As there are several international aspects to the abuses—the spyware was produced by an Israeli company and an EU citizen living in Hungary was targeted with it—we are also launching international proceedings.

One of our clients, Adrien Beauduin, a student involved in the CEU protests, is a Belgian citizen and therefore the European Union may have jurisdiction over his attempted surveillance. On his behalf, we lodged a complaint with the Commission and asked it to investigate whether his rights to freedom of residence and employment guaranteed by the Treaty on the Functioning of the European Union had been violated (university education is also considered to be a form of employment according to the interpretation of the Court of Justice of the European Union).

It is easily conceivable that foreigners are more likely to attract the attention of the secret services and to be subject to politically motivated surveillance than Hungarian citizens—it is therefore reasonable to assume that there may be discrimination against citizens of other Member States. People in professions that require strict confidentiality (such as journalists or lawyers) may be deterred from working in Hungary because of the risk of surveillance. This could violate the free movement of labour and services and thus EU law.

Hungarian national security legislation falls short of the fundamental rights standards of other EU countries, which in itself may act as a deterrent to other EU citizens from residing in Hungary, as they may have a more well-founded fear of surveillance than elsewhere in the EU. The mere fact that it is impossible to prove discrimination because of the covert nature of the surveillance should not in itself lead to the erosion of rights guaranteed to EU citizens. We therefore take the view that the right to the free movement of persons and the free movement of labour of an EU citizen who is deterred from residing or working in Hungary by a rule that discriminates against foreigners is infringed.

Our client's right to privacy under the Charter of Fundamental Rights of the European Union may also have been infringed where the case has a European Union relevance.

17.08.2022 Unfortunately, the European Commission rejected our client's complaint and did not even consider our arguments.

In its reply (which can be downloaded here), it only provided information on which EU legislation is available to those whose data protection rights have been infringed. However, none of these apply in the case of surveillance by national security services. The Commission did not take into account that the complaint was not about a specific breach of our client's personal data, but about a systemic problem of abuse of the security services.

We regret that the Commission refused to examine whether it is compatible with European Union law for a Member State not to have effective control over surveillance for national security purposes.

Because of the difficulties of Hungarian law enforcement, we would have liked to ensure that the Hungarian authorities were not the only ones to act in investigating abuses. This is why we contacted Israeli human rights lawyer Eitay Mack, who has been fighting Israeli arms exports to autocracies for more than a decade. With his help, we were able to file a complaint with the Israeli Attorney General on behalf of three of our clients. We asked him to investigate whether a criminal offence had been committed when the NSO Group obtained a state export licence for Pegasus knowing that such a spy weapon could be more easily misused by the government in Hungary than in other countries.

The ECtHR already ruled in 2016, in the case Szabó and Vissy v Hungary, that the authorisation procedure for secret surveillance is unlawful because it is unclear under what conditions this tool can be used, the authorisation is granted by the Minister of Justice, not by a body independent of the government, and the conduct of the surveillance is not controlled by an independent body. In the more than six years since then, the government has amended the National Security Act nearly 20 times (!), but has done nothing to remedy the shortcomings—which it justifies to the Council of Europe by claiming that the analysis required for the amendments is time-consuming. The unsustainability of the government's position was also explained in our letter to the Council of Europe's Committee of Ministers.

Anyone can claim before the ECtHR that their fundamental rights are being violated simply because of poorly regulated surveillance powers of secret services in their country. A finding of a violation is not automatic: the applicant must allege a likelihood of being subjected to surveillance. Since it is impossible to obtain direct evidence of this, they can do so by showing that there are inadequate safeguards over surveillance in the country concerned and that they have a high-risk status for surveillance. This could be journalists, civil society workers or anyone else who might fear that if confronted by their government, it might try to take action against them by illegal means. Ultimately, the Court will consider each case on its own merits, taking into account the applicant's status and the national security arrangements in the country concerned, to determine whether the applicant's fear of surveillance is well founded.

In the case of Hungary, the ECtHR has already ruled that there are inadequate safeguards when it comes to surveillance; meanwhile, the situation of civil society and the independent press has deteriorated, as the government openly treats them as a national security risk. As an example, in 2016/17, three senior government politicians, including the Prime Minister, argued that NGOs labelled as members of the “Soros network” should be dealt with by the secret services. It is also worth remembering that in 2020, the Ministry of Foreign Affairs ordered reports from Hungarian embassies in the European Union on journalists visiting those countries for training in order to counter “attempts to interfere” by the “Soros organisations”. Since then, quite a few journalists have indeed been found to have been attacked by Pegasus software—although not members of the civil society (yet).

In this environment, all Hungarian CSOs and the independent journalistic sector can justifiably claim that the government could use secret service tools against them. We are therefore planning a mass action before the ECtHR with human rights lawyer Balázs Tóth on behalf of the people concerned.

Data obtained from surveillance is usually classified, so even the personal data of the target persons can become state secrets (classified data); however, the rules governing such data make the possibilities for redress particularly limited. Surveillance by intelligence services is also considered such data. Special rules apply to their disclosure, the relationship between which and the various avenues of redress (judicial, administrative) are not always clear. We are launching a series of proceedings against the Constitutional Protection Office (CPO) under the Ministry of the Interior and the Information Office (IO) under the Ministry of Foreign Affairs and Trade to bring these abuses to light and to bring justice to our clients.

If we are unsuccessful in the following proceedings, we will take the cases to the European Court of Human Rights (ECtHR) in Strasbourg and have the Court once again declare that the Hungarian regulation of secret services does not provide any controls for the people concerned—in other words, the Hungarian regulation systematically violates everyone's rights, as anyone can become a target of surveillance.

