By extending the deadline for answering FOI requests and suspending data protection regulations due to the COVID emergency, Hungary’s government is continuing its assault on important democratic rights.
The Hungarian government’s decision to limit the application of the EU’s General Data Protection Regulation, GDPR, is fueling fear among the opposition and civil society organisations that human rights face further curbs in the country.
Justified by the need to stop the spread of the coronavirus, the authorities can now use the personal data of citizens without clear regulations about when they can use it, and for what purpose.
Viktor Orban’s government has also additionally limited information access by extending the deadline for public institutions to provide requested data through FOI regulations from 15 to 45 days. The deadline can be prolonged for another 45 days meaning one could have to wait up to 90 days for answers – another step backwards in terms of media freedom.
The government says both decisions will be revoked once the state of the emergency, imposed on March 11, is lifted.
But rights groups and the opposition now fear a repeat of events in 2015. In that year, the Orban government introduced controversial “crisis” measures to stop an influx of migrants that are still in force today – despite the dramatic decline in the number of migrants and refugees coming to Hungary since then.
‘Crisis’ measures that risk becoming permanent
Attila Peterfalvi. Photo: Wikimedia commons/BudayLilla
The government restricted data protection rights as stipulated by the GDPR and the Act on Freedom of information on May 4.
It imposed a state of emergency on 11 March and extended it indefinitely on March 31.
Under the state of emergency, the government has the authority to govern through decrees, while parliament is suspended.
The latest changes come after several international reports highlighted serious declines in the quality of Hungarian democracy and press freedom.
The Nations in Transit report, issued in May by the watchdog organisation Freedom House, notably ranked Hungary as the only non-democracy in the whole of the EU.
“Hungary’s decline has been the most precipitous ever tracked in Nations in Transit; it was one of the three democratic frontrunners as of 2005, but in 2020 it became the first country to descend by two regime categories and leave the group of democracies entirely,” the report said.
The Press Freedom Index released by the watchdog organisation Reporters Without Borders ranked Hungary in the lowest place for press freedom in the EU.
It said access to information was becoming ever more difficult for independent journalists, who are now banned from freely putting questions to politicians or from attending many events.
Now, not only do Hungarian institutions have 90 days instead of 30 to answer an FOI request, – triple the previous length – but requests related to privacy will remain unanswered until the state of emergency is lifted.
This may mean journalists waiting three months to get access to vital information. And, with so many things happening fast during the state of emergency, the risk is that the information will become irrelevant or outdated.
The government justified the much longer deadline to answer FOI requests by claiming that keeping to the 15-day deadline could “endanger the fulfilment of the [relevant institution’s] public tasks in relation to the emergency”, so the decree says.
When it comes to the suspended GDPR articles, they include: the right of access by the data subject; the right to erasure (the “right to be forgotten”); the right to restriction of processing; for information to be provided when personal data are collected from the data subject, or information to be provided when personal data have not been obtained from the data subject.
Important information on the way the authorities obtain personal data, its purpose, and how it is processed, protected, or shared with other authorities, will now only become available when the state of emergency ends.
The authorities insist concern about these changes is needless. In response to a query from BIRN, Attila Peterfalvi, chair of the National Authority for Data Protection and Freedom of Information, said the decree applies only to requests for data in relation to the battle against the coronavirus, and that the data controller will also have to prove why they wish to apply the special regulation.
Peterfalvi noted also that GDPR gives participating states the right to restrict its provisions. The decree doesn’t actually take away any rights, or the right to remedy, but only delays their execution until the end of the state of emergency, he stressed.
Officials also point out that they will lift the state of emergency when it is no longer needed.
But opposition politicians and rights groups are not persuaded. They recall that the “crisis” measures imposed to stop illegal migration in 2015 were prolonged again and again – and still remain effective – long after the number of migrants attempting to cross Hungary decreased drastically.
Worryingly broad legislation
Illustration. Photo : EPA-EFE/Zoltan Balogh
The 30-day GDPR deadline to answer COVID-19-related data subject requests will resume once the state of emergency ends. This means that, until then, if someone submits a request related to COVID-19, or lodges an objection against the processing of his personal data related to COVID-19, the data controller is not required to take any steps to erase the data, rectify the data, or restrict its processing.
