In the coming days and weeks, the institutions and Member States of the European Union are examining the laws recently enacted by the Hungarian Parliament to assess whether, overall, they dispel concerns that were previously articulated in relation to the status of rule of law in Hungary. One of the laws amended the legal rules on freedom of information.
In order to reach an agreement with the European Commission, the Hungarian Parliament has amended Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information (hereinafter: the "Freedom of Information Act") with Act XL of 2022 by:
speeding up court proceedings in data of public interest cases,
creating a (new) central public data register to enforce the publication obligation.
In our view, the changes made to the freedom of information legislation were adopted with the sole purpose of reaching an agreement with the European Commission as they shall not restore the constitutional guarantees of freedom of information. The proposed changes do not systematically and comprehensively dismantle the obstacles, which have accumulated over the past decade, to access data of public interest. While there are few forward-looking decisions, the legislator has instead placed new obstacles in the way of public access. Given the content of the amendment, it is doubtful that the Government aims to truly improve access to data of public interest. It may only aim to keep up appearances for the sake of reaching an agreement with the EU, and thus accessing EU funds that have been held back due to concerns relating to rule of law.
A. Unresolved irregularities
Before detailing and evaluating the autumn 2022 amendments, we highlight some of the unresolved obstacles that the legislator should have removed but failed to do so.
A/1. The time limit for responding to requests for public interest information is still subject to a Government special rule. According to the rule, bodies performing public functions must respond to requests for public interest information (not to fulfil them!) within 45 days, which may be extended by a further 45 days. This time limit is in stark contrast to the 15-day time limit (which may be extended by 15 days in justified cases) under the Freedom of Information Act. Furthermore, public bodies only need to claim that responding to the request for information more quickly would jeopardise their specific tasks and workflow due to the emergency. This has led to arbitrary practice whereby data controllers routinely use the possibility of an extension without any substantive consequences, without even fulfilling the constitutional requirement set out by the Constitutional Court, that the extension must be factually justified. A Government Decree would have repealed this rule. However, with the real possibility to enact state of emergency again will keep the extended time limits for responding to requests for public interest information. (The state of emergency has been declared by the Government, it awaits Parliamentary approval. With the governing parties enoying 2/3 majority, it is more than probable that it will be enforced).
A/2. The legislator has not resolved the implementation anomalies occurring following public lawsuits. Even speedy lawsuits are no guarantee of timely access to data of public interest. In many cases, public bodies fail to disclose data of public interest despite final judgments. In the current legal environment, if a public body rejects access to public interest data, the enforcement rules cannot force it to comply with the judgement. Therefore, even if the amendment speeds up data of public interest cases, it is of no use if it does not guarantee the enforcement of final judgments.
A/3. The refusal to comply with a request for data must be justified by law. In a possible lawsuit, the data requester may challenge this justification. However, the law does not prohibit the data controller from modifying the reasons for refusing the data request in a lawsuit. Thus, data controllers of public interest data may invoke restrictive grounds in a lawsuit on the lawfulness of a refusal to grant a data request that they have not invoked before. The data applicant is thus sometimes forced to challenge the ever-changing grounds for refusal, which leads to a prolonged procedure.
B. Speeding up data of public interest cases
The problem to be solved:
The amendments to speed up litigation were indeed timely. Litigation on data requests to ensure public access to data of public interest, which is brought because public sector bodies refuse to comply with a public data request, usually takes months, if not years to conclude (from the hearing on the merits, the first instance judgment, the appeal and to the curatorial review after the final judgment). In many cases, this makes a data of public interest request pointless.
The solution chosen by the law:
The amendment adds procedural rules to the rules for public data actions against refusals to comply with a public data request, which will speed up the procedure. It lays down specific procedural time limits, in days, and rules on the procedural steps to be taken. However, the amendment also contains rules with a slowing-down effect: in addition, the holder of a trade secret may intervene in the proceedings in order to ensure that the data controller wins the case.
HCLU’s assessment:
These rules will indeed reduce the potential for time delays in litigation in cases starting in 2023. However, the possibility for trade secret holders to intervene in order to ensure that the data controller wins the case is unlikely to ensure the timely conclusion of public litigation and the widest possible freedom of information.
C. Central Public Information Register
The problem to be solved:
In Hungary, the law provides for the disclosure of data of public interest not only through a request for data, but also through the mandatory publication of certain data without request. The published data must be kept up-to-date by the public sector bodies, and have so far had to be continuously uploaded to a central electronic register. In accordance with this legislation, there is also a single public data search system, the Public Data Repository, which can be used by anyone. In many cases, public bodies fail to fulfil this obligation, either because the websites do not contain data of public interest or because they contain outdated and inaccurate data. And the central electronic register – at first glance – is not up to date, has a poor search engine and no owner. Publication and the obligations attached to it do not make it easier to find information. Furthermore, the law does not impose any sanctions for failure to publish.
