DECISION 15/1991:
ON THE USE OF PERSONAL DATA AND
THE PERSONAL IDENTIFICATION NUMBER
IN
THE NAME OF THE
On the
basis of the petition an ex post facto review of the unconstitutionality of
legal rules currently in force, the
DECISION.
The
The
The
Constitutional Court holds that Law Decree 10/1986 on the State Population
Register as well as Decree 25/1986 (VII.8) MT issued by the Council of
Ministers for the execution of this Law Decree and Decree 102/1990 (VII.3) MT
issued by the Council of Ministers are unconstitutional; accordingly, the Court
annuls the Law Decree and the decrees on its implementation.
The
legal rules will lose force as of 31 December 1991, with the exception of the
provisions listed hereunder which will lose force on the day of the publication
of the present Decision in the Hungarian
Official Gazette:
In
the Law Decree: the second sentence of s. 4; s. 5(2); the second and third
sentences of s. 6(2); s. 6(3); the second sentence s. 7(1); in s. 7(2):
"unless otherwise regulated by the law...", "or its lawful
interest...", and "or by one’s statement..."; and s. 7(4); as
well as, in s. 10(3), the words: "by Law Decree or decree of the Council
of Ministers...".
Accordingly,
in the period between the publication of the
"Section 4: The state population register
contains the citizen's PIN, his/her basic personal identification data and the
address of his/her residence."
"Section 6(2): The PIN shall be used for
the purposes of identification in the computerized registers which contain,
among others, personal data as well."
"Section 7(1): The state population
register provides private persons, and organizations with data for the
performance of their duties.
(2) A private person may
request from the state population register data and issue of documents
pertinent to other persons to which he is entitled. The applicant shall verify
this entitlement by a `written deed.`"
"Section 10(3): Data related to the
citizen's person, family status and other circumstances may be made public only
with the approval of the citizen concerned, or in cases determined by
statute."
The
REASONING
II
According to Art.
59 of the Constitution in the Republic of Hungary everyone is entitled to the
protection of his/her reputation, and to privacy, including privacy of the home
and to the protection of personal secrets and data.
The
Thus, the right to
the protection of personal data, as guaranteed by Art. 59 of the Constitution, means that everyone has the right to decide
about the disclosure and use of his/her personal data. Hence, approval
by the person concerned is generally required to register and use personal
data; the entire route of data processing and handling shall be made accessible
to everyone, i.e. everyone has the
right to know who, when, where and for what purpose uses his/her data. In
exceptional cases, a statute exceptionally require the
compulsory supply of personal data and prescribe the manner in which these data
may be used. Such a statute restricts the fundamental right to informational
self-determination, and it is constitutional only if it is in accordance with
the requirements specified in Art. 8 of the Constitution.
Any legal rule
which [....] is in conformity with Art. 59 of the
Constitution if it contains guarantees that the person concerned is able to
monitor the route of his/her data during the processing and to enforce his/her
rights. [....]
Adherence to the purpose to be
achieved is a condition of and at the same time the most important guarantee
for exercising the right to informational self-determination. [....] It follows
from the principle of adherence to the purpose to be achieved that collecting
and storing data without a specific goal, "for the purpose of
storage", for an unspecified future use are unconstitutional.
The other basic guarantee is the
restriction on the forwarding and publication of data. [....]
Personal data may be made accessible
to a third party, other than the concerned party and the original data user,
and thereby to link up data processing systems, only if all the conditions
required for data forwarding are fulfilled in relation to each item of data.
[...]
III
The contested Law Decree is
unconstitutional because it fails to meet the basic requirement of the
adherence to the purpose to be achieved. Particularly,
- it does
not specify the objective of data processing;
- in
connection with this it does not determine precisely the scope of data to be
processed;
- it allows
the use of other unspecified records and registers for services related to the
population register;
- it does
not ensure adequately the rights of the affected person, in particular it does
not contain sufficient guarantees for the protection of the affected party
concerning data forwarding. [....]
2. The main provisions of the legal
rules concerning the population register are also unconstitutional.
