The Legislation of the Right for Protection of Personal Data and the Right to Disclosure of Information of Public Interest in Hungary
The article examines the circumstances that drove the evolution of the regulation of data protection and freedom of information, and the circumstances that led to the formation of the Ombudsman institution. The Constitution adopted after the changes of 1989 defined the right to protection of personal data and freedom of information...
Date: | 2010 |
---|---|
Format: | Article |
Language: | English |
Published: | Інститут держави і права ім. В.М. Корецького НАН України, 2010 |
Series: | Часопис Київського університету права |
Online access: | http://dspace.nbuv.gov.ua/handle/123456789/23345 |
Journal title: | Digital Library of Periodicals of National Academy of Sciences of Ukraine |
Cite: | The Legislation of the Right for Protection of Personal Data and the Right to Disclosure of Information of Public Interest in Hungary / Attila Peterfalvi // Часопис Київського університету права. — 2010. — No. 1. — P. 317-326. — Bibliogr.: 18 titles. — In English. |
Author: | Peterfalvi, Attila |
Topic: | Legal system of Ukraine and international law, comparative jurisprudence |
Abstract: | The article examines the circumstances that led to the evolution in the settlement of issues concerning data protection, and the circumstances of the formation of the Ombudsman's Office. The Constitution enacted after the change of regime in 1989 guaranteed the right to protection of personal data and freedom of information as a constitutional right. After that, three years were to pass before the relevant statute was enacted and three further years before the Parliamentary Commissioners who were to supervise the enforcement of this constitutional right would be confirmed in their positions. Although the process for preparation of the Act started in the mid 1980s, it was only promulgated in 1992, after which the Parliamentary Commission commenced its duties. |
Key words: | data protection, law right to disclosure of information, codification of work, ratifying, Convention, directive, integration criteria, ombudsman, data controller |
A. PETERFALVI

Prof. Dr. Attila Péterfalvi, Parliamentary Commissioner of Data Protection and Freedom of Information

© A. Péterfalvi, 2010

THE LEGISLATION OF THE RIGHT FOR PROTECTION OF PERSONAL DATA AND THE RIGHT TO DISCLOSURE OF INFORMATION OF PUBLIC INTEREST IN HUNGARY

The circumstances of the evolution of legal regulation for data protection and freedom of information and the circumstances of the formation of the Ombudsman's Office are well known. The Constitution enacted after the change of regime in 1989 guaranteed the right to protection of personal data and freedom of information as a constitutional right. After that, three years were to pass before the relevant statute was enacted and three further years before the Parliamentary Commissioners who were to supervise the enforcement of this constitutional right would be confirmed in their positions. Although the process for preparation of the DP&FOI Act started in the mid 1980s and the Government requested the Minister of Justice in January 1989 to introduce the necessary bill by the end of December 1990, Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Information of Public Interest (henceforth the "DP&FOI Act") was only promulgated on 17 November 1992. The deadline (1 October 1993) for the Commissioners' elections passed without avail. Although the President of the Republic heard the candidates, their election by Parliament was unsuccessful. Finally, the Parliamentary Commissioners took up their positions on 30 June 1995.

The preparatory drafts of the next significant amendment to the DP&FOI Act commenced in 2001. Due to the legal harmonisation programme of the Government, the revision of the DP&FOI Act was planned in the legislation programme of the second part of 2001, in the interests of precise harmonisation with the 1995 Directive. The materials that were produced during the preparation of the proposal were sent at the end of March 2001 to the first Hungarian Data Protection Commissioner. Considering that it was not a worked-out draft, the Commissioner did not make any remarks. Meanwhile Dr. László Majtényi's term had run out. At the end of July, the Ministry of Justice sent the draft of the "Act on the Protection of Personal Data and Access to Data of Public Interest" to the Parliamentary Commissioner for Human Rights who had been substituting for the Data Protection Commissioner. The proposal contained basic changes to the original conception. It planned to codify the rules of the protection of personal data and the access to data of public interest in two separate Acts; it introduced new concepts in connection with the processing of personal data; and it provided for several new tasks for the Commissioner (investigations of automated individual decisions; issuing binding decisions by ordering the blocking, deletion or destruction of unlawfully processed data; participation in the legal proceedings; prior checking; as well as the right to form opinions on legislative proposals concerning data of public interest).

