Summary
On April 3, 2022, Hungary’s ruling Fidesz party won a fourth term in national elections, cementing its dominance with a two-thirds majority that will allow it to continue traveling what critics of the party and many others would describe as the path of centralizing power and rolling back democratic safeguards. International observers characterized the elections as free but raised serious concerns about their fairness. These included blurring the lines between the government and the ruling party in campaigning, which amplified the advantage of the ruling coalition, the absence of a level playing field, and lack of balance in campaign coverage in the press, on television, and on billboards.
Fidesz’s effective control over large sections of the media, undermining the independence of the judiciary and public institutions, and curbing of civil society has received considerable attention from international media and international observers. However, its misuse of people’s personal data, which helped the party reach voters in new, opaque ways, has received relatively little scrutiny. This report examines how data-driven campaigning in Hungary’s 2022 elections exacerbated an already uneven playing field and undermined the right to privacy. It also documents new forms of misuse of personal data collected by the government and used for political campaigning by Fidesz in the 2022 elections.
In recent elections, parties across the political spectrum in Hungary, as in other countries, have invested in data-driven campaigning, including building detailed voter databases, running online petitions and consultations to collect data, purchasing online political ads, deploying chatbots on social media, and conducting direct outreach to voters and supporters through robocalls, bulk SMS messaging, and emails.
Such use and exploitation of data helped to undermine privacy, and the right of Hungarians to participate in democratic elections, which relies on political parties having equality of opportunity to compete for voters’ support. State capture of institutions responsible for administering the elections, ensuring a level electoral playing field, and protecting people’s data has led to selective enforcement of laws that further benefit the ruling party. However, the parties and international observers have paid insufficient attention to how emerging campaigning tactics impact human rights, including the right to privacy.
Privacy is a human right recognized under international and regional human rights treaties. Comprehensive data protection laws are essential for protecting the right to privacy as well as the related freedoms that depend on our ability to make choices about how and with whom we share information about ourselves. International and regional standards also recognize the human right to participate in democratic elections. A level electoral playing field is a necessary condition for the enjoyment of this right. In line with this principle, public resources should not be used to tilt the electoral playing field in one party’s favor.
The report finds that data collected by the state for administering public services, such as registering for the Covid vaccine, administering tax benefits, and mandatory membership in professional associations, was repurposed to spread Fidesz’s campaign messages. Evidence indicates that the government of Hungary has collaborated with the ruling party in the way it has used personal data in political campaigns. This, combined with the severe weakening of the political institutions responsible for safeguarding people’s right to privacy and guaranteeing an even political playing field, raises serious human rights concerns.
This report also investigates how Hungary’s opposition parties used data in their campaigns. Unlike the ruling party, the opposition parties did not have access to broad swaths of voters’ data. Rather they relied on traditional data collection methods (such as in-person and online petitions and signature gathering) as well as the services of private digital campaigning companies and tools provided by social media platforms, in particular Facebook. The opposition parties processing of personal data lacked sufficient transparency and risked undermining privacy but unlike the ruling party there is no evidence that its handling of data created unfairness in the election process.
Data-driven technologies are increasingly becoming the norm in modern political campaigning across many countries and will likely grow as the availability of digital technologies and personal data on voters becomes more prevalent. International election observers, international and Hungarian nongovernmental organizations, and independent journalists have published reports which have raised concerns about Fidesz’s significant influence on local media, lack of independence of judicial institutions, and blurring of resources between state and party resources.
This report seeks to contribute to a growing body of research that situates the use—and misuse—of data in specific political contexts and to surface key human rights concerns around data-driven technologies and political campaigns. It does not assess the efficacy or desirability of the use of data-driven technologies in political campaigns. Nor does it imply that the use—or misuse—of data-driven campaigning was a decisive factor in the outcome of Hungary’s 2022 elections.
Social media platforms also played an important, albeit complex role, in the 2022 elections. On the one hand, online political ads created new opportunities for opposition campaigns to reach voters in an environment from which they are largely shut out of traditional advertising spaces. On the other hand, since domestic laws regulating campaign spending limits are not being applied to online ads, the availability of Facebook advertising in particular has tremendously benefitted Fidesz, which with its outsized resources outspent the opposition.
Platforms, including Facebook—the most widely used platform for online political ads in Hungary—provided a degree of transparency into campaign spending, by offering limited insight into spending on political ads with their ad libraries. However, many of the ways in which platforms allow political parties, including those in Hungary, to target political advertising are inherently opaque. As a result, it is impossible for independent watchdog organizations or regulators to reach a clear conclusion when investigating whether or not the targeting of online political ads was discriminatory in targeting or excluded someone by relying directly or indirectly on sensitive data. The data sharing and profiling involved in advertising targeting generally introduces heightened privacy concerns in an electoral context, and can be used to unduly influence individuals when it comes to political discourse and democratic electoral processes.
Under the United Nations Guiding Principles on Business and Human Rights, private companies have a responsibility to respect the right to privacy and to mitigate and remedy rights abuses, including those that contribute to the undermining of privacy and the right to participate in democratic elections.
The Hungarian government should end the use for electoral campaigns of personal data collected by the government while performing public functions and providing public services, and should guarantee a level playing field around elections. It should rectify the current shortcomings in laws, policies, and practices, including by ensuring the independence of institutions responsible for administering elections and protecting people’s data.
For too long, the European Union (EU) has responded in a muted manner to Hungary’s backtracking on the rule of law, refusing to acknowledge or speak out against the systematic erosion of democratic institutions and human rights. The EU should urgently assess whether the exploitation of personal data collected by the Hungarian government for political campaigning is consistent with EU laws. In particular, it should ensure that EU funds granted to support the digitization of public services in Hungary do not result in or contribute to violations of the EU General Data Protection Regulation and other EU law. The European Commission should bring infringement proceedings against Hungary for any violations of EU law.
Political parties in Hungary should be more transparent concerning how they collect and process voters’ data and demonstrate that they are taking their responsibility to respect people’s privacy seriously.
Social media platforms, which have become the de facto infrastructure of the global public square, should urgently take steps to release adequate information to voters in Hungary and elsewhere on why they are seeing an online political advertisement and which individual, or institution is responsible for placing it, both in advertising libraries and in real time. They should also ensure that ad targeting and delivery are not, indirectly or directly, based on observed or inferred special categories of data, including political opinions.
Failure to take adequate steps to ensure that personal data is not misused by political campaigns risks further eroding human rights, the rule of law, and democracy in Hungary.
While this report focuses on Hungary's unique political landscape around the 2022 election campaigns, the heightened dependence on data in electoral campaigns, and the increased digitization of public services raise serious human rights concerns, such as those documented in this report, in many countries.
Recommendations
To the Government of Hungary
- To guarantee a level playing field around elections, end the use for electoral campaigns of personal data collected by the government while performing public functions or providing public services. This requires respecting purpose limitation, the legal principle that personal data should be collected for a determined, specific, and legitimate purpose.
- Ensure that the legal and institutional frameworks, including Act XXXVI of 2013 on Election Procedure and the administrative and judicial bodies that oversee it, unambiguously prohibit the misuse of administrative resources, including personal data collected from citizens, in order to guarantee a level playing field in election campaigns.
- Ensure that any personal data collected by government agencies and institutions complies with data protection regulations, including purpose limitation, and delete any personal data collected without sufficient purpose limitation, including data that risks being repurposed for political campaigning.
- Broaden the competence of the National Election Commission to empower it to establish whether breaches of the Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information lead to violations of fundamental election principles.
- Adequately resource and ensure full independence of the National Authority for Data Protection and Freedom of Information (NAIH) to enable it to enforce applicable law, including the EU General Data Protection Regulation and Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information, as they apply to political parties and candidates without prejudice.
- Adopt legislation that guarantees that the inclusion of personal data in party supporter databases is based on explicit, specific, fully informed, and freely given consent. In the case of online data collection, the data controller should ensure that a confirmation e-mail is sent to the data subject including information on the legal remedies available in relation to data processing and on further steps that the data subject can take to exercise their data rights (such as data erasure).
- Require the NAIH to have stricter and mandatory oversight over the collection, management, and use of voter data by political parties and candidates for political offices—regardless of their political ideology.
- Ensure that all domestic legislation that applies to political marketing is GDPR-compliant, in particular that people must opt in to have their data used for political marketing, not opt-out.
- Ratify the protocol amending and updating Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data and implement the Council of Europe’s Guidelines on the Protection of Individuals with regard to the Processing of Personal Data by and for Political Campaigns.
- Ensure that an enabling framework is provided for political parties and candidates for political offices—regardless of their political ideology—to enjoy an even playing field, particularly in relation to their ability to access funding and other resources, and to exercise the rights to freedom of expression, including through equitable access to the media. Greater transparency into campaign income and spending, as well as increased independence of the National Election Commission and State Audit Office, are key in this regard.
- Ensure that campaign spending on online political advertisements is factored into campaign finance spending limits. Act XXXVI of 2013 on Election Procedure should be amended to ensure that all advertising activities that aim to influence voter behavior or public policy opinion formation around the elections are included as political advertising, including online political ads. Political parties should be required to report on their spending on online political ads. Furthermore, the SAO should be required to take into account publicly available information from ad libraries published by platforms when auditing campaign expenditures.
- Ensure that public resources are not used to campaign for the ruling party by amending the Act XXXVI of 2013 on Election Procedure to prohibit campaigning activities arising from functions of state entities.
- State institutions, such as the judiciary, election administration bodies, and the data protection authority should be genuinely independent, impartial, and should not be used to further the electoral cause of the ruling party.
- Reform the State Audit Office to ensure its independence and strengthen its ability to audit political parties and candidate spending on campaigns, including online political ads.
- There should be a prohibition on the appointment of a president or vice president of the SAO who is a representative or leader of a political party.
- The SAO should be empowered to uncover and sanction questionable spending by political parties, who tend to underreport expenditure.
- The SAO should keep a public record of the results of the investigation of the reports received.
- During the campaign period, SAO should record an online database campaign spending by parties, including online political ads, containing the sender of the ad, the price of an ad, the amount paid for the ad, its period, link to the ad, and any identifying number. The owner of each platform displaying advertisements should also provide the SAO with similar data for the advertisements published on their platforms.
To European Union Institutions and Member States
- The EU Commission should initiate infringement proceedings against Hungary for the National Authority for Data Protection and Freedom of Information (NAIH) failing to meet the qualifications of an independent supervisory authority as required by Chapter VI of the General Data Protection Regulation.
- The EU Commission should assess whether EU funds used to support the digitization of public services in Hungary resulted in the violation of EU law, including Articles 5, 6, 7, and 9 of the General Data Protection Regulation.
- EU member states should immediately move Article 7 proceedings on Hungary forward, including by adopting specific rule-of-law recommendations and vote to determine that there is a clear risk of a serious breach of the values protected by the EU treaty.
- Adopt a regulation on the transparency and targeting of political advertising that:
- Applies to both ad targeting (how an advertiser determines who they would like to reach) and ad delivery (how the publisher of an ad determines who within the potential audience will actually see the ad).
- Mandates meaningful transparency through ad archives, as well as for live ads that enables audiences, regulators, individuals, and public interest groups to understand the ad targeting and delivery techniques used.