The solution chosen by law:
The amendment creates a Central Public Data Information Register accessible to all from 2023. Budgetary bodies and local as well as local ethnic minority self-governments will have to publish on this public platform the budgetary support they receive from EU or national sources exceeding HUF 5 million. They will also have to publish the contracts they have concluded and costs associated with non-core tasks. The new central register will have to be updated every two months, and the data must be accessible for ten years. In addition, it will have to ensure "machine readability, group downloading, grouping, searchability, extraction and comparability of data." A recent amendment to the law, tabled by the Government on the night of 11 November 2022 – not yet adopted at the time of writing this letter – would empower the National Authority for Data Protection and Freedom of Information (NAIH – Nemzeti Adatvédelmi és Információszabadság Hatóság) to conduct a so-called ‘transparency authority procedure’. In this context, the authority could impose fines (from HUF 100,000 to 20 million) on budgetary bodies and local governments that fail to comply with their obligations regarding the Central Public Data Registry.
HCLU’s assessment:
The fact that no one is enforcing the rules that already exist and the way the Public Data Repository and the central electronic register have been working in the past – or rather not working–, does not bode well for the efficiency of the new Central Public Data Register. Rather than proliferating registers, the Government and public bodies should take the existing rules requiring proactive publication seriously instead.
After the amendment, the law still does not contain any rules to enforce the disclosure of data subject to the general disclosure obligation through effective sanctions. In the transparency authority procedure (if the Parliament also adopts the amendment to the Freedom of Information Act to this effect), NAIH would only be able to verify compliance with the disclosure obligation for a limited number of public bodies (budgetary bodies and municipalities), only for certain management of data, and only in relation to the new central register. Even within this narrow scope, the accountability of the disclosure obligation will depend on the willingness of NAIH to initiate proceedings and impose fines on public bodies.
The amendment does not improve the scope of the information to be published. The law already required the data of public interest to be uploaded on the organisation's website. The new register is therefore redundant. It does not help but rather makes it more difficult for public bodies to fulfil their publication obligations.
The introduction of a format that allows for automated processing, if implemented, is a step forward.
However, the amendment also requires the bodies concerned to stop uploading data on their own websites if they are published in the new central public data register. This means that important management data will no longer be found together with other data of public interest of the body concerned. Therefore the amendment does not serve the interest of freedom of information and is explicitly contrary to the legislative purpose.
D. Reimbursement of expenses
The previous legislation:
Since 2015, public sector bodies have been able to charge for the "disproportionate use of staff resources necessary for the performance of their core activities" in the context of the reimbursement of costs for public data requests for large-scale copying. The criteria for determining the amount of the reimbursement that can be charged for "disproportionate workload" were laid down in Government Decree 301/2016 (IX. 30.). The "disproportionate workload" was also chargeable when the data requester requested electronic copies of data of public interest that were also processed electronically by the data controller. Public sector bodies were of course keen to use this possibility to hold up requests for data, as they could make compliance conditional on advance reimbursement of costs in order to increase their costs.
Amendment:
This burden has now been alleviated by Government Decree No. 382/2022 (X.10.) (and Act XXVIII of 2022 amending the Freedom of Information Act in this respect), so that only “objective costs” may be considered in the reimbursement of costs that public sector bodies may charge for data requests requiring substantial copying. Only the cost of the physical medium (paper, optical, electronic) and postal charges may be charged as reimbursement of costs, and only up to certain limits. The cost of labour related to the fulfilment of a data request may no longer be charged to the data requestor.
HCLU’s assessment:
Where the recipient of a public interest data request otherwise has the intention to comply with the data request, the changes to the reimbursement of costs can be seen as a significant improvement in terms of access to public interest data.
However, the possibility, also introduced in 2015, for the data controller to extend the deadline for responding to a public data request on the grounds that it would involve a "disproportionate" use of human resources necessary for the performance of its core business will not be removed. (Currently, the Emergency Ordinance setting a 45+45 day deadline is a much more effective tool, as responding to data requests is simply slow.)
The data controller may continue to refuse a request for the same data submitted by the same data subject for the same set of data within one year, provided that there has been no change in those data.
Endnote
As is customary, the amendment of the Freedom of Information Act in order to reach an agreement with the European Commission was not preceded by professional and public debate. The Government failed to consult organisations or researchers that have expertise in freedom of information and researchers on the amendment. Furthermore, it did not take into account international best practices. The National Authority for Data Protection and Freedom of Information has recently conducted a research (yet to be finalised in Autumn 2022) entitled "Mapping the domestic practice of freedom of information and increasing its effectiveness" (KÖFOP-2.2.6-VEKOP-18-2019-00001), which was funded 100% by the European Union and worth one billion forints. However, the results of it are not reflected in the legislation at all, and they were obviously not used in the preparation of the law.
Budapest, 15 November 2022.