ON THE USE OF PERSONAL DATA AND THE PERSONAL IDENTIFICATION NUMBER
THE NAME OF THE
basis of the petition an ex post facto review of the unconstitutionality of legal rules currently in force, the
The Constitutional Court holds that Law Decree 10/1986 on the State Population Register as well as Decree 25/1986 (VII.8) MT issued by the Council of Ministers for the execution of this Law Decree and Decree 102/1990 (VII.3) MT issued by the Council of Ministers are unconstitutional; accordingly, the Court annuls the Law Decree and the decrees on its implementation.
The legal rules will lose force as of 31 December 1991, with the exception of the provisions listed hereunder which will lose force on the day of the publication of the present Decision in the Hungarian Official Gazette:
In the Law Decree: the second sentence of s. 4; s. 5(2); the second and third sentences of s. 6(2); s. 6(3); the second sentence of s. 7(1); in s. 7(2): "unless otherwise regulated by the law...", "or its lawful interest...", and "or by one’s statement..."; and s. 7(4); as well as, in s. 10(3), the words: "by Law Decree or decree of the Council of Ministers...".
in the period between the publication of the
"Section 4: The state population register contains the citizen's PIN, his/her basic personal identification data and the address of his/her residence."
"Section 6(2): The PIN shall be used for the purposes of identification in the computerized registers which contain, among others, personal data as well."
"Section 7(1): The state population register provides private persons, and organizations with data for the performance of their duties.
(2) A private person may request from the state population register data and issue of documents pertinent to other persons to which he is entitled. The applicant shall verify this entitlement by a 'written deed.'"
"Section 10(3): Data related to the citizen's person, family status and other circumstances may be made public only with the approval of the citizen concerned, or in cases determined by statute."
According to Art. 59 of the Constitution in the Republic of Hungary everyone is entitled to the protection of his/her reputation, and to privacy, including privacy of the home and to the protection of personal secrets and data.
Thus, the right to the protection of personal data, as guaranteed by Art. 59 of the Constitution, means that everyone has the right to decide about the disclosure and use of his/her personal data. Hence, approval by the person concerned is generally required to register and use personal data; the entire route of data processing and handling shall be made accessible to everyone, i.e. everyone has the right to know who, when, where and for what purpose uses his/her data. In exceptional cases, a statute may require the compulsory supply of personal data and prescribe the manner in which these data may be used. Such a statute restricts the fundamental right to informational self-determination, and it is constitutional only if it is in accordance with the requirements specified in Art. 8 of the Constitution.
Any legal rule which [....] is in conformity with Art. 59 of the Constitution if it contains guarantees that the person concerned is able to monitor the route of his/her data during the processing and to enforce his/her rights. [....]
Adherence to the purpose to be achieved is a condition of and at the same time the most important guarantee for exercising the right to informational self-determination. [....] It follows from the principle of adherence to the purpose to be achieved that collecting and storing data without a specific goal, "for the purpose of storage", for an unspecified future use are unconstitutional.
The other basic guarantee is the restriction on the forwarding and publication of data. [....]
Personal data may be made accessible to a third party, other than the concerned party and the original data user, and thereby to link up data processing systems, only if all the conditions required for data forwarding are fulfilled in relation to each item of data. [...]
The contested Law Decree is unconstitutional because it fails to meet the basic requirement of the adherence to the purpose to be achieved. Particularly,
- it does not specify the objective of data processing;
- in connection with this it does not determine precisely the scope of data to be processed;
- it allows the use of other unspecified records and registers for services related to the population register;
- it does not ensure adequately the rights of the affected person, in particular it does not contain sufficient guarantees for the protection of the affected party concerning data forwarding. [....]
