Hungary

Hungary is a member of the European Union and is therefore subject to the General Data Protection Regulation (GDPR), the Law Enforcement Directive, the ePrivacy Directive, and other EU-level data protection instruments. For a detailed treatment of the EU framework, see the EU Framework page. This page covers Hungary’s national implementing legislation, domestic enforcement record, intelligence and surveillance laws, and international data sharing agreements.

Overview

Hungary’s privacy landscape is defined by a fundamental contradiction: formal EU data protection compliance layered over an Orbán-era surveillance apparatus that the European Court of Human Rights has found lacks independent oversight. Act CXII of 2011 on the Right of Informational Self-Determination and on the Freedom of Information, amended by Act XXXVIII of 2018 for GDPR implementation, is enforced by the Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) — the National Authority for Data Protection and Freedom of Information. NAIH’s independence has been questioned since 2012, when the CJEU ruled that Hungary’s abrupt termination of the previous data protection commissioner’s term violated EU law. President Attila Péterfalvi has led NAIH since its creation in 2012.^[1][2]

On the surveillance side, Hungary operates five national security services under Act CXXV of 1995, with the NBSZ (Nemzetbiztonsági Szakszolgálat) providing technical surveillance capabilities and the TEK (Terrorelhárítási Központ) wielding counter-terrorism surveillance powers so broad that the ECHR found in Szabó and Vissy v. Hungary (2016) they violated Article 8 ECHR. In July 2021, the Pegasus Project revealed that Hungary had purchased NSO Group’s Pegasus spyware and used it to target journalists, opposition politicians, and lawyers. The government admitted the purchase but claimed all use was lawful. NAIH investigated and classified its findings until December 31, 2050. The European Parliament triggered Article 7(1) TEU proceedings against Hungary in September 2018 over systemic rule-of-law concerns, and hearings remain ongoing.^[3][4][5]

Data Protection Authority: NAIH

The Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) is Hungary’s independent supervisory authority established under Act CXII of 2011 in accordance with GDPR Article 51. NAIH replaced the former Parliamentary Commissioner for Data Protection and Freedom of Information on January 1, 2012. Based in Budapest, NAIH handles complaints, conducts ex officio investigations, issues binding orders, and imposes administrative fines. Its jurisdiction extends to all data processing in Hungary regardless of public or private status, including law enforcement and national security sectors.^[1]

NAIH’s independence has been a persistent concern. In April 2014, the CJEU ruled in Case C-288/12 (Commission v. Hungary) that Hungary infringed the independence of its data protection authority by prematurely ending the previous commissioner’s term three years early in 2012. NAIH’s 2022 finding that all investigated Pegasus cases were lawful — with reasoning classified until 2050 — drew further criticism. A European Parliament question in 2022 directly challenged NAIH’s independence in the context of the Pegasus investigation.^[2][6]

Notable Enforcement Actions

In 2024, NAIH imposed a cumulative HUF 335M in fines across cases involving AI-based processing, data breaches, workplace surveillance, healthcare data, and public data transparency. NAIH has indicated its 2025 enforcement priorities will focus on the right to erasure in the banking sector, in coordination with the European Data Protection Board.^[10]

Key Legislation

Act CXII of 2011 on the Right of Informational Self-Determination and on the Freedom of Information (Info Act)

Hungary’s primary data protection law, enacted on July 26, 2011 and effective January 1, 2012. The Info Act established NAIH, defined fundamental data processing principles, and regulated both personal data protection and freedom of information. It was substantially amended by Act XXXVIII of 2018 for GDPR implementation, supplementing the GDPR with national provisions on procedural rules, public sector processing, and freedom of information matters not covered by the GDPR. The Info Act applies to all data processing in Hungary regardless of the controller’s public or private status.^[1]

Act CXXV of 1995 on National Security Services (Nbtv.)

The statutory basis for Hungary’s five national security services, amended 26 times since enactment. The Nbtv. authorizes both externally authorized surveillance (requiring approval from a designated judge or the Minister of Justice) and non-externally authorized surveillance. A 2020 amendment granted the NBSZ access to telecommunications metadata without external authorization. The ECHR found in Szabó and Vissy (2016) that the law’s surveillance provisions violated Article 8, yet more than eight years later Hungary has not brought domestic legislation into compliance with the ruling.^[3][11]

Act C of 2003 on Electronic Communications (Eht.)