- Bans the targeting and delivery of political ads based on the processing of observed data and inferred data, and places restrictions around special categories of data and non-relevant provided personal data.
- The Commission should elaborate guidance addressed to national data protection authorities and governments to clarify how the GDPR should be applied to political advertising in consultations with experts and affected stakeholders, such as voting rights organizations.
To Hungarian Political Parties
- Ensure that the processing of any personal data of voters is compliant with the data protection principles of proportionality, lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, and security including under EU GDPR standards. Processing should be proportionate in relation to the legitimate purposes of political campaigns, reflecting the rights and freedoms at stake. The collection of personal data on the opinions and preferences of voters should be proportionate to those defined purposes and should not lead to a disproportionate interference with the voter’s interests, rights and freedoms.
- Only process data for clearly stated, legitimate purposes of political campaigning, such as: canvassing political opinions; communicating about policies, events and opportunities for engagement; fundraising; conducting surveys and petitions; communication on political goals and policies via social; media, email and text; engaging in “get-out-the-vote” operations on election day.
- Enable voters to exercise their data rights, including by obtaining on request and without excessive delay or expense, confirmation of the processing of personal data relating to him or her, and access to those data in an intelligible form, including any “score” assigned to them regarding their ideological orientation, as well as the ability to object to the processing of data, to request rectification or erasure, including for political advertising purposes, and to remedy violations of their rights.
- Carry out data protection audits and impact assessments concerning its processing of data for campaigning purposes and communicate findings. Data protection and privacy impact assessments should not only assess the specific impact on an individual voter’s rights but should also consider whether the processing is in the best interests of broader democratic values and the integrity of democratic elections.
- When acting as a coalition, ensure that voters’ data protection rights are respected and that voters are notified and informed about how a coalition group will be using their collected data.
To the National Authority for Data Protection and Freedom of Information (NAIH)
- Periodically and on the basis of a publicly accessible audit plan published in advance, investigate the data management practices of all political parties, without prejudice, regarding the personal data of their supporters. The findings of the investigation should be concluded and made public before the next elections.
To Local and International Election Observers, including from the Organization for Security and Co-operation in Europe
- Integrate privacy and data protection into election observation methodology and operationalize this monitoring in the election observation process.
To Meta
- Provide users with meaningful transparency on why they are seeing ads on Facebook and Instagram, and which individual or institution is responsible for placing it, so that they can sufficiently understand the ad targeting and delivery techniques used.
- Provide users with adequate information on how they can avoid being targeted with political ads on Facebook and Instagram.
- Provide users with information on any targeting or delivery criteria used in the dissemination of the political ads shown to them.
- Ensure that ad targeting and delivering are not, indirectly or directly, based on observed or inferred special categories of data, including political opinions.
To Digital Campaigning Companies
- Ensure that any services provided to political parties or campaigns are compliant with the data protection principles of proportionality, lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, and security, recognizing the heightened privacy concerns in an electoral context.
Methodology
Based on research conducted between November 2021 and August 2022, this report documents how data-driven political campaigning in Hungary’s April 3, 2022, elections contributed to an already uneven playing field, with the ruling party enjoying undue advantage, and undermining the right to privacy and other rights. This report relies on a combination of desk research, interviews with experts and with people whose data was misused, and technical analysis.
In researching the report, Human Rights Watch analyzed court decisions and decisions from the data protection authority, reports by human rights organizations and legal aid service providers, election observation missions, academic articles, and media reports. Desk research informed the report’s understanding of the use of data in previous Hungarian elections, Hungary’s legal, political, and electoral framework, and the broader state of human rights and the rule of law in Hungary.
Between September 2021 and June 2022, Human Rights Watch interviewed 35 people, both inside and outside of Hungary, including experts on the rule of law, privacy and data protection, election integrity, and media freedom, as well as journalists, political consultants, and representatives of political parties and companies involved in data-driven campaigning in the April 2022 elections. Human Rights Watch interviewed 9 people whose data was misused in by political campaigns: 5 in person, and 4 over the phone.
All interviewees freely consented to the interviews, and Human Rights Watch explained to them the purpose of the interview and did not offer any remuneration. Human Rights Watch also explained to them that they could stop the interview at any time and decline to answer any question. All interviews were conducted in English or Hungarian with interpretation into English and covered a range of topics related to unsolicited and/or unwanted communications from political campaigns. The interpreter was identified by a Hungarian speaking staff member and interviewees were identified the others with the help of a Hungarian civil rights organization. The average length of each interview was approximately one hour.
The names of most people reporting misuse of their data interviewed for this report have been replaced with pseudonyms to protect their privacy and to protect against reprisal. These pseudonyms are indicated clearly as such with quotation marks on the first use. When real names of interviewees are used, Human Rights Watch obtained informed consent after discussing the potential risks.
The interviews with affected voters are presented as case studies, giving insight into the experiences of Hungarian voters and contributing evidence of the abuses documented. Interviews with experts informed the report’s understanding of the use of data in previous Hungarian elections, Hungary’s legal, political, and electoral framework, and the broader state of human rights and the rule of law in Hungary.
In April 2022 Human Rights Watch wrote to all major political parties and campaigns to request interviews. Human Rights Watch interviewed 5 political parties in May 2022 in person. All interviews were conducted in English or Hungarian with interpretation into English and covered a range of topics related to the party or campaign’s approach to data-driven campaigning, the importance of data-driven campaigning and online political ads in Hungarian elections, efforts taken to protect personal data collected and processed on voters. The average length of each interview was approximately one hour.
Right of Reply
Human Rights Watch sent follow-up letters to all major political parties in August and September 2022 to request additional information and to provide them with the right to reply. Three parties and campaigns responded, and 6 have not at time of writing. Human Rights Watch also wrote to companies implicated in the report between August and October 2022, and to relevant government institutions, including the National Election Commission (NEC), the National Authority for Data Protection and Freedom of Information (NAIH), and the State Audit Office (SAO) in October 2022. Their responses are incorporated into the report.
In November 2022, Human Rights Watch shared the main findings of this report with the Office of the Prime Minister of Hungary. We sought answers to specific questions, including concerning the government’s use of personal data in political campaigning and measures it has taken to ensure an equal electoral playing field and the full independence of relevant institutions. The officials have not responded to our letters at time of writing.
Technical Analysis of Websites
To understand how political parties and campaigns’ websites handle their users’ data, including potentially for campaign purposes, Human Rights Watch used Blacklight, a real-time website privacy inspector built by Surya Mattu, former senior data engineer and investigative data journalist at The Markup, a nonprofit newsroom that investigates how powerful institutions are using technology to change society.[1] The methodology Human Rights Watch used to conduct technical analysis of political parties and campaigns’ websites is described in detail in Section IV, “Website tracking by political parties.”Selection of Political Parties and Campaigns
The report focuses on the use of data-driven political campaigning by the main political forces contending in the 2022 elections. It includes the ruling coalition (made up of Fidesz and the Christian Democratic People's Party) and the six parties and political movement that comprised the joint opposition (United for Hungary)[2], and excludes smaller parties.
Selection of Data-Driven Campaigning Techniques
This report focuses on the data-driven campaign techniques that were most prevalent in political campaigns in Hungary’s 2022 elections. These include:
- Building and management of databases on voters, including the collection of personal data on voters and their political preferences
- Direct outreach to voters through email, SMS, and robocalls
- Online political advertising through social media platforms, in particular, Facebook
Human Rights Watch is aware of data protection abuses associated with so-called “business” or “fake” parties. In Hungary, candidates need to collect at least 500 supportive signatures in order to run a candidate for election,[3] and therefore, benefit from state subsidy for their campaigns.[4] These “business” or “fake” parties are alleged to have stolen personal data from various sources and copied them to the supportive sheets. Since these are not directly related to the main political blocs, they fall outside of the scope of this report.
Limitations
This report covers the use of databases and technical systems to which Human Rights Watch did not have direct access. As a result, the research relied on the following: examining and verifying campaign messages (primarily through interviews and reviewing screenshots); interviewing and writing to political parties and campaigns; relying on reports from whistleblowers and investigative journalists; reviewing analysis of publicly available data on online political ads placed on Facebook, conducting technical analysis of the websites of political parties and campaigns; and reviewing privacy policies of political parties and campaigns.
This methodology comes with certain limitations. Since Human Rights Watch did not have access to the underlying voter databases on which parties relied for their campaigns, the report is not able to independently verify what personal data on voters they contain. Because the research’s findings in part rely on responses from political parties and campaigns, it contains more information and insight into those that were more forthcoming. Since members of the United for Hungary coalition were more responsive to Human Rights Watch’s inquiries than Fidesz-KDNP, the report contains more detailed findings on some aspects of their campaigns.
Additionally, affected voters who came forward hesitated in sharing their personal experiences because they felt that what happened to them was happening at a widespread level and experienced a sense of resignation. Therefore, the interviews function as case studies or testimonies and do not aim to be representative or scale of abuses experienced.
Finally, Blacklight’s analysis is limited by the fact that the simulation may trigger different responses from the website under examination because it is a simulation of user behavior, not actual user behavior. Additionally, Blacklight’s analysis may include false negatives, it does not determine intent of collection, or how the data were used, and its results are only indicative of the test that was run at that point in time, under your simulated conditions. So, the results can vary for different people, or even for the same user across time. A detailed discussion of these technical limitations can be found in Blacklight’s methodology available online.[5]
I. Background
Hungary held national elections on April 3, 2022, which resulted in a decisive victory by the ruling party Fidesz (the Hungarian Civic Alliance), and a fourth term for prime minister Viktor Orbán, but there were serious concerns about the fairness of the elections.[6] An election monitoring mission from the Office for Democratic Institutions and Human Rights (ODIHR) of the Organization for Security and Co-operation in Europe (OSCE),[7] on April 4, 2022 noted a number of concerns in the lead-up to elections. They included blurring the lines between the government and the ruling party in campaigning, amplifying the advantage of the ruling coalition; the absence of a level playing field, and lack of balance in campaign coverage in the press, on television, and on billboards.[8]
The country’s main opposition parties put aside their differences to run as a united front against Fidesz and its coalition partner, the Christian Democratic People’s Party (KDNP). Changes to the electoral law in 2020 in effect forced opposition parties to join in running a single national list against Fidesz in order to meet the new minimum requirements.[9]
For the first time, Hungarian opposition parties decided to organize a “pre-election” to select a prime ministerial candidate and to select common candidates for single-member districts around which they could form a unified coalition in the parliamentary elections. The first round of the pre-election was held from September 12 to 27, 2021, and the second round from October 10 to 16, 2021.
The opposition coalition made up of the Democratic Coalition (Demokratikus Koalíció or DK), Jobbik (Jobbik Magyarországért Mozgalom), Momentum (Mozgalom Momentum), Hungarian Socialist Party (Magyar Szocialista Párt or MSZP), the Green Party (Magyarország Zöld Pártja or LMP), and Dialogue for Hungary (Párbeszéd Magyarországért), collectively became known as Egységben Magyarországért, or United for Hungary. The opposition candidate for prime minister, Péter Márki-Zay, came from a seventh entity, Mindenki Magyarországa Mozgalom (Everybody for Hungary Movement, or MMM), which joined efforts with United for Hungary.
