Data Protection

Data-protection-based (GDPR) SLAPP cases in Hungary - HCLU’s report is now available

The Hungarian Civil Liberties Union (HCLU, in Hungarian: TASZ) has been addressing data protection (GDPR) -based SLAPP issues for several years. GDPR based SLAPP cases are legal proceedings, where influential individuals try to stifle journalism with the misuse of data protection. We represent numerous affected editorial offices and actively participate in the dialogue on the anti-SLAPP directive at the European level. It is our primary aim to learn as much as possible about this new phenomenon, and to use this knowledge to facilitate meaningful dialogue between the relevant stakeholders.

According to the latest Freedom House report, internet is "partly free" in Hungary

Internet freedom in Hungary continues to decline. Hungary enjoys high levels of overall connectivity and relatively affordable internet access. While there are few overt restrictions on content in Hungary, the government continues to consolidate its control over the telecommunications and media landscape. During the coverage period, the political opposition experienced significant cyberattacks during their primary elections. Additionally, Parliament extended a “state of danger,” akin to a state of emergency that was originally enacted in response to the COVID-19 pandemic, in response to the Russian invasion of Ukraine. The government also blocked state-owned Russian websites in response to a European Council regulation following the invasion. Additionally, the government admitted to purchasing spyware technology, which was allegedly used to target journalists and lawyers.

Pegasus case: Foreign procedures

As there are several international aspects to the abuses—the spyware was produced by an Israeli company and an EU citizen living in Hungary was targeted with it—we are also launching international proceedings.

1. Complaint to the European Commission

One of our clients, Adrien Beauduin, a student involved in the CEU protests, is a Belgian citizen and therefore the European Union may have jurisdiction over his attempted surveillance. On his behalf, we lodged a complaint with the Commission and asked it to investigate whether his rights to freedom of residence and employment guaranteed by the Treaty on the Functioning of the European Union had been violated (university education is also considered to be a form of employment according to the interpretation of the Court of Justice of the European Union).

It is easily conceivable that foreigners are more likely to attract the attention of the secret services and to be subject to politically motivated surveillance than Hungarian citizens—it is therefore reasonable to assume that there may be discrimination against citizens of other Member States. People in professions that require strict confidentiality (such as journalists or lawyers) may be deterred from working in Hungary because of the risk of surveillance. This could violate the free movement of labour and services and thus EU law.

Hungarian national security legislation falls short of the fundamental rights standards of other EU countries, which in itself may act as a deterrent to other EU citizens from residing in Hungary, as they may have a more well-founded fear of surveillance than elsewhere in the EU. The mere fact that it is impossible to prove discrimination because of the covert nature of the surveillance should not in itself lead to the erosion of rights guaranteed to EU citizens. We therefore take the view that the right to the free movement of persons and the free movement of labour of an EU citizen who is deterred from residing or working in Hungary by a rule that discriminates against foreigners is infringed.

Our client's right to privacy under the Charter of Fundamental Rights of the European Union may also have been infringed where the case has a European Union relevance.


17.08.2022 Unfortunately, the European Commission rejected our client's complaint and did not even consider our arguments.

In its reply (which can be downloaded here), it only provided information on which EU legislation is available to those whose data protection rights have been infringed. However, none of these apply in the case of surveillance by national security services. The Commission did not take into account that the complaint was not about a specific breach of our client's personal data, but about a systemic problem of abuse of the security services.

We regret that the Commission refused to examine whether it is compatible with European Union law for a Member State not to have effective control over surveillance for national security purposes.

2. Investigation by the Attorney General of Israel

Because of the difficulties of Hungarian law enforcement, we would have liked to ensure that the Hungarian authorities were not the only ones to act in investigating abuses. This is why we contacted Israeli human rights lawyer Eitay Mack, who has been fighting Israeli arms exports to autocracies for more than a decade. With his help, we were able to file a complaint with the Israeli Attorney General on behalf of three of our clients. We asked him to investigate whether a criminal offence had been committed when the NSO Group obtained a state export licence for Pegasus knowing that such a spy weapon could be more easily misused by the government in Hungary than in other countries.

3. Mass litigation before the European Court of Human Rights (ECtHR)

The ECtHR already ruled in 2016, in the case Szabó and Vissy v Hungary, that the authorisation procedure for secret surveillance is unlawful because it is unclear under what conditions this tool can be used, the authorisation is granted by the Minister of Justice, not by a body independent of the government, and the conduct of the surveillance is not controlled by an independent body. In the more than six years since then, the government has amended the National Security Act nearly 20 times (!), but has done nothing to remedy the shortcomings—which it justifies to the Council of Europe by claiming that the analysis required for the amendments is time-consuming. The unsustainability of the government's position was also explained in our letter to the Council of Europe's Committee of Ministers.

Anyone can claim before the ECtHR that their fundamental rights are being violated simply because of poorly regulated surveillance powers of secret services in their country. A finding of a violation is not automatic: the applicant must allege a likelihood of being subjected to surveillance. Since it is impossible to obtain direct evidence of this, they can do so by showing that there are inadequate safeguards over surveillance in the country concerned and that they have a high-risk status for surveillance. This could be journalists, civil society workers or anyone else who might fear that if confronted by their government, it might try to take action against them by illegal means. Ultimately, the Court will consider each case on its own merits, taking into account the applicant's status and the national security arrangements in the country concerned, to determine whether the applicant's fear of surveillance is well founded.