In 2001, the Commissioner proposed an important amendment to the legislator in the interests of the enforcement of data protection and freedom of information: "Over the almost six years since I took up my position as Data Protection Commissioner, I have often had to face the fact that the deficiencies of our rules weaken sanctions under criminal law as one of the major guarantees of privacy and freedom of information. This is because the Criminal Code, in providing assurances for these two fundamental rights, assigns excessively broad limits to criminal liability by imposing sanctions on acts that could well be tackled by means other than those of criminal prosecution. In addition, the notions used by the Code do not precisely correspond to the dogmatics of data protection law"[1]. The Commissioner issued a Recommendation to the Minister of Justice in which he stated that no illegal control of data should carry a punishment under the Criminal Code unless using such force was inevitably called for and justified. The terminology of the Criminal Code should be aligned with that of the Act in the interests of promoting uniform legal practice. Felonies involving personal data should not be discussed in the same section as felonies involving data of public interest. The Commissioner proposed that the definition of such felonies should be reclassified as misdemeanours. Following that, the legislator mitigated the strictness of this crime, but did not elaborate the conditions for applying sanctions. Therefore the Commissioner initiated the amendment with the Minister of the Interior in 2003, asking again for the possibility to punish the violation of data protection, at least as an offence if there were a minor violation. Relating to his examinations concerning the Internet, he proposed to the legislator to harmonise the transborder data-flow with the Directive 94/46/EC. For the introduction of the electronic freedom of information, he asked for the legislation to prescribe the list of data of public interest which must be published. According to him, it would be important to create the legal conditions for protection against attacks from hackers, the regulations for spam and the rules for processing traffic data[2].

In the Government's Work Plan for the second half of 2002, the revision of the DP&FOI Act could also be found. The first version was much modified after a broad discussion, but the Government still proposed the version of two Acts.
In his opinion on the drafts, the Commissioner stated that "the categories and some rules surely will have an effect on developing the legal culture, but the draft gives no answer to the question why it is necessary to separate these rights into two statutes, by abandoning in this way the Hungarian method of regulation which is, incidentally, very well recognised abroad. We also criticise the fact that the draft intends to abandon the logic of the Act and the relevant EU Directive, that is to say that the condition for lawful data processing is the consent of the data subject or the ordering of an Act"[3].

This idea of separation emerged in the proposals up until 2003. Although neither the Commissioner's Office nor the new Commissioner after his 2002 election ever considered this concept well-founded, it was not enough to convince the Ministry of Justice. In fact the reason for abandoning this idea was that a profound codification was needed but because of the short time-limits and the large number of tasks about EU accession, it was not possible. Nevertheless, it is important to mention that this proposal was the basis and starting point for the subsequent amendments to the DP&FOI Act in 2003.

The year of 2003 – as far as legislation was concerned – was the year of data protection and freedom of information. After long preparatory work, after many consultations, and revisions, a new Data Protection Act came into being. The Act on Secrecy was the result of a long legislative process too, and the Act on the so-called "Glass-pockets Programme" also came into force.

The amended DP&FOI Act[4] mainly extended the Chapters regarding data control and invested the Commissioner with new powers and competences. It was reasonable to determine – taking the Directive into consideration – the personal and objective scope, as well as the territoriality in the amended Act.
Therefore the scope of the DP&FOI Act now covers all personal data processing and data transfer within the territory of Hungary, regardless of the citizenship, place of residence, or seat of the data controller/processor. The provisions of the Act apply to data processing and data transfer operations whether they are performed by an automated process or by manual processing, but not where data is processed by a natural person exclusively for his own purposes.

Due to the new rules of the DP&FOI Act, the scope of special data was amended in respect of trade union membership, although the Commissioner had already classified it as special data in his practice, because it might refer to a political opinion. In the second group of special data (personal data concerning health, addictions, sex life, or criminal record), the opinion of the Data Protection Committee of the Council of Europe was taken into consideration: the amended DP&FOI Act accordingly includes personal data relating to criminal offences, rather than personal data concerning criminal records. To this category belong such personal data that might be related to the data subject and that were obtained by organisations authorised to conduct criminal proceedings or investigations or by criminal institutions during or prior to criminal proceedings in connection with a crime or criminal proceedings; and data concerning criminal records.