Data as a Political Asset
Digital technologies have transformed key components of electoral and democratic processes, including campaigning by political parties. Personal data can be understood as a political asset. Political parties are creating their own datasets for two primary reasons: as political intelligence – to help inform campaign strategies and test and adapt campaign messaging – and as political influence.[10]
Data-driven campaigning consists of not just online political ads, but different ways in which personal data is used in efforts to understand, engage, and influence citizens in political campaigns.[11] For example, political campaigns build and maintain voter databases of personal data to help them gain insight into their base and potential new supporters, to learn what motivates voters, and to tailor messages to what they want to hear. They collect personal data on potential voters through canvassing, in-person and online petitions, polls, and events in order to expand their databases to stay in touch with supporters and mobilize them to vote on election day. Data-driven campaigning can facilitate new ways to reach potential supporters, such as through bulk SMS, email, phone calls, and social media. Political parties also make use of private platforms, like Facebook and Instagram, and data brokers to help them profile and target new supporters with political advertising.
Data Protection and Political Campaigning in Hungary
Privacy is a human right, as recognized by international and regional human rights treaties to which Hungary is party.[12] Privacy is also protected by Hungarian law.[13]
Comprehensive data protection laws are essential for protecting human rights – most obviously, the right to privacy, but also many related freedoms, such as freedom of opinion, expression, association, and assembly, that depend on people’s ability to make choices about how and with whom they share information about themselves.[14] Hungary is bound by the European Union General Data Protection Regulation (GDPR),[15] one of the strongest and most comprehensive attempts globally to regulate the collection and use of personal data by both governments and the private sector.[16] The processing of personal data in Hungary is regulated by Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information, as amended by Act XXXVIII of 2018 to implement the GDPR. [17]
Hungary is also party to the Council of Europe’s Convention 108, for the Protection of Individuals with regard to Automatic Processing of Personal Data[18] and a signatory to the 2018 protocol updating the Convention,[19] which is commonly referred to as Convention 108+. The Consultative Committee of Convention 108+ developed Guidelines on the Protection of Individuals with regard to the Processing of Personal Data by and for Political Campaigns to provide practical advice to supervisory authorities, regulators and political organizations about how the processing of personal data for political campaigning should comply with Convention 108+.[20] They offer a framework through which individual data protection authorities, and other regulators, may provide more precise guidance tailored to the unique political, institutional and cultural conditions of their own democratic states.
Hungary does not have specific legislation regulating the use of personal data in electoral campaigns or by political parties. However, data protection law applies and has always applied, to the personal data processed by the organizations involved in political campaigning – including the political parties, their candidates, and the various data brokers, voter analytical companies, platforms, advertising and other companies that might process personal data on their behalf.[21] The GDPR and Hungary’s Act on the Right to Informational Self-Determination and Freedom of Information govern the protection of personal data, including tighter regulation of special categories of sensitive data, including information revealing someone’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.[22]
Additional non-data protection-specific laws are relevant to the use of data by political campaigns. For example, Section 149 of the Act XXXVI of 2013 on Election Procedure provides that the use of voter data, such as phone number and email address, to deliver election campaign materials directly to the voter requires explicit consent.[23] Under Section 89 of the same act, voters can request that their personal information in the voter registry (name and address) not be disclosed to political parties for campaign purposes.[24]
The E-Commerce Act[25] and the act on Electronic Communications (E-Comms) Act[26] are relevant to political marketing. The E-Commerce Act regulates the use of email addresses and SMSs, and the E-Comms act regulates phone calls (whether automated or not, using either randomly generated numbers or not). Receiving SMSs, emails and automated phone calls requires prior consent (opt-in), including by political campaigns, according to the E-Commerce and E-Comms acts, respectively. Receiving "live" phone calls, however, works under an opt-out regime, where users are by default listed in a "phone book" (either physical or digital), unless they request not to be listed or labeled as a person who would not like to receive advertisement despite their number being public.
Misuse of Data in Previous Hungarian Elections
In previous elections, the Hungarian Civil Liberties Union (HCLU), one of the country’s leading human rights NGOs, documented data protection violations, abuses, and irregularities with respect to the use of personal data by Fidesz in its electoral campaigns.[27] For example, in the 2019 European Parliament and municipal elections, the HCLU observed data protection violations it attributed to the construction and mobilization activities of the parties' databases, as well as to a specific public opinion
research company.
In 2020, a client of the HCLU won a lawsuit against Fidesz for the illegal handling of his data during the 2019 municipal elections.[28] The client claimed that he never gave his contact details to the party, yet Fidesz sent him campaign materials via email. Fidesz could not prove that it had obtained the data legally.
According to the HCLU, the Regional Court of Appeal’s verdict proved that Fidesz processed personal data illegally for the purpose of political marketing. Assuming this was not an individual case, the HCLU initiated a request for a comprehensive investigation of Fidesz's data management for political marketing purposes at the National Authority for Data Protection and Freedom of Information (NAIH). According to the information provided by the NAIH, the investigation of Fidesz's data management was already underway based on the request of other notifiers, who objected to the lawfulness of the data processing of the Fidesz-Hungarian Civic Alliance.[29]
Case Study: Fidesz’s Voter DatabaseFidesz, according to experts Human Rights Watch interviewed, has been known to maintain a database on voters for several years, with some independent media dating its existence back to 2004.[30] The database is commonly known as the “Kubatov list,” named after Fidesz’s party director Gábor Kubatov. Fidesz does not deny the existence of the database, but refers to it as a register of sympathizers and claims it is legal.[31] Efforts by the NAIH to investigate it have sidestepped the crucial question of whether the collection of storing data on voters’ preferences over time is illegal. In December 2012, a whistleblower named Gergely Tomanovics (who went by the pseudonym Gery Greyhound) made public[32] a 2009 video[33] produced by Fidesz, which explained how the Kubatov list system works at the campaign level. Tomanovics reportedly worked for Fidesz for years, making campaign videos. A 2018 Facebook video uploaded by Csaba Bartók,[34] the president of Fidesz in Szeged, a major Hungarian city in the south of the country, captures an online version of the Kubatov list, which includes the names, phone numbers and other information on Fidesz supporters. Journalists from 444.hu were able to capture the URL[35] and access the login screen (accessible through the WebArchive in August 2018[36] and November 2018[37]). But the site was either migrated to another domain or taken offline following the news report. The database reportedly includes detailed information on voters that goes beyond what is included in the country’s national voter registry, which includes basic voter information, like the name, date, address, and personal identifier of the voter.[38] According to experts interviewed by Human Rights Watch, while the content of the database has not been made public, its purpose is to collect information about the political views of the population in general and to determine whether each citizen supports Fidesz or not.[39] Party activists reportedly visit people’s homes, going door-to-door, and assign voters loyalty scores to Fidesz to help the party predict their behavior on election day, including whether they are likely to vote for the ruling party. [40] Below is a translation of the scores assigned to voters as reported by multiple Hungarian news outlets.[41] · T (support), · E (rejects), · B (uncertain), · N (not at home), · R (wrong address), · G (other), · M (disabled), · H (deceased), · K (moved). According to experts interviewed by Human Rights Watch and independent media, the database enables Fidesz to have detailed insights into the electorate[42] and when elections come, Fidesz sends each constituency the part of the database they can work with specific target numbers of voters to mobilize.[43] A key question concerning the Kubatov list is whether it contains data collected by Fidesz on their sympathizers with consent, or on the electorate more broadly, including those who did not consent.[44] According to the HCLU, the existence of a database that collects information on voter preferences without their knowledge or consent may undermine principles of fairness of the election and equal opportunities for candidates and nominating organizations required by the Act on the Election Procedure.[45] In addition to collecting information on voters’ political views through door-to-door canvassing, Fidesz also reportedly collects information on voters through “national consultations” and petitions. According to the Hungarian Helsinki Commission, a “national consultation” is a method introduced by Fidesz, by which the government sends out questionnaires with multiple-choice answers to citizens.[46] It is not equal to a referendum or a popular initiative, there is no participation requirement attached to it, and its result is not binding for the government. These are often conducted ahead of elections[47] and are viewed by experts as a way to collect information on voters to refresh and update the Kubatov list ahead of the polls.[48] Officially, the national consultations are conducted by the prime minister’s office, but as in many other areas, the line between state and party resources and activity is blurry. Tamas Bodoky, editor-in-chief of the investigative journalism outlet Átlátszó, told Human Rights Watch, “Fidesz is mixing state resources and state functions with party resources and party functions, so I would not be very surprised if they used the national consultation or other state databases to amend the party database.”[49] Previous national consultations have raised data protection concerns. In June 2011, the former Data Protection Commissioner issued a statement concluding that the protection of personal data was not ensured in the course of the data management related to the national consultation launched in May 2011 and, therefore, the questionnaires shall be destroyed after the responses have been recorded.[50] In this national consultation questionnaires were sent out with individual bar codes, which were unique and could be linked back to the recipient, both for those who did and did not respond.[51] Once the NAIH took over the position of the Data Protection Commissioner in 2012, the NAIH announced that it did not agree with the original decision of the Data Protection Commissioner and would issue a new decision. Finally, in July 2012, the questionnaires were destroyed. However, the former Data Protection Commissioner claimed that, according to his decision, the electronic database containing the personal data of those citizens who provided a response should have also been destroyed, but this did not happen.[52] Human Rights Watch could not independently verify whether national consultations fed into the database, but the allegation was stated consistently in multiple interviews with experts. In 2020, following a complaint by an independent member of parliament Ákos Hadházy, the NAIH launched an investigation into the Kubatov list.[53] The NAIH finished its investigation in December 2020. The NAIH found that Fidesz did not provide the data subjects with information that fully complies with the requirements of the GDPR during data management in connection with the periodic register related to the assessment of the intention to participate in the elections and directed Fidesz to make some adjustments in its data handling.[54] For example, the NAIH recommended that Fidesz increase the font size of the privacy notice on its signature collection forms to improve legibility, establish a procedure to objectively verify the deletion of all personal data contained in the periodic register of electoral intentions, and establish appropriate internal procedures and internal rules to ensure and facilitate the exercise of data subjects' rights.[55] However, according to Adam Remport, Legal Officer for the Hungarian Civil Liberties Union’s Privacy Project, “the [data protection authority] circumvented the main issue of collecting data on data subjects' political allegiances (at least on whether they are supportive of the governing party or not); the DPA only instructed Fidesz to give proper notification before collecting such data, but did not investigate the systematic mapping of voters’ political affiliation.”[56] Miklos Ligeti, Head of Legal Affairs for Transparency International- Hungary told Human Rights Watch that profiling voters based on their political preferences without obtaining valid consent is unlawful. Basic information on voters in order to get out the vote should be deleted after the elections, not retained for years.[57] |
Media reported that the opposition also engaged in data-driven campaigning around the 2019 elections. In particular its use of the digital campaigning company Datadat came under scrutiny. Datadat was founded by former government members ex-Prime Minister Gordon Bajnai, former Minister for Intelligence Ádám Ficsor, campaign strategist Viktor Szigetvári, and sociologist Tibor Dessewffy. Szigetvari, managing director of Datadat, told Human Rights Watch that the company “imagines itself as a progressive value aligned digital software as a service and consultancy company…[that does] data management [and] database building. We are experts of e-mail programs in a sense of how to design your e-mail plan until the day of election or in peacetime between actions. How to design your messenger game. How to [carry out] a fundraising program. How to enhance your database and reach your datasets and variables.”[58] Szigetvári stressed that they work in a GDPR-compliant way. The company has worked with multiple parties in Hungary on the opposition side, as well as municipal candidates. It has also worked in Romania, Italy, and other countries, according to Szigetvári.
