Hungary

Overview

EU Member State: Hungary is subject to the GDPR, the Law Enforcement Directive, and the ePrivacy Directive. For the EU framework, see the EU Framework page.

Hungary deploys Pegasus spyware against investigative journalists (Direkt36), opposition politicians, lawyers, and the Bar Association president, with NAIH classifying its findings until December 31, 2050. Five security services operate under Act CXXV/1995, with TEK wielding surveillance powers so broad the ECHR found them “virtually unlimited” (Szabó and Vissy, 2016). The Sovereignty Protection Office (SPO), created by the Protection of National Sovereignty Act (2023), targets civil society and foreign-funded NGOs. NAIH independence has been questioned since a 2012 CJEU ruling that Hungary’s termination of the prior commissioner violated EU law. Article 7(1) TEU proceedings (triggered September 2018) remain ongoing. NSA CROSSHAIR partner.^[1][2]

Privacy Framework

The NAIH (led by President Attila Péterfalvi since 2012) enforces Act CXII of 2011 (Info Act, amended 2018 for GDPR). The EU Rule of Law Report 2025 (July 8) documents ongoing judicial independence failures. The Act on the Protection of National Sovereignty (2023) created the SPO with powers to investigate individuals and organisations receiving foreign funding — Constitutional Court upheld it (November 2024); CJEU referral under accelerated procedure; new draft NGO targeting law proposed May 2025.^[3][4]

Surveillance and Intelligence

Five Security Services

AH (Alkotmányvédelmi Hivatal): Domestic counterintelligence. IH (Információs Hivatal): Foreign intelligence. KNBSZ (Katonai Nemzetbiztonsági Szolgálat): Military intelligence/counterintelligence. NBSZ (Nemzetbiztonsági Szakszolgálat): Technical surveillance capabilities. TEK (Terrorelhárítási Központ): Counter-terrorism with surveillance powers the ECHR found “virtually unlimited” and subject to ministerial (not judicial) authorisation.^[5]

Pegasus Spyware (2021)

The Pegasus Project revealed Hungary purchased NSO Group’s Pegasus, deployed against investigative journalists at Direkt36, opposition politicians, lawyers, and the president of the Budapest Bar Association. The government admitted the purchase, claiming all use was lawful. NAIH classified its findings until 2050. Pegasus targets are now pursuing ECHR applications. The PEGA Committee mission to Budapest (February 2023) found systemic oversight failures.^[2][6]

Szabó and Vissy v. Hungary (ECHR, 2016)

The Court found TEK’s surveillance regime violated Article 8 ECHR: authorisation by the Justice Minister (not a judge) was insufficiently independent, and the virtually unlimited scope of secret intelligence gathering lacked adequate safeguards. Still not remedied as of early 2026.^[5]

Internet Infrastructure and Transit Exposure

BIX (Budapest Internet Exchange): Over 260 connected networks. As a landlocked country, all international traffic transits through Austria and Germany, both with intelligence infrastructure (HNA Königswarte; BND/DE-CIX cable interception). Hungarian traffic through DE-CIX Frankfurt is subject to BND bulk monitoring.^[7]

Data Retention

1-year mandatory metadata retention under Act C of 2003 (Electronic Communications Act). Five security services can access metadata with ministerial (not judicial) authorisation. The ECHR Szabó ruling found this authorisation model insufficient, but reforms have not been enacted.^[8]

International Data Sharing Agreements

Mutual Legal Assistance

EU Member States (26 countries): EU MLA Convention 2000, Schengen Convention, EIO, Prüm. Council of Europe (50 signatory states): European Convention on MLA 1959 + Protocols. US-Hungary MLAT: Signed December 1, 1994, in force March 18, 1997. Hungary also maintains bilateral MLA agreements inherited from the pre-1989 treaty network with countries including Mongolia, Bulgaria, China, Cuba, Russia, Romania, Poland, and Turkey, supplemented by newer agreements with Australia and Canada.^[9]

Intelligence Cooperation

NSA CROSSHAIR partner. NATO member since 1999. Club de Berne and Counter-Terrorism Group. Visegrad Group (V4) intelligence cooperation with Poland, Czechia, and Slovakia. During its 2024 EU Council Presidency, Hungary blocked Chat Control mandatory scanning proposals.^[10]

EU and Multilateral Frameworks

SIS II, EIO, Prüm, Europol/Eurojust. EU-US Umbrella Agreement, SWIFT/TFTP, PNR. Interpol I-24/7. Egmont Group.

The Privacy Backdoor Effect

Despite formal GDPR compliance, systemic alternative access exists:

• Pegasus: Government-deployed spyware against journalists and opposition, findings classified until 2050
• TEK: “Virtually unlimited” surveillance with ministerial authorisation, ECHR violation unremedied
• Sovereignty Protection Office: Investigates foreign-funded civil society outside GDPR oversight
• NSA CROSSHAIR: Bilateral SIGINT partnership
• EU Framework: Hungarian data in SIS II, Prüm, EIO accessible to 27 EU states
• Article 7: Ongoing proceedings confirm systemic rule-of-law concerns affecting enforcement credibility

Recent Developments

Sovereignty Protection Office Constitutional Challenge: Constitutional Court upheld SPO Act (November 2024). CJEU referral under accelerated procedure. New draft NGO targeting law proposed May 2025.^[4]

EU Rule of Law Report 2025 (July 8): Documents ongoing judicial independence failures and systemic concerns.^[3]

European Parliament Rule-of-Law Alarm (November 2025): Deepened concerns over democratic backsliding and surveillance abuse.^[3]

Chat Control Blocked (2024): Hungary blocked mandatory scanning as Council president, contributing to failure to reach qualified majority.^[10]

Pegasus ECHR Applications: Targets now pursuing Strasbourg applications. PEGA Committee found Hungary failed to conduct adequate investigation.^[6]

Sources