Hungary’s telecommunications regulatory framework, governing lawful interception obligations, data retention requirements, and service provider duties. Amended in July 2020 to implement the European Electronic Communications Code. The Act requires service providers to retain traffic and location data for six months and mandates technical capabilities for lawful interception. The National Media and Infocommunications Authority (NMHH) serves as the sector regulator.^[12]

Act LXXXVIII of 2023 on the Protection of National Sovereignty

Enacted in December 2023, this law established the Sovereignty Protection Office (SPO) with powers to investigate organizations receiving foreign funding, demand documents and data from civil society groups and media organizations, and request assistance from Hungary’s secret services. The European Commission initiated infringement proceedings in October 2024, arguing the law violates privacy and data protection rights, freedom of expression and association, and the right to a fair trial. The Venice Commission issued a critical opinion, and the European Parliament formally condemned the Act in April 2024.^[13][14]

Surveillance and Intelligence

Intelligence Agencies

Hungary operates five national security services under Act CXXV of 1995:

• NBSZ (Nemzetbiztonsági Szakszolgálat) — Special Service for National Security. Provides technical surveillance capabilities to all other services, including telephone and computer monitoring, interception, and the operational deployment of Pegasus spyware. Under the Ministry of Interior.^[15]
• AH (Alkotmányvédelmi Hivatal) — Constitution Protection Office. Hungary’s domestic intelligence agency responsible for counterintelligence, anticorruption, economic security, and threats to the constitutional order. Active since 2010.^[16]
• IH (Információs Hivatal) — Information Office. Hungary’s civilian foreign intelligence service, tasked with gathering and analyzing national security information of foreign origin. Recently implicated in allegations of spying on EU institutions and officials.^[17]
• KNBSZ (Katonai Nemzetbiztonsági Szolgálat) — Military National Security Service. Formed January 1, 2012 by merging the former Military Intelligence Office and Military Security Office. Performs military intelligence, counter-espionage, and counter-terrorism under the Ministry of Defence.^[18]
• TEK (Terrorelhárítási Központ) — Counter Terrorism Centre. Under the Ministry of Interior with virtually unlimited surveillance powers. A 2011 amendment to the Police Law granted TEK the right to surveil individuals without demonstrating they were engaged in terrorist or national-security-threatening activity. The ECHR condemned these powers in Szabó and Vissy v. Hungary (2016).^[19]

Parliamentary oversight is exercised by the National Security Committee. The Minister of Justice authorizes secret surveillance operations, rather than an independent judicial authority — a structural deficiency identified by the ECHR. NAIH and the Commissioner for Fundamental Rights also have supervisory roles.^[11]

Pegasus Spyware Scandal (2021)

On July 18, 2021, the Pegasus Project — a collaboration of 80+ journalists from 17 media organizations coordinated by Forbidden Stories — revealed that Hungary had deployed NSO Group’s Pegasus spyware against domestic targets. Forensic analysis by Citizen Lab (University of Toronto) and Amnesty International’s Security Lab confirmed infections on the phones of at least two Direkt36 investigative journalists, Szabolcs Panyi and András Szabó. Additional targets included opposition politicians, János Bánáti (president of the Hungarian Bar Association) and nine other lawyers, media company owners, former government officials, top national security officers, and even President János Áder’s bodyguards.^[4][20]

The Hungarian government admitted purchasing Pegasus and claimed all use was lawful. NAIH President Péterfalvi investigated approximately 100 surveillance permits issued by the Ministry of Justice and declared every case “legitimate and justified.” However, the investigation’s reasoning was classified as a national security secret until December 31, 2050. In October 2022, the ECHR ruled in a related case that Hungary lacks independent external oversight of surveillance, and that NAIH was not fit for this oversight purpose. The European Parliament’s PEGA Committee conducted a mission to Budapest in February 2023.^[6][21]

Szabó and Vissy v. Hungary (ECHR, 2016)

On January 12, 2016, the ECHR ruled that Hungary’s anti-terrorism surveillance legislation violated Article 8 ECHR on four grounds: the scope of surveillance “could include virtually anyone”; authorization was carried out by the executive branch without judicial assessment of strict necessity; the government intercepted masses of data on persons outside the original scope; and there was no effective ex post facto judicial supervision. The judgment became final on June 6, 2016 after Hungary’s appeal was rejected. As of late 2024, Hungary had not amended its domestic legislation to comply with the ruling.^[3]

Internet Infrastructure and Transit Exposure

Budapest Internet Exchange (BIX)

The Budapest Internet Exchange (BIX) is Hungary’s primary internet exchange point, established in 1995 by the Council of Hungarian Internet Providers (ISZT). BIX is a carrier-neutral, non-profit exchange operating three points of presence in Budapest and one in Vienna, interconnected through a redundant optical backbone using 400G and nx100G bandwidths. BIX has approximately 138 member networks and a total switching capacity of approximately 7.3 Tbps.^[22]