The definition of data public on the grounds of public interest was introduced as a new definition which now means any data not regarded as personal data that are managed by a state or local public authority or agency or by any other body attending to public duties specified by law and is not to be disclosed for the benefit of the general public.

As a principle according to the amended DP&FOI Act, personal data may be processed if the data subject has given his consent, or if decreed by law, though the amended Act did not include any rule in connection with the consent or the making of such statement. The Commissioner in his case-law has consistently applied the provisions of the Directive, which provides for the fact that the consent has to be freely given, and amount to a specific and informed indication of the data subject's wishes. Due to the 2003 amendment, the said provision has now been included in the amended DP&FOI Act.
The data subject has the right to object to the processing of his personal data, and may request the ending of such operation or erasing/removal of such data.

In accordance with the demands of the 1995 Directive, the amended DP&FOI Act has been modified with a general enumeration, which includes that personal data may be processed – either with the data subject's consent or when ordered by a legal rule – in particular, where it is necessary: for the performance of a task of public interest; for the data controller to perform his obligations prescribed by an Act; for the data controller or data recipient third person to perform their official duties; for the protection of the vital interests of the data subject; for the meeting of the obligations laid down in the contract between the data subject and the data controller; for the assertion of a legitimate interest of the data controller or a third person; or for the lawful operation of social organisations.

In order to fulfil the requirements set out in the Directive, the amended DP&FOI Act now provides that criminal personal data – for the purpose of performing the State's tasks of criminal investigation, crime prevention, as well as public administration and judicial tasks, and data files pertaining to minor offences, civil actions and non-litigious cases – may only be processed by state or local government organs.

The data subject retains the right of self-determination regarding his own data: he may thus decide on the delivery of his data, may request its rectification and – with some exceptions – may ask for the deletion of his data. After the 2003 amendment, the deletion of personal data may also be ordered by the Data Protection Commissioner and the Municipal Court of Budapest. The data subject must be informed of any rectification or deletion. Such information may be dispensed with if, in view of the purpose of processing, no legitimate interests of the data subject are thereby infringed.
The rights of the data subject may be restricted by an Act. After EU accession, the abovementioned right may be restricted by an Act for important economic or financial interests of the European Union.

In order to comply with the Directive, a new rule was introduced into the DP&FOI Act, namely the right to object to data controlling or processing. Such right may be exercised when data controlling serves the sole interest of the data controller or a third person, that is to say the data control/transfer occurs for the purpose of, e.g., direct marketing, public opinion research or scientific research. The Act itself renders it possible to exercise this right to object: it sets out the time-limits regarding the procedure and the obligations of the data controllers in connection with the right to object. If the data subject is not able to exercise his right, he may institute court proceedings.

Previously there were few examples of requesting the Commissioner to give his opinion before the data controller would commence its activity: after 1 January 2005/6, it became mandatory in the case set out in section 31 of the amended DP&FOI Act. The major data controllers (national authorities, or national labour or criminal data registry, financial organisations or public utility providers as well as telecommunications service providers) must notify the Data Protection Commissioner of their intention to process technically new data files or to apply a new technical data processing technology 30 days prior to commencing such activities and, if the Commissioner so decides, he may perform a prior check. On the basis of the check, the Data Protection Commissioner may call on the data controller to change the range of data to be processed or the method of technical data processing.

Upon observing any unlawful processing of data, the Data Protection Commissioner is to call on the data controller to discontinue the data processing. If the data controller or technical data processor fails to discontinue the unlawful processing (technical processing) of personal data, the Data Protection Commissioner may order in a decision the blocking, deletion or destruction of unlawfully processed data, prohibit the unlawful processing or technical processing of data, and suspend the transfer of data to foreign countries. The data controller, the technical data processor or the data subject may request judicial review from the Municipal Court of Budapest against the decision of the Data Protection Commissioner.