According to the independent news outlet Átlátszó, which published an investigative piece on Datadat in 2020, the company ran a Facebook ad campaign that contributed to the electoral successes for the united opposition in the 2019 municipal elections.[59] The elections, in which the opposition had limited resources in the face of overwhelming political, financial, and media superiority by Fidesz, resulted in surprise wins for opposition groups in Budapest and several other large cities. Átlátszó reported that Datadat was responsible for targeting the Facebook ads of EzaLényeg, a newly established news site, whose reporting included carefully crafted and targeted messages aiming to resonate with various electoral groups. Átlátszó also reported that several DK candidates listed Datadat as their data processor.
The online news portal 24.hu reported that Datadat’s chatbot[60] allows campaigns that use it to record responses from users, enabling them to see what voters think about certain issues, how important these issues are to them, using more subtle methods than traditional political fault lines. In this way, political messages can be targeted very precisely and parties can also build a community with it.[61] Datadat declined to comment on 24.hu's report when Human Rights Watch reached out to them.
Rule of Law and Human Rights in Hungary
Fidesz’s victory can in part be attributed to an uneven playing field enabled by the hollowing out of democratic institutions since Orbán returned to power in 2010.[62] Successive Orbán governments undermined the independence of the judiciary, hijacked public institutions, concentrated the media landscape and subjected it to government control,[63] criminalized activities by civil society organizations,[64] harassed independent journalists,[65] and demonized vulnerable groups and minorities, in particular migrants, refugees, and LGBT people.[66] The Fidesz-KDNP majority has also tinkered with the electoral laws to serve its own interests, which allows them to rule with a majority in parliament, and thereby continue gutting Hungary’s democracy.[67] Government influence over key institutions has contributed to an uneven playing field, which gives the ruling party overwhelming superiority in its ability to campaign and impunity for its violations and abuses of national law and international human rights standards.
In 2018, the European Parliament voted to trigger the article 7 process to hold Hungary accountable for actions that threaten the rule of law, human rights, and democratic principles. Since the procedure was opened, EU member states have regularly scrutinized and debated the rule of law situation in the country but have fallen short of taking additional steps under the procedure. In September 2022, the European Parliament adopted a follow-up text to update its areas of concerns and press the EU Council to act, stating that there is growing consensus that “Hungary is no longer a democracy.”[68] On September 18, 2022, the European Commission recommended suspending around 7.5 billion euros in funding to Hungary under its Rule of Law Conditionality mechanism, citing corruption and breaches of EU rule of law standards.[69] EU member states are expected to vote on this proposal by December 2022.
Since 2020, Orbán’s government has declared two “states of danger” a special legal order granting overwhelming power to the executive to rule by decree. The first was in March 2020 in the context of the Covid-19 pandemic and extended in December 2020 and June 2021.[70] Under the special legal order, government may suspend application of acts of parliament, derogate from provisions of acts, and take other extraordinary measures. Since March 2020, the government issued over 250 decrees, most, but not all of them, related to the pandemic. On May 25, Hungary’s ruling party pushed through parliament a constitutional amendment allowing the government to declare a “state of danger” in the event of armed conflict or humanitarian disaster in a neighboring country.[71] Immediately, Prime Minister Orbán declared a second state of danger, citing the war in Ukraine. The state of danger gives Orbán sweeping powers to rule by decree, sidestep parliamentary debate, and suspend laws at short notice with very limited to no judicial oversight.
National Authority for Data Protection and Freedom of Information (NAIH)
The National Authority for Data Protection and Freedom of Information (NAIH) is the public authority responsible for monitoring and enforcing the rights to the protection of personal data and freedom of information. The NAIH’s head is chosen by the prime minister and appointed by the president. The president has a purely ceremonial role and can only deny nominees under very narrow conditions.[72]
When faced with complaints that implicate government abuse of personal data, the NAIH has demonstrated that it is not always willing or able to act as an independent authority. For example, its credibility was marred by its investigation into the use of Pegasus spyware by the Hungarian authorities targeting journalists, lawyers, politicians and other public figures.[73] The NAIH concluded on January 31, 2022, that there was no “information indicating that the persons requesting and conducting the surveillance had violated any laws or regulations, ... as the spy software can be used on the grounds of national security risk”.[74] The NAIH then went on to investigate one of the investigative journalists, Szabolcs Panyi, who broke the story and was himself confirmed to be targeted with Pegasus because of his reporting on Pegasus following a complaint by an intelligence officer who was likely the spyware's operator.[75] After four months, the NAIH determined that the investigation against Panyi was unfounded, and the proceedings against him were terminated.
“The data protection authority [NAIH] is normally strict on data protection, but in politically sensitive cases the NAIH President does not challenge the interests of the government parties. However, it has spoken up in smaller cases against opposition parties. At the same time, in his capacity as the institution responsible for the enforcement of the right to freedom of information, he has made statements that are critical of the government,” Sandor Lederer, co-founder and director of K-Monitor, a non-profit public funds watchdog based in Budapest, told Human Rights Watch.[76]
With regard to election-related data protection abuses, the NAIH has conducted itself in a selective manner, subjecting opposition parties to close scrutiny. For example, in a positive step, in February 2021 the NAIH issued extensive guidance on data protection requirements concerning the processing of personal data by political parties and organizations. [77] However, its enforcement has mainly focused on opposition parties and when it came to credible allegations of Fidesz’s maintaining a database of voters’ personal data containing their political views, the NAIH failed to adequately investigate. (See Case Study: Fidesz’s voter database)
On May 4, 2020, the government published a decree limiting the exercise of certain rights and measures under the GDPR “in order to prevent, identify and detect coronavirus cases, as well as prevent its spread, including the organization of the coordinated performance of tasks by the public bodies in relation to this”.[78] The Data Protection Decree (179/2020 V.4) suspended some articles of the GDPR on the processing of personal data “in order to prevent, identify and detect coronavirus cases, as well as prevent its spread, including the organization of the coordinated performance of tasks by the public bodies in relation to this.” [79] This replaced the strict notification requirements, by which public bodies are obliged to notify individuals when collecting their personal data, with general information simply published electronically on purpose and scope of processing.
The suspension of aspects of GDPR drew criticism from the Chair of the European Data Protection Board,[80] and was characterized by civil society as disproportionate, unjustified, and potentially harmful to the public’s response to fight the virus.[81] An independent legal opinion found that the Data Protection Decree is inconsistent with the GDPR, and thus contrary to EU law, and likely to give rise to breaches of the Charter.[82] The Data Protection Decree was no longer in force as of June 18, 2020, when the first “state of danger” was terminated, and the GDPR-related suspensions contained in 179/2020 V.4 were not reintroduced when the subsequent “state of danger” was declared in November 2020.[83] The International Commission of Jurists described these measures as “contrary to the [GDPR] and arguably fall short of the legitimate purpose and necessity requirements for emergency measures to comply with international law”.[84]
In response to Human Rights Watch’s questions about the NAIH’s independence, the NAIH President expressed his confidence that the NAIH’s activities fully comply with the independence requirements of international and EU law, as well as the Hungarian Constitution, and noted that there has been no finding from a forum relevant in this regard refuting this. It also cited a 2012 Venice Commission report without addressing that report’s conclusion that the mode of designation of the President of the NAIH “which entirely excludes the Parliament, does not offer sufficient guarantees of independence.”[85]
Media Environment
Hungary’s media landscape is now largely controlled directly or indirectly by Orbán and his government.[86] Since coming into power in 2010, Orbán’s government has amended media laws to ensure that it controlled appointments to the main media regulatory body and introduced vague content restrictions with the possibility of high fines, all of which has had a chilling effect on press freedom.[87] Between 2011 and 2016, in five waves of dismissals, the state broadcaster, closely linked to the government, fired over 1,600 employees, including journalists who were not willing to toe the government line.[88]
The editors-in-chief of Origo and Index, two major independent media outlets at the time, were fired, in 2014 and 2020, respectively. The two publications have since adopted a pro-government editorial line.[89] In 2016, Hungary’s biggest opposition daily, Nepszabadsag, was shut down.[90] The closure followed publication of a series of articles that exposed incriminating details of alleged public sector corruption involving some of Orbán’s closest colleagues.
The 2018 merger of more than 400 media outlets into one nonprofit conglomerate loyal to the government, sidestepping competition laws, ended media pluralism in the country.[91] According to data from the Mérték Institute, an independent Hungarian media monitoring project, from 2019, 79 percent of the media was concentrated in pro-Fidesz hands.[92]
In the context of elections, the government’s domination of the media means that Fidesz overwhelmingly enjoys superiority in favorable coverage. The opposition has little opportunity to get its message out. The OSCE election observation mission found:
“The pervasive bias in the news and current-affairs programs of the majority of broadcasters […] combined with extensive government advertising campaigns provided the ruling party with an undue advantage. This deprived voter of the possibility to receive accurate and impartial information about the main contestants, thus limiting their opportunity to make an informed choice”. [93]
The OSCE election observation mission’s final report added that coverage on some public and government-affiliated private media displayed a clear bias in favor of the government and Fidesz, and “[a]s a rule…lacked any clear distinction between coverage of the government and the ruling party”.[94]
Judiciary
Over its 12 years in power, the Orbán government introduced a series of legal and constitutional changes that have limited the independence of the judiciary and interfered with the administration of the courts.[95] For example, it has packed the Constitutional Court with its preferred justices, forced 400 judges into retirement, and imposed limitations on the Constitutional Court’s ability to review laws and complaints.[96] According to Amnesty International Hungary, between 2010 and 2020, the government took several steps that amount to a systemic attack against the independence of Hungary’s judicial institutions.[97] The National Judicial Office (NJO) responsible for the administration of the courts and overseeing judicial appointments, continues to undermine the independence of the judiciary. The European Commission and the Venice Commission of the Council of Europe have said the head of the NJO, a political appointee, holds too much power and is subject to too few checks and balances.[98] There is also concern about nepotism, as relatively unqualified friends and family of well-connected politicians are appointed to senior posts in the court system. A recent investigation by the Hungarian Helsinki Committee found that the President of the Kúria, Hungary’s supreme court, accelerated the executive’s take-over of the judiciary.[99]
According to Áron Demeter, program director at Amnesty International Hungary, “If you go against the government or your case interferes with political goals, there is definitely a chance that [the government] can put either formal or informal pressure on the court.”[100]
National Election Commission
Authorities charged with overseeing the administration and integrity of the elections, such as the National Election Commission (NEC), are dominated by appointees of the ruling majority.[101] According to the OSCE’s election report, half of the filed complaints and appeals were denied consideration by the NEC on technical grounds, and some dismissals on merit lacked necessary examination or sound reasoning. While some election disputes were adequately resolved, the handling of most cases by the adjudicating bodies fell short of providing effective legal remedy, contrary to OSCE commitments. The NEC also issued fines against CSOs that had encouraged voters through social media and online websites to invalidate their ballots on the anti-LGBT rights referendum.[102] All of the complaints against government-linked bodies or the ruling party were among those the NEC rejected.[103] Almost all of the cases in which the NEC found violations had unknown violators but were linked to the opposition.
