The Hungarian data protection authority was conceived in sin
The judgment of the European Court on 8 April declared that the replacement of the institution of the data protection commissioner for the National Authority for Data Protection and Freedom of Information was unlawful. The ruling has made it clear: a two-thirds mandate does not absolve the Hungarian state from complying with European norms.
According to the decision of the European Court, in abolishing the institution of the data protection commissioner coincidentally with the entering into force of the Fundamental Law on 1 January, 2012, the Hungarian state violated the law of the European Union. Every Member State of the EU is obliged to operate an independent data protection authority. The independence of the organization responsible for data protection necessarily involves the obligation to respect the period of mandate of the same institution. Abolishing the authority implied the elimination of the mandate of the independent data protection commissioner, which occurred before András Jóri, who had been elected to this office for six years, had a chance to fulfill his mandate.
The European Commission started proceedings against Hungary. Prior to that, Eötvös Károly Institute had warned the government that the Commission would pursue infringement proceedings against Hungary and condemn it for abolishing the institution of the ombudsman. Also, Eötvös Károly Institute, HCLU and the Hungarian Helsinki Committee jointly called José Manuel Barrosso's attention to the unlawful action. Today's judgment is the final move in this process that started back in 2011.
It is highlighted by those three organizations that by violating the independence of the data protection commissioner, the Hungarian state committed a breach of rights not only against the ombudsman, but also against all Hungarian citizens who are entitled to enjoy information privacy in Europe protected by an independent agency. The operations of a new institution created coincidentally with the act of violating independence cannot remedy this injury, as the decisions of the National Authority for Data Protection and Freedom of Information are to be judged, in each specific case, by considering that this authority was established as a result of rights infringement, that is, it was conceived in sin.