2.1 The definition of the objective
specified in the Law Decree (s. 1(1): "to promote the enforcement of the
citizens' rights and the fulfillment of their duties, is to provide assistance
for the activity of state organs, economic and social organizations,
associations and associations of private persons' (hereinafter
`organizations`)") is completely inadequate in light of the fact that the
establishment of a data-processing system affecting the entire population of
the country is in question, and, furthermore, this system fundamentally affects
personal data and the course of the rights related to it (see: PIN). This vague
text is incapable of guiding data processing in a definite direction or of
restricting it in any manner, i.e. it
does not allow at all for the mention of any adherence to a purpose to be
achieved. [....]
2.2 The scope of the registered data
is determined by s. 4 of the Law Decree: "The state population register
contains the citizens' personal identification number, his/her basic
identification and residence data. The scope of the data to be recorded is to
be determined by the Council of Ministers."
This authorization is unconstitutional.
[....]
Concerning the importance of a state
population register, the Law Decree should have given a detailed list of the
data to be included therein. Instead, the detailed determination of these data
was left to the Council of Ministers in such a way that the scope of this
authorization in its contents has not been determined. The term "basic
personal identification data" is not specific enough to act as a
guarantee. [....]
3. The universal and unified
personal identification code (PIN) the use of which is unrestricted (i.e. the PINs
assigned to all the citizens and residents of the country according to the same
principle) is unconstitutional.
Section 6(2) of the Law Decree
states: "The personal identification numbers shall be used as identification
data in the computerized register system which contain
other personal data; it shall be entered into official documents and records,
and shall also be used in state administration and judicial procedures."
According to the restrictive interpretation
of this passage the PINs shall be stored in the
computers of the population register as identification codes, and that these PINs shall be entered into the files and records of the
state population register. In its wider sense, however, this passage allows the
use of PINs in any official document and record,
moreover, these code numbers have been used for every sort of computerized
register system on the grounds that s. 6 is made up of provisions broader than
the scope of the state population register. The provision of the Law Decree
concerning PINs is, thus, ambiguous; as indicated by
actual experience, this provision has failed to restrict unambiguously the
obligatory use of PINs.
This ambiguity, however, is only a
consequence of the much more serious shortcoming of the regulation from the
aspect of constitutional law: this is that s. 6 imposes no limitations or
conditions whatsoever on the use of PINs.
3.1 The PIN, as regulated in the Law
Decree, is a universal, multi-purpose identification code that may, in
principle, be used in any register. It is also in this sense that the
The significance of the unified
personal identification code is that it allows an easy and reliable
identification of personal data of an individual as well as their collection by
means of a short and technically easily manageable code which is invariable and
may not be interchanged. Thus, the personal number is an obvious concomitant of
any sort of integrated record-keeping system; its introduction, both in
These technical advantages enhance
the efficiency of data-processing systems utilizing personal numbers, and of
the related administrative or service operations. Likewise, this system saves
time and money for those subject to data supply because it makes the repeated
furnishing of data avoidable.
These advantages, however, involve
serious risks for personality rights and particularly from the aspect of the
right to informational self-determination. The PIN is particularly dangerous to
personality rights. If the data are acquired from variuos
data bases, without "informing" the person concerned, bypassing him,
then this person is precluded from the data flow, and he is either limited in,
or deprived of the possibility of monitoring the route and use of his/her data.
This method contradicts the basic principle of data protection that data should
be obtained from the person concerned with his/her knowledge. The widespread
use of PINs results in impairing the private sphere
because even from the remotest data-storage systems established for different
reasons may be used to establish a personality profile which is an artificial
image extending to an arbitrarily- wide activity of the person and penetrating
into the person's most private matters; this image, due to its construction
from data torn out of their context, is most likely to be a distorted image as
well. In spite of this, the data user will make its decisions on the basis of
this image, will use this image to produce and forward
further information concerning the person in question. The large amount of
these interconnected data, of which the person in question generally has no knowledge,
renders the person defenceless and creates unequal
communication conditions. Where one party cannot know the information the other
party possesses about him creates a humiliating situation, and prevents free
decision-making. The power of the state administration in using PINs is markedly increased. If PINs
may be used in areas outside the ambit of the administration, this increased
the power not only of the data user over the parties concerned but also of the
State because it further broadened the possible control through the use of such
data. Taken together, they seriously jeopardize the right to self-determination
and human dignity. The unlimited use of PINs might
become a tool for totalitarian control.