Transit Exposure

As a landlocked country, Hungary has no submarine cable landings. All international internet traffic must transit through neighboring states. Hungarian traffic flows primarily westward through Austria to DE-CIX Frankfurt and other major European exchange points, with Magyar Telekom’s international infrastructure routing through Vienna, Frankfurt, and other Central European hubs. BIX’s Vienna point of presence reflects this westward transit dependency. Hungary also has fiber connectivity to Romania, Serbia, Slovakia, and Ukraine, though these routes carry less international traffic volume.^[22][23]

This transit structure creates surveillance exposure. Hungarian internet traffic passing through DE-CIX Frankfurt is subject to BND cable interception, while traffic transiting Austria may be accessible to the DSN. Hungary’s domestic broadband infrastructure has expanded substantially, but the country’s international connectivity remains dependent on foreign transit infrastructure.^[23]

Data Retention

Hungary’s Act C of 2003 on Electronic Communications requires service providers to retain telephone and internet communications traffic data for six months. Unlike Austria, which struck down its data retention law after the CJEU’s 2014 Digital Rights Ireland ruling, Hungary’s implementing legislation remains in force despite the invalidation of the EU Data Retention Directive.^[12][24]

Hungary went further after Digital Rights Ireland. The government amended the Act on Electronic Commercial Services to expand data retention obligations, introducing requirements for electronic and IT service providers — including those offering encrypted communications — to store all metadata for one year. This expansion directly contradicts the CJEU’s proportionality analysis and has been criticized by Privacy International as unlawful blanket retention.^[24]

International Data Sharing Agreements

NSA Third Party Cooperation

Hungary is classified as an NSA Third Party partner based on a formal bilateral Memorandum of Understanding. Hungary participates in the CROSSHAIR program, a worldwide network of antennas for High Frequency Direction-Finding (HFDF) implemented on October 1, 1993. Hungary is among 16 Third Party countries participating in CROSSHAIR, alongside Austria, Denmark, Israel, Italy, Japan, the Netherlands, Norway, Sweden, and others. As with all Third Party partners, Hungary can be and is targeted by NSA collection despite the cooperative relationship.^[25]

Club de Berne and Counter-Terrorism Group

Hungary is a member of the Club de Berne, the intelligence-sharing forum of EU member states’ domestic security services plus Norway and Switzerland. Hungary also participates in the Counter-Terrorism Group (CTG), the post-9/11 operational counterterrorism offshoot of the Club de Berne, which generates threat assessments and facilitates operational cooperation among EU security services.^[26]

NATO

Hungary joined NATO on March 12, 1999, gaining access to Alliance intelligence-sharing structures including the NATO Intelligence Fusion Centre and the NATO Communications and Information Agency. Hungary hosts the NATO Force Integration Unit in Székesfehérvár.

Visegrád Group (V4)

Hungary is a founding member of the Visegrád Group (V4) alongside Czechia, Poland, and Slovakia. V4 defence cooperation includes a 2014 joint strategy, the Central European Cyber Security Platform (launched 2013 with Austria), and coordination on EU security policy. V4 states share intelligence bilaterally and through EU structures, and have coordinated positions on surveillance-related EU legislation including the proposed CSA Regulation (Chat Control).^[27]

EU Law Enforcement Cooperation

Hungary participates in the Schengen Information System (SIS II), the European Investigation Order (EIO) framework, the Prüm Convention for automated DNA, fingerprint, and vehicle data exchange, and Europol/Eurojust cooperation. Hungary joined the Schengen Area in 2007.

EU Article 7 and Rule-of-Law Proceedings

On September 12, 2018, the European Parliament voted 448–197 to trigger Article 7(1) TEU proceedings against Hungary based on the Sargentini Report, citing systemic threats to EU values including judicial independence, media freedom, corruption, and surveillance. This was the first time Parliament invoked Article 7 against a member state. Council hearings remain ongoing. In September 2022, the Parliament declared Hungary could “no longer be considered a full democracy” and characterized it as a “hybrid regime of electoral autocracy.” In November 2025, Parliament sounded a further alarm over Hungary’s “deepening rule of law crisis.”^[5][28]

Hungary’s EU Council Presidency and Chat Control

During its 2024 EU Council Presidency, Hungary pushed for adoption of the proposed CSA Regulation (“Chat Control”), which would require client-side scanning of encrypted communications. Hungary scheduled multiple Council votes but was forced to cancel each one — in June and October 2024 — after failing to secure a qualified majority, with the Netherlands’ last-minute opposition providing the decisive block. Despite this, Hungary continued to seek compromise language throughout its presidency.

