EU data watchdog ‘very worried’ by Hungary’s GDPR suspension

The Chair of the European Data Protection Board (edpb), Andrea Jelinek, speaks at a news conference on the entry into application of the General Data Protection Regulation (GDRP) at the Press Club in Brussels, Belgium, 25 May 2018. [EPA-EFE/STEPHANIE LECOCQ]

The European Data Protection Board, the EU’s umbrella organisation overseeing the application of EU data protection rules across the bloc, has voiced its concern over the suspension of EU data protection rights in Hungary.

In early May, the Hungarian government put forward plans to suspend obligations to a number of protections outlined in the General Data Protection Regulation (GDPR), as part its new emergency powers passed as a result of the coronavirus outbreak in the country.

Speaking to reporters on publication of the EDPB’s 2019 annual report on Monday (18 May), Chair Andrea Jelinek noted her concern at the recent move by the Hungarian authorities.

“I am personally very worried at the suspension of several articles of the GDPR by the Hungarian government,” Jelinek said, adding that suspending EU data protection law amid the current public health crisis is “not recommended” by the EDPB.

Specifically, the Hungarian government is seeking to put on hold a series of rights outlined in the GDPR, including rights to access and erasure of personal information.

There has also been a relaxation on the obligation of authorities to notify individuals when personal data is being collected, for the cause of coronavirus case prevention.

In addition, citizens who raise a complaint or seek a judicial remedy will have to wait until the end of the state of emergency period is over, before they can begin proceedings.

Responding to a question from EURACTIV on Monday, Jelinek also said that the Hungarian supervisory authority has informed the EDPB of the measures taken as part of the GDPR suspension, but that the board “considers further explanation necessary” on the “necessity and proportionality” of the new measures.

Jelinek added that the EDPB is currently in the process of developing further guidance on Article 23 of the GDPR, which allows for member states to introduce certain derogations to data protection law under circumstances.

The GDPR suspensions are one of the decrees passed by Viktor Orbán’s government since the Hungarian Parliament approved new emergency powers for the government on March 30, amid the coronavirus crisis in the country.

The new emergency powers allow the ruling Fidesz party the right to rule by decree, without a set time limit, for as long as the state of emergency is in effect – a timeline decided by the government.

Additional measures included as a result of the state of emergency see up to five years of imprisonment for those accused of spreading misinformation, as well as up to eight years for those found to be breaching the quarantine measures introduced as a means to stem the coronavirus outbreak in Hungary.

By-elections and referenda have also been put on hold for as long as the state of emergency is in play.

Commission Vice-President for Values and Transparency Vera Jourová told reporters last week that the executive is monitoring the situation in Hungary and that daily reports are coming in from Budapest in relation to the detention of individuals accused of spreading fake news.

“On a daily basis we are assessing whether we can take legal action,” said the Commissioner, who added that the Commission had decided not to open infringement procedure yet.

More broadly, as part of the 2019 annual report published on Monday, the organisation highlighted the importance of bolstering the EU’s data protection clout by sufficient resource allocation.

Jelinek told reporters on Monday that national data protection authorities across the EU “must be funded appropriately,” following a survey conducted by the board which found that most supervisory authorities “stated that resources made available to them are insufficient.”

In this vein, a recent report from the web browser Brave suggests that data regulators across the bloc are woefully understaffed with insufficient resources.

Of particular note in this context is the UK’s ICO, which, according to the study, only allocates 3% of its staff to ‘tech privacy problems,’ while the Irish Data Protection Commission, the lead authority for giants such as Google and Facebook in Europe, faces decelerating budgets and staff numbers.

Despite this, Jelinek praised 2019 as a proactive year for data protection on the bloc, and said that now would be “premature to revise the GDPR.”

On the whole, the 2019 annual report finds that in 2019, 807 breaches of the EU’s general data protection regulation were filed in the bloc’s internal market information system, used for information exchange between supervisory authorities, and use of GDPR’s ‘one-stop-shop’ mechanism used for filing cross-border cases gave rise to 79 final decisions.

[Edited by Zoran Radosavljevic]

Subscribe to our newsletters