DECISION 15/1991: 13 APRIL 1991







On the basis of the petition an ex post facto review of the unconstitutionality of legal rules currently in force, the Constitutional Court has made the following




            The Constitutional Court holds that the collection and processing of personal data in the absence of a definite purpose and for arbitrary future use are unconstitutional.

            The Constitutional Court holds that the universal and unified personal identification number ("PIN") available for unlimited use is unconstitutional.

            The Constitutional Court holds that Law Decree 10/1986 on the State Population Register as well as Decree 25/1986 (VII.8) MT issued by the Council of Ministers for the execution of this Law Decree and Decree 102/1990 (VII.3) MT issued by the Council of Ministers are unconstitutional; accordingly, the Court annuls the Law Decree and the decrees on its implementation.

            The legal rules will lose force as of 31 December 1991, with the exception of the provisions listed hereunder which will lose force on the day of the publication of the present Decision in the Hungarian Official Gazette:

            In the Law Decree: the second sentence of s. 4; s. 5(2); the second and third sentences of s. 6(2); s. 6(3); the second sentence s. 7(1); in s. 7(2): "unless otherwise regulated by the law...", "or its lawful interest...", and "or by one’s statement..."; and s. 7(4); as well as, in s. 10(3), the words: "by Law Decree or decree of the Council of Ministers...".

            Accordingly, in the period between the publication of the Constitutional Court Decision and 31 December 1991, ss. 4, 6(2), 7(1) and (2), and 10(3) of the Law Decree shall remain in force with the following texts:

            "Section 4: The state population register contains the citizen's PIN, his/her basic personal identification data and the address of his/her residence."

            "Section 6(2): The PIN shall be used for the purposes of identification in the computerized registers which contain, among others, personal data as well."

            "Section 7(1): The state population register provides private persons, and organizations with data for the performance of their duties.

            (2) A private person may request from the state population register data and issue of documents pertinent to other persons to which he is entitled. The applicant shall verify this entitlement by a `written deed.`"

            "Section 10(3): Data related to the citizen's person, family status and other circumstances may be made public only with the approval of the citizen concerned, or in cases determined by statute."

            The Constitutional Court orders the publication of its Decision in the Hungarian Official Gazette.







            According to Art. 59 of the Constitution in the Republic of Hungary everyone is entitled to the protection of his/her reputation, and to privacy, including privacy of the home and to the protection of personal secrets and data.

            The Constitutional Court, continuing to adhere to Dec. 20/1990 (X.4) AB (MK 1990/98; ABH 1990, 69), does not interpret the right to the protection of personal data as a traditional protective right, but as an informational right to self-determination, with regard to the active aspect of this right.

            Thus, the right to the protection of personal data, as guaranteed by Art. 59 of the Constitution, means that everyone has the right to decide about the disclosure and use of his/her personal data. Hence, approval by the person concerned is generally required to register and use personal data; the entire route of data processing and handling shall be made accessible to everyone, i.e. everyone has the right to know who, when, where and for what purpose uses his/her data. In exceptional cases, a statute exceptionally require the compulsory supply of personal data and prescribe the manner in which these data may be used. Such a statute restricts the fundamental right to informational self-determination, and it is constitutional only if it is in accordance with the requirements specified in Art. 8 of the Constitution.

            Any legal rule which [....] is in conformity with Art. 59 of the Constitution if it contains guarantees that the person concerned is able to monitor the route of his/her data during the processing and to enforce his/her rights. [....]

            Adherence to the purpose to be achieved is a condition of and at the same time the most important guarantee for exercising the right to informational self-determination. [....] It follows from the principle of adherence to the purpose to be achieved that collecting and storing data without a specific goal, "for the purpose of storage", for an unspecified future use are unconstitutional.

            The other basic guarantee is the restriction on the forwarding and publication of data. [....]

            Personal data may be made accessible to a third party, other than the concerned party and the original data user, and thereby to link up data processing systems, only if all the conditions required for data forwarding are fulfilled in relation to each item of data. [...]




            The contested Law Decree is unconstitutional because it fails to meet the basic requirement of the adherence to the purpose to be achieved. Particularly,

            - it does not specify the objective of data processing;

            - in connection with this it does not determine precisely the scope of data to be processed;

            - it allows the use of other unspecified records and registers for services related to the population register;

            - it does not ensure adequately the rights of the affected person, in particular it does not contain sufficient guarantees for the protection of the affected party concerning data forwarding. [....]