2. The main provisions of the legal rules concerning the population register are also unconstitutional.
2.1 The definition of the objective specified in the Law Decree (s. 1(1): "to promote the enforcement of the citizens' rights and the fulfillment of their duties, is to provide assistance for the activity of state organs, economic and social organizations, associations and associations of private persons (hereinafter 'organizations')") is completely inadequate in light of the fact that the establishment of a data-processing system affecting the entire population of the country is in question, and, furthermore, this system fundamentally affects personal data and the course of the rights related to it (see: PIN). This vague text is incapable of guiding data processing in a definite direction or of restricting it in any manner, i.e. it does not allow at all for the mention of any adherence to a purpose to be achieved. [....]
2.2 The scope of the registered data is determined by s. 4 of the Law Decree: "The state population register contains the citizens' personal identification number, his/her basic identification and residence data. The scope of the data to be recorded is to be determined by the Council of Ministers."
This authorization is unconstitutional. [....]
Concerning the importance of a state population register, the Law Decree should have given a detailed list of the data to be included therein. Instead, the detailed determination of these data was left to the Council of Ministers in such a way that the scope of this authorization in its contents has not been determined. The term "basic personal identification data" is not specific enough to act as a guarantee. [....]
3. The universal and unified personal identification code (PIN) the use of which is unrestricted (i.e. the PINs assigned to all the citizens and residents of the country according to the same principle) is unconstitutional.
Section 6(2) of the Law Decree states: "The personal identification numbers shall be used as identification data in the computerized register system which contain other personal data; it shall be entered into official documents and records, and shall also be used in state administration and judicial procedures."
According to the restrictive interpretation of this passage, the PINs shall be stored in the computers of the population register as identification codes, and these PINs shall be entered into the files and records of the state population register. In its wider sense, however, this passage allows the use of PINs in any official document and record; moreover, these code numbers have been used for every sort of computerized register system on the grounds that s. 6 is made up of provisions broader than the scope of the state population register. The provision of the Law Decree concerning PINs is, thus, ambiguous; as indicated by actual experience, this provision has failed to restrict unambiguously the obligatory use of PINs.
This ambiguity, however, is only a consequence of the much more serious shortcoming of the regulation from the aspect of constitutional law: this is that s. 6 imposes no limitations or conditions whatsoever on the use of PINs.
3.1 The PIN, as regulated in the Law Decree, is a universal, multi-purpose identification code that may, in principle, be used in any register. It is also in this sense that the
The significance of the unified personal identification code is that it allows an easy and reliable identification of personal data of an individual as well as their collection by means of a short and technically easily manageable code which is invariable and may not be interchanged. Thus, the personal number is an obvious concomitant of any sort of integrated record-keeping system; its introduction, both in
These technical advantages enhance the efficiency of data-processing systems utilizing personal numbers, and of the related administrative or service operations. Likewise, this system saves time and money for those subject to data supply because it makes the repeated furnishing of data avoidable.
These advantages, however, involve serious risks for personality rights and particularly from the aspect of the right to informational self-determination. The PIN is particularly dangerous to personality rights. If the data are acquired from various data bases, without "informing" the person concerned, bypassing him, then this person is precluded from the data flow, and he is either limited in, or deprived of the possibility of monitoring the route and use of his/her data. This method contradicts the basic principle of data protection that data should be obtained from the person concerned with his/her knowledge. The widespread use of PINs results in impairing the private sphere because even the remotest data-storage systems established for different reasons may be used to establish a personality profile which is an artificial image extending to an arbitrarily wide activity of the person and penetrating into the person's most private matters; this image, due to its construction from data torn out of their context, is most likely to be a distorted image as well. In spite of this, the data user will make its decisions on the basis of this image, and will use this image to produce and forward further information concerning the person in question. The large amount of these interconnected data, of which the person in question generally has no knowledge, renders the person defenceless and creates unequal communication conditions. A situation where one party cannot know the information the other party possesses about him is humiliating and prevents free decision-making. The power of the state administration in using PINs is markedly increased. If PINs may be used in areas outside the ambit of the administration, this increases the power not only of the data user over the parties concerned but also of the State because it further broadens the possible control through the use of such data.
Taken together, they seriously jeopardize the right to self-determination and human dignity. The unlimited use of PINs might become a tool for totalitarian control.