The amended DP&FOI Act leaves several questions open. The procedural rules of acting as a public authority are not determined. There are no such rules which would lay down the method and the formal criteria for ordering, blocking, or suspending, although these rules are indispensable. It is still a question as to what happens if the data controller neither stops the unlawful data processing, nor requests a judicial review, considering that the Commissioner does not have any further authorisation beyond the ordering (e.g., imposing a fine, ordering enforcement). The amended DP&FOI Act does not provide in what kind of proceedings the matter should come before the Municipal Court of Budapest for trial. In 2004 there were two occasions when the data controller filed a case against the Commissioner. In the first case, the data controller withdrew his action; the other case is still pending.
The case was filed due to the general rules of the Code on Civil Procedure because of the violation of personal rights; the data controller was holding the position of the plaintiff while the Commissioner was protecting the rights of the data subjects as the defendant. So the revision and the amendment of these rules is needed, with the result that the necessary actions should take the form of administrative proceedings.

The abovementioned major data controllers are required to appoint an internal data protection officer and draw up their internal data protection and data security rules. State and local government data controllers are also required to adopt data protection and data security rules.

In 2003, Parliament also adopted the "Glass-pockets" Programme which amended 19 Acts[5]. The purpose of the new Act was to ensure the Publicity, Transparency and Control of the Appropriation of Public Funds and the Use of Public Property. After many consultations, all of the Commissioner's remarks were incorporated into the Act. The Act (and its implementing Decree) made headway in the field of freedom of information because the legislator ended the contradiction between the definition of business secret and data public on the grounds of public interest. Through the introduction of the definition of data public on the grounds of public interest, the legislator extended the freedom of information to the organs of private sector which are in a business or financial relationship with government. The Act also contained the obligation that publication on the website referred to a broad range of data of public interest relating to government; as well as all organs in government being required to appoint a person or an entity bearing the special knowledge needed in order to publish the data of public interest.

The Ministers and chapter-holders must prepare an action plan.
Such plan is intended to inform the citizens clearly and authentically; to examine the scope and range of data, and whether or not they should be published; and to make proposals regarding those Acts which should be amended in order to comply with the obligation of publishing data of public interest. Lastly the Ministers and chapter holders have to consult with the Minister of Finance on the supplementary financial contributions when executing the tasks required by the Action Plan[6].

As the result of long preparation work, Act LIII of 2003 on the Amendment to Act LXV of 1995 on State and Official Secrets (the "Secrets Act") also entered into force in 2003[7]. With EU accession, it was necessary to modify the system of secrets classification, that is to say, to introduce the four-level, damage-based classification system together with the repeal of the automatic nature of the classification system, while implementing the EU classification system into Hungarian law. The EU did not consider it to be reasonable to accept a large volume of highly-classified data, and therefore those provisions which had required such classification needed to be repealed.
With the introduction of the four-level, damage-based classification system, the number of the types of the secrets has not been altered: however there are more levels of protection available, the state secret being classified now as "Strictly Confidential!" The classifier decides on whether a piece of data should be classified as a state or official secret, and decides on the choice of the most suitable classification from the point of view of the protection of the relevant data; this method therefore amounts to a flexible tool to assist in observing the rule for proportional cost of the protection. The Commissioner was of the opinion that the amendments to the text, which were built at the last moment, might be questioned from the point of view of data public on the grounds of public interest and might lead to inconsistency in the secrecy rules. "The main concept in the correction of secrecy rules was to repeal those provisions which required the classification automatically. The purpose was partially achieved. Act CXXV of 1995 on the National Security Services still includes "ex lege" provisions which give rise to classification of secrets. [Sections 30(4), and 42(1), and the questionnaire of the national security control in the annex are such.] …

The annex unnecessarily determines the criteria of the classification of "Strictly Confidential" because this – and only this – classification can apply to every state secret. And it may lead to problems in the scope in that the criteria of the classification as state secret do not coincide with the definition of the state secret in the Act.
The inner coherent problems of the rules may obstruct the classification of data as state secrets, although the constitutional criteria for restricting publication exist.

It is doubtful that the official secret – due to the concept of the legislator – is able to play the part of the "soft state secret," as there is no difference in the grading between state and official secrets, but – regarding the different protected subject of the rules – there is a difference in quality"[8].