            2. The main provisions of the legal rules concerning the population register are also unconstitutional.

            2.1 The definition of the objective specified in the Law Decree (s. 1(1): "to promote the enforcement of the citizens' rights and the fulfillment of their duties, is to provide assistance for the activity of state organs, economic and social organizations, associations and associations of private persons' (hereinafter `organizations`)") is completely inadequate in light of the fact that the establishment of a data-processing system affecting the entire population of the country is in question, and, furthermore, this system fundamentally affects personal data and the course of the rights related to it (see: PIN). This vague text is incapable of guiding data processing in a definite direction or of restricting it in any manner, i.e. it does not allow at all for the mention of any adherence to a purpose to be achieved. [....]

            2.2 The scope of the registered data is determined by s. 4 of the Law Decree: "The state population register contains the citizens' personal identification number, his/her basic identification and residence data. The scope of the data to be recorded is to be determined by the Council of Ministers."

            This authorization is unconstitutional. [....]

            Concerning the importance of a state population register, the Law Decree should have given a detailed list of the data to be included therein. Instead, the detailed determination of these data was left to the Council of Ministers in such a way that the scope of this authorization in its contents has not been determined. The term "basic personal identification data" is not specific enough to act as a guarantee. [....]

            3. The universal and unified personal identification code (PIN) the use of which is unrestricted (i.e. the PINs assigned to all the citizens and residents of the country according to the same principle) is unconstitutional.

            Section 6(2) of the Law Decree states: "The personal identification numbers shall be used as identification data in the computerized register system which contain other personal data; it shall be entered into official documents and records, and shall also be used in state administration and judicial procedures."

            According to the restrictive interpretation of this passage the PINs shall be stored in the computers of the population register as identification codes, and that these PINs shall be entered into the files and records of the state population register. In its wider sense, however, this passage allows the use of PINs in any official document and record, moreover, these code numbers have been used for every sort of computerized register system on the grounds that s. 6 is made up of provisions broader than the scope of the state population register. The provision of the Law Decree concerning PINs is, thus, ambiguous; as indicated by actual experience, this provision has failed to restrict unambiguously the obligatory use of PINs.

            This ambiguity, however, is only a consequence of the much more serious shortcoming of the regulation from the aspect of constitutional law: this is that s. 6 imposes no limitations or conditions whatsoever on the use of PINs.

            3.1 The PIN, as regulated in the Law Decree, is a universal, multi-purpose identification code that may, in principle, be used in any register. It is also in this sense that the Constitutional Court applies the concept of PIN in the reasoning of this Decision and in the discussion not strictly related to the Law Decree. (Another type of PIN is an identification number which serves only the purpose of a given data processing and which may be used only for that, such as, the pension number or account number. These personal numbers of limited use raise other legal problems related to data protection. The current legal problem of the relationship between the two types of personal number is that legislation prevents the general use of such one-purpose personal number.)

            The significance of the unified personal identification code is that it allows an easy and reliable identification of personal data of an individual as well as their collection by means of a short and technically easily manageable code which is invariable and may not be interchanged. Thus, the personal number is an obvious concomitant of any sort of integrated record-keeping system; its introduction, both in Hungary and abroad, was a part of the plan to install large, central storage data banks. In addition, the unified personal code is perfectly suitable to the occasional link of personal data available in different registers. Through its use, the data are easily accessible, and may be checked against one another.

            These technical advantages enhance the efficiency of data-processing systems utilizing personal numbers, and of the related administrative or service operations. Likewise, this system saves time and money for those subject to data supply because it makes the repeated furnishing of data avoidable.

            These advantages, however, involve serious risks for personality rights and particularly from the aspect of the right to informational self-determination. The PIN is particularly dangerous to personality rights. If the data are acquired from variuos data bases, without "informing" the person concerned, bypassing him, then this person is precluded from the data flow, and he is either limited in, or deprived of the possibility of monitoring the route and use of his/her data. This method contradicts the basic principle of data protection that data should be obtained from the person concerned with his/her knowledge. The widespread use of PINs results in impairing the private sphere because even from the remotest data-storage systems established for different reasons may be used to establish a personality profile which is an artificial image extending to an arbitrarily- wide activity of the person and penetrating into the person's most private matters; this image, due to its construction from data torn out of their context, is most likely to be a distorted image as well. In spite of this, the data user will make its decisions on the basis of this image, will use this image to produce and forward further information concerning the person in question. The large amount of these interconnected data, of which the person in question generally has no knowledge, renders the person defenceless and creates unequal communication conditions. Where one party cannot know the information the other party possesses about him creates a humiliating situation, and prevents free decision-making. The power of the state administration in using PINs is markedly increased. If PINs may be used in areas outside the ambit of the administration, this increased the power not only of the data user over the parties concerned but also of the State because it further broadened the possible control through the use of such data. Taken together, they seriously jeopardize the right to self-determination and human dignity. The unlimited use of PINs might become a tool for totalitarian control.