In the case of Hungary, the ECtHR has already ruled that there are inadequate safeguards when it comes to surveillance; meanwhile, the situation of civil society and the independent press has deteriorated, as the government openly treats them as a national security risk. As an example, in 2016/17, three senior government politicians, including the Prime Minister, argued that NGOs labelled as members of the “Soros network” should be dealt with by the secret services. It is also worth remembering that in 2020, the Ministry of Foreign Affairs ordered reports from Hungarian embassies in the European Union on journalists visiting those countries for training in order to counter “attempts to interfere” by the “Soros organisations”. Since then, quite a few journalists have indeed been found to have been attacked by Pegasus software—although not members of the civil society (yet).

In this environment, all Hungarian CSOs and the independent journalistic sector can justifiably claim that the government could use secret service tools against them. We are therefore planning a mass action before the ECtHR with human rights lawyer Balázs Tóth on behalf of the people concerned.

Pegasus case: Hungarian procedures

Data obtained from surveillance is usually classified, so even the personal data of the target persons can become state secrets (classified data); however, the rules governing such data make the possibilities for redress particularly limited. Surveillance by intelligence services is also considered such data. Special rules apply to their disclosure, the relationship between which and the various avenues of redress (judicial, administrative) are not always clear. We are launching a series of proceedings against the Constitutional Protection Office (CPO) under the Ministry of the Interior and the Information Office (IO) under the Ministry of Foreign Affairs and Trade to bring these abuses to light and to bring justice to our clients.

If we are unsuccessful in the following proceedings, we will take the cases to the European Court of Human Rights (ECtHR) in Strasbourg and have the Court once again declare that the Hungarian regulation of secret services does not provide any controls for the people concerned—in other words, the Hungarian regulation systematically violates everyone's rights, as anyone can become a target of surveillance.

1. Ministerial inquiry and Parliament’s national security committee

The National Security Act allows anyone who becomes aware of, or suspects, unlawful conduct by the secret services to lodge a complaint with the Minister in charge of the service concerned. The Minister will investigate the complaint and notify the complainant of the outcome. It can be said that ministerial investigations never produce any substantive results, which is not surprising. In such cases, politically motivated surveillance is investigated by a member of the government whose political interests were ostensibly served by the surveillance.

Anyone who does not accept the outcome of a ministerial inquiry can ask for their complaint to be investigated by the National Security Committee of Parliament. However, the Commission's decisions are not based on legal criteria, but solely on political ones, which makes it completely unpredictable whether it will investigate a person, and its procedure is therefore in no way an effective remedy.

2. Inquiry by the Commissioner for Fundamental Rights (Ombudsman)

The Ombudsman's main task is to protect fundamental rights. Anyone who believes that their fundamental rights have been violated by the security forces (including the CPO and IO) can turn to him/her. Illegal covert surveillance is of course a violation of fundamental rights, so we are also taking the matter to the Ombudsman in the Pegasus case. The Ombudsman will investigate the complaint received and, if he identifies a genuine violation of fundamental rights, he may take a number of measures.

Firstly, he may make a recommendation to the superior body of the offending body to remedy the infringement. In the case of the CPO and IO, the competent bodies are the Ministry of Interior and the Ministry of Foreign Affairs and Trade. As mentioned above, the surveillance may have served the political interests of the government, and therefore little substantive action can be expected from a member of the government in response to the Ombudsman's recommendation. Fortunately, the Ombudsman has other tools at his disposal. If his investigation suggests that a criminal offence may have been committed, he can initiate criminal proceedings. And if he finds anomalies in the protection of personal data, he can refer the matter to the National Authority for Data Protection and Freedom of Information (NAIH). Finally, he can also bring the violation to Parliament.

In the course of his investigation, the Ombudsman may even have access to classified data, albeit with limitations. For example, he cannot know who is cooperating with the secret services, the technical details of the techniques and methods they use to gather information, how they encrypt it or from whom it comes. If the Ombudsman also considers it necessary to examine documents that are not accessible to him—and this may be so in the Pegasus case—he can ask the minister in charge of the service to examine them for him and inform him of the outcome. But, as already mentioned, here the ministerial inquiry cannot be politically independent.

3. Procedures of the National Authority for Data Protection and Freedom of Information (NAIH)

The NAIH is Hungary's data protection authority. Anyone who suspects that they have been illegally surveilled by the government can initiate one of two NAIH procedures:

Investigations: this is an ombudsman-like power, meaning that the NAIH identifies systemic problems and does not necessarily stay within the confines of the specific case of the data subject. It can carry out a wide range of checks on the (alleged) controller's processing, inspecting the processing sites, inspecting documents, etc., but it cannot take a binding decision on the controller under investigation, only make a recommendation (or initiate another type of ex officio procedure).