One of the reasons for the amendment of the DP&FOI Act in 2005 was the unconstitutional regulation of "data that relates to the decision-making process or for internal use only." The Constitutional Court in Decision 12/2004 (IV.7) AB held that the legislator did not guarantee, to an acceptable constitutional level, the safeguards of the right of access to data of public interest. As a result of this Court Decision, it was no longer reasonable to restrict the right of access to data (of public interest) when it only served the interests of making the decision.

The definition and the scope of "data relating to the decision-making process and for internal use only" is incorrect and indeterminate, therefore the application of these definitions means an unnecessary and ill-proportioned obstruction on the fundamental right to freedom of information. Regarding this, the Constitutional Court held that the legislator did not differentiate between the restriction on the publicity of data relating to the decision-making process before or after the decision, since the data controller only has to claim that the data relates to the decision-making process and it is only for internal use. The fact that such data came into being during the day-to-day activities of an organ performing public duties, and it is in connection with the decision-making process, is not an adequate reason to lock it away from the public.
When examining data for internal use, other subjective factors may be taken into consideration, as the data is not protected due to the contents, but due to the intention of the "creator" of such data. "On the one hand, such restriction is possible if section 19(1)-(3) of the DP&FOI Act applies; on the other hand, when access to the data would threaten the legal order of operation or the performance of the sphere of tasks and powers, without unauthorised external influence of the organ. The viewpoints of the organs and persons performing public duties may not be preferred against a fundamental right. Section 19(5) would suit to requirements of the Constitution if the legislator clearly sets the purpose of the restriction of freedom of information, adequately determines the scope of data to be locked away from the public, and restricts the recognition of data of public interest in a necessary and proportionate measure."[9] Another problem is that the restriction of the publicity set out in section 19(5) of the DP&FOI Act may be sustained for an indeterminate period of time, as its span has to be counted from the start of the data control (the storage is also considered to be data control). The Constitutional Court ruled in its Decision that the legislator did not guarantee the content revision on the restriction of freedom of information, and the possibility of the effective legal remedy. Due to the DP&FOI Act, the legal remedy refers only to formal aspects in the Act.

"The compelling reasons for limitation of publicity and/or the lack of legal redress of its revision, enable the unjustified limitation of access to data of public interest, i.e. of the constitutional right concerning publicity of data public on the grounds of public interest, depending on the discretional decision of the organ processing the data."

The amendment to the DP&FOI Act in 2005[10] was justified by the abovementioned Decision of the Constitutional Court, the abolition of the unconstitutionality being manifested in failure. At the same time it was a good opportunity to introduce precise definitions connected to processing of and access to data of public interest, as well as the rules of the powers and procedural rights of the Data Protection Commissioner.

The 2005 Amendment Act refined the definition of data of public interest. It made clear that any knowledge or recorded information – irrespective of the data carrier or of the manner in which it was processed together with the independent or collected character of the data – was to be regarded as data of public interest. The definition of data public on the grounds of public interest has also changed: it means any data, not falling within the definition of data of public interest, the making public or accessibility of which is provided for by an Act.

The right of access to data of public interest can be limited because of legal proceedings and, following the amendment of the DP&FOI Act, this limitation has now been extended to binding administrative proceedings.

Following the 2005 legislative amendment, the DP&FOI Act defines the personal data of persons exercising public duties – related to the tasks of these persons – as data public on the grounds of public interest and has made the access to it free to anyone. At the same time, in the case of public servants and civil servants, there are some data which still cannot be accessed (e.g. the public servant, civil servant register).
The explanation for this is that the "Act" in the definition of data public on the grounds of public interest does not refer to the DP&FOI Act, and neither the Act on Public Servants, nor the Act on Civil Servants provide for the publicity of or access to these data.

The 2005 Act amending the DP&FOI Act gave a content definition to the scope of data which fall under the automatic limitation of publicity. The access to data which have been prepared before the decision-making by an organ or person exercising public functions in its/his scope of duties and powers as well as the data "establishing the decision", can be limited for ten years. The notion "establishing the decision" refers to the aims of the preparation or the recording of data, therefore its applicability does not depend on the fact whether there has actually been a decision made or not on the basis of data establishing it. Following the decision-making, the request to access can only be refused by the head of the organ according to the Act, if he can prove that the access to data would endanger the lawful functioning of the organ or the conduct of the scope of duties and powers of the organ, free from any external unauthorised influence.