The logic of PINs
is thus contrary to the constituent elements of the right to data protection,
to the principle of divided information systems with adherence to the purpose
to be achieved and to the principal rule that data should be acquired from
persons concerned with their knowledge and consent. If the principles of data
protection are applied consistently, the personal identification number loses
its significance because the "advantages" inherent in it cannot be
made utilized.
The PIN is the technically most
advantageous tool to reliable link-ups of personal data as far as the currently
existing data-processing techniques are concerned. Personal data may, of
course, be connected to names, and, if necessary, to supplementary
identification items like mother's name and residential address. Given the
computer capacities available today, the extent of these shall not create a
serious problem. "Natural" data might, however, change (e.g. names by marriage or name changes),
and it might happen that further data are needed to make distinctions; furthermore,
in case of variable data (like residential addresses) the permanent updating
and monitoring of data is necessary. The difficulties and expenditure involved
might constitute a significant item in the cost-and-benefit analysis of data
processing, thus creating a natural brake on unjustified data collection which
might otherwise be encouraged by the readily available PINs.
The limitations arising from the right to informational self-determination
apply, of course, to any data acquisition and processing. Due to their
technical perfection, the PINs require the
introduction of special safeguards in accordance with the increased risks. If
personal data are updated by a central record-keeping system available through
the PINs, then the data-processing body in charge of
this operation, like the population register, acquires a key position which,
therefore, requires an especially precise regulation of guarantees.
3.2 The PINs,
therefore, by their very nature pose a particular danger to personal rights. It
follows from the primary duty of the state concerning the protection of
fundamental rights (Constitution, Art. 8) that this risk shall be reduced to a
minimum, i.e. the use of the PINs shall be restricted by security regulations. This can
be done in two ways: either the use of the PINs is to
be restricted to precisely defined data-processing operations,
or strict conditions and controlling measures are to be imposed on the
availability of information connected to PINs and on
the link-up of record-keeping systems using PINs. On
the other hand, it must not be ignored that any limitation of the unified and
universal code results in losing the essence of the code. A PIN available only
for limited use is no longer a PIN in the sense of the Law Decree.
3.3 The use of PIN varies widely
from country to country. In a number of countries there are de facto universal PINs as a result of
the unhindered introduction and application of an identification code
originally adopted for definite purposes. The number itself
was originally introduced for the purposes of the population register or as a
social security number. Examples for the former one are
The German Federal Constitutional
Court declared as early as in 1969 that the "registration and
catalogue-listing of citizens which affect the entire person of those
citizens" are incompatible with the fundamental right to human dignity to
which the state has no right even under the anonymity of statistical data
acquisition (BVerfGE 27, 1, 6), the so-called
population census decision, which in 1983 formulated the right to informational
self-determination, considers PIN as a "decisive step" leading to
personality profiles the avoidance of which shall be accepted even by other
means of limitation on informational self-determination (BVerfGE
65, 1, 27, 53, 57).
Between the two extremes are those
states where some personal numbers serving certain purposes are used for
purposes other than the original one: however, these were successfully
prevented from becoming universal codes. (This was the case in
The dangers of electronic data
processing to the autonomy of personality became widely recognized in the 70s.
From this time on, the PIN has become a symbol for the total control of citizens, and for an approach to efficiency alone and for
the treatment of persons as objects.
Although the PIN is only a tool, and
its role may only be appreciated in the entire context of data-processing
regulation, yet its introduction or application was sufficient to trigger the
clash of the two value systems, the preference of technical possibilities or of
personality rights. This resulted in the precise legal regulation, that is the
limitation of the use of PINs becoming a general
requirement, and this process started even in countries where the PINs had been introduced before the age of consciousness of
data protection. (See, e.g.,
the report of the Data Protection Expert Committee of the Council of Europe:
"Introduction and Use of Personal Identification Number: Issues of Data
Protection," Strasbourg, 15 December 1989.) Even the application of the general principles of data protection similar to
any other personal data present a limitation of the use of PINs. This means that legal authorization is required for
anybody who demands the disclosure of the PIN; in the absence of such, no one
may be disadvantaged for refusing to disclose his/her PIN. The PIN must not
contain sensitive data (e.g.
ethnicity or religion) but there is an increasing demand that it should not be
a "talking number" either, i.e.
one that provides such information as the date or place of birth.The
use of personal numbers shall be exactly specified and limited by statute, and
its use shall be controlled and supervised by an independent data protection
commissioner. However, beyond these general requirements, the risks inherent in
PINs must be counterbalanced by separate safeguards
as well. For example, the establishment of data and record
storage units operating with PINs are subject
to a special permission in
The safeguards related to PINs shall prevail in case of identification documents that
may be used similarly (e.g. identity
card, passport or driving licence number), and with
adequate modifications in case of personal codes used in other special areas
(pension and social security numbers).