Furthermore, the legislation does not define the exact categories of personal data or the type of data controllers that fall under it.
As a result, any data controller taking part in the fight against COVID-19, or processing COVID-19-related personal data, can interpret the new legal provisions widely and broaden its restrictions to apply to as much personal data as possible.
Ádam Remport, data protection expert at the Hungarian Civil Liberties Union, an NGO, told BIRN that he believes the decree suspends fundamental rights, which the GDPR does not allow for.
The wording of the decree is too general and its reasoning too weak, he adds.
Remport said the GDPR is very strict about when member countries can suspend its application.
He notes that the GDPR says a restriction may only be imposed if it “respects the essence of the fundamental rights and freedoms”, and if this restriction “is a necessary and proportionate measure in a democratic society”.
Remport says the total suspension of certain rights does not fit into this category. He adds that while the decree indicates the purpose of the legislation, all the other reasoning is missing.
“The decree should list explicitly to which data and data controller it applies. It should at least justify why there is no such list,” he said.
In its current form, he added, the decree is too wide-ranging and can be applied to anything, from healthcare to the economy.
The GDPR also demands the right to an effective remedy, a right which cannot be suspended, he said. “According to the European Convention on Human Rights, and the GDPR, a remedy is real if it provides an effective judicial remedy.
“The wording of the decree doesn’t contradict this directly, as in theory one can still appeal. But until the state of emergency ends, nobody can go to court,” he pointed out.
“Nobody knows when the emergency will end, so we can’t call this an effective remedy; it is not a real remedy,” he concluded.
FOI rights undermined for years
Illustration. Photo: Pxfuel
As state communication become more centralized in Hungary – and effectively censored during the COVID-19 emergency, according to one NGO report, FOI requests have become ever more important as tools for journalists to extract relevant information about state operations.
Miklos Ligeti, legal director of Transparency International Hungary, told BIRN that the government in Budapest has been undermining this right for years.
“The Hungarian government has continuously restricted access to public data since 2013. From this point of view, the new decree is not a novelty,” he said.
The only guaranteed way to gain access to public data was via the courts, Ligeti added. “Now the time one has to wait before going to court has been prolonged,” he continued.
According to Transparency International, the decree goes against the constitution, as the right to freedom of information it refers to implies fast and timely access – while waiting months for an answer is anything but.
Since 2013, according to the government, FOI requests can be rejected if they are too “comprehensive”, as over-detailed questions are deemed a “misuse” of FIOA rights.
To decide what question is too detailed is, again, up to the data owner. The next restriction, which followed in 2015, allowed data owners to bill the information requester for “reimbursement of expenses”, if replying to the request involves “a disproportionate amount of work” for the relevant institution.
Tamas Bodoky, founder and editor-in-chief of Átlátszó, an investigative portal, told BIRN that the new moves were yet another attempt to restrict the FOI law.
“This is the third time the Orbán government is restricting FOI. This tendency, and the suspension of the GDPR Articles are the real concern – not that we might have to wait longer to get information,” Bodoky said.
Bodoky notes that if institutions demand reimbursement for work, “it is usually around 5,000 to -20,000 forints [14 to 60 euros]. To pay this money is not a problem for a lawyer or an editorial. But the intention behind this is to prevent citizens from using this tool to control power”.
His investigative portal has developed a tool through which users can send FOI requests to any public body.
According to him, data owners rarely demand “unreasonable” sums of money for reimbursement. If they do, or the info request is denied, “one can go to court. But that takes time and costs money, and people cannot afford it”.
Fortunately, he adds, judges usually favour making data public. But sometimes, despite a court judgment, data owners still withhold the data. “In that case, we remain without means, as public prosecutors will do nothing to enforce the verdict,” Bodoky warned.
Átlátszó uses FOI requests a lot for its investigations, and has faced various other methods by which state institutions hide information.
“Once the cabinet office of the Prime Minister sent us documents that were photocopied so many times – or maybe digitally blurred – that they were barely readable,” Bodoky recalled. “This shows clearly what the Hungarian government thinks about freedom of information,” he adds.
Miklós Ligeti says the broad implications of the latest moves are more concerning than their exact detail.
“If we look at the big picture, we see that the lack of reliable data makes rational public conversation impossible,” he warned. “Once there is no information, citizens cannot make responsible political decisions,” he concluded.