In a letter to Human Rights Watch, the President of the NEC said that the OSCE’s report lacked specifics concerning questions about its independence and clarified the process for electing and delegating its members. The NEC President also defended the NEC’s dismissal of the requests for legal remedies in all cases as being in compliance with the legal requirements and pointed out that it was also possible to appeal to the Court of Appeals with a review request against the decisions of the NEC, which the parties involved made use of in many cases.[104]
State Audit Office
The State Audit Office (SAO) is mandated to oversee the accountability of the use of public funds and audit political parties.[105] It has the power to verify the information submitted to it but has been unwilling to fully exercise its investigative capacity to ascertain actual campaign spending.[106] Campaign finance regulations are vague and do not require parties to report in enough detail to provide meaningful insight into their finances.[107] The regulations do not define what content the reports parties and campaigns are required to submit must include, so they sometimes only include a few lines saying how much money was spent.[108]
The OSCE characterizes the SAO as falling short of international standards related to the oversight of campaign finance. Its report also notes that the SAO has a track record of identifying irregularities primarily in the finances of opposition parties and that between 2010 and July 2022, the SAO was headed by a former MP and deputy leader of the Fidesz parliamentary faction, who resigned from his political positions after his appointment to the SAO. [109] These concerns were compounded by the absence of legal processes to contest the SAO’s findings and conclusions.[110] In a letter to Human Rights Watch, the President of the SAO wrote that the SAO "has fully complied and will continue to comply with its statutory audit obligations regarding the audit of election campaign expenditures” and that in carrying out its audits it “acts in accordance with the law, the audit programme, the professional rules and methods of auditing and ethical standards”.[111]
Hungarian civil society organizations have documented how the SAO has for decades been underusing its powers and has proven incapable to uncover and sanction questionable spending by political parties, who tend to underreport expenditure.[112] They have also documented a pattern of the SAO imposing excessive fines on opposition parties, which is seen by many as the misuse of powers.[113]
In a letter to Human Rights Watch, the SAO clarified that while “political advertising on social media is a campaign tool not specified in the Act on Election Procedure … its use during the campaign period is considered campaign activity” because it is capable of influencing or attempting to influence the will of voters. As such, “candidates and nominating parties participating in parliamentary elections have an even higher responsibility to account for political advertising on social media, therefore the provisions relevant to campaign spending activity of the Act on Election Procedure also apply to content published on social media during the campaign period”, according to the SAO.[114] However, effectively, campaign spending on online political ads does not factor into official accounting for campaign expenditures unless parties proactively report it to the SAO.
II. Fidesz and Government Misuse/Abuse of Personal Data in the 2022 Elections
As in previous years, the Kubatov list was reportedly used in the 2022 elections. The investigative journalism non-profit Direkt36 reported in March 2022 that possessing an up-to-date database with their own voters remained a central element of Fidesz’s election strategy for the 2022 national elections. A government official told Direkt36, “There is a huge belief in the management of Fidesz that in the end, that is all that matters. On the day of the elections, you have to stand there in the door until you convince citizens to go to vote.” The source added that Fidesz put a lot of energy into updating the list and this year Fidesz activists will follow on tablets which doors there are still to knock on and just like food couriers they would “always just receive the next name and address.”[115]
In 2018, the independent news outlet 444.hu also reported that some Fidesz party supporters canvassed with iPads distributed by the party, which served the dual purpose of providing an up-to-the-minute update of the Kubatov list and making it possible to check whether the canvasser actually visited the address assigned to them on the list.[116] Human Rights Watch was not able to independently confirm what software or application Fidesz may be supporting the Kubatov list, but the fact that iPads and tablets may have been given some form of access to the list, or parts of the list, raises question about data security.
In its December 1, 2022, response to Human Rights Watch, the Hungarian government denied it has misused personal data for political purposes leading up to the 2022 elections, in particular claiming people agreed to be contacted by the government when they signed up for a newsletter on the vaccine registration website and that the government did not violate regulations on sending unsolicited SMS/Automated calls.
Unwanted Calls and Messaging
Voters told Human Rights Watch they were bombarded with political campaign messages through email, SMS, robocalls, and online political ads, in addition to traditional forms of campaigning. Some were outraged by the unsolicited campaign messages and propaganda from the ruling party that they received as a result of signing up for public services, like registering for a Covid vaccination, applying for tax benefits, or joining a professional association.
The HCLU reported that several people turned to them for legal help during the 2022 election period.[117] The HCLU said as of August 2022, the organization received between 40 and 50 election-related data protection complaints for the 2022 election cycle. As in previous years, complaints included unsolicited phone calls from political campaigns encouraging them to vote. The NEC received at least 18 complaints alleging campaign calls and SMSs to citizens by political parties.[118] The NAIH told Human Rights Watch that it received several notifications (without specifying the number) from people who complained about receiving unwanted SMS messages in support of Fidesz, and that it launched an official investigation, which is ongoing at time of writing. The NAIH also said it received two complaints objecting to unwanted campaign calls from the ruling party, one of which is under investigation at time of writing.[119]
Human Rights Watch was not able to determine how widespread this phenomenon was. Of the nine people who shared their experiences with Human Rights Watch concerning misuse of their data, four said they received unwanted phone calls and text messages from Fidesz encouraging them to vote for the party on election day, without recalling that they have provided their phone numbers for campaigning purposes. The fact that it was documented in previous years suggests these are not isolated incidents.
Case Study: Unwanted Calls from FideszAlex B., a 27-year-old male voter from Szeged, told Human Rights Watch that he received multiple phone calls on his mobile phone from three different phone numbers with a recorded message from a Fidesz candidate encouraging him to support the candidate by going out and voting on election day and also to remember the achievements of Fidesz.[120] He checked the numbers displayed on his mobile phone when he received the calls, and put them through the telecom registry, which showed that all three were registered to Fidesz. Alex B. also received three text messages on election day from Fidesz urging him to vote for Fidesz, asserting that the opposition candidate would drive the country to war, and that only Fidesz can preserve the peace and security of the country. Alex B. told Human Rights Watch that he did not consent to his number being used by Fidesz for campaigning purposes. He filed two complaints about the misuse of his data, one to the address for the Fidesz office in Nyíregyháza, a city in northeast Hungary and the county capital of Szabolcs-Szatmár-Bereg, with which the phone numbers were associated, according to the telecom registry,[121] and the other to the central office of Fidesz in Budapest. The complaint sent to the Nyíregyháza office was returned through the postal service due to an incorrect address and the second received a response from Fidesz that the party is not processing his data in any way.[122] “Being contacted by a party, that I’m not member of or follower, when I didn’t give my phone number to them…It kind of pissed me off,” said Alex B. ‘Csaba’, a 48-year-old male voter from Pest county, a county in central Hungary that surrounds Budapest, received an automated phone call from Prime Minister Viktor Orbán in the week before the elections encouraging him to support Fidesz.[123] “There was so much communication in the last five to six days before the elections,” said ‘Csaba’, ‘Csaba’ told Human Rights Watch that he had given his number to the Chamber of Agriculture to register his business and speculated that this may be the reason why he was the Prime Minister’s campaign was able to call him. ‘Ágnes Kovács’, 35, a Hungarian voter who lives abroad, told Human Rights Watch that she received a phone call on her Hungarian phone number on April 1, two days before the election, urging her to vote for Fidesz.[124] “I picked up the phone, and heard a deep, deep voice on the other end say ‘Hello, good afternoon.’ I responded, ‘Who are you looking for?’ In the meantime, the voice responded, ‘I'm Viktor Orbán.” ‘Ágnes Kovács’ told Human Rights Watch that she " definitely didn't provide [her] phone number to the party or campaign in any way." She noted that she has limited interactions with the Hungarian government because she lives abroad. The only instance in which she recalls providing her phone number was when registering for the Covid-19 vaccine. |
Covid Vaccination Registration System Turned Campaign Machine
Human Rights Watch documented new forms of misuse of personal data collected by the government and used for political campaigning by Fidesz in the 2022 elections. Numerous Hungarians and foreigners living in Hungary received campaign propaganda as a result of their signing up to register for the Covid-19 vaccine (with their email and phone number, as well as other personal data). The NEC reportedly received three cases alleging that government campaign emails to citizens breached data protection rules.[125] That the government sent out the messages was not in question. Rather, the debate focused on whether these messages violated electoral or privacy laws.[126]
On December 7, 2020, the Hungarian government launched a website for Hungarian citizens and residents to register for the Covid-19 vaccine.[127] When signing up on the site, people were directed to accept the privacy policy[128] and were given the option to opt-in and consent to the processing of contact details for future contact purposes, until they withdrew their consent. In the first year, the vast majority of the emails that the Coronavirus Information Centre, which is managed by the Government Information Center managed by the Office of the Prime Minister, sent out to its distribution list were related to the vaccination registration effort. Human Rights Watch reviewed 16 emails sent to the distribution list in 2021. Fourteen emails provided information on Covid vaccination, one email provided information about an upcoming national consultation on life after the pandemic, which covered a range of topics, and one email contained political messaging on matters unrelated to Covid.
Starting January 2022, the emails began shifting from vaccine related information toward political messaging, including relating to the upcoming elections. For example, on January 8, 2022, the Government Information Center sent out an email informing recipients “In 2022, several changes will come into effect. Below we summarize the most important ones,” which listed the government’s programs that will benefit citizens, completely unrelated to the Covid response.[129] For example, the email communicated that from January 1, the minimum wage will rise to 200,000 forints (approximately 455 USD) and the minimum wage for skilled workers to 260,000 forints (approximately 590 USD). It also announced new tax cuts, reducing the tax paid by employers from 17 to 13 percent. Additionally, extra financial support for elderly and young citizens was announced, in the form of changes to pensions and income taxes, and for families with children, through income tax returns and subsidies.
Following the January 8 email through June 2022, only one further email that Human Rights Watch reviewed was related to Covid vaccinations. The list of people who signed up for communications related to Covid vaccinations were now being fed with government information, with some messages intended to influence the upcoming elections by espousing positions aligned with Fidesz’s campaign. For example, a March 28 email solicited support for the anti-LGBT referendum, which was held the same day as the parliamentary elections on April 3. The email concluded, “We can stop sexual propaganda aimed at children now! So we ask you to take part in the referendum and vote 4 nays! Protect our children!”[130] Another email, dated February 24, sought to discredit the opposition by misrepresenting its position on the war in Ukraine, specifically stating “we consider it irresponsible and do not support the opposition position that Hungary should send soldiers and weapons into Ukraine. We will also not support proposals that jeopardize our country's gas supply and the reduction of gas prices.”[131]
By using personal data submitted to the government for the purpose of being informed about Covid vaccines to disseminate political and electoral messaging, the government misused citizens’ personal data.
