Mónika MERCZ: From the Privacy Act to the GDPR – A Brief Introduction
“Az Infotörvénytől a GDPR-ig” has been published in Hungarian by the Ludovika Egyetemi Kiadó (National University of Public Service) in 2021.
From the Privacy Act to the GDPR is an impressive volume of more than 270 pages and is the first of its kind in Hungary. It is a body of work which contains complex, easily understandable and transparent information regarding the changes in the relevant legislation and how these shifts in regulations affected the daily life and tasks of those working in this particular field of law. The aim of the volume is to present the events of the last decade from a data protection point of view, through the writings of eyewitnesses. Each of the authors of this handbook was a witness to important changes in the sectors they represent. The book sets out to provide an honest overview of an entire decade, focusing on its key steps. The volume is not a textbook with a desire to describe what is to be interpreted, what is right, and what is not right. Rather, it is a series of professional, scholarly studies. The text was written with the intention of avoiding dry and difficult language and concepts. It takes a look at the past, looks to the future, and takes inventory of all factors contributing to today’s regulation. In addition, it illustrates and explains broader concepts of change in the relevant legislation. It has the benefit of showing us different sides of the same issue as well as exploring a wide range of topics that have a connection to the overarching theme of the book.
The book opens with a foreword from former minister of justice and European Commissioner for Education, Culture, Youth and Sport, Tibor Navracsics. Altogether, the handbook has 16 authors. All of them provide a unique outlook on the events of the last decade, as they all come from different careers. Some of the authors are experts on data protection, working for the Hungarian National Authority for Data Protection and Freedom of Information (hereinafter: DPA), while others are attorneys, lecturers at universities, coworkers at firms or even work for the Hungarian Constitutional Court. Because of their diverse background, this body of work comprises many unique viewpoints and approaches, incorporating different personal and professional opinions.
The volume contains four main chapters, each of which is made up of several articles written by different experts of law.
Papers in the first chapter (“Institutional and regulatory changes in Hungary”) focus on the effect of the changes that took place in the last decade on different institutions. Viktor György Árvay reports on his own impressions of the changes that took place while he was working for the Hungarian DPA. His opinion is that reporting incidents involving privacy became a very useful innovation of GDPR. His suggestion is that the legislator should require an increased level of data security on the basis of a more precise set of criteria and a model provided at legislative level. This is necessary so that there is no significant difference in the quality of data protection when it comes to different companies and other processors of data.
Tamás Sulyok, Krisztián Villám and Gergely Deli co-authored a paper on how the events of the last decade shaped the Hungarian Constitutional Court’s practice regarding data protection. Their conclusion is that the need to limit the right to the protection of personal data must be examined in the conceptual framework of purpose and, in the context of proportionality, the implementation of additional data protection principles in a specific situation must be taken into account.
Gábor Dudás reports on the main findings of judicial decisions in data protection. He notes that, since the GDPR entered into force, data protection litigation has slowly become a separate area of law requiring special legal expertise. In addition, a kind of parallel has emerged with competition law decisions. This is also reflected in the fact that the decisions of the Hungarian DPA, like the decisions of the Hungarian Competition Authority, have become more and more market-regulating in their nature.
Papers in the second chapter (“The EU’s perspective on data protection”) describe the shifts in EU thinking about data protection. Péter Nikolicza writes about the one-stop-shop mechanism (a system of cooperation and consistency procedures designed to simplify the administrative process when it comes to data protection). The question the author poses is whether this mechanism is more beneficial to the complainant or to large companies processing data. He concludes that the application of the one-stop-shop is increasingly being pushed into the background, probably due to its complex application.
Katinka Bojnár recounts a rather important decision of the Court of Justice of the European Union and explores how it relates to data protection. As an employee of the Hungarian Authority for Data Protection and Freedom of Information, she was the one responsible for the Weltimmo case (Case C-230/14 of 1 October 2015). She reports not only on how the proceedings took place in this instance, but also how the case affected her personal life.
Lastly, Endre Győző Szabó, editor of this book and vice president of DPA, takes a look at how the regulations of GDPR can be applied from the point of view of the Hungarian DPA. He concludes that GDPR has created a new framework for the protection of personal data. To the question of whether the new model is successful or not, a clear answer cannot yet be given.