3.4 The current regulation of the PINs is unconstitutional because s. 6 of the Law Decree
allowed their unlimited use or made their unlimited use compulsory for state
organs without providing safeguards against the dangers inherent in them.
Hungarian law allowed for all the
dangers arising from the nature of PINs to be
realized when it failed to regulate the use of such numbers, and introduced
them in an unconditional way into such a legal environment where the fundamental
guarantees of the right to data protection were unknown. (Only one of these
safeguards, the right of inspection by the person concerned, was regulated:
however, this being out of its context, it has never become a „living” right.)
The issue of the possibility of limiting the data flow within the state
administration has never been raised by officials, and the handing out of PINs was made a condition for the availability of services
even outside the state sphere.
These circumstances resulted in a
multitude of registers operating with PINs,
frequently without the knowledge of the persons concerned, and with unimpeded
communication between the various systems; today no one can know who, where and
to what of his/her personal data has access.
In the face of such dangers the
Civil Code and other legal provisions on the protection of personality and
secrecy are insufficient. It was with regard to the population register and PIN
system set up in 1974 that through a modification of the Civil Code in 1977, a
general clause was enacted to the effect that no computerized data processing
may violate personality rights, and introduced the right to correction of the
person concerned, and forbid the information supply to unauthorized persons
(Civil Code, art. 83).
However, up to the present time
there has not been a single legal rule or court decision which gave substance
to the abovementioned general clause, or indicated the constituent elements of
the right to informational self-determination or of the right to data
protection. Data users were not, therefore, impeded either by adherence to the
purpose to be achieved or by rules on data acquisition or forwarding, and the
persons concerned could not be aware of their rights either. (The persons
concerned have no legal possibility even today to learn about which registries
they might be recorded in, and hence the practice of the right of inspection is
illusory.) The independent control and supervision of data processing have been
completely missing. Only the Law Decree contained provisions concerning the
more detailed regulation of the flow of personal data and of their protection.
This Act has, however, been proved by the
Based on these considerations, the
legal rules in force concerning the use of PINs
violate the Constitution: these provisions are contrary to the right to the
protection of personal data (Constitution, Art. 59), and limit these rights in
a disproportionate and unnecessary manner.
3.5 It is the duty of the legislator
to create an Act, in accordance with Arts. 59 and 61 of the Constitution, concerning
the protection of personal data and the accessibility of information of public
interest, and to give a concrete form in so-called area-specific statutes to
the basic principles laid down in the abovementioned Act. It is the
legislature's responsibility to decide whether to introduce, within certain
limitations, the PINs which were annulled in their
current form, and to specify the limitations and special controlling measures
on the use of these PINs. In the present case, the
The
4. The Law Decree and its executing
decrees create or maintain such a seriously unconstitutional situation that
would justify their immediate invalidation. On the other hand, the
Constitutional Court has taken into account the fact that an abrupt
reorientation of the registers created by these legal rules into a personal
identification system which conforms to the Constitution would present a transitional
but significant set-back to the operation of the state administration. In
addition, the
In order to allow the performance of
this limited scope of duty and to facilitate the reorganization, the decision
leaves the scope of data acquisition intact until the end of this year, only
the potential to expansion of this activity by a decree has been made
impossible with immediate effect.
Due to the seriously
unconstitutional character of the current use of PINs,
the
The
The abolition of the
unconstitutional situation is the duty of everyone who kept PINs
on records; this applies to both the state-run and the non state-run data
users, the latter have thus far used the PINs at
their own risk theoretically depending on the consent of the persons concerned.
Only the state population register
is entitled to issue new PINs until
5. This decision of the