1468559738172
Data Privacy & Security

Hungary introduces new surveillance and encryption regulations affecting online communications


As of 17 July 2016, new surveillance and encryption rules embedded in Hungary's E-Commerce Act will start to apply. The legislative amendments introduce intrusive surveillance rights for Hungarian authorities in relation to online communications.

With an unusually broad extraterritorial scope, the new rules will apply to companies that make available to Hungarian private and business users any online or other electronic communication channels, regardless of whether such company is domiciled in Hungary. Companies providing web or mobile based audio or video communications, e-mail, instant messaging or social media services will likely be most affected by the new rules.

Companies subject to the new rules will be required to retain certain metadata (such as user IDs, times of registration and access, and IP addresses) for one year and disclose such data in response to targeted data / surveillance requests from Hungarian authorities. The retention and disclosure obligations apply regardless of product features. Consequently, companies might be required to change product features in order to get access to their users' metadata. It seems that metadata can't be end-to-end encrypted anymore.

That said, companies will be able to choose whether or not they encrypt end-to-end the actual content of communications and influence their disclosure obligations by doing so. Online communications companies whose service is deemed non end-to-end encrypted for purposes of the new legislation can be requested to monitor specific users' full text, audio or video communications content and to disclose it to the authorities. By way of contrast, companies that encrypt end-to-end the actual content of communications will only be required to disclose the metadata mentioned above.

Companies failing to follow the new rules face a new regulatory enforcement procedure and fines of up to HUF 10 million (approximately US$35.000) per offence. That said, it is yet unclear how exactly the new surveillance and data retention rules will be enforced. Detailed rules for cooperating with the authorities during any enforcement action are yet to be introduced by a government decree expected to be passed in the near future.

We strongly recommend that companies providing online communications services to Hungarian users monitor the legislation and assess how they will likely be affected.

Contributor: Jozsef Antal