Several people Human Rights Watch interviewed reported feeling like they were taken advantage of by the government in a particularly vulnerable and fearful moment. Some reported that they were typically hesitant to share their personal information with the government but did so in order to register for the Covid vaccine because they felt they had no choice.
Borbála F., a 44-year-old voter from Budapest, told Human Rights Watch, “If you don't register for this form, it was unclear if you could get the vaccine. At this time, people were afraid of COVID, and wanted the vaccine as soon as possible.” She added, “I don't want to give my personal info in any case when it's not absolutely important. We were put in a position where we felt our lives were in danger [from the pandemic/Covid], and had to give our information [in order to get the vaccine]. I don't want that to happen again. If I give my personal info it should only be used for that purpose.”[132]
Maria G., a 67-year-old voter from Budapest, signed up in early 2021 when the registration site was first opened: “I definitely wanted to be vaccinated and I remember that at first.”[133] She explained, in the first wave of promoting the vaccine, they said that “only those who register will be vaccinated.” Later on, it became more relaxed, “but at the beginning they made registration a condition of receiving vaccination.” Maria G., also said she is generally suspicious of signing up for things with the government, but “fear [of the virus] overcame my suspicion,” she said.
‘Zsofia’, a 36-year-old Hungarian woman from the Budapest metropolitan area, told Human Rights Watch that in the context of the fear and uncertainty caused by Covid-19, when she saw the question about further contact with the government, she had “this feeling that you cannot do otherwise, I have to be vaccinated… This was not a free choice and that’s why I was so angry.”[134]
‘Dave,’ a 48-year-old American living in Budapest, told Human Rights Watch, “I’m a private person, but I’m not reluctant to hand over my data when it’s for something important. It’s not a deal breaker for me and getting the vaccine was important to me… I think people were eager to get vaccinated. I wanted to know how and when to get the vaccine, and I was happy to give my contact information to get that information.”[135]
Other State and Civic Institutions Co-opted by Fidesz
The government used other channels of communication it has with citizens based on personal data they collected for other purposes to disseminate political messages related to the elections.
For example, in early February, the National Tax and Customs Authority sent a letter in the mail to citizens who applied for a tax benefit for families with children. The letter, signed by Prime Minister Orbán, contained political messaging aimed at undercutting the opposition. It said, "During the Gyurcsány era, family benefits were significantly cut", and “we are "convinced that money should not be taken from people in difficult times…Hungary is moving forward, not backward!"
The “Gyurcsány era” refers to Ferenc Gyurcsány, the former prime minister, who is affiliated with Democratic Coalition (DK), and previously with the socialist party (MSZP), two major opposition parties in Hungary that made up part of the opposition coalition that ran against Fidesz-KNDP in the elections. Additionally, the communication closely tracked a key Fidesz slogan, “let’s go forwards, not backwards.”[136]
The NAIH informed Human Rights Watch that it received three complaints about the Hungarian Government having sent out a government campaign letter by post in relation to VAT refund. In two of these cases, the procedure was terminated because the complainant did not respond to requests for additional information, and in the third case, the Authority did not identify any breach of law.[137]
Additionally, the government sent out political communications to people who had registered with professional associations like the Chamber of Agriculture. As Csaba, the voter from Pest county who owns a small business in the food industry, explained, “In Hungary, you need to give your email address and contact information to certain parties and organizations if you’re a member. For my business registration with the Chamber of Agriculture is compulsory. But these are supposed to be non-governmental. Then I got direct emails and phone calls from the government [and] prime minister.”[138]
On April 1, two days before the elections Csaba received an email from the Chamber of Agriculture, signed by Prime Minister Orbán about the war in Ukraine, which reinforced Fidesz campaign messages. It also referred to the need to “keep our mutual achievements” and asserted that “we must follow the values that made Hungary successful in the last 12 years.” The email was sent from the same email address as other emails from the Chamber of Agriculture and sent to the same email address through which he regularly receives emails from the Chamber of Agriculture.
“I was pissed off,” Csaba said, “because that’s not what I expect from an organization like this, to send political communications. This is outrageous [to me]…In this country, you don’t get surprised…Practically, government communications uses every possibility to reach people with its messages. [It controls] the majority of the media. [But this communication] is significant because it’s so outrageous that the government would communicate through a professional association in which membership is mandatory.”
The NAIH informed Human Rights Watch that it received two complaints about a letter sent by the Chamber of Agriculture and bearing the signature of Viktor Orbán. It closed one case because the complainant did not respond to a request for additional information. In the other case, the NAIH identified a breach of law committed by the Chamber of Agriculture and issued a warning[139], but did not issue guidelines to say what the controller should do to avoid future breaches.
The NEC rejected a complaint about the email sent by the Chamber of Agriculture because in its opinion the communication cannot be considered a campaign tool under the 2013 Act on Election Procedure.[140]
Government and Fidesz Misuse of Personal Data Contributed to an Uneven Playing Field and Undermined Privacy
The repurposing of personal data collected by the government to provide public services relating to Covid vaccine registration, tax benefit administration, and business registration, to disseminate the ruling party’s campaign messaging contributed to an unequal playing field with respect to the 2022 elections and undermined privacy. The unsolicited phone calls by Fidesz may be unlawful under the GDPR.
The National Election Commission (NEC), the Supreme Court (Kúria), and Constitutional Court considered the legality of the Government Information Center using the emails collected for Covid vaccine registration to send out political and campaign messages. The focus of their review was electoral law, not data protection law. The NEC received multiple complaints against the Government of Hungary for using State resources to campaign against the opposition, seeking to give an electoral advantage to the governing parties. One complaint contended that the Government of Hungary was using a tool for this activity which the oppositional organizations were objectively not in a position to use, in violation of applicable data protection rules and the electoral law (Act XXXVI of 2013 on Election Procedure). The NEC decided on February 28 that the February 24 communication from the Government Information Center did not violate Act XXXVI of 2013 on Election Procedure since it considered the communication within the scope of the government's function and not a campaign communication. It refused to examine the question of whether data protection rules were violated, citing lack of competence.[141]
The Supreme Court partially reversed the NEC’s decision on March 5, deciding that the February 24 email violated the law on the electoral procedure regarding equal opportunities and proper exercise of rights. The Supreme Court issued a procedural fee to be paid by the state and its decision noted there shall be no appeal against the order.[142]
On March 11, the Constitutional Court annulled the Supreme Court’s decision, saying that the email in question "was not in itself aimed at supporting parties or candidates in the 2022 parliamentary elections, but served a public interest purpose”.[143] Citing the “unforeseen, extraordinary situation” of a war in Hungary’s immediate neighborhood, the Constitutional Court decided “citizens have the right to know, and the Government has the duty, also based on Article IX (2) of the Fundamental Law, to communicate its position on the situation”. The NAIH concluded in an April 2 opinion that no unlawful processing of data took place. Its rationale was that the data subject unambiguously consented to their data being processed for the purposes of receiving the newsletter, according to the privacy notice, and that the stated purpose of the processing of data was “subsequent contact,” not sending out newsletters exclusively related to Covid-19 or vaccination.[144] However, according to the privacy notice, the purpose of the website is to provide information “about the possibility of requesting vaccination against the coronavirus”,[145] so defining the purpose of data processing so broad as to effectively allow the government to contact people for any purpose is misleading to data subjects and at odds with the principle of purpose limitation.[146]
The NAIH’s conclusion is inconsistent with the data protection principle of purpose-bound data management, which is codified in Hungarian and EU law: it accepted that the government is given a blank authorization to provide information on any topic simply because, according to the data management information, consent to any " subsequent contact” extends. In other words, it concluded that the government could write the policy as broadly as they wished, effectively with no purpose limitation.[147]
The NAIH also established that the government did not ask for consent to process data for the to transmit information about vaccines and the epidemic situation - which is the exact opposite of what the privacy notice stated. In fact, the persons concerned consented to further contact on the vaccine registration page, in the context of the vaccination, so the data management does not have a specific purpose, and due to the circumstances, the data management is also unfair.
People that Human Rights Watch interviewed did not believe that they were consenting to general government communications when they registered on the vaccine website and were angered by the use of the vaccine registration data for political and electoral campaigning.
Concerning the March 28 email that solicited support for the anti-LGBT referendum, the Hungarian Helsinki Committee, Amnesty International Hungary, and Háttér Association, which coordinated the ‘invalid vote’ campaign[148] and some private individuals submitted separate objections to the NEC referring to the misuse of data, unlawful referendum campaigning by the government, and unequal chances for the NGOs to disseminate their campaign messages.[149] The NEC joined the objections and rejected all of them. Its decision regarded the provision of information and referendum campaigning as constituting the same type of action despite clear, separate legal definitions. The NEC ruled that the government had acted lawfully.[150] The Supreme Court ruled that the emails were indeed campaign tools but did not find a violation of law claiming in its decision that (i) the applicant did not substantiate the alleged violation of the fairness of the referendum; (ii) the competing campaigns may reach through other channels the same people whom the email reached, and (iii) neither the NEC nor the Supreme Court has the competence to examine whether the usage of personal data had been lawful.[151] The Supreme Court did not react to some of the arguments of the applicant, including that it was unrealistic that the organizers of the ‘invalid vote’ campaign could reach the same people that were on the vaccine registration newsletter (approximately 6.5 million voters).
Case Study: Voter Reactions to Misuse of Covid Vaccine Newsletter‘Zsofia’ told Human Rights Watch that for years she had exercised her right to block direct marketing activities and communications, such as national consultations, from the government, and had managed to avoid receiving propaganda.[152] Then in January 2022, she received an email with the government’s priorities sent to the email address she used to register for the vaccine. “It was in that was the moment I felt that there is a misuse of the power of the government,” ‘Zsofia’ said. A lawyer herself, she read the privacy notice and consent to future contact, but after doing so, said she still had no idea what that future contact meant. “I didn't want to miss anything, so there was so much uncertainty around vaccines,” she said. “I just think that there are people who are who could be reached only this way… because you know they are so busy they don't watch TV then don't read [the news] but, do read their emails” "I was really, really mad,” said Borbála F. “I don't care about propaganda, I receive information from many sources. I was really mad because hundreds of thousands or maybe millions of voters received this letter, and they don't have other sources of information. They think, the prime minister is sending them the letter and they believe what it says.”[153] “I was surprised at getting emails from the government. I’d never received political messages from the government. It really pissed me off. I felt they were abusing my privacy,” said “Dave”.[154] “What's so frustrating about this, it seems to be such clear violations. Nothing will come of [complaints to the data protection authority] because the system is skewed,” said ‘Ágnes Kovács’. “I’m pretty familiar with limitations [of] DPAs investigations into the central [ruling] party. It’s not the first misuse of personal data. Don't have much faith it will be remedied by data protection measures”.[155] |
Similarly, by sending political communications to citizens, the National Tax and Customs Authority not only misused data collected for the purposes of administering taxes, it specifically targeted people based on the data it held on them, by sending the letter only to citizens who benefited from the tax break for families with children, and not to those that did not. The legal basis for this was Decree 5/2022, issued under the government's special powers during the state of emergency, which ordered the tax authority to inform taxpayers eligible for different kinds of tax refunds and reliefs if they were raising children.[156] The decree was meant to inform people on the benefits available during the pandemic. However, the government failed to confine the scope of their letter to the limits that they had set for themselves in sending out campaign related messages.