Administrative procedure: this procedure is carried out by the NAIH under the Administrative Procedures Act. The applicant is considered a client, which gives him/her rights, such as access to the files of the procedure or the right to challenge the NAIH's decision in court.

If at any time the NAIH finds that data have been unlawfully classified, it will initiate ex officio a “calssification reassessment procedure”, which may even result in an order to declassify the data. It is important to note, however, that the calssification reassessment procedure cannot be initiated by individuals—it can only be initiated ex officio, at the discretion of the NAIH.

In the course of its procedures, the DPA can also access classified data, but there are some limitations, as the national security service can refuse access to:

documents containing technical data on the operation and functioning of the means and methods used to gather classified information, or which would allow the identification of the persons using them;

documents the disclosure of which would enable the source of the information to be identified;

and to certain other information.

The grounds for refusal are therefore relatively broad, but more problematically, if there is a disagreement between the NAIH and the relevant intelligence service as to whether the grounds for refusal exist, the Minister in charge of the service—who cannot, of course, make an independent judgement on the matter—is entitled to decide the matter.

We have initiated official proceedings on behalf of our clients because in these proceedings the NAIH is obliged to decide on the specific case.

4. Application for a clearance to access classified personal data

Everyone has the right to know who is processing personal data about them and what personal data they hold. Classified personal data can only be disclosed to the data subject with a clearance. The clearance is granted by the classifier (who initiated the classification of the data); in the case of a secret service, this is the Director-General. Under the clearance, the data subject is entitled to access his or her classified data, but must sign a confidentiality agreement and is prohibited from disclosing the information to anyone else under penalty of criminal prosecution. So even if someone had access to the surveillance data about them, they would not be able to publish it.

It is also unclear whether it is possible to ask for the clearance if the person concerned does not know whether their classified data is being processed at all. More worryingly, access is very rarely granted—we know of very few cases.

Yet it is necessary to make the request, because without it, no administrative action could be brought (see later).

5. Lawsuits

If you want to find out whether you have been observed, there are two types of lawsuits you can consider:

a lawsuit for unlawful processing of personal data following the refusal of a subject access request under the Data Protection Act (civil action);

an administrative lawsuit under the Classified Data Act which was created specifically for this category of cases (administrative lawsuit), following the refusal of a request for clearance to access classified personal data.

One of the features of litigation is that unlawful secret surveillance (which is, however, in accordance with the letter of the law) is by its very nature not officially disclosed to anyone*, so it is always a question whether the right data controller is sued at all.

*Some surveillance, or the fact that classified data is being processed for other reasons, is communicated to the data subject. For example, if he/she has been subject to a national security screening (consent must be given) or if a secret service has acted as a specialised authority in his/her proceedings (this may be the case in aliens proceedings).

Pegasus case

The secret services have essentially unlimited data collection powers in Hungary. There are no strict conditions for surveillance, and even these are not subject to independent control. The Pegasus case has shown that this is not a theoretical problem: the telephones of Hungarian citizens were hacked without any national security reason. Yet it is a natural and basic need of every human being to have a domain of their life to which no one has access, except for themselves. We cannot talk about human dignity where we become completely transparent to the state. That is why we have decided to take action in all possible fora on behalf of those affected by the Pegasus case, in order to prevent politically motivated surveillance.

Pegasus case: HCLU takes coordinated domestic and foreign legal action

The Hungarian Civil Liberties Union (HCLU) is taking legal action on behalf of six of its clients before the Hungarian authorities, the European Commission, the European Court of Human Rights in Strasbourg and in Israel. The organisation aims to expose the practice of unlawful secret surveillance, to have international fora declare that the Hungarian regulation of secret information gathering violates fundamental rights and to prevent politically motivated abuses.

Hungarian government plans to enforce encryption backdoors

According to an action plan to fight terrorism being drafted by the Hungarian Ministry of Interior, a person using a service providing encrypted communication could be imprisoned for up to two years.

Judicial Warrants Are Required for Government Surveillance

The Strasbourg court's decision in a case from Hungary declares once and for all that uncontrolled government surveillance is incompatible with European human rights standards.

NGOs Reject "Safe Harbor 2.0," Urge EU and US to Protect Fundamental Rights

Leading human rights and consumer organizations have issued a letter to urge the US and the EU to protect the fundamental right to privacy.

NGOs Reject "Safe Harbor 2.0," Urge EU and US to Protect Fundamental Rights

Leading human rights and consumer organizations have issued a letter to urge the US and the EU to protect the fundamental right to privacy.

Will Hungary's Constitutional Court Repeal the Data Retention Law?

The Hungarian Civil Liberties Union has filed a complaint against Internet and mobile service provider Telenor in an attempt to have the Constitutional Court annul an unlawful act that allows for the retention of telephone and Internet traffic data (concerning the identity of the calling party, the length of call, frequency of communication, etc.) for 6 months. Such data retention constitutes a severe breach of the fundamental rights to privacy and the protection of personal data.More:

International coalition to support the Canadian Civil Liberties Association

The HCLU as a member of International Civil Liberties Organisations (INCLO) endorses the statement of the Canadian human rights NGO against the new Anti-Terror Act.