1 Introduction

Travelling backwards in time, we can see that Hungary has been battling with a superpower ever since the beginning of the sixteenth century. In 1526, the Turkish Empire subjugated the central part of Hungary. Since then, Hungarians have always been rebellious and have fought for their sovereignty and freedom. This is described in a well-known history book by Brian Cartledge [1]. When the Austrian Empire expelled the Turkish troops, Hungary was annexed as a new province. There were then two remarkable uprisings against the Habsburg-Austrian Empire, namely the Rákóczi Uprising between 1703 and 1711 and the revolution of 1848–1849. Both of them failed. In 1956, Hungary was among the first of the socialist countries to protest against Soviet repression.

1.1 The right to the protection of personal data and the Hungarian constitution

At the end of World War II, Hungary was occupied by the Red Army while it was still battling with the German forces. This fact substantially determined the social development of the country. The socialist constitution, Act XX of 1949, entered into force on 20th August, 1949. The publisher of the Official Gazette compiled a Special Issue on the history of the Constitution to celebrate the twentieth anniversary of the proclamation of the new Hungarian Republic in 2009 [2]. This Issue contains all amendments to the Constitution from 1949 to 2009. According to the Special Issue, the Hungarian People’s Republic from the beginning provided the workers with, among other things, the right to work, the right to free education, the right to healthcare, the right to recreation,Footnote 1 freedom of religion, the right to a nationality and the unrestricted use of the mother tongue for nationalities, and it outlawed discrimination. In Article 57, it provided the right to liberty, personal security, and respect for home and correspondence.

Hungary joined the United Nations Organisation (UNO) only in 1955, owing to the dispute between the USA and the Soviet Union over the admission of the former Axis Powers. The General Assembly of the UNO had adopted the Universal Declaration of Human Rights and, later, its legally binding counterpart, the International Covenant on Civil and Political Rights. Hungary officially acceded to the Covenant in 1974. Prior to this, the Hungarian Constitution underwent a major revision: the occurrences of the term workers in the Hungarian Constitution were systematically replaced by the term citizens. Article 54 of the amended Constitution declared that Hungary respects human rights; that human rights must be exercised in accordance with the interests of socialist society; that the exercise of rights is inseparable from the performance of duties; and that regulations on rights and duties are laid down by Hungarian laws.

The latter means that international treaties have no direct effect on Hungarian legislation. There is ‘an airlock’ between them. The task of the Hungarian Parliament and the ministries is to adapt the existing regulation suitably so as to implement international legal acts. In this way, the state administration and the courts function solely according to national laws. The doctrine of two separate legal systems (dualism) is considered valid even today [3].

The second important amendment took place in 1989, when Hungary began to establish a new pluralist democratic society and decided to accede to the European Convention on Human Rights (ECHR). Although the rights enumerated in the ECHR were inserted into the Hungarian Constitution, Hungary pondered how the insertion would affect national sovereignty with respect to the implementation of these rights. In Article 8, the Constitution declared that Hungary recognises the inviolable and inalienable fundamental rights of individuals, that the respect and protection of these rights are foremost obligations of the state, and that regulations on fundamental rights and duties can be enacted by constitutional acts. Article 8, Paragraph 2, taken from the ECHR (“there shall be no interference by the above mentioned constitutional act with the exercise of the fundamental rights except such as is necessary in the interests of national security, public safety, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”), was also inserted, but it was soon deleted, on 25th June, 1990, and has never been reinserted, because it would have contradicted the doctrine of two separate legal systems. Article 59 of the 1989 Constitution declared that in the Hungarian Republic everyone has the right to a good reputation, to respect for home and private life, and to the protection of personal data.

The Hungarian Constitutional Court was established by the 1989 amendment. Act XXXII of 1989 on the Constitutional Court regulated the election of judges, the various types of applications, the submission of applications and the decision process. This law introduced the institution of actio popularis. This meant that any citizen who felt that a law harmed the rights declared in the Constitution was allowed to submit a complaint and ask for the deletion of the given regulation. Complainants did not need to be subject to the regulation. The author (a mathematician) submitted a couple of complaints as well, related to medical privacy. Some of them successfully overturned regulations. This pioneering institution and its international counterparts were discussed in detail by Gárdos and Orosz in The Hungarian Constitutional Court in Transition – from Actio Popularis to Constitutional Complaint when the actio popularis was finally abolished in 2012 [4].

The doctrine of two separate legal systems was applied to the Constitutional Court from the beginning. Ordinary people have not been allowed to refer to international human rights treaties in their complaints, but could refer only to the Hungarian Constitution and laws. Only the Hungarian Parliament, a Parliamentary Committee, a Member of Parliament (MP), the president of Hungary, the government, a member of the government, the President of the State Audit Office of Hungary, the President of the Supreme Court, or the Chief Prosecutor were authorised to challenge a regulation before the Constitutional Court, stating that it violates an international treaty. Needless to say, they never did so.Footnote 2

In 2011, the ruling party drafted a new Fundamental Law, which entered into force on 1st January 2012 [5]. The authors of the law claimed that the text refers to the Charter of Fundamental Rights of the European Union [6], but again Hungary reserved the right to implement these rights based on conditions of propriety and sovereignty. Article I, Paragraph 3 of the Fundamental Law declares that “The rules relating to fundamental rights and obligations shall be laid down in Acts. A fundamental right may only be restricted in order to allow the exercise of another fundamental right or to protect a constitutional value, to the extent that is absolutely necessary, proportionately to the objective pursued, and respecting the essential content of such a fundamental right.”Footnote 3 Some rights mentioned in the Charter were not included in the Fundamental Law. As for medicine-related human rights, the prohibition of eugenics, of the commercialisation of human body parts and tissues, and of human cloning were included in the Fundamental Law, but the right to mental and physical integrity and the right to free and informed consent in medicine were not mentioned (cf. Article III in the Fundamental Law and Article 3 in the Charter). Article 8, paragraph 2 of the Charter [6] says that “Such [personal] data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.” This is also missing from the Fundamental Law.

Each time restrictions of fundamental rights have been introduced through laws, individuals in society have been left with no legal remedy if their rights were infringed upon, since the infringement came from the laws themselves. Moreover, they have no recourse before the Constitutional Court, because the Fundamental Law gives the Hungarian Parliament a free hand in how it implements these fundamental rights. In the case of personal data, this means that every time the Hungarian Parliament wants to create a new database containing information about people, the only action it has to take is to pass a law (or an amendment to an existing law) that restricts the right to the protection of personal data. Such a law can then designate a data controller, oblige it to collect the personal data items described in the same law, either from other data controllers or from the data subjects themselves, keep the data stored for a given period, and satisfy other data controllers’ requests according to law. From the perspective of the data subjects and the data controller, such processing is obligatory. Currently, more than 700 legal rulingsFootnote 4 in effect relate to obligatory personal data processing, many of them in healthcare, and there seem to be no obstacles to introducing more new databases. Managing such an amount of continuously changing legal text is a challenge for the ministries, which are required to schedule amendments of decrees and laws in time and always keep the regulations up to date. Citizens cannot follow what sorts of personal data relating to them are being transferred, at a given time, to which authority, and for what reason. The resulting situation resembles anarchy and chaos from a human rights perspective.

The general opinion among legal scholars, academics, faculties of law, all of the judges, the Data Protection Authority, and the Hungarian Parliament is that this kind of legislation is, to their knowledge, the best available.

2 The rise and decline of the right to protection of personal data

The preparatory work on the data protection act began in the 1980s in the Hungarian Central Statistical Office. With the permission of the President of the Cabinet, a working group consisting of legal and IT experts was set up and began to function. The group elaborated a draft bill, which was then submitted to the Hungarian Parliament in 1990 [7]. The draft was a so-called first-generation data protection law. Mayer-Schönberger [8] classified data protection regulations according to their chief characteristics. He identified four generations in the development of data protection norms. The dramatic societal changes and the enormous increase in the amount and speed of data processing required new approaches to be addressed in legislation. First-generation laws were characteristic of the 1970s. They were enacted in response to the electronic processing of personal data by government and large companies. The structure of these data protection laws was tailored to regulate the envisioned data centres. A few gigantic data banks were anticipated, and these were regulated. Data processing was always obligatory in these cases. Hungary was twenty years behind most of the western countries in the matter of computerisation, so it was natural to begin with a first-generation data protection law. When the German Constitutional Court introduced the concept of informational self-determination in 1983, it had an impact on other countries, including Hungary.Footnote 5 Because of this, in the second and later generations of data protection laws, the right to the protection of personal data was treated as a fundamental right. The best remedy was thought to be for citizens to fight for privacy themselves with the help of strong, even constitutionally protected, individual rights.

2.1 The birth of the data protection act

Perhaps the most sensitive privacy issue of the 1980s was the introduction of a unique personal identification number by Hungarian Edict X of 1986. It was natural that one legal expert from the working group should turn to the Constitutional Court and challenge the edict. He referred to the renewed Constitution of 1989, which already contained the right to the protection of personal data. The personal identifier was already widely used in Hungary: in banks, at workplaces, in public administration, and in education and health institutions. There was a real threat that the state could eventually combine these data with the help of the personal identifier. Since there were no precedents on how the right to the protection of personal data should be interpreted, the court decided to review international examples. It soon found the Decision on Census (Volkszählungsurteil) delivered by the German Constitutional Court (Bundesverfassungsgericht). The concept of informational self-determination was taken from the German decision. The Hungarian Constitutional Court stressed in decision no. 15/1991 that: “The right to the protection of personal data, known as the right to informational self-determination, as guaranteed under Article 59 of the Constitution, permits everyone the freedom to decide about the disclosure and use of their personal data to the extent that the approval of the person concerned is generally required to register and use it. In addition, Article 59 of the Constitution ensures that such person can monitor the entire route of data processing, thereby guaranteeing the right to know who used the data and when, where and for what purpose it was used. A statute could exceptionally require the compulsory supply of personal data and prescribe the manner of its use provided it complied with Article 8 of the Constitution.” The ruling was that the application of a unique personal identifier for unspecified, unforeseeable future use is unconstitutional [9].

Act LXIII of 1992 on the Protection of Personal Data and Accessibility of Data of Public Interest (the old Data Protection Act) was adopted by the Hungarian Parliament in the following year. Section 7, paragraph 2 contained the statement that the application of a general and uniform personal identifier, which can be used without restriction, is prohibited.Footnote 6 The old Data Protection Act established the office of the Data Protection Commissioner, who was one of the Parliamentary Ombudsmen. The first Commissioner took office in 1995.

After the above decision had been made, it took four years to discontinue the use of the personal identifier. In 1996, the Hungarian Parliament approved a law on new personal identifiers. It created three different identifiers, namely one for tax administration, one for social security and one for public administration. Every person received their social security (health, family support, and pension) identifier in 1996 and 1997.

Article 8, paragraph 2 of the Constitution of 1989 contained the statement that in the Hungarian Republic the rules relating to fundamental rights and obligations shall be laid down in Acts. This is why Section 3 of the old Data Protection Act stated that personal data may be processed if the person concerned agrees thereto, or if it is ordered by an act or by a local government decree on the basis of the authorization of an act, within the limits defined therein [10]. In fact, this regulatory principle is applied even today, even though social circumstances have changed a great deal. In 1992, only a few laws restricted the right to the protection of personal data, but now there are several hundred. The collection and processing of personal data under a secondary act beyond the old Data Protection Act means that the essence of the ECHR, the basic principle of non-interference with privacy rights, was removed from Hungarian legislation. The Hungarian Constitution does not contain any limitation like Article 8, Paragraph 2 of the ECHR mentioned above, which prevents the state from interfering with the exercise of fundamental rights. In fact, the state is forced by the power of the Constitution and the Data Protection Act to make laws if it wants to create a new database containing personal data. If the state so decides, people have no privacy rights before an authority. Almost any kind of personal data can be collected, including medical data, for any reason.Footnote 7 The absence of a legal remedy and the absolute vulnerability of data subjects may be considered unwanted side effects.

Comparing the Data Protection Act with the EU Data Protection Directive 95/46/EC [11], it is apparent that the Hungarian legislation does not contain points b), e) and f) of Article 7 of the Directive. In these points, the Directive allows data controllers to process personal data if processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or if processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1). The Hungarian Data Protection Act, in contrast, suggests that if personal data is required for the performance of a contract, then the data subject should give consent. In the other two cases (public task, legitimate interest) the Hungarian Parliament should pass a law. Pursuant to Article 14, point a) of the Directive [11], Member States shall grant the data subject the right, at least in the cases referred to in Article 7 (e) and (f), to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data.

This means that according to EU law, in public administration, where the processing of personal data is necessary for the performance of a public task, and where the processing of data is necessary for the purposes of the legitimate interests of the data controller or a third party, data subjects generally have the right to object, except in those cases where the national legislation provides otherwise. In Hungary, the national legislation denies data subjects the right to object. Although Article 22 of the Directive says that data subjects have the right to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question, this does not give them enough power to challenge before the court a regulation that obliges a medical service provider to transfer medical data to an authority.

In EU law, therefore, the two-thousand-year-old traditions of civil law (the right to turn to the courts, the right to appeal a verdict, the right to seek remedies when rights have been infringed or harmed, and a framework that ensures balanced relations between civil parties and good faith on the part of all parties involved in a transaction) are made properly applicable to most personal data processing cases. This is absent from the current Hungarian legislation. In Hungary, data subjects can obtain from the data controller, in advance or afterwards, explanatory information on its data protection terms and conditions and a copy of the data relating to them, and they may seek rectification of that data. However, data subjects are unable to challenge the amount of data collected, the length of the retention period, the recipients to whom the data about them is transferred, or the purpose of any such transfer. In short, data subjects cannot determine what happens with the data relating to them, but at least they can get to know whether the data relating to them has been used in some way.

The old Data Protection Act had two major amendments, in 1999 and in 2003 [7]. In 1999, the concepts of the data controller and the data processor were clarified, and the amendment regulated their responsibilities. Hungary joined the European Union on 1st May 2004. Prior to this, the Data Protection Act underwent a comprehensive amendment to ensure its compatibility with the Directive, because this was one condition of the accession treaty.Footnote 8 The amendment contained a revised list of definitions, tightened the responsibilities of data controllers and data processors, and clarified the rules on the provision of preliminary data protection information. It inserted the data subjects’ right to object whenever processing is not obligatory. Given that, apart from the case where the data subject consents to the processing, only obligatory data processing exists in Hungary, this right has little practical worth.Footnote 9 Frankly speaking, Hungarian law allows a citizen to object to the processing of some sorts of data only in specific cases (fewer than ten). In these cases,Footnote 10 data subjects may prohibit the transfer of the data relating to them to another data controller, but the other conditions remain mandatory. When the processing is based on consent, the data subject may revoke his consent, so there is no need to object. In 1998, Hungary acceded to the Council of Europe’s Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS-108) [13]. It agreed to apply the convention to paper-based registries as well. This commitment was also included in the old Data Protection Act in 2003.

2.2 The new data protection act

The Hungarian Parliament passed Act CXII of 2011 on the Right of Informational Self-Determination and Freedom of Information. The purpose of the act was to reorganise the data protection authority and dismiss the existing Commissioner.Footnote 11 The Commissioner had hindered the processing, in personally identifiable form, of completed questionnaires containing people’s opinions on current political questions.Footnote 12 The bipolar nature of the regulation (consent or law) remained the same, and Section 5 of the new Data Protection Act says: Personal data may be processed under the following circumstances: a) when the data subject has given his consent, or b) when processing is necessary as decreed by law or by a local authority based on authorization conferred by law concerning specific data defined therein for the performance of a task carried out in the public interest (hereinafter referred to as “mandatory processing”). [30]

The new Data Protection Act established a renewed authority called the Hungarian National Authority for Data Protection and Freedom of Information. Since 2012, it has had the power to fine data controllers if they violate the right to the protection of personal data laid down in the acts. The new law regulates data transfer to foreign countries, the approval of Binding Corporate Rules (BCR), data protection audits, and incident reporting. At present, local Data Protection Officers must keep records of privacy breach incidents and must inform data subjects upon request. A novelty of the act is the so-called Google Street View (GSV) amendment. Upon the intervention of the United States Government, the Hungarian Parliament partially implemented Article 7, point f) of the EU Directive, and this enabled companies like Google to process personal data for the purposes of their legitimate interest if obtaining consent is impossible or would require disproportionate effort.Footnote 13 See Section 6, paragraph 1 b) of the new Data Protection Act [30]. Without this amendment, GSV would have had to be banned.Footnote 14

The GSV amendment introduced a new type of legislation, in which the processing of personal data is permitted by Hungarian law but is not obligatory. Therefore, data subjects can turn to the court and seek legal remedies for possible violations. However, the GSV amendment is applicable only when consent cannot be obtained. In theory, this amendment could be used as a legal basis for processing medical data in the legitimate interests of a company or an institution, but only in those cases where patients are not present and obtaining their consent would be impossible or would require disproportionate effort. Such cases may occur, for example, in medical research. In regular healthcare, the Hungarian Parliament still insists on passing new laws that demand obligatory data processing, which removes the risk that someone might object and turn to the courts for a remedy.

The new Data Protection Act no longer contains the prohibition of a unique personal identifier, and the Hungarian Parliament invalidated all decisions that the Constitutional Court had made with reference to the old Constitution. In response, the Constitutional Court ruled that it would still use the old rulings to support its reasoning and adjudications in cases where the content of the fundamental right has not changed. In this way, the introduction of a unique personal identifier has been removed from the agenda. Since then, the government has decided to standardise the format of resident addresses in the population registry to ease the electronic interconnection of databases with the help of natural personal identifiers (name, place and date of birth, and resident address). The Hungarian state established a national database of facial image hash codes of all citizens and an electronic facial recognition system in order to identify any suspicious individual, which is used by the police and security services. The country created a database of all loan agreements, containing the personal data of all debtors and their total and monthly balance, and also a database of cars and their owners, to which all automotive services send data about things like major repairs, mileage, and technical compliance. What is more, telecommunication companies in Hungary keep records of all phone call metadata for seven years.

The Hungarian State Treasury is installing an online IT system that will collect all payment records from the local councils. The wages of all current public servants (860 thousand people: teachers, policemen, soldiers, fire fighters, physicians, lecturers, officers, etc.) are paid by the Treasury, so the state is well aware of the financial position of each employee.

The National Bank of Hungary bought Giro Zrt., the company that maintains the national centre for bank transfers.Footnote 15 From this it follows that the government can indirectly follow anyone’s bank payments and transactions. The Tax and Customs Administration Authority may have access to citizens’ bank accounts when making an inspection. In the case of an investigation, the police can request any sort of data from any database, in accordance with Act XIX of 1998 on the Code of Criminal Procedure. In certain cases, investigative and law enforcement entities need the approval of the investigative judge.

3 Medical privacy regulations

After World War II, the first healthcare regulation to enter into force was Act II of 1972 on Healthcare [14]. It was adopted just after the amendment of the Constitution in 1972, as mentioned in the Introduction. The main purpose of the law was to combat epidemics like polio, tuberculosis, smallpox, measles, and Sexually Transmitted Diseases (STDs). The law established a strong public health institution, and obligatory screening and vaccination programmes. The authority could officially oblige individuals to get preventive immunisation, and suspected infectious patients to appear at a compulsory medical examination. If they proved to be infectious, the authority could isolate them in closed hospital wards or place them in quarantine.

Sections 77 and 78 of this law regulated medical secrecy. Section 77 said that a medical doctor could inform only the patient, a relative of the patient, and, where necessary, a caregiver. A relative could be informed (with the exception of STDs) in those cases where the patient is a minor, is incapacitated, or is a person with limited capacity. A relative could also be informed (with the exception of STDs) in those cases where the patient is an adult and the information is necessary for his or her effective treatment. A pharmacologist or another health worker could not inform anyone about the patient’s health status. Section 78 stated that a medical doctor is exempt from the obligation of secrecy if he or she is obliged to disclose the data as required by law; in the case of medical research, publications may contain medical data so long as they do not reveal the identity of any patient.

Act II of 1972 on Healthcare did not regulate access rights to medical data for secondary (e.g. research) purposes. In practice, doctors could use data or tissue without informing research subjects or obtaining their permission. There were no ethics committees providing oversight in such matters, and consequently no ethics approval was needed. However, medical research was in its infancy, so there was no great demand for human tissue and associated medical data.

The law is said to be paternalistic because of the hierarchy between doctors and patients. In the course of the provision of care, the patient is like a child who should always obey his parents’ (the doctors’) instructions. After all, physicians are highly educated professionals who are intimately aware of what sort of treatment is best for the patient, and therefore their recommendations should not be contested. Although the law required medical professionals to inform patients verbally about their health conditions and treatment, doctors could decide on the extent of the information themselves. Consent was almost always implied and formal.Footnote 16 There were neither codified patients’ rights nor a supervisory authority to which patients could have sent complaints.

The nationwide electronic collection of medical data began in 1996, when citizens received their Social Security Identifier (SSI)Footnote 17 and the social security service started to process paper prescriptions for accounting and supervision purposes. The service transported the paper prescriptions from the pharmacies to computer centres by car, where administrators recorded the data. The Data Protection Commissioner recognised that if prescription records are keyed by SSI, then what the service does is processing of personal data, and he asked for a law to regulate this process [15].

1997 brought significant changes in health legislation. The Hungarian Parliament first established a standalone National Health Insurance Fund (OEP)Footnote 18 and the National Pension Insurance FundFootnote 19 with separate budgets. The services provided by the health insurance fund, the methods of accounting, the payment of subsidies, and the supervision methods were also regulated by law. In order to allow personal data transfer between the healthcare providers and the insurance fund, the Hungarian Parliament approved Act XLVII of 1997 on Health Data Processing and Protection. The legislative intent remained the same, i.e. physicians could waive the obligation of secrecy when the law requires them to disclose medical data. Sending health insurance accounting data (SSI, date and time, treating physician, institute, ICD-10, ICMI etc.) was the first such obligatory data transfer. Later it was followed by the establishment of national patient registries,Footnote 20 then the vaccination register, the adverse event register, disease registers,Footnote 21 and several other registers.Footnote 22 National databases store personal health data, as the records always contain the SSI (with the exception of the Tauffer Register and the Itemized Medical Database, which contain pseudonymized data) and in many cases the name, birth data, mother’s name, and resident address. Patients are never informed about the data transfer; they are not allowed to object; and they cannot challenge the regulation before the court, since the transfer of the data is a legal obligation.

The Hungarian Parliament renewed the healthcare act and adopted Act CLIV of 1997 on Healthcare. The first chapter of the law concerns patients’ privacy rights and their obligations. The principles of the new regulation originated from international ethical and legal documents. The law introduced the right to deny an intervention, right to receive a copy of medical documentation, right to leave the institution, right to have a living will, required consent to invasive interventions, and for any use of human tissue excepting the direct treatment of the patient. However, the law did not create a supervisory authority with sufficient power so it is difficult to execute these rights even today. Moreover, the law soon began to erode. This will be discussed below.

The author and other activistsFootnote 23 challenged several regulations before the Constitutional Court. Appealing to an ordinary court was useless, since from the perspective of patients all of these were legal obligations. The most important decisions are listed in Table 1. Where a decision has been uploaded to the CODICES database, this is noted in the table.Footnote 24 The last column indicates whether the given decision restricted (−) or extended (+) medical privacy in the author’s opinion; where the author could not decide, the decision is marked (?). It seems to the author that the court was progressive at the beginning and considered foreign case law, but then it abruptly changed its policy. The court began rigorously applying the doctrine of two separate legal systems and refused ab ovo to take foreign examples into account; it lost its sense of proportion, and its decisions became a matter of chance. On many occasions the court favoured loyalty to the government and did not want to intervene in the legislative process. The most sensitive cases have lain in the drawer for many years.

Table 1 Decisions by the Hungarian Constitutional Court related to medical privacy

The following examples illustrate how Hungarian medical privacy rights have been eroded bit by bit. A comprehensive surveillance system has been built that collects information about every medical care event. Act XLVII of 1997 on Health Data Processing and Protection became a means by which the state can collect all sorts of medical information about citizens without giving them any chance to oppose it. Medical secrecy has ceased to exist. The planned national EHR database will be the crowning glory of this work. It obliges all medical service providers, including private ones, to upload all relevant medical documents to a database to which, besides medical doctors, medical and several other public authorities as well as the police, secret services and courts can gain access. The necessary amendment of the law was adopted by the Hungarian Parliament at the end of 2015.

3.1 Medical privacy in Hungary

Act CLIV of 1997 on Healthcare, Section 15, paragraph 2 states that patients have the right to self-determination, which means they can freely make decisions about their medical treatment, including which interventions they consent to and which they do not. Section 20, paragraph 1 provides the right to refuse any medical intervention, except where the refusal would endanger the life or health of a third person. Despite these beautiful rights, there is a sophisticated system of obligatory medical examinations and check-ups that routinely contravene personal rights. In general, a decree of the minister responsible for health affairs instructs doctors to carry out obligatory examinations, but it is not clear what happens when patients do not cooperate.Footnote 25 When the patients are minors, the customary procedure imposes a fine on parents if they fail to appear on time at the examination or vaccination place together with the child, on the reasoning that the parents are endangering the health of their child by practising avoidance. Several cases have been reported in which a doctor, a policeman, or a school teacher applied physical force against youngsters.

When a child is born, a blood sample is taken within 72 hours and the Guthrie test is performed on it. The test checks for phenylketonuria (PKU) and three other metabolic diseases. The result can be lifesaving, since adequate treatment can begin without delay, right after the test. The Guthrie test is widely applied in the developed world. However, the scope of the test was recently extended to twenty diseases, which may be considered excessive testing. The blood samples are not destroyed, and at present the two major state-owned laboratory centresFootnote 26 hold samples taken from 2 million citizens, beginning from 1990. Since collecting the samples is obligatory, the laboratories behave as if processing the samples for research purposes were also obligatory; hence research subjects have no self-determination rights over their samples.

At the age of three, all children must go to nursery school and then to primary school, where they receive annual medical check-ups. Although the legal representatives of a child are their parents, this fact is not taken into account with respect to the obligatory medical check-ups. The general procedure is that the school paediatrician arrives, examines the children, makes notes, and leaves. The parents are not informed about the date, the purpose, or the results of the check-up. Looking into the legal details, the doctors effectively act as if they had adopted the children, giving consent to the examination themselves.Footnote 27 The school paediatrician also administers the scheduled vaccines to the children. In 2010, the minister responsible for health affairs decided to change the scope of the examination and augmented it with an evaluation of the children’s stage of sexual development on the Tanner scale. What a hernia check is for American children, the Tanner classification is for Hungarian children. In 2010 the Ombudsman of Hungary commenced an investigation because several school paediatricians had applied physical force to perform the Tanner classification and the parents had reported them to the police, suspecting the doctors of sexual harassment or even rape. The Ombudsman declared that applying physical force was unacceptable, but did not question the existence and medical necessity of the obligatory examinations [16].

In 2006, the Ministry of Health amended the decree on pre-employment and regular employment check-ups.Footnote 28 Since then all employees must undergo regular medical examinations. All employers must have a service contract with an occupational medicine clinic, and may employ only those employees who hold a valid certificate of medical fitness. The purpose of the examination is to decide the employee’s fitness for the job. The decree on the examination declares that only those tests may be applied that are absolutely necessary for the decision. The decree also requires employees to hand over copies of their recent medical documents to the physician. For a large portion of employees there are no medical preconditions for the employment, but they are still examined. In fact, the employment doctor blackmails the employeeFootnote 29 by saying that if they do not consent to the examination, they will not receive a certificate of fitness. The author challenged the decree concerning obligatory examinations made without medical indication before the Constitutional Court, referring to the new Act CLIV of 1997 on Health and the privacy rights of patients. The Constitutional Court decided that another act (Act XCIII of 1993 on Occupational Health and Safety) permits such examinations. If one is honest, one must concede that occupational medicine is a prospering business. Employment doctors specialising and practising in this context, who offer their services to employers, receive a fee for each examined patient, and it is in their interest to maintain this examination and fitness certification practice.

In Hungary, there are organised and voluntary cancer screenings. People reaching a certain age receive an invitation letter to cancer screening according to a schedule. Breast cancer, cervical cancer, and later colorectal cancer are screened in an organised manner. In addition, people may themselves visit a specialist for other types of screening, such as for prostate cancer and lung cancer. These tests are voluntary now, but the Government is always threatening people who do not attend screening with the introduction of some sort of penalty.Footnote 30 The testing centres are obliged to report patients’ attendance and results to the public health authority, which keeps records of all tests and results for each patient for thirty years. P. Hanti, a General Practitioner in Székesfehérvár, mentioned in his book [17] that he had received a Microsoft Excel spreadsheet from the public health authorityFootnote 31 containing cancer screening examinations and results identified by patient names and their SSIs. Several other GPs confirmed that they had also received a list of test results, but did not want to give their names to a complaint against the government office. Since the Data Protection Commissioner also found this data transfer unlawful, the practice has been stopped.Footnote 32 A similar case surfaced in 2004, when the National Health Insurance Fund decided to send GPs, each month, data on medicines dispensed to their patients on prescriptions written by another physician. Following a complaint submitted by a General Practitioner, the Data Protection Authority declared that such a data transfer, in the absence of legal authorisation, requires the written permission of the patient.Footnote 33

Section 19 of the new Act CLIV of 1997 on Healthcare declares that written consent is required from the patient for any types of uses of cells, tissues, organs, and body parts removed by medical intervention from that patient during his life. Destruction of samples can be done without consent. Kinga Németh mentioned in her article Transferable disease and human rights [18] that Hungarian medical laboratories are regularly using blood samples after the requested tests are performed, to estimate the empirical distribution of HIV+ persons in the population, including those patients who do not know they are infected. Here, the samples are anonymised beforehand, but patients are not informed about this practice.

The Constitutional Court ruled in 2009 that medical prescriptions must not contain the SSI identifier in the case of unsubsidised medicines.Footnote 34 The reason was that pharmacies were recording medical data from each prescription and sending the data to the National Health Insurance Fund, which stored them for 15 years. The court found that personal data on unsubsidised medicines are not necessary for the fulfilment of the insurance fund’s task. In the same year, contrary to the above decision, the minister responsible for health affairs issued an amendment to the decreeFootnote 35 that obliged vendors of prescribing software to modify their programs so that they print a barcode on each prescription encoding, among other things, the SSI, the ICD-10 code and the medicine code, without printing its numeric equivalent under the barcode. The Chief Prosecutor of Hungary later forwarded the GPs’ complaint to the Data Protection Authority. The data protection authority declined to ban the unlawful application of barcodes, stating that it caused only negligible harm to patients. So, seven years after the decision, prescriptions still contain the SSI identifiers, and pharmacists still read the barcode containing the SSI and transfer the sensitive medical data to the insurance fund. The only difference is that the fund does not store the data on unsubsidised medicines together with the SSI identifier.

3.2 Medical research

Ethical rules for medical research involving human subjects can be found in several international documents. UNESCO has a Universal Declaration on Bioethics and Human Rights,Footnote 36 and the Council for International Organisations of Medical Sciences (CIOMS) has its International Ethical Guidelines for Biomedical Research Involving Human Subjects. ProbablyFootnote 37 the World Medical Association’s (WMA) Declaration of Helsinki [19], adopted in 1964, was the first pioneering declaration on medical research ethics. Hungary joined the WMA in 1989.

The Declaration of Helsinki created ethics committees that oversee and approve the submitted research plans. It gave research subjects the right to preliminary information, right to object, right to give and revoke consent, right to minimise burdens, and so on. After the amendment of 2000, it explicitly declared that research on identifiable biological samples or data is research involving human subjects, consequently the declaration is to be applied in these cases as well. A similar regulation can be found in the Council of Europe’s Oviedo Treaty [20]. Hungary acceded to the Oviedo Treaty in 2002.

The author criticised Hungary in 2006 [21] for still not applying the Declaration of Helsinki when research is conducted without medical intervention. At that time tissues and medical data were processed without consent and without ethics committee approval. The regulation was changed in 2007: ethical approval has been required since then, but the privacy rights of subjects are explicitly denied. According to the amended law, neither preliminary information shall be provided to the data subjects, nor is their consent required. The Constitutional Court decided (case no. 129/B/2008, see Table 1) that this is appropriate, because the state may deliberately restrict privacy rights when necessary for a public task such as scientific research. Afterwards a dozen new patient registries were created by amendments to the Act on Health Data Processing and Protection.Footnote 38 Although Section 21, paragraph 1 b) of the new Data Protection Act grants the right to object [30] when the purpose of the processing is scientific research, this right is revoked by another law.

Medical research databases raise concerns even if they do not contain direct identifiers of patients such as name, mother’s name, or resident address. Sweeney demonstrated using US Census data that the majority of the population can be uniquely identified by their demographic data (birth date, ZIP code of residence, and gender) [22]. The author studied the identification risk on a research dataset obtained from the Hungarian National Population Registry [23]. The results showed that demographic data identify 78.43% of the population uniquely. If it is enough to narrow the target person down to one of two candidates, the re-identification risk is 95%.

When the possibility of re-identification from demographic data became known in the USA, the government decided to pass a federal law on medical data processing. This was HIPAA, the Health Insurance Portability and Accountability Act. The act contains the so-called privacy rule [24]. Applying this rule to a medical database almost always yields an anonymised database. The privacy rule is continuously being validated against the US Census data.

Hungary maintains the IMD (Itemised Medical Database) which was established by an amendment to the Act XLVII of 1997 on Health Data Processing and Protection and a decree of the Minister. The health insurance fund is obliged to send pseudonymised accounting data every quarter to the IMD, where the data is stored indefinitely by force of law. IMD records of medical care events contain demographic data, exact dates, doctors’ licence numbers, institutions, ICD-10 codes and medicine codes. The National Health Insurance Fund maintains the mapping table between the pseudonyms and the individuals indefinitely. Even though this database obviously contains indirectly identifiable personal data, the law says that it is anonymous and therefore data subjects have no privacy rights. The author finally decided to file a lawsuit so as to prove that IMD is a collection of personal data. The Data Processor of the IMD denied before the Szeged Court of Law and the Szeged High Court that it processes personal data.

Because the Data Protection Commissioner failed for years to act against the IMD database, several Hungarian and foreign companies involved in health informatics began to purchase pseudonymised prescription data from pharmacies and clinics openly.Footnote 39 The collected data do not include the SSI, but do include demographic information (date of birth, ZIP code of residence, gender). Although this raises serious privacy concerns, the Commissioner took no action at all and thereby painted himself into a corner. In addition, prescription data contain a number that can serve as a unique identifier of the prescriber’s family members.Footnote 40 The number of a pro familia prescription together with the date of birth can uniquely identify the spouse, the children and the parents of the doctor.
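The re-identification risk discussed in this section (demographic data uniquely identifying most of a population, and pseudonymised IMD or prescription records still carrying birth date, postcode and gender) can be measured directly. The following script is an added example, not code from the paper or any Hungarian body: on a constructed set of pseudonymised records it counts how many records are unique on the demographic triple (k = 1) and how many fall into a class of at most two (k ≤ 2), then repeats the count after generalising the attributes in the spirit of a de-identification rule such as HIPAA's. The records, the postcodes and the choice of a two-digit postcode prefix are all constructed assumptions.

```python
"""Re-identification risk from demographic quasi-identifiers (added example).

A pseudonym replaces the SSI, but birth date, postcode and gender survive in
each record. Records that share the same triple form an equivalence class;
a class of size 1 means the record is unique, so anyone holding a population
register with the same attributes can point to exactly one person.
"""
from collections import Counter
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]
QuasiId = Tuple[str, ...]

# Constructed pseudonymised records; postcodes and dates are sample values,
# not real people.
RECORDS: List[Record] = [
    {"pseudonym": "P001", "birth_date": "1975-03-14", "postcode": "6720", "gender": "F"},
    {"pseudonym": "P002", "birth_date": "1975-08-02", "postcode": "6725", "gender": "F"},
    {"pseudonym": "P003", "birth_date": "1975-01-20", "postcode": "6722", "gender": "F"},
    {"pseudonym": "P004", "birth_date": "1982-11-02", "postcode": "6725", "gender": "M"},
    {"pseudonym": "P005", "birth_date": "1982-04-19", "postcode": "6721", "gender": "M"},
    {"pseudonym": "P006", "birth_date": "1990-06-30", "postcode": "1011", "gender": "M"},
    {"pseudonym": "P007", "birth_date": "1990-06-30", "postcode": "1011", "gender": "M"},
    {"pseudonym": "P008", "birth_date": "1990-02-12", "postcode": "1015", "gender": "M"},
    {"pseudonym": "P009", "birth_date": "2001-09-17", "postcode": "6726", "gender": "F"},
    {"pseudonym": "P010", "birth_date": "1955-12-25", "postcode": "6722", "gender": "F"},
    {"pseudonym": "P011", "birth_date": "1955-12-25", "postcode": "6722", "gender": "M"},
    {"pseudonym": "P012", "birth_date": "1975-03-14", "postcode": "6720", "gender": "F"},
]


def full_qi(rec: Record) -> QuasiId:
    """Quasi-identifier as stored: exact birth date, full postcode, gender."""
    return (rec["birth_date"], rec["postcode"], rec["gender"])


def coarse_qi(rec: Record) -> QuasiId:
    """Generalised quasi-identifier: birth year, postcode prefix, gender.

    The two-digit prefix is a constructed coarsening for four-digit Hungarian
    postcodes, analogous to the three-digit ZIP prefix used in the USA.
    """
    return (rec["birth_date"][:4], rec["postcode"][:2], rec["gender"])


def class_sizes(records: List[Record], key: Callable[[Record], QuasiId]) -> Counter:
    """Size of each equivalence class (records sharing one quasi-identifier)."""
    return Counter(key(r) for r in records)


def risk_profile(records: List[Record], key: Callable[[Record], QuasiId]) -> Dict[str, float]:
    """Count records that are unique (k = 1) or in a class of at most two (k <= 2).

    The second figure corresponds to the paper's 'target chosen from two
    possible persons' case.
    """
    sizes = class_sizes(records, key)
    n = len(records)
    unique = sum(1 for r in records if sizes[key(r)] == 1)
    at_most_two = sum(1 for r in records if sizes[key(r)] <= 2)
    return {
        "n": n,
        "unique": unique,
        "at_most_two": at_most_two,
        "min_k": min(sizes.values(), default=0),
        "unique_share": unique / n if n else 0.0,
        "at_most_two_share": at_most_two / n if n else 0.0,
    }


def suppress_below_k(records: List[Record], key: Callable[[Record], QuasiId], k: int) -> List[Record]:
    """Drop records whose class is smaller than k, so that every remaining
    record hides among at least k - 1 others on the chosen quasi-identifier."""
    sizes = class_sizes(records, key)
    return [r for r in records if sizes[key(r)] >= k]


if __name__ == "__main__":
    for label, key in (("as stored", full_qi), ("generalised", coarse_qi)):
        p = risk_profile(RECORDS, key)
        print(f"{label:>11}: {p['unique']}/{p['n']} unique, "
              f"{p['at_most_two']}/{p['n']} in classes of size <= 2, min k = {p['min_k']}")
    kept = suppress_below_k(RECORDS, coarse_qi, 2)
    print(f"2-anonymous release after generalisation keeps {len(kept)}/{len(RECORDS)} records")
```

On the constructed records, generalisation alone leaves three records unique, which is why a release also has to suppress or further coarsen small classes before it can be called anonymous.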

Several bioethicists, such as Rothstein, have proposed [25] that researchers should ask for permission from patients even if they anonymise biomedical samples or data before further use. He referred to a survey in which 57% of the respondents said that researchers should be required to obtain permission, while 43% said that researchers should at least notify potential research subjects about the use of their anonymised biological samples or data.

3.3 The national EHR system

The Hungarian state has been developing a national health surveillance system since the year 2000. The general health insurance system is a good excuse to organise a nationwide data collection network that covers all in- and outpatient care data and prescription data related to patients. In 2005, the Government closed the independent network of STD clinics and merged them with the normal health service. Upon this consolidation, the National Health Insurance Fund obtained data about patients suffering from STDs. In 2006, all GPs were obliged to report all patient attendances to the National Health Insurance Fund. In both cases the Data Protection Commissioner unsuccessfully opposed the changes due to privacy concerns.

The work on the creation of the national EHR system was funded by the European Union. The money was soon used up and the system was developed, but the legal basis that describes the operation of the system in detail is still absent. An amendment was inserted into Act XLVII of 1997 on Health Data Processing and Protection at the end of 2015, but the decrees containing the detailed regulations are missing. As one might expect, the national EHR system works in an obligatory manner: the law obliges all doctors to upload medical documents, lab results, findings, referrals, and prescriptions to the central system. The right to object is denied to patients, and the data will be stored for a further five years after their death. Patients can restrict access to the documents, except where an authority (court, police, security service, public health, health insurance fund etc.) requires the data in accordance with a law, or a medical doctor requires them for an obligatory medical fitness exam, or in an emergency. The minister responsible for health affairs is authorised to create extracts from the database by decree for the purposes of medical research.

The author criticised the above plans, referring to privacy rights for example in “Privacy questions concerning the Electronic Health Cooperation Service Space in the light of the legal regulation” (in Hungarian) [26]. The Article 29 Working Party of the European Commission issued a Working document on the processing of personal data relating to health in Electronic Health Records (EHR), which was adopted on 15th February 2007 [27]. In this document, they analysed Article 8 of the EU 95/46/EC Directive that concerns special categories of personal data, and found that national EHR systems can process medical data by consent (Article 7, a)) or for the purposes of a public task (Article 7, e)). The Working document of the data protection advisory group of the European Commission excluded the application of Article 7, point c) i.e. the mandatory collection of medical data in a national EHR system.

4 Court cases concerning the regulation of privacy

Thanks to the actio popularis, several activists sent complaints to the Constitutional Court prior to 2012. The new Act CLI of 2011 on the Constitutional Court requires that the applicant personally be subject to the challenged regulation and exhaust all possible remedies before the ordinary courts. Fortunately, however, upon the constitutional complaintFootnote 41 of the author, the Court ruled in its decision No. 3110/2013 (4th June, 2013) that in the case of obligatory medical data processing everybody is a potential subject of the regulation, since anyone can fall ill at any time, so this need not be proven; the court also recognised that there is no possible remedy before the ordinary courts, hence applicants may turn directly to the Constitutional Court. A drawback, at the same time, is that the court places ever more emphasis on sovereignty.

The following example demonstrates this, although it relates to another fundamental right, namely the right to peaceful assembly (Constitutional Court cases no. 13/2016 and 14/2016, 18th July 2016). Evidently, the Hungarian state has been violating the right to peaceful assembly since 1989 with a law that enabled the police to ban a demonstration if it was expected to impede traffic. This flexible rule provided ample leeway for autocratic decisions, which were routinely exploited by the ruling governments. The Constitutional Court waited for years until the ECtHR finally delivered its decision in Körtvélyessy vs. Hungary 7871/10 on 5th April, 2016, and only then decided a case that had been submitted in 2010.

The author also has a pending case from 2011 before the court challenging the Health Data Processing and Protection Act, referring to the decisions C-468/10 and C-469/10 of the Court of Justice of the EU, which applies to Hungary as well.

It is disquieting that if the Constitutional Court for some reason rejects a complaint, this gives the government an incentive to further tighten the restrictions on privacy. This happened in the case of medical scientific research, case no. 129/B/2008 (see Table 1). The court decided, contrary to internationally accepted ethical rules, that personal health data can be processed for research purposes without any restriction. There is no need to inform patients, and the data can be collected from different sources by force of law. This resulted in a boom in the number of patient registries that collect personal data by name, birth data, resident address and SSI, which must be stored, in an obligatory manner, for 50 years after the last data entry.

The new law on the Constitutional Court further narrowed the circle of officials who can turn to the court and claim that a Hungarian regulation violates an international treaty. Only a quarter of the MPs, the government, the President of the Supreme Court, the Chief Prosecutor or the Ombudsman of Hungary can submit such an application. In order to test the readiness of the Ombudsman to intervene in the interests of the people under this authorisation, the author asked him to challenge the new Data Protection Law, referring to decisions C-468/10 and C-469/10 of the CJEU. In these decisions, the CJEU obliged all member states to implement the EU 95/46/EC Directive, Article 7, point f) identically and without any restriction. The author argued that medical institutions should process medical personal data on the basis of their legitimate interests instead of the currently used legal obligation. The Ombudsman later rejected the request.

Article 35, paragraph 3 b) of the ECHR declares: The ECtHR shall declare inadmissible any individual application submitted under Article 34 if it considers that the applicant has not suffered a significant disadvantage, unless respect for human rights as defined in the Convention and the Protocols thereto requires an examination of the application on the merits and provided that no case may be rejected on this ground which has not been duly considered by a domestic tribunal. The court rejected two applications connected with Hungarian medical privacy regulations in 2012 and 2013. In the aforementioned cases, the court found that the applicant did not prove or did not suffer a significant disadvantage due to the obligatory processing of his medical data. Sometimes it is very hard to express, qualify and evaluate the disadvantages when personal data is processed.

In the USA, the Electronic Privacy Information Centre (EPIC), a public interest research centre on privacy in Washington DC, is taking part in the litigation procedure (Spokeo Inc. vs. Robins) before the US Supreme Court. They prepared an Amici Curiae document, an expert opinion, supporting Robins’ claim. Spokeo Inc. is a consumer reporting agency and collects public data about individuals residing in the United States. If an individual visits Spokeo’s website and inputs a person’s name, Spokeo conducts a computerised search in a wide variety of databases and provides information about the subject. Spokeo performed such a search for information about Robins, and some of the information it gathered and then disseminated was incorrect. When Robins learned of these inaccuracies, he filed a complaint on his own behalf and on behalf of a class of similarly situated individuals. Robins asked for compensation, stating that he had probably suffered intangible harm in the job market due to the incorrect information when he sought a new job. The Supreme Court delivered its decision on 17th June 2016. The judgement was that Robins was entitled to receive compensation, because his complaint was sufficiently concrete and particularised [28]. Earlier, the lower-level court had failed to prove the opposite. Consequently, he may get compensation from Spokeo Inc. The decision may affect European jurisdiction, but the author would not like to make any predictions here.

The Strasbourg Court, in Copland vs. United Kingdom, 62617/00, paragraph 43 of the decision, stated that the storing of personal data relating to the private life of an individual also falls within the application of Article 8 § 1. Thus, it is irrelevant that the data held by the College were not disclosed or used against the applicant in disciplinary or other proceedings. This could be a good argument in future cases sent to the ECtHR. De Hert and Gutwirth published a comprehensive study of the decisions of the Strasbourg and Luxembourg Courts in data protection cases [29].

By way of an infringement complaint, an applicant asked the European Commission to investigate the Hungarian data protection legislation in 2012. After an exchange of correspondence, the investigation reached an impasse when the Hungarian Data Protection Authority sent a falsified English translation of the new Data Protection Act, which suggested that special categories of data are processed upon the authorisation given in Article 7 e) of the Directive, and consequently that data subjects may object and may have a remedy. This is not true. The incorrect text can still be read on the homepage of the authority. In Section 5, paragraph 2 c) the clause “a law provides for” is still missing [30]; cf. paragraph 1 b), which contains a faithful translation.

The European Commission for Democracy through Law (Venice Commission) investigated the Hungarian Data Protection Act in connection with the dismissal of the commissioner in office in September 2012. The commission published its Opinion 672/2012 together with an English translation of the new Data Protection Act. The text appearing in that document can be considered a faithful translation as regards all the legal bases for processing special categories of personal data. Article 5, paragraph 2 reads: “(2) Special data may be controlled in cases specified in Article 6 or if (…) c) it is provided for by law for purposes in the public interest in the case of data listed in Article 3, point 3. b)”.Footnote 42 Later, in 2013, the text suddenly changed and the clause “provided for by law” was removed (see Fig. 1). The author warned the authority that the text is not faithful, but they refused to correct it, saying that the text in this form is more like the Data Protection Act of the United Kingdom and that the difference is stylistically negligible (case number: NAIH-2293-2/2013/V).

Fig. 1 The English translation of the new Hungarian DPA on the homepage of the Data Protection Authority

The bodies of the European Union frequently come up against inconsistencies when member states apply the community legal acts. In order to increase the coherence among member states, the European Union in the TFEU treaty [31] established a direct connection between national courts and the CJEU. Article 267 of the treaty established the preliminary ruling procedure as follows: the Court of Justice of the European Union shall have jurisdiction to give preliminary rulings concerning: (a) the interpretation of the Treaties; (b) the validity and interpretation of acts of the institutions, bodies, offices or agencies of the Union;

Where such a question is raised before any court or tribunal of a Member State, that court or tribunal may, if it considers that a decision on the question is necessary to enable it to give judgment, request the Court to give a ruling thereon. Where any such question is raised in a case pending before a court or tribunal of a Member State against whose decisions there is no judicial remedy under national law, that court or tribunal shall bring the matter before the Court.

If either party in a civil procedure requests the court to turn to the CJEU and ask whether an EU legal act is applicable in the case at hand, then the national court must do so (if it is the court of final instance). Act CLI of 2011 on the Constitutional Court, Section 32, paragraph 2 says: Judges shall suspend judicial proceedings and initiate Constitutional Court proceedings if, in the course of the adjudication of a concrete case, they are bound to apply a legal regulation that they perceive to be contrary to an international treaty.Footnote 43

The author initiated two medical privacy civil court cases to test the above roadmap. One case was filed in 2014, the other in 2015. Both are still pending. One intermediate result might be that the Szeged High Court, instead of turning to the CJEU, ruled that Article 8, paragraph 2 of the Charter of Fundamental Rights is applicable in Hungary and the matter need not be decided by the CJEU. This paragraph is missing from the Fundamental Law (cf. Introduction). The aim of the first lawsuit is to have the court rule that indirectly identifiable data are personal data as well; in any case, this should follow from the definition of personal data. The author challenged the IMD database, stating that this “anonymous” registry contains personal data. The aim of the second lawsuit is to have the court rule that, according to the EU 95/46/EC Directive, the National Health Insurance Fund processes personal data for the purpose of fulfilling a public task (Article 7, e)), and that citizens may therefore object to disproportionate restrictions of their rights pursuant to Article 14 of the 95/46/EC Directive. The Hungarian Parliament increased the retention time of the health insurance accounting (medical) data from 5 to 10, then to 15, and later to 30 years, retrospectively. The author considers this disproportionate, autocratic and an excessive use of power.

5 The adoption of the new EU data protection regulation may open ways to legal dispute

When all the EU member states signed the Lisbon Treaty (TFEU) on 1st December 2009 [31], the Charter of Fundamental Rights became legally binding on all European institutions and governments. The Charter made the right to the protection of personal data and the right to private and family life fundamental rights across the European Union. Unfortunately, at that time no legal text regulated the right to personal data protection identically in the member states. The Court of Justice of the EU delivered decisions, one after another, that used the only available document, the 95/46/EC Directive, as a reference in the reasoning of their judgements. In the end, the Directive, or at least those parts of it that were not intended to be legally binding, became firm, legally binding community acts. This was one reason why the European Parliament decided that the new data protection regulation would be the type of community legal act that must be applied directly in all member states.

The preparatory work on the new data protection regulation began in 2009. The old 95/46/EC Directive of 1995 had become outdated for many reasons. Since 1995, many new phenomena have appeared, such as cloud services and social networks, and the amount of data accumulated in big data warehouses has grown enormously. Governments, public institutions, and companies have taken advantage of these databases, while data subjects have only been able to exercise their rights with increasing difficulty. After long discussions and compromises, the European Parliament adopted the text of the GDPR (General Data Protection Regulation) on 27th April 2016, and the Official Journal published it on 25th May 2016. The regulation has been in force since that day,Footnote 44 but member states are obliged to fully apply it only from 25th May 2018 onwards [32]. On the same day the European Parliament adopted Directive 680/2016 on the protection of natural persons with regard to the processing of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences [33]. The latter is a directive, which requires secondary legislation from member states to implement it locally. On rare occasions, medical data may be processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences. This is described in Article 10 of the 680/2016 Directive: Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be allowed only where strictly necessary, subject to appropriate safeguards for the rights and freedoms of the data subject, and only:

(a) where authorised by Union or Member State law;

(b) to protect the vital interests of the data subject or of another natural person; or

(c) where such processing relates to data which are manifestly made public by the data subject.

Going back to the GDPR, it provides several new rights to data subjects: it ensures that they can receive a copy of the personal data relating to them in a portable electronic format such as XML, and it grants the right to object and the right to be forgotten (right to oblivion). The GDPR dramatically increased the maximum fine that the Data Protection Authority (DPA) may impose. The data controller is obliged to notify the DPA, as well as the data subjects, about each data breach incident. In healthcare, all data controllers must prepare a Privacy Impact Assessment (PIA), which analyses the possible risks and dangers to the exercise of privacy rights that may occur while they process personal data. The PIA shall be approved by the DPA, and all measures shall be taken to avoid the known risks.

The GDPR states in recital (26) that pseudonymised data are considered identifiable personal data: The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. Several member states, Hungary among them, simply deny data subjects their privacy rights if the data relating to them were pseudonymised beforehand, even though the mapping table is retained, which means that individuals can potentially be traced back. This practice is outlawed by the GDPR.
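To make the point of recital (26) concrete, the following added example (not code from the paper) pseudonymises constructed patient records with a keyed hash and then shows that, as long as the controller keeps the mapping table or the key (the "additional information"), every record can still be attributed to a natural person. The names, dates and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample records of hypothetical persons (not real data).
PATIENT_RECORDS = [
    {"name": "Anna Kovács", "dob": "1971-03-04", "diagnosis": "hypertension"},
    {"name": "Béla Nagy", "dob": "1965-11-22", "diagnosis": "diabetes"},
]


def pseudonym(name: str, dob: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256) of the direct identifiers."""
    return hmac.new(key, f"{name}|{dob}".encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Strip name and date of birth, keeping a pseudonym in their place.

    Returns the pseudonymised dataset and the mapping table that the
    controller typically retains (pseudonym -> identity).
    """
    dataset, mapping = [], {}
    for rec in records:
        pid = pseudonym(rec["name"], rec["dob"], key)
        dataset.append({"pid": pid, "diagnosis": rec["diagnosis"]})
        mapping[pid] = (rec["name"], rec["dob"])
    return dataset, mapping


def reidentify(dataset, mapping):
    """Re-attach identities with the retained mapping table.

    With the table present every row is attributable, so the dataset is
    personal data in the sense of recital (26); an empty table yields nothing.
    """
    return [
        {**rec, "name": mapping[rec["pid"]][0], "dob": mapping[rec["pid"]][1]}
        for rec in dataset
        if rec["pid"] in mapping
    ]


def link_by_key(dataset, key: bytes, name: str, dob: str):
    """Even after the table is deleted, whoever holds the key can check
    whether a known person is in the dataset by recomputing the pseudonym."""
    pid = pseudonym(name, dob, key)
    return [rec for rec in dataset if rec["pid"] == pid]
```

Deleting the mapping table alone is therefore not enough to take the data out of the scope of personal data while the key survives; both must be destroyed, and even then the remaining indirect identifiers have to be assessed.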

The regulation clarified the concept of consent. Consent shall be free, informed, and specific. Whenever it has been obtained under pressure or undue influence, or cannot be freely withdrawn, it has not been given freely; consequently, in such cases consent should not be used as the basis of the data processing. Several member states, Hungary among them, improperly apply consent as the legal basis for processing personal data, for example in the employment sphere, in the healthcare sector, in the public services sector, and in the public administration sector, because here consent is given in a dependent relationship and is therefore not free.

The GDPR explicitly specifies that medical data for primary purposes (i.e. the treatment of the data subject) may be processed with the permission of the patient, and also where processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity. For secondary purposes, such as accounting for insurance bills, audit, organisation and optimisation of work, research, public health and so on, the legal basis is the public interest. This is explicitly set out in recitals 52 and 53 of the GDPR. It means that data controllers should always inform the data subject about the conditions and circumstances of each different type of processing. If the data subject finds that the data controller disproportionately restricts his or her rights, he or she may object to the processing at any time. If the objection is contested, the parties can turn to a court for a decision.

Processing medical data for the purposes of preventing transborder epidemics, and in the interests of public health and of relevant national and European statistics, may be obligatory. The meaning of public health is defined in recital 54 of the GDPR. Hungary often refers to this notion when it processes longitudinal health data that have been collected for decades, in which data subjects are identified by name, date of birth, and residential address. Csáky-Szunyogh, Vereczkey, et al., in their paper Maternal hypertension with nifedipine treatment associated with a higher risk for right-sided obstructive defects of the heart: a population-based case-control study [34], processed data found in the mandatory Hungarian Congenital Abnormality Registry. They requested additional medical information from the research subjects, but the latter was based on informed consent. A similar design was applied by Vermes, László, et al. in their research Maternal factors in the origin of isolated anorectal malformations [35]. According to recital 54, this activity cannot be considered the protection of public health. In fact, it is medical research. Public health in this context means health statistics on factors such as life expectancy, the incidence of certain diseases, environment, housing and employment, as defined in Regulation 1338/2008 of the European Parliament.

Article 17 of the GDPR regulates the right to be forgotten. There might be reasons where the request from the data subject can be denied: for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing. The author would like to remind the reader that the Declaration of Helsinki, which contains the ethical principles of medical research, was amended in 2013. From that time onwards, the ethics committees are not authorised to issue waivers that exempt researchers from obtaining consent, stating that objections are likely to render impossible or seriously impair the realisation of the objectives. This reveals the strength of the health industry lobbyists in the European Parliament; and it shows that they were able to achieve the passage of such a regulation, which is contrary to internationally accepted ethical rules.

The work of the data protection authorities is synchronised and supervised by the European Data Protection Board, which will replace the former Article 29 Working Party. The new Board issues recommendations, opinions, and guidelines for the national authorities and the European Commission. It also provides a forum for exchanging ideas and promotes cooperation between national authorities. National authorities are obliged to respond to all complaints. The statements of national authorities may be challenged before the national courts, and applicants can ask for a preliminary ruling procedure of the CJEU. The opinions of the Board may also be challenged before the CJEU. This opens up the possibility of legal disputes of a kind unprecedented in Hungarian legal history. The process of judicial remedy is described in detail in recitals 117 to 146. Articles 17, 18, and 21 state how one can exercise the right to be forgotten, the right to restriction of processing, and the right to object. Article 23 of the GDPR recognises that member states or the EU itself may restrict these rights, but restrictions must be necessary and proportionate.

6 Conclusions

Hungary has been a subordinated nation for hundreds of years. It finally achieved its independence after continuous struggle. No wonder, then, that expressions of sovereignty are reflected in the legislation. However, sovereignty itself should never be a reason for any country to consciously violate fundamental rights. The way national law regulated the implementation of these rights excluded legal remedies and disabled the checks and balances. Three decades have elapsed since the right to the protection of personal data was inserted into the Constitution in 1989, but Hungary still does not have data protection case law. The courts are uncertain how to apply even the definition of personal data, and how data subjects can exercise their right of access to data relating to them. The ruling party also consciously codified the doctrine of two separate legal systems in the Fundamental Law in 2012. Since then, the Constitutional Court has de jure lost its capacity to provide any protection against excesses of the state.

In the case of data privacy it is often hard to estimate the damage caused by the violation of one’s right to private and family life; sometimes it is simply impossible. The Strasbourg Court, for instance, seems to be ineffective in protecting the citizen’s right to medical privacy. The EU General Data Protection Regulation could eventually address the data privacy issues mentioned above with the efficacious help of the CJEU and the European Data Protection Board. Unfortunately, other medical privacy issues, such as obligatory examinations and the substantially restricted living will,Footnote 45 may remain unsolved [36]. Since Hungary excluded the case law of the ECtHR, the implementation of privacy rights has stalled at the level of the 1950s.

As personal data processing methods and techniques develop, people slowly begin to lose the thread. Ordinary people do not understand even general matters such as data flows, information processing techniques like data mining, artificial intelligence and learning algorithms, or pseudonymisation. It is simply over their heads. From this it follows that they are likely to lose interest and consent to everything without question. They will probably be unable to follow the rapid law-making process and cannot properly defend themselves. Stated briefly, many societies have not kept pace with the advanced information acquisition and processing techniques available today. These factors, coupled with the absence of checks and balances, mean that the average citizen is more vulnerable than ever before.

Hungary should completely revise the regulation concerning the right to protection of personal data. First, those cases where the purpose of personal data processing is the execution of a public task, or carrying out an activity that is in the public interest, must be identified. In such cases, the regulation must be amended in such a way that data subjects may object to the processing of personal data relating to them. This task includes amending hundreds of existing legal texts and also requires a radical change in the attitude of the Government toward personal data, otherwise there is a danger that a flood of complaints will be lodged with the Hungarian national Data Protection Authority, the EU Data Protection Board, and the CJEU.