Likewise, the Chamber of Agriculture may only process the data of chamber members for the purpose specified by law, may not transmit it, and may not use it to convey government messages to members.[157]
It is worth noting that there is no shortage of sources of data on citizens for the government, since in recent years the government has migrated many public services online. For example, ügyfélkapu is an online portal that citizens use to access a wide range of public services, including administration of pensions, drivers' licenses, business licenses, and more.[158] The citizen who brought the successful case against the government for illegal use of his data cited above says that the email on which he received political campaign messages from the government was an address that he doesn't normally share with anyone but used to register for ügyfélkapu. Other examples of government-run databases include the Healthcare Services' Electronic Space (EESZT), a database of all patients and their medical records who have state insurance (technically everyone in Hungary),[159] databases of the state healthcare insurance office (NEAK),[160] the database of personal data and addresses (lakcímnyilvántartás),[161] State Treasury (Államkincstár),[162] which administers pensions, and has reportedly sent out campaign material in support of the government.[163] Given the blurred line between government and party resources and a lack of independence in the data protection authority, the digitization of public services in Hungary appears to be a source of data for Fidesz’s political campaigning.
Regarding the Kubatov list and the unsolicited phone calls, personal data revealing political opinions is a special category of data under the GDPR. Under Hungarian and EU law, the processing of such data is prohibited and is subject to narrowly interpreted conditions, such as the explicit, specific, fully informed, and freely given consent of the individuals – and this prohibition extends to contacting voters over the phone.[164] Those who turned to the HCLU complaining of unsolicited contact from Fidesz unanimously stated that they were sure that the ruling party could not have legally accessed their data and said they did not make it available to Fidesz themselves, especially not for campaign or mobilization purposes.
Under the GDPR, phone numbers cannot be obtained legally from any register for campaign purposes unless voters have given valid consent. Telephone campaigning is likely to be unlawful if the voter has not given express consent for their data to be used for this purpose under Hungarian law.
III. United for Hungary’s Data Driven Campaign
Digital campaigning was also a key feature of the opposition’s campaign strategy. In the pre-election period, United for Hungary (Egységben Magyarországért), the six parties that made up the united opposition, decided to pool their supporters’ data to increase their ability to reach and mobilize voters.
Several experts told Human Rights Watch that the opposition has aimed to build a database on voters’ preferences, similar to Fidesz’s Kubatov list, but that doing so has been impossible because of the asymmetry in resources between opposition parties and the ruling party. [165] Furthermore, unlike the ruling party, the opposition parties did not have access to citizens’ data collected for the purposes of providing public services to disseminate campaign messages. Rather, they relied on traditional data collection methods (such as in-person and online petitions and signature gathering). As a result, the opposition’s data-driven campaigning efforts were dwarfed by those of Fidesz. Additionally, opposition parties are under scrutiny from the NAIH to respect data protection regulations.
Opposition parties told Human Rights Watch they considered digital campaigning important in Hungarian elections and expected its importance will continue to increase moving forward. This is in large part because of media dominated by pro-Fidesz players and provides little opportunity for opposition candidates to get their message out.[166] Candidates are entitled by law to five minutes in the public media during the election campaign, and some members of the opposition have complained that they have had less than five minutes of airtime over the last four years in total, let alone in the campaign period.[167] Opposition parties described their ambitions to run more sophisticated data-driven campaigns, and one party revealed that it developed a scoring system for voters based on the intensity of their supporters’ activity.
How the Joint Data Efforts Worked
Ahead of the pre-election period, the six opposition parties put in place an agreement to create a common database to share the data of supporters collected by their respective signature gathering efforts.[168] Voters who indicated their support for the opposition in the pre-election needed to provide their ID number and signature. They were also invited to provide their contact details (phone number and/or email addresses). By providing their contact details, voters consented to being contacted by the joint opposition. It was not compulsory to provide this information, but if supporters did, they were automatically added to the joint contact list of the united opposition.
There was no legal entity formed as United for Hungary. Rather, legally, the six parties were jointly responsible for the database and all decisions on the use of the data were made together, according to opposition parties. Each party signed the contract agreeing that no one will use the database on its own terms. United for Hungary’s privacy policy included a physical address, e-mail address, and, in the case of all except one party, a phone number for the data protection officer for each of the six parties, which people could contact to request that their data be deleted.[169] Data protection officers from each party coordinated the management of complaints using a Google spreadsheet.[170]
The joint database had multiple purposes, including to mobilize voters to support the opposition on election day, to solicit volunteers to support campaign activities, and to mobilize supporters of one opposition party to vote for a candidate from another opposition party in a particular constituency/district where the joint opposition was running a candidate.[171] According to MSZP, the joint database was its most trusted and up-to-date database in the campaign.
Under the agreement, opposition parties said data collected for this election were channeled into a database that was separate from, and not merged with, the individual databases that respective parties held.[172] During the campaign this database was used to send out e-mail messages, make automatic telephone calls, and text messages to the people who had shared their contact information.[173]
In addition to signatures during the pre-election, opposition parties collected contact information of supporters online and in-person in the lead up to the April elections. Opposition campaigners and volunteers were on the street requesting support for petitions and referendums. If voters shared their contact information, that information could be used by United for Hungary to engage them in the campaign. There was some awareness among supporters that they were giving their data to the campaign, but many people signed petitions without much understanding of how their data would be used.[174]
According to LMP and MSZP, around 800,000 people participated in the pre-election signature campaign, with around one third sharing their contact information (mobile numbers or e-mail addresses).
Role of Datadat
United for Hungary worked with Datadat to support its campaign efforts in the April 2022 elections. Human Rights Watch learned that Datadat stored and managed the joint database as data processors and operated a tech stack that allowed United for Hungary to collect further data via landing pages (forms) into the database with digitally documented consent for each individual. This included Action Network as a CRM, as an emailer and an action page (form) platform. Datadat reached an agreement with the six parties after having presented them with its tech stack. It then formalized the agreement into a contract with the alliance represented by one of the participating parties which was named as the member dealing with IT matters. However, Human Rights Watch was not able to independently verify or corroborate this.
According to opposition parties that Human Rights Watch spoke with Datadat also contracted with individual opposition parties and candidates to optimize their advertisements to voters on social media.[175] Some candidates also signed up for Datadat’s Facebook automated chatbot to engage directly with voters.[176]
Unsolicited Communications and Unclear Data Practices
Some voters told Human Rights Watch that they received calls from United for Hungary, and they did not know how the campaign got their phone numbers. For example, Borbála F. said she received an automated call from the wife of the candidate for prime minister, Felícia Vincze Márki-Zayné, on behalf of United for Hungary, which made the case for why she should vote for them.[177] This first happened during the pre-election period and with that first call they asked whether she consented to receiving more calls. She said "Yes" at the time but doesn't know how they got her phone number in the first place.
The HCLU also received reports from voters who received unwanted calls from the opposition. According to the HCLU, the NAIH appears to already be dealing with telephone campaign abuses during the 2022 elections but has so far singled out only the opposition side of the parties.[178] The NAIH informed Human Rights Watch that it received 250 complaints regarding unsolicited SMS and phone calls in favor of opposition parties in the days leading up to the election. It confirmed that it opened official investigations into these complaints, which are ongoing at time of writing.[179]
The NEC issued decisions in response to objections against this direct campaigning of the United for Hungary, ruling that the text messages and calls violated the Act on Election Procedure.[180] For example, it found that the call with the message from Felícia Vincze Márki-Zayné violated Article 149 of the Act on Election Procedure, which requires explicit consent for sending campaign materials directly to voters.[181] The violators were unknown in almost all cases. In six cases the NEC found violations, identifying the offenders in
two cases.[182]
An MMM representative told Human Rights Watch that almost 90 percent of the complaints they received from data subjects were about phone calls, not emails.[183] If people unsubscribed from the emails, that usually worked, according to MMM. Individuals reported that unsubscribing from telephone lists was burdensome, requiring a search for contact information. MMM also said that voters complained of receiving several phone calls, three or four times a day from candidates they had never heard of, or candidates who were not even their local candidate.
Some parties told Human Rights Watch that they received several emails or phone calls each day from people who complained about being contacted or requesting to be unsubscribed or have their data deleted.[184] These irregularities raise limitations of informed consent in practice, as well as the need to make the process for unsubscribing or opting out easier and faster.
United for Hungary’s Processing of Personal Data Lacked Transparency and Risked Undermining Privacy
United for Hungary clearly considered data-driven campaigning a core part of their electoral efforts, however it was not always transparent with how voters’ personal data was used in the campaign. For example, some members of United for Hungary told Human Rights Watch that United for Hungary as a whole had a contract with Datadat to manage aspects of its data-driven campaign efforts. However, neither United for Hungary, nor any of the six opposition parties mention Datadat as a data processor in their privacy policies.
Both Datadat and parties that Human Rights Watch spoke with described the role of Datadat as that of a data processor and could not explain why the company was not listed in their privacy policies, except to say that the relationship was temporary, meaning only for the election period.
Lack of Clarity around MMM’s Access to the Joint Database
The prime ministerial candidate did not come from one of the six opposition parties that were in the initial data sharing agreement. As a result, when data was collected during the pre-election period, supporters consented to sharing it with the six parties, but not with MMM. LMP told Human Rights Watch that the six parties of United for Hungary did not share the data with the MMM and did not enter into an agreement with MMM over data access.[185] MMM confirmed that the six parties of United for Hungary objected to MMM taking part in the joint database since it was an NGO and not a party. As such, according to MMM, it did not share any personal data of its supporters with the six parties and did not act as a controller for the database.[186]
MMM told Human Rights Watch it acted as a processor for the database, since MMM activists “only collected voter personal data” and did not contribute any.[187] MMM is not listed as a data processor in United for Hungary’s privacy policy.
Unclear Legal Basis for Unsolicited Automated Calls
As noted earlier, parties and campaigns can only legally use voters’ data for automated phone calls if voters specifically provided their data for campaign purposes.
MSZP told Human Rights Watch that United for Hungary worked with a contracted third party, SzondaPhone Kft,[188] a telemarketing company to run a robocall and SMS campaign. If SzondaPhone’s database included phone numbers of voters beyond those who had provided their phone number to United for Hungary, this may explain the unsolicited robocalls. However, this raises at least two problems. First, according to the E-Commerce and E-Comms acts, respectively, receiving SMSs, emails and automated phone calls requires prior consent (opt-in).[189] Second, United for Hungary does not list SzondaPhone as a data processor, nor do any of the six parties except for DK. If United for Hungary contracted SzondaPhone to send out campaign messages, the company should be listed as a data processor. SzondaPhone did not respond to Human Rights Watch's request for comment at time of publication.