The Privacy Backdoor Effect

Despite NAIH GDPR enforcement and Hungary’s EU membership, extensive intelligence sharing relationships and surveillance infrastructure create pathways for accessing Hungarian person data entirely outside GDPR — while Hungarian intelligence law authorizes surveillance of foreign nationals without data protection constraints:

• NSA Third Party Cooperation: Hungary’s SIGINT relationship with the NSA (as a Third Party partner) enables bilateral intelligence sharing about Hungarian nationals outside GDPR-compatible frameworks.
• Pegasus Extraterritoriality: NSO Group’s Pegasus, purchased by Hungary, operates under Israeli export license and US foreign surveillance authorities where data transits US infrastructure — not under GDPR or Hungarian constitutional protections. The NAIH’s investigation was classified until 2050, preventing any meaningful accountability.
• Club de Berne / EU INTCEN: AH intelligence shared with EU INTCEN and 31 European services flows outside GDPR; despite EU rule-of-law proceedings against Hungary, intelligence cooperation continues at the technical level.
• V4 Intelligence Cooperation: Visegrad Group security cooperation shares assessments involving Hungarian nationals with Polish, Czech, and Slovak intelligence services outside GDPR.
• EU Framework Sharing: Hungarian person data in SIS II, Prüm, or EIO channels is accessible to 27 EU member states and, through Europol, to US FBI — even as EU institutions pursue Article 7 proceedings against Hungary.
• SWIFT/PNR Dragnet: International financial transactions and air travel data subject to US access.

For Hungarian persons, GDPR and the Info Act nominally protect personal data processed by controllers subject to Hungarian jurisdiction — but AH, IH, NBSZ, and TEK operate under Act CXXV of 1995 on National Security Services, explicitly exempt from data protection supervision. Foreign nationals whose communications transit Budapest’s BIX internet exchange or Hungarian networks are subject to NBSZ and TEK collection authorities without GDPR protection. GDPR Article 2(2) excludes national security processing from its scope; Article 7 TEU rule-of-law proceedings apply to democratic standards, not to the intelligence data protection gap.

Recent Developments

European Parliament Deepening Rule-of-Law Alarm (November 2025)

The European Parliament adopted a resolution sounding the alarm over Hungary’s “deepening rule of law crisis,” including concerns about surveillance practices, judicial independence, media freedom, and the Sovereignty Protection Office.^[28]

European Commission Infringement Proceedings on Sovereignty Act (October 2024)

The Commission initiated proceedings against Hungary over Act LXXXVIII of 2023, arguing it violates privacy and data protection rights, freedom of expression, and the right to a fair trial.^[14]

Chat Control Council Votes Fail (2024)

Hungary’s EU Council Presidency attempted twice to pass the CSA Regulation mandating client-side scanning of encrypted messages, but failed to achieve a qualified majority in both June and October 2024.

Sovereignty Protection Office Investigations (2024)

In June 2024, the Sovereignty Protection Office launched investigations against investigative outlet Átlátszó and Transparency International Hungary, drawing international condemnation.^[13]

PEGA Committee Mission to Budapest (February 2023)

The European Parliament’s PEGA Committee on spyware visited Budapest to investigate Hungary’s use of Pegasus and the adequacy of surveillance oversight mechanisms.^[21]

NAIH Pegasus Investigation Classified Until 2050 (February 2022)

NAIH President Péterfalvi declared all ~100 investigated Pegasus surveillance cases “legitimate and justified” but classified the reasoning as a national security secret until December 31, 2050.^[6]

Pegasus Project Revelations (July 2021)

Direkt36 and the Pegasus Project consortium revealed that Hungary deployed NSO Group’s Pegasus spyware against journalists, opposition politicians, lawyers, and other domestic targets. Citizen Lab and Amnesty International confirmed infections forensically.^[4]

Article 7(1) TEU Proceedings Triggered (September 2018)

The European Parliament voted 448–197 to invoke Article 7 proceedings against Hungary based on the Sargentini Report, marking the first time Parliament used this mechanism against a member state.^[5]

Szabó and Vissy v. Hungary (January 2016)

The ECHR ruled Hungary’s anti-terrorism surveillance legislation violated Article 8 ECHR, finding surveillance scope “could include virtually anyone,” executive-branch authorization lacked judicial oversight, and there was no effective ex post facto review. Hungary has not complied with the judgment.^[3]

Sources