According to the amended DP&FOI Act, everyone may request access to data of public interest in any form (orally, in writing or electronically). The access to data of public interest published electronically cannot be bound to registration; personal data can only be processed to the extent which is indispensable from a technical point of view. In the case of a request on the basis of the purpose-bound nature of data processing, only those personal data can be processed which are necessary to the paying of the costs and the fulfilment of the request.

The amended DP&FOI Act further elaborated the powers of the Data Protection Commissioner. On the basis of the DP&FOI Act, the Commissioner represents the Republic of Hungary in the joint supervisory bodies of the European Union.
The amendment of the DP&FOI Act unambiguously clarified the procedural question not then settled: as a result, the Data Protection Commissioner makes a decision after his investigation concerning unlawfully-processed personal data, the judicial review of which can be initiated according to the rules on administrative proceedings in the Code on Civil Procedure.

In 2005 with the legal regulation of electronic freedom of information¹¹, citizens can more easily and more efficiently access data of public interest. The Act on Electronic Freedom of Information provides for the obligation of electronic publishing of data of public interest and data public on grounds of public interests and its content, makes the legislative procedure more open with the help of the Internet, ensures access to the digital version of legal rules, and
enables access to the anonymised decisions of the Supreme Court and the Courts of Appeal.

The provisions of the Act on Electronic Freedom of Information will take effect gradually so as to give enough preparation time for each organ/organisation bound by the Act. It is the obligation of the organs bound by the Act to maintain a website, and to update data of public interest published there. The requirement for electronic dissemination extends to all those data which serve the entering into contact with the organs exercising public functions, the making use of their services, and the transparency of their operation/financial management. Of course, the obligation of dissemination does not exempt the organs exercising public functions from making available their specific data of public interest to the person so requesting.

The Act on Electronic Freedom of Information provides that draft legislation is to be published on the website of the relevant Ministry with information on the status of the negotiations, in order to ensure the publicity of the legislative procedure. There are species of regulative subject-matter and interests which supersede the required publicity of the legislative procedure, and here publishing can be omitted: these are listed by the Act. It cannot be expected from the citizen using Internet that he knows which Ministry is responsible for which draft legislation and therefore the database of draft legislations has to be published on the Government's website.

The third field which is regulated by the Act on Electronic Freedom of Information is the publicity of legal rules, which is realised in the sense that the authentic text of the legal rules is available on the Internet for everyone. The Act provides for the obligation of publicity on the Internet of the Hungarian Official Gazette (Magyar Közlöny) and of the Official Journals of the Ministries.
For the practical application of the published legal rules and for learning the case-law of the Supreme Court and the Courts of Appeal, the decisions on the merits of the court cases must be made available electronically (the Act exempts some decisions from the obligation of publication). The access to the published decisions cannot be limited, but the decisions published have to be anonymised in order to protect rights to informational self-determination and personality rights.

The Europol and the Schengen Conventions

The transposition and application of these two Conventions into Hungarian legislation was not without difficulties from the point of view of the establishing of an independent national supervisory authority. Because of the uncertainty of the procedural powers, conflicts of competence arose between the Europol Data Protection Supervisor and the Data Protection Commissioner during Hungary's representation in the European Union. The introduction of the legislative procedure was therefore reasonable and it shows how this problem has been settled in the end and to what extent this has resulted in the change of powers of the Data Protection Commissioner.

The Data Protection Commissioner in his 1997 Annual Report outlined three organisational solutions for the Hungarian management of the international police and law-enforcement information system regarding EU membership and with it accession to the Europol and Schengen Conventions. The task could have been fulfilled by the Data Protection Commissioner, who could have guaranteed the utmost independence.
At that time the Commissioner did not find this solution expedient because "The soft powers of the ombudsman would have to be accomplished by hard administrative powers, which in the case of a parliamentary supervisory organ is a question concerning the system and balance of branches of power and gives rise to concerns about the organisation of the State and the Constitution"[…]¹². The second solution was the establishment of a central government organ supervising administrative data processing, which would have been expensive and bureaucratic as it would have meant an organisation split on different decision-making levels, and, as a result, its operation would not have been efficient enough. The third solution was that more organs of public authority, independent from the police, would have to be established in different administrative branches and sectors.