            The logic of PINs is thus contrary to the constituent elements of the right to data protection, to the principle of divided information systems with adherence to the purpose to be achieved and to the principal rule that data should be acquired from persons concerned with their knowledge and consent. If the principles of data protection are applied consistently, the personal identification number loses its significance because the "advantages" inherent in it cannot be made utilized.

            The PIN is the technically most advantageous tool to reliable link-ups of personal data as far as the currently existing data-processing techniques are concerned. Personal data may, of course, be connected to names, and, if necessary, to supplementary identification items like mother's name and residential address. Given the computer capacities available today, the extent of these shall not create a serious problem. "Natural" data might, however, change (e.g. names by marriage or name changes), and it might happen that further data are needed to make distinctions; furthermore, in case of variable data (like residential addresses) the permanent updating and monitoring of data is necessary. The difficulties and expenditure involved might constitute a significant item in the cost-and-benefit analysis of data processing, thus creating a natural brake on unjustified data collection which might otherwise be encouraged by the readily available PINs. The limitations arising from the right to informational self-determination apply, of course, to any data acquisition and processing. Due to their technical perfection, the PINs require the introduction of special safeguards in accordance with the increased risks. If personal data are updated by a central record-keeping system available through the PINs, then the data-processing body in charge of this operation, like the population register, acquires a key position which, therefore, requires an especially precise regulation of guarantees.

            3.2 The PINs, therefore, by their very nature pose a particular danger to personal rights. It follows from the primary duty of the state concerning the protection of fundamental rights (Constitution, Art. 8) that this risk shall be reduced to a minimum, i.e. the use of the PINs shall be restricted by security regulations. This can be done in two ways: either the use of the PINs is to be restricted to precisely defined data-processing operations, or strict conditions and controlling measures are to be imposed on the availability of information connected to PINs and on the link-up of record-keeping systems using PINs. On the other hand, it must not be ignored that any limitation of the unified and universal code results in losing the essence of the code. A PIN available only for limited use is no longer a PIN in the sense of the Law Decree.

            3.3 The use of PIN varies widely from country to country. In a number of countries there are de facto universal PINs as a result of the unhindered introduction and application of an identification code originally adopted for definite purposes. The number itself was originally introduced for the purposes of the population register or as a social security number. Examples for the former one are Belgium, Denmark, Iceland, the Netherlands and Norway, while for the latter Finland or Switzerland. The Swedish personal number, considered as a copybook example of the universal personal number, was originally a registration number in the birth certificate records. In other countries, personal numbers are forbidden or even considered unconstitutional. In Portugal, a 1973 Act of Parliament ordered the introduction of the universal PIN starting in 1975. On the other hand, Art. 35(2) of the 1976 Constitution, issued after the downfall of the fascist regime, forbids the link-up of personal data storage systems, and according to para. (5): "It is forbidden to assign nationally uniform personal numbers to citizens." In France and in the Federal Republic of Germany, public opposition to the idea of a population register using PINs led in 1978 to the promulgation of the Law Decrees on Data Protection and to the abandonment of integrated data storage systems and PINs.

            The German Federal Constitutional Court declared as early as in 1969 that the "registration and catalogue-listing of citizens which affect the entire person of those citizens" are incompatible with the fundamental right to human dignity to which the state has no right even under the anonymity of statistical data acquisition (BVerfGE 27, 1, 6), the so-called population census decision, which in 1983 formulated the right to informational self-determination, considers PIN as a "decisive step" leading to personality profiles the avoidance of which shall be accepted even by other means of limitation on informational self-determination (BVerfGE 65, 1, 27, 53, 57).

            Between the two extremes are those states where some personal numbers serving certain purposes are used for purposes other than the original one: however, these were successfully prevented from becoming universal codes. (This was the case in France, for example, where the identification number assigned to everyone born in France by the National Economic and Statistical Research Centre did not become a universal PIN; similar legal constraints were imposed on the use of social security numbers in Canada.)