Papers in chapter three (“Global fault-lines on the fronts of technology, privacy and competition law”) unveil those events and trends that contribute to the unraveling of data protection rules on a global scale and necessitate answers. Márton Domokos addressed the Cambridge Analytica in a unique, practice-oriented approach. He believes that after the case, a number of positive changes have taken place: the data management information of the organizations has become much more transparent. Since the GDPR entered into force, cross-border data processing has had to be regulated in a cross-border way. However, the world of the Internet still requires new regulations and careful handling.
In the next paper, Dániel Eszteri asks questions and provides possible solutions regarding blockchain and artificial intelligence. His aim with this work is to start a discourse about the legal compliance of these systems in regards to data protection, as worrying developments have already appeared on the market.
András Tóth, vice president of the Hungarian Competition Authority, discusses the ups and downs of data monopolies. The purpose of his paper is to showcase the circumstances and shortcomings of the fight against these anomalies. He concludes that the Digital Services Act can only provide a higher level of protection for users' data through competition law.
Chapter four (“The world of data protection experts”) contains much more personal accounts of day-to-day work with data protection regulation in different sectors. Balázs Révész and Péter Buzás discuss the work of both the Office of the Data Protection Commissioner and the Hungarian National Authority for Data Protection and Freedom of Information from the point of view of a data protection consulting firm. They believe that while a career in data protection has become more popular in recent years, the competition will motivate experts to improve their professional skills.
Gábor Dudás, appearing for a second time among the authors, discusses how GDPR impacted the work of attorneys. He predicts that a new group of attorneys will emerge, specialising in data protection.
Márton Domokos, in his second contribution to the volume, discusses how he himself experienced the effects of GDPR in his practice. In his opinion, not all data protection circumstances can be met, the real challenge is rather to continuously identify the right priorities.
Péter Báldy and Gábor Pataki reminisce about the education of data protection experts during the last decade. In light of the recent pandemic, they are of the opinion that data protection experts will be more and more needed in our largely online existence.
Closing this chapter, Sára Trócsányi provides a detailed journal about her experience during the Covid-19 pandemic. She mentions several cases where she sees the regulations of GDPR expanding to meet newer and newer expectations arising out of the continued use of the online space.
This body of work undoubtedly fills a niche in the market with its unique viewpoints regarding the happenings of the last decade when it comes to data protection. It is a handbook which is useful not just for experts but for anyone interested in learning more about the topic. While it is easy to understand, it provides the reader with an unmatched experience of gaining new and useful information. As a law student and prospective researcher who is interested in this field of law, I am extremely thankful that a volume like this exists. It presents current events and sheds light on the challenges of the situation in Hungary. The more subjective papers help us see how everydays of experts in this field of law are. With the help of this book, we get a better insight into the problems to be solved, which can inspire entire future research topics. I can wholeheartedly recommend this work to every fellow law student or PhD student who is interested in any aspect of the topics explored, as it is both educational and interesting reading material.
I would suggest that more works like this be written in the future, as this is how those on the outside can get a look into the specifics of the field. I especially appreciated how attorneys, judges and academics were all involved. This had the benefit of making the book diverse in its presentation. It opened the door for many topics to be explored in depth. The handbook is coherent in its overarching theme of exploring how the last decade changed data protection law in its entirety, but I would like to emphasize how it did not feel the need to explore the same exact issue from different sides. Rather, the book allowed all papers to showcase issues relevant to the specific authors, thus allowing the reader to get a little bit of everything from the issues relating to the Constitutional Court to the fight against data monopolies. This has the benefit of catching the attention of a wide audience, including everyone who can relate to even one segment of this handbook.
Overall, I have been convinced, both as a reviewer and reader, that the “From the Privacy Act to the GDPR” will be suitable for the purpose originally conceived by the editor.
Mónika MERCZ is a Hungarian fourth year law student at the University of Miskolc, currently in her last semester of an English Legal Translation Course. Mónika is the Secretary General of European Law Students’ Association (ELSA) Miskolc, a recipient of the National Higher Education Scholarship 2020, and is currently taking part in Aurum Foundation’s Mentoring Program. Having done several publications, her work mainly focuses on environmental law, constitutional law and data protection. She is a member of the Constitutional Discourse’s Editorial Board.