EDPB Issues Statement on Hungary’s Decree to Suspend Rights Bestowed to Data Subjects Under the GDPR

Written by: Brett Lawrence, Esq.

On May 4, 2020, Hungary issued a governmental decree suspending the rights of data subjects under Articles 15 to 22 of the General Data Protection Regulation (“GDPR”) in an attempt to contain the spread of the COVID-19 pandemic. Such articles include giving individuals, whose personal data has been collected, the right to know where their data is being transported, the right to object to the processing of their data, and the right for their data to be deleted. The decree states that these measures will cease when the country’s state of emergency is revoked.

In limited circumstances, Article 23 of the GDPR allows for European Union (“EU”) member states, such as Hungary, to limit data subject rights where “necessary and proportionate” to safeguard essential structures of a democratic society, such as important objectives of general public interest, including public health. Although Hungary’s announcement expressed that its decree was temporary, the European Data Protection Board (“EDPB”)—the EU agency in charge of overseeing the GDPR—issued a statement on June 2nd censuring Hungary’s decree and providing guidance on the application of Article 23 in the wake of the pandemic.

Even in the current pandemic, the EDPB wrote, the protection of personal data is paramount and must be upheld when enacting emergency measures. The EDPB reiterated that the GDPR remains applicable and already allows for the efficient response to the pandemic, while simultaneously protecting fundamental rights and freedoms. Critically, among other proclamations, the EDPB said that the “mere existence of a pandemic or any other emergency situation alone is not a sufficient reason to provide for any kind of restriction on the rights of data subjects.” Rather, “any restriction must clearly contribute to the safeguard of an important objective of general public interest of the EU or of a Member State.” The EDPB concluded its statement by announcing that it would issue future guidelines on the use of Article 23 in the coming months.

The EDPB’s statement came following a joint letter sent to the EDPB by the Civil Liberties Union for Europe, the Hungarian Civil Liberties Union, and Access Now criticizing the Hungarian government’s decree. The joint letter remarked Hungary’s decision was “disproportionate, unjustified, and potentially harmful to the public’s response to fight the virus” for a variety reasons, including:

• Hungary’s state of emergency is indefinite and the effect of all government decrees, including this one, are automatically extended without a sunset clause;
• The decree makes no specific reference to a GDPR provision justifying its decision;
• The decree is an executive decision and therefore not a “legislative measure” as mandated by Article 23; and
• The decree fails to provide how its effect is necessary and proportionate with respect to protecting fundamental rights and freedoms.