            The dangers of electronic data processing to the autonomy of personality became widely recognized in the 70s. From this time on, the PIN has become a symbol for the total control of citizens, and for an approach to efficiency alone and for the treatment of persons as objects.

            Although the PIN is only a tool, and its role may only be appreciated in the entire context of data-processing regulation, yet its introduction or application was sufficient to trigger the clash of the two value systems, the preference of technical possibilities or of personality rights. This resulted in the precise legal regulation, that is the limitation of the use of PINs becoming a general requirement, and this process started even in countries where the PINs had been introduced before the age of consciousness of data protection. (See, e.g., the report of the Data Protection Expert Committee of the Council of Europe: "Introduction and Use of Personal Identification Number: Issues of Data Protection," Strasbourg, 15 December 1989.) Even the application of the general principles of data protection similar to any other personal data present a limitation of the use of PINs. This means that legal authorization is required for anybody who demands the disclosure of the PIN; in the absence of such, no one may be disadvantaged for refusing to disclose his/her PIN. The PIN must not contain sensitive data (e.g. ethnicity or religion) but there is an increasing demand that it should not be a "talking number" either, i.e. one that provides such information as the date or place of birth.The use of personal numbers shall be exactly specified and limited by statute, and its use shall be controlled and supervised by an independent data protection commissioner. However, beyond these general requirements, the risks inherent in PINs must be counterbalanced by separate safeguards as well. For example, the establishment of data and record storage units operating with PINs are subject to a special permission in Norway, and in certain record-keeping units the use of this number is forbidden. The link-up of registers operating with PINs shall be subject to particularly strict conditions and supervision, and shall be made accessible to the persons concerned as well. These safeguards were introduced, e.g., by the Swedish data protection office.

            The safeguards related to PINs shall prevail in case of identification documents that may be used similarly (e.g. identity card, passport or driving licence number), and with adequate modifications in case of personal codes used in other special areas (pension and social security numbers).

            3.4 The current regulation of the PINs is unconstitutional because s. 6 of the Law Decree allowed their unlimited use or made their unlimited use compulsory for state organs without providing safeguards against the dangers inherent in them.

            Hungarian law allowed for all the dangers arising from the nature of PINs to be realized when it failed to regulate the use of such numbers, and introduced them in an unconditional way into such a legal environment where the fundamental guarantees of the right to data protection were unknown. (Only one of these safeguards, the right of inspection by the person concerned, was regulated: however, this being out of its context, it has never become a „living” right.) The issue of the possibility of limiting the data flow within the state administration has never been raised by officials, and the handing out of PINs was made a condition for the availability of services even outside the state sphere.

            These circumstances resulted in a multitude of registers operating with PINs, frequently without the knowledge of the persons concerned, and with unimpeded communication between the various systems; today no one can know who, where and to what of his/her personal data has access.

            In the face of such dangers the Civil Code and other legal provisions on the protection of personality and secrecy are insufficient. It was with regard to the population register and PIN system set up in 1974 that through a modification of the Civil Code in 1977, a general clause was enacted to the effect that no computerized data processing may violate personality rights, and introduced the right to correction of the person concerned, and forbid the information supply to unauthorized persons (Civil Code, art. 83).

            However, up to the present time there has not been a single legal rule or court decision which gave substance to the abovementioned general clause, or indicated the constituent elements of the right to informational self-determination or of the right to data protection. Data users were not, therefore, impeded either by adherence to the purpose to be achieved or by rules on data acquisition or forwarding, and the persons concerned could not be aware of their rights either. (The persons concerned have no legal possibility even today to learn about which registries they might be recorded in, and hence the practice of the right of inspection is illusory.) The independent control and supervision of data processing have been completely missing. Only the Law Decree contained provisions concerning the more detailed regulation of the flow of personal data and of their protection. This Act has, however, been proved by the Constitutional Court to fall short of the requirements of constitutionality. The abovementioned, and generally insufficient safeguards are in no way capable of counterbalancing the peculiar risks inherent in the nature of the PINs. Neither the Law Decree nor other legal rule in Hungarian law contains measures directed at fending off the dangers inherent in PINs either by prescribing conditions for their use, or by allowing the control of the use of such numbers.

