And if he finds anomalies in the protection of personal data, he can refer the matter to the National Authority for Data Protection and Freedom of Information (NAIH). Finally, he can also bring the violation to Parliament.
In the course of his investigation, the Ombudsman may even have access to classified data, albeit with limitations. For example, he cannot know who is cooperating with the secret services, the technical details of the techniques and methods they use to gather information, how they encrypt it or from whom it comes. If the Ombudsman also considers it necessary to examine documents that are not accessible to him—and this may be so in the Pegasus case—he can ask the minister in charge of the service to examine them for him and inform him of the outcome. But, as already mentioned, here the ministerial inquiry cannot be politically independent.
3. Procedures of the National Authority for Data Protection and Freedom of Information (NAIH)
The NAIH is Hungary's data protection authority. Anyone who suspects that they have been illegally surveilled by the government can initiate one of two NAIH procedures:
Investigations: this is an ombudsman-like power, meaning that the NAIH identifies systemic problems and does not necessarily stay within the confines of the specific case of the data subject. It can carry out a wide range of checks on the (alleged) controller's processing, inspecting the processing sites, inspecting documents, etc., but it cannot take a binding decision on the controller under investigation, only make a recommendation (or initiate another type of ex officio procedure).
Administrative procedure: this procedure is carried out by the NAIH under the Administrative Procedures Act. The applicant is considered a client, which gives him/her rights, such as access to the files of the procedure or the right to challenge the NAIH's decision in court.
If at any time the NAIH finds that data have been unlawfully classified, it will initiate ex officio a “calssification reassessment procedure”, which may even result in an order to declassify the data. It is important to note, however, that the calssification reassessment procedure cannot be initiated by individuals—it can only be initiated ex officio, at the discretion of the NAIH.
In the course of its procedures, the DPA can also access classified data, but there are some limitations, as the national security service can refuse access to:
documents containing technical data on the operation and functioning of the means and methods used to gather classified information, or which would allow the identification of the persons using them;
documents the disclosure of which would enable the source of the information to be identified;
and to certain other information.
The grounds for refusal are therefore relatively broad, but more problematically, if there is a disagreement between the NAIH and the relevant intelligence service as to whether the grounds for refusal exist, the Minister in charge of the service—who cannot, of course, make an independent judgement on the matter—is entitled to decide the matter.
We have initiated official proceedings on behalf of our clients because in these proceedings the NAIH is obliged to decide on the specific case.
4. Application for a clearance to access classified personal data
Everyone has the right to know who is processing personal data about them and what personal data they hold. Classified personal data can only be disclosed to the data subject with a clearance. The clearance is granted by the classifier (who initiated the classification of the data); in the case of a secret service, this is the Director-General. Under the clearance, the data subject is entitled to access his or her classified data, but must sign a confidentiality agreement and is prohibited from disclosing the information to anyone else under penalty of criminal prosecution. So even if someone had access to the surveillance data about them, they would not be able to publish it.
It is also unclear whether it is possible to ask for the clearance if the person concerned does not know whether their classified data is being processed at all. More worryingly, access is very rarely granted—we know of very few cases.
Yet it is necessary to make the request, because without it, no administrative action could be brought (see later).
5. Lawsuits
If you want to find out whether you have been observed, there are two types of lawsuits you can consider:
a lawsuit for unlawful processing of personal data following the refusal of a subject access request under the Data Protection Act (civil action);
an administrative lawsuit under the Classified Data Act which was created specifically for this category of cases (administrative lawsuit), following the refusal of a request for clearance to access classified personal data.
One of the features of litigation is that unlawful secret surveillance (which is, however, in accordance with the letter of the law) is by its very nature not officially disclosed to anyone*, so it is always a question whether the right data controller is sued at all.
*Some surveillance, or the fact that classified data is being processed for other reasons, is communicated to the data subject. For example, if he/she has been subject to a national security screening (consent must be given) or if a secret service has acted as a specialised authority in his/her proceedings (this may be the case in aliens proceedings).