The logic of PINs is thus contrary to the constituent elements of the right to data protection, to the principle of divided information systems with adherence to the purpose to be achieved and to the principal rule that data should be acquired from persons concerned with their knowledge and consent. If the principles of data protection are applied consistently, the personal identification number loses its significance because the "advantages" inherent in it cannot be utilized.
The PIN is the technically most advantageous tool for reliable link-ups of personal data as far as the currently existing data-processing techniques are concerned. Personal data may, of course, be connected to names, and, if necessary, to supplementary identification items like mother's name and residential address. Given the computer capacities available today, the extent of these shall not create a serious problem. "Natural" data might, however, change (e.g. names by marriage or name changes), and it might happen that further data are needed to make distinctions; furthermore, in case of variable data (like residential addresses) the permanent updating and monitoring of data is necessary. The difficulties and expenditure involved might constitute a significant item in the cost-and-benefit analysis of data processing, thus creating a natural brake on unjustified data collection which might otherwise be encouraged by the readily available PINs. The limitations arising from the right to informational self-determination apply, of course, to any data acquisition and processing. Due to their technical perfection, the PINs require the introduction of special safeguards in accordance with the increased risks. If personal data are updated by a central record-keeping system available through the PINs, then the data-processing body in charge of this operation, like the population register, acquires a key position which, therefore, requires an especially precise regulation of guarantees.
3.2 The PINs, therefore, by their very nature pose a particular danger to personal rights. It follows from the primary duty of the state concerning the protection of fundamental rights (Constitution, Art. 8) that this risk shall be reduced to a minimum, i.e. the use of the PINs shall be restricted by security regulations. This can be done in two ways: either the use of the PINs is to be restricted to precisely defined data-processing operations, or strict conditions and controlling measures are to be imposed on the availability of information connected to PINs and on the link-up of record-keeping systems using PINs. On the other hand, it must not be ignored that any limitation of the unified and universal code results in losing the essence of the code. A PIN available only for limited use is no longer a PIN in the sense of the Law Decree.
3.3 The use of PIN varies widely from country to country. In a number of countries there are de facto universal PINs as a result of the unhindered introduction and application of an identification code originally adopted for definite purposes. The number itself was originally introduced for the purposes of the population register or as a social security number. Examples for the former one are
The German Federal Constitutional Court declared as early as 1969 that the "registration and catalogue-listing of citizens which affect the entire person of those citizens" are incompatible with the fundamental right to human dignity to which the state has no right even under the anonymity of statistical data acquisition (BVerfGE 27, 1, 6). The so-called population census decision, which in 1983 formulated the right to informational self-determination, considers PIN as a "decisive step" leading to personality profiles the avoidance of which shall be accepted even by other means of limitation on informational self-determination (BVerfGE 65, 1, 27, 53, 57).
Between the two extremes are those states where some personal numbers serving certain purposes are used for purposes other than the original one: however, these were successfully prevented from becoming universal codes. (This was the case in
The dangers of electronic data processing to the autonomy of personality became widely recognized in the 70s. From this time on, the PIN has become a symbol for the total control of citizens, and for an approach to efficiency alone and for the treatment of persons as objects.
Although the PIN is only a tool, and its role may only be appreciated in the entire context of data-processing regulation, its introduction or application was sufficient to trigger the clash of the two value systems, the preference of technical possibilities or of personality rights. This resulted in the precise legal regulation, that is, the limitation of the use of PINs, becoming a general requirement, and this process started even in countries where the PINs had been introduced before the age of consciousness of data protection. (See, e.g., the report of the Data Protection Expert Committee of the Council of Europe: "Introduction and Use of Personal Identification Number: Issues of Data Protection," Strasbourg, 15 December 1989.) Even the application of the general principles of data protection, similar to any other personal data, presents a limitation of the use of PINs. This means that legal authorization is required for anybody who demands the disclosure of the PIN; in the absence of such, no one may be disadvantaged for refusing to disclose his/her PIN. The PIN must not contain sensitive data (e.g. ethnicity or religion) but there is an increasing demand that it should not be a "talking number" either, i.e. one that provides such information as the date or place of birth. The use of personal numbers shall be exactly specified and limited by statute, and its use shall be controlled and supervised by an independent data protection commissioner. However, beyond these general requirements, the risks inherent in PINs must be counterbalanced by separate safeguards as well. For example, the establishment of data and record storage units operating with PINs is subject to a special permission in
The safeguards related to PINs shall prevail in case of identification documents that may be used similarly (e.g. identity card, passport or driving licence number), and with adequate modifications in case of personal codes used in other special areas (pension and social security numbers).
