Since there’s currently a lot of discussion at key levels within the EU about the future of data protection, you could be forgiven for assuming that any current amendments to the data protection laws
Since there’s currently a lot of discussion at key levels within the EU about the future of data protection, you could be forgiven for assuming that any current amendments to the data protection laws of member states will embrace some of the main progressive themes up for debate. And, to a certain extent, the new Hungarian Data Protection Act 2011 has lived up to this expectation. The new law brings in a stronger Data Protection Authority with powers (currently lacking) to impose fines and conduct audits of data controllers. Additionally, the new Act plugs a gaping hole in the current Act by including the legitimate interest ground as an additional legal basis.
However, all is not entirely what it seems. For one thing, initial indications are that the drafting around the legitimate interest condition actually requires a higher test than set out in the Directive. The data controller must be able to demonstrate that obtaining consent from individuals is impossible or disproportionally expensive before he can rely on the legitimate interest condition.
Additionally, legislators have not used this opportunity to remove the existing prohibition in the Act against the sub-processing of processing operations by data processors. A prohibition which clearly makes no sense in view of the blessing sub-processing by data processors has received from the EU Commission in its Decision 2010/87/EU on standard contractual clauses.
But perhaps of most concern is the omission of binding corporate rules and ad hoc contractual clauses for international data transfers as legitimate grounds under the new Act. It seems peculiarly short sighted of Hungarian legislators to omit these grounds and thus impliedly force data controllers to fall back on explicit consent, an adequacy decision by the EU or standard contractual clauses in order to legitimise international data transfers. It is also completely out of step with the discussions elsewhere in the EU about reforming the data protection framework around international transfers.
Finally, the other significant backward step concerns the new bureaucracy around the data protection register. Certain entities – financial institutions, public utility companies and telecom service providers – will be required to obtain prior authorisation from the Data Protection Authority (by 30 June 2012) in order to process personal data. Moreover, a fee is now charged for registrations and registrations must include a description of data processing applications. These further rules will require data controllers to review and amend existing filings by 8 January 2012.
An overview of the main points from the new Act is set out below:-
* New Data Protection Authority to be responsible for enforcement of data protection and freedom of information laws in Hungary and to be granted new powers to fine and conduct audits.
* New legal bases for processing data through the introduction of (i) the legitimate interest ground and (ii) where compliance with a legal obligation is necessary.
* The prohibition on sub-processing activity by processors remains.
* New rules on data security requirements are set out including the need to control and record data transfers as well as implement disaster recovery planning.
* Binding Corporate Rules and ad hoc contractual clauses are omitted from the grounds available to make international data transfers.
* New filing rules which require (i) authorisation from the Data Protection Authority in some instances for data controllers registering on the data protection register, (ii) the payment of fees and (iii) more detailed registrations.
However, all is not entirely what it seems. For one thing, initial indications are that the drafting around the legitimate interest condition actually requires a higher test than set out in the Directive. The data controller must be able to demonstrate that obtaining consent from individuals is impossible or disproportionally expensive before he can rely on the legitimate interest condition.
Additionally, legislators have not used this opportunity to remove the existing prohibition in the Act against the sub-processing of processing operations by data processors. A prohibition which clearly makes no sense in view of the blessing sub-processing by data processors has received from the EU Commission in its Decision 2010/87/EU on standard contractual clauses.
But perhaps of most concern is the omission of binding corporate rules and ad hoc contractual clauses for international data transfers as legitimate grounds under the new Act. It seems peculiarly short sighted of Hungarian legislators to omit these grounds and thus impliedly force data controllers to fall back on explicit consent, an adequacy decision by the EU or standard contractual clauses in order to legitimise international data transfers. It is also completely out of step with the discussions elsewhere in the EU about reforming the data protection framework around international transfers.
Finally, the other significant backward step concerns the new bureaucracy around the data protection register. Certain entities – financial institutions, public utility companies and telecom service providers – will be required to obtain prior authorisation from the Data Protection Authority (by 30 June 2012) in order to process personal data. Moreover, a fee is now charged for registrations and registrations must include a description of data processing applications. These further rules will require data controllers to review and amend existing filings by 8 January 2012.
An overview of the main points from the new Act is set out below:-
* New Data Protection Authority to be responsible for enforcement of data protection and freedom of information laws in Hungary and to be granted new powers to fine and conduct audits.
* New legal bases for processing data through the introduction of (i) the legitimate interest ground and (ii) where compliance with a legal obligation is necessary.
* The prohibition on sub-processing activity by processors remains.
* New rules on data security requirements are set out including the need to control and record data transfers as well as implement disaster recovery planning.
* Binding Corporate Rules and ad hoc contractual clauses are omitted from the grounds available to make international data transfers.
* New filing rules which require (i) authorisation from the Data Protection Authority in some instances for data controllers registering on the data protection register, (ii) the payment of fees and (iii) more detailed registrations.