The National Security Act allows anyone who becomes aware of, or suspects, unlawful conduct by the secret services to lodge a complaint with the Minister in charge of the service concerned. The Minister will investigate the complaint and notify the complainant of the outcome. It can be said that ministerial investigations never produce any substantive results, which is not surprising. In such cases, politically motivated surveillance is investigated by a member of the government whose political interests were ostensibly served by the surveillance.

Anyone who does not accept the outcome of a ministerial inquiry can ask for their complaint to be investigated by the National Security Committee of Parliament. However, the Commission's decisions are not based on legal criteria, but solely on political ones, which makes it completely unpredictable whether it will investigate a person, and its procedure is therefore in no way an effective remedy.

The Ombudsman's main task is to protect fundamental rights. Anyone who believes that their fundamental rights have been violated by the security forces (including the CPO and IO) can turn to him/her. Illegal covert surveillance is of course a violation of fundamental rights, so we are also taking the matter to the Ombudsman in the Pegasus case. The Ombudsman will investigate the complaint received and, if he identifies a genuine violation of fundamental rights, he may take a number of measures.

Firstly, he may make a recommendation to the superior body of the offending body to remedy the infringement. In the case of the CPO and IO, the competent bodies are the Ministry of Interior and the Ministry of Foreign Affairs and Trade. As mentioned above, the surveillance may have served the political interests of the government, and therefore little substantive action can be expected from a member of the government in response to the Ombudsman's recommendation. Fortunately, the Ombudsman has other tools at his disposal. If his investigation suggests that a criminal offence may have been committed, he can initiate criminal proceedings. And if he finds anomalies in the protection of personal data, he can refer the matter to the National Authority for Data Protection and Freedom of Information (NAIH). Finally, he can also bring the violation to Parliament.

In the course of his investigation, the Ombudsman may even have access to classified data, albeit with limitations. For example, he cannot know who is cooperating with the secret services, the technical details of the techniques and methods they use to gather information, how they encrypt it or from whom it comes. If the Ombudsman also considers it necessary to examine documents that are not accessible to him—and this may be so in the Pegasus case—he can ask the minister in charge of the service to examine them for him and inform him of the outcome. But, as already mentioned, here the ministerial inquiry cannot be politically independent.

The NAIH is Hungary's data protection authority. Anyone who suspects that they have been illegally surveilled by the government can initiate one of two NAIH procedures:

Investigations: this is an ombudsman-like power, meaning that the NAIH identifies systemic problems and does not necessarily stay within the confines of the specific case of the data subject. It can carry out a wide range of checks on the (alleged) controller's processing, inspecting the processing sites, inspecting documents, etc., but it cannot take a binding decision on the controller under investigation, only make a recommendation (or initiate another type of ex officio procedure).

Administrative procedure: this procedure is carried out by the NAIH under the Administrative Procedures Act. The applicant is considered a client, which gives him/her rights, such as access to the files of the procedure or the right to challenge the NAIH's decision in court.

If at any time the NAIH finds that data have been unlawfully classified, it will initiate ex officio a “calssification reassessment procedure”, which may even result in an order to declassify the data. It is important to note, however, that the calssification reassessment procedure cannot be initiated by individuals—it can only be initiated ex officio, at the discretion of the NAIH.

In the course of its procedures, the DPA can also access classified data, but there are some limitations, as the national security service can refuse access to:

documents containing technical data on the operation and functioning of the means and methods used to gather classified information, or which would allow the identification of the persons using them;

documents the disclosure of which would enable the source of the information to be identified;

and to certain other information.

The grounds for refusal are therefore relatively broad, but more problematically, if there is a disagreement between the NAIH and the relevant intelligence service as to whether the grounds for refusal exist, the Minister in charge of the service—who cannot, of course, make an independent judgement on the matter—is entitled to decide the matter.

We have initiated official proceedings on behalf of our clients because in these proceedings the NAIH is obliged to decide on the specific case.

Everyone has the right to know who is processing personal data about them and what personal data they hold. Classified personal data can only be disclosed to the data subject with a clearance. The clearance is granted by the classifier (who initiated the classification of the data); in the case of a secret service, this is the Director-General. Under the clearance, the data subject is entitled to access his or her classified data, but must sign a confidentiality agreement and is prohibited from disclosing the information to anyone else under penalty of criminal prosecution. So even if someone had access to the surveillance data about them, they would not be able to publish it.

It is also unclear whether it is possible to ask for the clearance if the person concerned does not know whether their classified data is being processed at all. More worryingly, access is very rarely granted—we know of very few cases.

Yet it is necessary to make the request, because without it, no administrative action could be brought (see later).

If you want to find out whether you have been observed, there are two types of lawsuits you can consider:

a lawsuit for unlawful processing of personal data following the refusal of a subject access request under the Data Protection Act (civil action);

an administrative lawsuit under the Classified Data Act which was created specifically for this category of cases (administrative lawsuit), following the refusal of a request for clearance to access classified personal data.

One of the features of litigation is that unlawful secret surveillance (which is, however, in accordance with the letter of the law) is by its very nature not officially disclosed to anyone*, so it is always a question whether the right data controller is sued at all.

*Some surveillance, or the fact that classified data is being processed for other reasons, is communicated to the data subject. For example, if he/she has been subject to a national security screening (consent must be given) or if a secret service has acted as a specialised authority in his/her proceedings (this may be the case in aliens proceedings).