In the 1998 Annual Report, the Commissioner urged the fulfilment of legislative tasks connected to the EU law-enforcement information system, because the Europol and Schengen Conventions require the setting-up of a national information subsystem, the data protection supervision of which has to be carried out by an independent supervisory organ. Pursuant to
the elaborated draft legislation, the supervisory organ would be under the supervision of the Government, which solution brought into question its independence to a great extent.

Act LIV of 1999 entered into force in 1999 as the result of legislative work relating to the accession to the EU law-enforcement information network¹³. The earlier draft bill (according to which the supervisory organ to be established was to have been under the supervision of the Government) had been modified in a way that the Data Protection Supervisor appointed by the Prime Minister was responsible for the data protection supervision of the data-transferring activities of Europol. The setting-up of an independent national authority had also not been realised with this legal provision because the employer's right, in connection with the public servant legal relations of the Data Protection Supervisor (with the exception of appointment and removal), was exercised by the Minister of the Interior; therefore the position had been integrated into the structure of the Ministry of the Interior. The 1999 Act addresses the most important questions connected to data protection only generally, and does not even determine the scope of data which can be processed by the international Law Enforcement Co-operation Centre ("ILECC"). The Commissioner objected to the draft legislation of the Ministry of the Interior on the functioning of the ILECC because "this organisation – according to the aim of the Act – is not an organisation entirely co-ordinating the international functioning of the police and other law-enforcement organs, but an organisation processing two definitely separated databases, which are not at all, or hardly known, today. The ILECC can only perform the exchange of information between the centres of Europol and Interpol and their national units, offices with very strict data protection control.
Any further exchange of information delegated to the ILECC conflicts with the provisions of the Act, questions the obligation of tracing and controlling the data transfers, and can make the operation of the 'independent' Data Protection Supervisor formal"¹⁴.

During the amendment of the DP&FOI Act in 2005 and in order to comply with Article 24 of the Europol Convention, section 24 of the DP&FOI Act was supplemented with the provision according to which the Data Protection Commissioner represents the Republic of Hungary in co-operation with organs and persons determined by a separate Act in the joint supervisory bodies of the European Union. This provision amended section 11(3) of Act LIV of 1999¹⁵ so that the Data Protection Commissioner now co-operates with the Data Protection Supervisor in fulfilling this representation.

The draft Decision of the Council on the establishment, operation and use of the second generation Schengen Information System ("SIS II") and the draft Regulation of the European Parliament and of the Council provides that the independent supervisory authority – appointed on the basis of article 28(1) of the 1995 Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data – supervises the lawfulness of the processing of personal data in SIS II on the territory of the Member State. The Office of the Data Protection Commissioner disposes over the organisational independence and powers which the Directive requires. The Data Protection Commissioner participated in the meetings of the joint supervisory bodies as an observer, in his capacity as the appointed supervisory authority.

Act XIV of 2006 promulgated the Europol Convention¹⁶. The Convention states that, in the field of police co-operation, particular attention is to be paid to the protection of individuals' rights especially to the protection of personal data.
Section 14 of the 2006 Act repeals sections 11-15 of Act LIV of 1999¹⁷, which provided for the legal status of the Data Protection Supervisor, as well as section 16 of the 1999 Act which states that the Data Protection Commissioner is responsible for the tasks under Article 23 of the Convention.¹⁸ Regulation 648/2005/EC of the European Parliament and the Council provides for the application of the data protection Directive for data-processing in connection with the Community's Customs Code: therefore, in this field too, the national data protection authorities exercise supervisory tasks.

The powers of the Ombudsman

Looking at the development of the DP&FOI Act, it is notable that the "soft" Ombudsman powers and role without binding effect have changed to a considerable extent during the last 11 years. Today the Commissioner can order the blocking, suspension and deletion of data, i.e.,
he disposes over decisive authoritative powers. The analysis thereof, to what an extent the Data Protection Commissioner and his Office fits into the institution of the ombudsman with these new powers, as a result of the significant amendments of the Act, could be the subject matter of a specific essay. Experts of informational fundamental rights share different views on this solution. Time has passed by and the experience gained since the amendment of the DP&FOI Act has been too short to declare unambiguously whether the change has taken us into a good or bad direction.