3.4 The current regulation of the PINs is unconstitutional because s. 6 of the Law Decree allowed their unlimited use or made their unlimited use compulsory for state organs without providing safeguards against the dangers inherent in them.
Hungarian law allowed for all the dangers arising from the nature of PINs to be realized when it failed to regulate the use of such numbers, and introduced them in an unconditional way into such a legal environment where the fundamental guarantees of the right to data protection were unknown. (Only one of these safeguards, the right of inspection by the person concerned, was regulated: however, this being out of its context, it has never become a "living" right.) The issue of the possibility of limiting the data flow within the state administration has never been raised by officials, and the handing out of PINs was made a condition for the availability of services even outside the state sphere.
These circumstances resulted in a multitude of registers operating with PINs, frequently without the knowledge of the persons concerned, and with unimpeded communication between the various systems; today no one can know who has access to which of his/her personal data, and where.
In the face of such dangers the Civil Code and other legal provisions on the protection of personality and secrecy are insufficient. It was with regard to the population register and PIN system set up in 1974 that, through a modification of the Civil Code in 1977, a general clause was enacted to the effect that no computerized data processing may violate personality rights; the modification also introduced the right to correction of the person concerned and forbade the supply of information to unauthorized persons (Civil Code, art. 83).
However, up to the present time there has not been a single legal rule or court decision which gave substance to the abovementioned general clause, or indicated the constituent elements of the right to informational self-determination or of the right to data protection. Data users were not, therefore, impeded either by adherence to the purpose to be achieved or by rules on data acquisition or forwarding, and the persons concerned could not be aware of their rights either. (The persons concerned have no legal possibility even today to learn about which registries they might be recorded in, and hence the practice of the right of inspection is illusory.) The independent control and supervision of data processing have been completely missing. Only the Law Decree contained provisions concerning the more detailed regulation of the flow of personal data and of their protection. This Act has, however, been proved by the
Based on these considerations, the legal rules in force concerning the use of PINs violate the Constitution: these provisions are contrary to the right to the protection of personal data (Constitution, Art. 59), and limit these rights in a disproportionate and unnecessary manner.
3.5 It is the duty of the legislator to create an Act, in accordance with Arts. 59 and 61 of the Constitution, concerning the protection of personal data and the accessibility of information of public interest, and to give a concrete form in so-called area-specific statutes to the basic principles laid down in the abovementioned Act. It is the legislature's responsibility to decide whether to introduce, within certain limitations, the PINs which were annulled in their current form, and to specify the limitations and special controlling measures on the use of these PINs. In the present case, the
4. The Law Decree and its executing decrees create or maintain such a seriously unconstitutional situation that would justify their immediate invalidation. On the other hand, the Constitutional Court has taken into account the fact that an abrupt reorientation of the registers created by these legal rules into a personal identification system which conforms to the Constitution would present a transitional but significant set-back to the operation of the state administration. In
In order to allow the performance of this limited scope of duty and to facilitate the reorganization, the decision leaves the scope of data acquisition intact until the end of this year; only the potential for expansion of this activity by a decree has been made impossible with immediate effect.
Due to the seriously unconstitutional character of the current use of PINs,
The abolition of the unconstitutional situation is the duty of everyone who kept PINs on records; this applies to both the state-run and the non state-run data users; the latter have thus far used the PINs at their own risk, theoretically depending on the consent of the persons concerned.
Only the state population register is entitled to issue new PINs until
5. This decision of the