The Hungarian Parliament is set to amend several acts in order to enhance the effectiveness of the state in combatting terrorism.
Previous versions of this bill would have banned end-to-end encryption and imposed criminal sanctions on its users and providers. While the current version is much more moderate, there are several provisions that would impose disproportionate restrictions on fundamental rights.
The Hungarian Civil Liberties Union has made an assessment of the anti-terrorism legislative package submitted to the Parliament and shared its comments on important points.
Bill No T/10307
1. 1994 Police Act
Article 3 (of the bill): Authorization to install indoor and outdoor CCTV equipment at places that are critically important for the operation of the state, operated by the police, or identified by the government in order to secure institutions and public events.
HCLU comment: The authorization is too broad and vague. Such regulations should be stipulated only at the level of a parliamentary act.
Article 5: Storing and sharing of personal information for 30 days collected on a mandatory basis at the entry and exit points of places that are critically important for the operation of the state, operated by the police, or identified by the government in order to secure institutions and public events.
HCLU comment: The authorization is too broad and vague. Such regulations should be stipulated only at the level of a parliamentary act.
2. 1995 Act on National Intelligence Agencies
Article 22: Authorization for the national intelligence agencies to request data that is necessary to fulfill the duties of the intelligence agency from any kind of data management system, and to look into systems and records. The requested data has to be forwarded electronically to the requesting intelligence agency via a secured electronic system, which is to be installed within six months after receiving the request.
HCLU: The continuous electronic connection makes outside control over data sharing impossible. The roles of the national intelligence agencies are regulated too broadly; in connection with secret information gathering and data sharing, narrower and more precise regulations would be necessary.
Article 26: In order to fulfill a concrete task, intelligence agencies can connect their data management systems to each other and to other state controlled data management systems (except TIBEK). After having completed the concrete task, the connection between the different agencies must be terminated and the data generated as a result of the connection must be destroyed (except data necessary to fulfill the duties of the intelligence agencies). TIBEK can establish unlimited connections between its data management system and that of the other intelligence agencies.
HCLU: The roles of the national intelligence agencies are regulated too broadly; in connection with secret information gathering and data sharing, narrower and more precise regulations would be necessary.
Article 27: Detailed regulations on the data management requirements and practices of TIBEK. Authorization for TIBEK to access, store (for five years) and manage passengers’ data electronically in order to assist in the investigation of terrorist acts, organized crimes and crimes connected to illegal migration and to prevent illegal migration. TIBEK informs the relevant investigative authorities or other state bodies of the findings of the passenger records’ analysis in case of suspicion of crime committed or planned by criminal groups, as well as in case of the potential risk of illegal migration. TIBEK can exchange passengers’ data with other EU Member States or international organizations established by the EU, as well as with third countries (non-EU) for the purpose of national security and crime investigation.
HCLU finds that effective data protection guarantees are missing.
3. 2001 Act on Online Trade Services and Services Connected to the Information Society
Article 44: Service providers offering encrypted information exchange applications are required to provide access to the content of encrypted information generated by their clients for authorized intelligence agencies, if the communication is not end-to-end encrypted.
HCLU points out that under current regulations intelligence agencies can request such access without authorization from a judge, based only on ministerial authorization.
Article 46: Encrypted communication service providers are obligated to retain the encrypted messages and metadata of their clients for one year. Upon request from authorized intelligence agencies, the encrypted communication service providers are obligated to provide the client’s IP address, port identifying information, user name, and the start and end date/time of the service period.
HCLU finds that this provision lacks sufficient data protection guarantees.
4. 2011 Act on Disaster Management
Article 59: In case of a high terror alert situation, the minister of interior is authorized to issue decrees in which he can limit or ban the visitation of public places or the organization of public gatherings, except political demonstrations.
HCLU says that this enables the Government to arbitrarily restrict freedom.
5. 2013 Act on Certain Punishments and Pretrial Detention
Article 69: In the case of a designated high terror alert situation in penitentiary institutions, the national commander of prisons has the authority to curtail the rights of inmates.
HCLU claims that as the provision fails to specify what kind of rights can be curtailed and under what conditions, it is in violation of the constitution.