            Based on these considerations, the legal rules in force concerning the use of PINs violate the Constitution: these provisions are contrary to the right to the protection of personal data (Constitution, Art. 59), and limit these rights in a disproportionate and unnecessary manner.

            3.5 It is the duty of the legislator to create an Act, in accordance with Arts. 59 and 61 of the Constitution, concerning the protection of personal data and the accessibility of information of public interest, and to give a concrete form in so-called area-specific statutes to the basic principles laid down in the abovementioned Act. It is the legislature's responsibility to decide whether to introduce, within certain limitations, the PINs which were annulled in their current form, and to specify the limitations and special controlling measures on the use of these PINs. In the present case, the Constitutional Court has declared the PIN-system to be unconstitutional because the Law Decree contains no limitation whatsoever on the use of PINs. This, however, does not mean that any sort of restriction or limitation is sufficient to render the use of PINs constitutional. The Constitutional Court, therefore, summarizes its opinions expressed above on the limits within which personal identification codes are considered to be in conformity with the Constitution.

            The Constitutional Court establishes that the universal personal identification number is, by its very nature, contrary to the right to informational self-determination. Only the use of an identification number limited for data processing with a specific purpose is, therefore, compatible with the Constitution. The Law Decree introducing such "personal numbers" limited in use shall provide regulatory and control guarantees that preclude the use of this number for other purposes and in other contexts. Neither the "state sphere", nor the entirety of state administration may be considered a unity within which a single, unified personal identification code shall be introduced or used.

            4. The Law Decree and its executing decrees create or maintain such a seriously unconstitutional situation that would justify their immediate invalidation. On the other hand, the Constitutional Court has taken into account the fact that an abrupt reorientation of the registers created by these legal rules into a personal identification system which conforms to the Constitution would present a transitional but significant set-back to the operation of the state administration. In addition, the Constitutional Court has also considered the fact that the reform of these systems is already under way, and that the Act on Data Protection will be enacted within a foreseeable time. In order to facilitate the switch to a personal registration system that is constitutional, the Constitutional Court decided that those parts of the Law Decree on the basis of which the state population register may perform data furnishing absolutely necessary for the protection of citizens' rights and the operation of administration will remain in effect until the end of this year. Data service may continue on a provisional basis to private persons if they certify in writing their entitlement to the data and to administrative bodies entitled by the decrees of the Council of Ministers to regular data supply. (See Point 2.3. above for the reasoning of this.) Data forwarding to private persons claiming only lawful interests, or unable to certify their right in writing, and to any organizations other than the above-mentioned is, however, discontinued with immediate effect.

            In order to allow the performance of this limited scope of duty and to facilitate the reorganization, the decision leaves the scope of data acquisition intact until the end of this year, only the potential to expansion of this activity by a decree has been made impossible with immediate effect.

            Due to the seriously unconstitutional character of the current use of PINs, the Constitutional Court annuls with immediate effect the Decree making the use of PINs compulsory in official documents, registers, during administrative and judicial proceedings as well as the Decree which had prescribed the entry of PIN into the identity cards. From the time of publication of this Decision, no one has the right to require the furnishing of the PIN, or to make the exercise of any right or the grant of a service dependent on the furnishing of such number.

            The Constitutional Court takes into account that the already existing PINs will not be deleted from the state-managed registers before the introduction of the new codes by an Act. It points out, however, that new persons may no longer be registered with PINs, and that the link-up of various registers by the PINs is beyond the limit of tolerance within which the already existing PINs, used solely as internal indicators, are not to be deleted in the interim period. This danger involved in such limited use of the otherwise unconstitutional PIN is offset by the fact that, by its nature, this usage is doomed to be phased out: since the unified character of the systems is necessarily destroyed by the ban to register new data with the PIN, and by the fact that the persons concerned will not supply their former PINs.

            The abolition of the unconstitutional situation is the duty of everyone who kept PINs on records; this applies to both the state-run and the non state-run data users, the latter have thus far used the PINs at their own risk theoretically depending on the consent of the persons concerned.

            Only the state population register is entitled to issue new PINs until 31 December 1991 and to use them, along with the existing ones, as internal identification codes. This is necessary in order to keep the data base intact until the legislator makes its decision concerning the constitutional successor of the population register.

            5. This decision of the Constitutional Court will be promulgated in the Hungarian Official Gazette, in accordance with s. 41 of Law Decree XXXII/1989 on the Constitutional Court.