
CJEU - C‑769/22 - European Commission v Hungary

From GDPRhub
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 10 GDPR
Decided:
Parties: The European Commission
Case Number/Name: C‑769/22 European Commission v Hungary
European Case Law Identifier: ECLI:EU:C:2025:408
Reference from:
Language: 24 EU Languages
Original Source: AG Opinion
Initial Contributor: cci


In a case involving the Commission, the Advocate General opined that a Hungarian law allowing the disclosure of personal data relating to convictions for sexual offences against children did not correctly balance the protection of minors against the right to data protection. Specifically, the law allowed access to the data based on a self-declaration, resulting in excessively broad access to the information.

English Summary

Facts

The background

In 2021 Hungary adopted "Law LXXIX of 2021 adopting stricter measures against persons convicted of paedophilia and amending certain laws for the protection of children" ("the amending law"). The law introduced a number of rules to restrict the access of minors to content portraying or promoting gender identities that do not correspond to the sex assigned at birth, sex reassignment or homosexuality. The law also introduced new rules for access to public documents, requiring public bodies to allow broad access to information about individuals convicted of sexual offences against children. The alleged purpose of the law was to protect minors.

In 2021 the Commission sent a formal letter to Hungary contesting the amending law's compliance with EU law. After some unproductive back-and-forth, the Commission escalated the case to the CJEU, requesting the CJEU to declare the amending law incompatible with EU law.

The European Commission filed four pleas, claiming that Hungary violated a long list of provisions from primary and secondary EU law[1]. Only the Commission's fourth plea invokes data protection law, specifically Article 8(2) CFREU ("Protection of personal data") and Article 10 GDPR ("Processing of personal data relating to criminal convictions and offences").

The fourth plea: Article 10 GDPR

The alleged violation of the GDPR relates to the amended law's rules on access to information about individuals convicted of sexual offences against children. The law amended the "Law on the criminal record system" and made documents about sexual offences accessible to a broad audience. Under the new rules, any adult who is either a relative or a guardian of a minor ("authorised person") has the right to access and share information about individuals convicted of sexual offences against children (the data subjects) from bodies with access to registered data.

The Commission claimed that the amended law failed to specify with sufficient clarity who is authorised to submit a data request and, therefore, did not provide sufficient guarantees for the rights and freedoms of data subjects regarding the conditions of access to their personal data. On these grounds, the Commission claimed that the amended law infringed Article 10 of the GDPR (as well as Art. 8(2) GDPR).

In its defense, Hungary argued that the law accurately identified "authorised persons" when read in light of the definition of "relatives" in the Hungarian civil code. Additionally, Hungary claimed that there were two additional criteria for access to personal data under Hungarian law: the authorised person must consider the relevant data to be probably necessary, and it must be disproportionately difficult for them to access the subjects' data if they are not disclosed.

In other words, Hungary argued that when interpreted correctly, Hungarian law provided for three cumulative criteria for the disclosure of data about convictions for sex offences against children:

  • (i) the disclosure was requested by an authorized person (i.e. "any adult who is either a relative of, or educates, supervises or cares for, a person who has not attained 18 years of age", where "relative" was to be understood in the well-defined sense of Hungarian civil law);
  • (ii) the disclosure was probably necessary to keep the minor safe;
  • (iii) it was disproportionately difficult for the authorized person to access the data otherwise.

Hungary claimed that these criteria were clearly defined and provided sufficient safeguards for data subjects. On this basis, Hungary argued that the amended law complied with Article 10 GDPR and 8(2) CFREU.

Advocate General Opinion

AG Cápeta clarified that, according to CJEU case law, the GDPR did not impose an absolute ban on the disclosure of personal data from public authorities. The GDPR did, however, require a balancing between the purpose of such disclosures and the rights and freedoms of data subjects. In particular, the disclosure of personal data regarding criminal convictions required strict justification and clear legal safeguards, because of the sensitive nature of such data.

In the case at hand, the AG conceded that the data disclosure pursued an important public interest (the protection of minors). So, the question was whether the amending law correctly balanced this interest against the right to data protection.

The AG opined that the amending law failed to do so and exceeded what was strictly necessary to protect minors, for two reasons.

First, the AG agreed with the Commission that the notion of "authorised persons" was too broad and unclearly defined under the amending law, even when the amending law was interpreted in light of domestic civil law.

In this regard, the AG pointed to the CJEU case law on the access to personal data from national authorities: in order to satisfy the requirement of proportionality, national law that allowed for such access "must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards". The AG further opined that such criteria would also apply to access from private citizens, as in the case at hand.

Second, the AG considered that requirements (ii) and (iii) (i.e. the probable necessity of the disclosure, and the difficulty of otherwise accessing the data) were overly generic and were to be assessed by the authorized person themselves. The AG argued that such a self-declaratory regime lent itself to abuse and deprived the disclosing body of any control over the necessity and proportionality of the disclosure. For this reason, the AG opined that the amending law failed to provide the required safeguards for data subjects.

On these grounds, the AG opined that the amended law was disproportionate and violated Article 10 GDPR as well as Article 8(2) CFREU.

Holding

TBD


  1. The Commission alleged the violation of Articles 1, 7, 8(2), 11 and 21 CFREU; Article 2 TEU; Article 56 TFEU; Article 3(2) of the Directive on electronic commerce; Articles 16 and 19 of the Services Directive, Article 9(1)(c)(ii) of the AVMS Directive; and Article 10 GDPR.