One can however state that, despite the existence of strong powers, the Office of the Data Protection Commissioner does not function as an "authority," and even the Commissioner is very cautious about using his powers in this matter. Following the legislative procedure, it is clear that the initiative to establish the independent national supervisory authority outside the Ombudsman institution failed. The reasons for this are very complex and the analysis of them cannot be accomplished in this essay. The Annual Reports of the Commissioner also reveal that, with the development of the information society, ever more significant data concentration efforts appear both on the side of the State and of the private sector and the fight against these has not always been successful. One also has to mention that the amendments to the DP&FOI Act were closely connected to EU accession, to the harmonisation of the national legislation with the acquis of the European Union: therefore these changes were not mere considerations, their implementation was obligatory. The Data Protection Commissioner and his supervisory tasks and powers and their transposition into Hungarian legislation are not unfamiliar to the solutions applied in the other Member States of the European Union.
1 Annual Report of the Parliamentary Commissioner for Data Protection and Freedom of Information 2001, page 153.
2 2099/2002. (III.29.) government resolution
3 Annual Report of the Parliamentary Commissioner for Data Protection and Freedom of Information 2002, page 128.
4 Act XLVIII of 2003 on the Amendments to Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Information of Public Interest (the "amended DP&FOI Act").
5 Act XXIV of 2003 on the Amendment of Specific Acts related to the Publicity, Transparency and Control of the Appropriation of Public Funds and the Use of Public Property.
6 After the adoption of the "Glass-pocket Programme," the Government adopted Government Decree 95/2003 (VII.15) Korm. on the Amendment of Government Decree 217/1998 (XII.30) Korm. on the Functioning of Government, together with Government Decision 1096/2003 (VII. 15) on the Tasks serving the Modernisation of the Government's System of Information and Functions deriving from the "Glass-pockets" Programme in the Application of Public Funds, as well as on the Publicity of the Application of Public Property, on its Clarification, and on the Extension of the Scope of Supervision/Controls/Checks.
7 Act LIII of 2003 on Amendments to Act LXV of 1995 on State and Official Secrets ("the amended Secrets Act").
8 Annual Report of the Parliamentary Commissioner for Data Protection and Freedom of Information 2003, Budapest, at page 165.
9 Decision 12/2004 (IV.7) AB.
10 Act XIX of 2005 on the Amendment to Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Information of Public Interest.
11 Act XC of 2005 on Electronic Freedom of Information.
12 Annual Report of the Data Protection Commissioner 1997, Budapest, at page 33.
13 Act LIV of 1999 on Co-operation and Exchange of Information in the Framework of the European Union law-enforcement information network and of the International Criminal Police Organisation.
14 Annual Report of the Parliamentary Commissioner for Data Protection and Freedom of Information 1999, Budapest, at page 158.
15 On Co-operation and Exchange of Information in the Framework of the Law-enforcement Information Network of the European Union and the International Criminal Police Organisation.
16 On the Promulgation of the Convention based on Article K.3 of the Treaty on European Union on the establishment of a European Police Office (Europol Convention) and its Protocols and on the Amendment to Act XXXIV of 1994 on the Police.
17 On Co-operation and Exchange of Information in the Framework of the Law-enforcement Information Network of the European Union and the International Criminal Police Organisation.
18 Article 23 of the Convention states: "Each Member State shall designate a national supervisory body, the task of which shall be to monitor independently, the permissibility of the input, the retrieval and any communication to Europol of personal data by the Member State concerned and to examine whether this violates the rights of the data subject."
Summary
The article examines the circumstances that led to the evolution in the settlement of issues concerning data protection, and the circumstances of the formation of the Ombudsman's Office. The Constitution enacted after the change of regime in 1989 guaranteed the right to protection of personal data and freedom of information as a constitutional right. After that, three years were to pass before the relevant statute was enacted and three further years before the Parliamentary Commissioners who were to supervise the enforcement of this constitutional right would be confirmed in their positions. Although the process for preparation of the Act started in the mid-1980s, it was only promulgated in 1992, after which the Parliamentary Commission commenced its duties.

Key words: data protection, law right to disclosure of information, codification of work, ratifying, Convention, directive, integration criteria, ombudsman, data controller.

Received 1.03.2010