The importance of data-driven and digital campaigning for opposition parties was evident, in no small part due to the extent to which Fidesz dominates traditional media and advertising industries and its access to vast resources. But it also provides new potential for rights abuses, including privacy violations and discriminatory profiling of voters. While opposition parties are investing in digital campaigning, they are not sufficiently transparent in their use of voters’ data.
Members of the United for Hungary opposition demonstrated that they took the processing of the personal data of voters seriously. However, in practice when acting jointly there appeared to be gaps in their efforts to effectively inform voters how their data was being used. But unlike the ruling party, there is no evidence that its handling of data created unfairness in election process.
None of the parties Human Rights Watch interviewed currently carry out privacy or data protection impact assessments for their digital campaign strategies as a whole or before contracting an external firm. Three opposition parties did not respond to Human Rights Watch’s request for an interview or request for comment about their efforts to protect voters’ data in the elections. Only two opposition parties responded to Human Rights Watch’s follow-up questions and request for comment.
IV. Role of Private Platforms and Advertising Technology Companies
Political Advertising on Facebook
Political campaigns from across the political spectrum spent heavily on online political advertising, primarily on Facebook,[190] since–as one political party told Human Rights Watch–“Hungary is a Facebook country.”[191] Facebook is the most widely used social network in Hungary. In an increasingly tightly controlled media environment, social media platforms provide the opposition with the ability to communicate directly with supporters and voters. Facebook usage is high in Hungary, with approximately 7.35 million users[192] as of June 2022 out of a population of around 9.6 million people,[193] While some parties invested in advertising on Google or YouTube and experimented with political ads on Instagram, TikTok, and Twitter, none told Human Rights Watch that those were as significant platforms for campaigning as Facebook.
The impact of heavy spending on Facebook is twofold: first, because the State Audit Office (SAO) does not consider spending on political advertising on social media in its oversight of campaign finance (unless parties proactively disclose this information), campaigns can effectively spend as much as they would like on online advertising. Given vastly different access to resources between the ruling party and the opposition, this provided further advantage to Fidesz.[194] Second, Facebook’s ad targeting and delivery tools, which Hungarian political campaigns make use of can lead to the profiling of voters based on their political affiliations or beliefs,[195] or other sensitive characteristics.[196]
Facebook’s ad targeting is the result of a complex process that depends on many inputs, including information the platform gathers on the users’ demographic characteristics, interests, and behaviors, inferred from their activities on Facebook (e.g., the information they provide in their profiles, the pages they like, their social interactions, emotional reactions to content, clicking and reading patterns), as well as information Facebook collects about users’ activities outside Facebook (e.g., which sites users browse) and information advertisers provide (e.g., lists of customers, newsletter subscribers, and supporters to be matched against Facebook users).[197] These multiple data points, coupled with algorithmic processing and big data analysis, enable Facebook to infer political opinions and other characteristics, which can be used for political persuasion.
Spending on Facebook During the 2022 Election Cycle
Based on Facebook advertising disclosures in its Ad Library,[198] several Hungarian and international media organizations and non-governmental organizations calculated how much political parties and campaigns spent on political ads on Facebook in advance of the 2022 elections. For example, the Hungarian news portal Telex, the US government funded non-governmental organization Radio Free Europe/Radio Liberty (RFE/RL), and the OSCE each published analysis of spending by political parties, campaigns, and third-party entities associated with parties based on data made available in Facebook’s Ad Library. Their calculations differed depending on the period covered and how they considered spending by politically aligned third-party actors, a well-known problem in Hungary.[199] In addition to official spending by political parties and campaigns, in Hungary think tanks, government-organized non-governmental organizations (GONGOs), media outlets, and other organizations explicitly or implicitly seek to promote the governmental parties’ or the opposition parties’ political messages on social media. However, each analysis of campaign spending on Facebook found that the Fidesz-KDNP coalition and third parties associated with it outspent United for Hungary and third parties associated with it.[200] The further back the analysis goes, the larger the gap between spending by the two political blocs on Facebook becomes. RFE/RL’s analysis, which covers the longest period (July 2019-April 2022), calculated that Fidesz/KDNP and associated third parties outspent United for Hungary and associated third parties on Facebook by more than two to one.[201]
Facebook’s Advertising Targeting Tools Lack Transparency
There are two ways in which targeted political advertising on Facebook adds an additional element of opacity to campaigning. First, it is unclear to Facebook users and to researchers why a user receives a Facebook ad or how targeting works. Second, some of the targeting techniques offered by the platform are inherently opaque.
Facebook introduced a publicly accessible advertising library (Ad Library) in May 2018. At time of writing the library documents all active advertisements, as well as inactive “issues, elections or politics” advertisements on Facebook and Instagram. In the absence of campaign finance laws in Hungary that require political campaigns to report their online spending, the Ad Library increased transparency about political online ads spending during the 2022 elections.
At the same time, however, academic research has found that ad libraries are not always reliable, and that the information they provide leaves “much to be desired”,[202] currently lacking information about the ways in which advertisements were targeted, or providing misleading and vague explanations about targeting.[203] When users of Facebook see a political advertisement, they are not provided with information that could sufficiently explain why they have been targeted with a particular ad.[204] The way Facebook’s ad explanations appear to be built—showing only the most prevalent attribute—may exclude attributes that are inferred from sensitive data. They also don’t offer a complete explanation. A voter may suspect that an advertiser relied on sensitive personal data, such as their sexual orientation or political beliefs to target an advertisement to them, but in the absence of more information, this is impossible to prove.
This lack of transparency also makes it difficult, if not impossible, for independent journalists, watchdog organizations, or regulators to conclusively determine whether any political party has engaged in advertising targeting that violates people’s privacy rights, or otherwise undermined the democratic process. Profiling people based on their political opinions without their consent is contrary to Article 9 of the GDPR, which prohibits the processing of data on political opinions and other special categories of personal data as a general rule, unless specific criteria are met, including obtaining explicit consent from the data subject for one or more specific purposes.[205]
The opacity of certain ad targeting and delivery techniques provided by Facebook also risk targeting people (directly or indirectly) based on their political opinions (provided or inferred), further violating their right to privacy and undermining the democratic process.[206]
Both the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) have highlighted the risk of the use of personal data beyond their initial purpose, including to unduly influence individuals when it comes to political discourse and democratic electoral processes. The EDPS cited specific and detrimental effects on citizens’ fundamental rights and freedoms with regard to the processing of their personal data and their freedom to receive objective information, to form their opinion, to make political decisions, and exercise their voting rights, as well as for the democratic process.[207] The EDPB Guidelines 8/2020 on the targeting of social media users warn that targeting of social media users may involve criteria that, directly or indirectly, have discriminatory effects relating to an individual’s racial or ethnic origin, health status or sexual orientation, or other protected qualities of the individual concerned.[208] The Guidelines also state that assumptions or inferences from data which is not special category data in its own right, becomes so when combined with other data; for instance when it results in an inference (correct or incorrect) that a person is likely to vote for a certain party after visiting a page preaching liberal opinions.
There are several ways in which ads on Facebook can be targeted. In addition to traditional targeting parameters, such as gender, interests, or location, Facebook provides advertisers with targeting tools, like “custom” and “lookalike” audiences. These, as well as ad delivery tools, are designed to refine ad targeting and reach a more specific audience.
Two of the four members of United for Hungary told Human Rights Watch that they used “custom” and “lookalike” audiences to target online political ads in Hungary.[209] A report by Civil Liberties Union for Europe, based on joint research by the Hungarian Civil Liberties Union, Lakmusz.hu, and Who Targets Me, found that Hungarian political parties, and aligned entities, from across the political spectrum extensively used “lookalike” audiences during the electoral campaign.[210] Who Targets Me is a browser extension that records the political ads the user has been targeted with on Facebook. It captures both the ads Facebook users are targeted with and matches those ads against a list of political advertisers previously researched and the personalized data that Facebook displays to users that explains which advertiser is targeting them and based on which criteria. The information Facebook provides under “Why am I seeing this ad?” can include what the “core criteria” used were (e.g., interests, age, and location) and whether “custom” or “lookalike” audiences were used.[211] The Who Targets Me browser extension collects and anonymizes this information to gain insight into the big picture.
Facebook’s “custom” audience tool allows advertisers who have their own sources of data, such as customer lists, tracking data from their websites or apps, newsletter subscribers, and lists of supporters, to upload them to Facebook.[212] Facebook then matches this uploaded information (e.g. emails and phone numbers) with its own data about users without revealing the list of individual profiles to advertisers, which enables advertisers (in this case, political parties) to retarget them with political ads on Facebook.
In addition to the incomplete information Facebook provides in disclaimers and in the Ad Library, some targeting techniques are opaque, for instance due to the fact that they rely on machine learning or the fact that the targeting is dynamic and relies on continuous optimization. The delivery of advertisements are typically automatically “optimized” after an advertiser has determined targeting criteria or chosen a targeting tool.[213] Facebook’s “lookalike” audience tool enables advertisers to target users who are similar to a source audience (i.e., the “custom” audience) by identifying people who Facebook predicts share characteristics with the source audience based on inferred common qualities.[214] It is not known how exactly Facebook optimizes ads, or how exactly the “lookalike” algorithm works.
Research has indicated that “lookalike” audiences carry—to a certain extent—the biases of the source audience in terms of race and political affiliation.[215] When used in the context of political advertising, “lookalike” audiences can lead to the profiling of voters based on their political opinions, which is inferred by their activities on Facebook and determined by Facebook’s opaque targeting algorithms. In 2022 Facebook prohibited advertisers from directly targeting potential customers or voters based on their sensitive data, including political beliefs, social issues, causes, organizations, and support for political figures.[216] However, it is unclear whether in creating “lookalike” audiences Facebook’s algorithms indirectly rely on such data.[217] For example, if a political party uploads a list of people whose common characteristic is that they share neo-fascist beliefs or support LGBTQI+ rights, and use Facebook’s lookalike audience, it is possible that Facebook will find an audience for the ad that it has determined to be neo-fascist or support LGBTQI+ rights.
Human Rights Watch wrote to Meta in October 2022 with questions regarding its ad targeting techniques, including whether Meta draws inferences from people’s sensitive data, and what due diligence it conducted prior to the 2022 Hungarian elections to assess the risk that its platforms could be used to undermine democratic processes. Meta declined to respond.
Website Tracking by Political Parties
Like other advertising technology (AdTech) companies, Facebook offers a tool called Facebook Pixel, which is a piece of code that advertisers can place on websites to track users’ activities and then target their visitors later with ads on Facebook.[218] Facebook can also retain and use this data for its own advertising purposes.[219] Facebook Pixel allows Facebook to track people across the internet and build user profiles on people, even matching them and their data to their respective Facebook or Instagram profiles, if they have one, and even if they are not logged into Facebook at the time when they were accessing a website with an embedded Facebook Pixel.[220] Facebook Pixel could also enable the company to collect personal data and create shadow profiles on people who have never used their services or signed up for an account.[221]
The use of Facebook Pixel and third-party trackers, which HRW found to be sending data to Facebook and known AdTech companies from Hungarian political parties and campaigns, possibly without user consent, contributes to an ecosystem that tracks people’s online activity across the internet, which is incompatible with the right to privacy and can lead to discrimination and other human rights abuses.[222] Privacy relies on the presumption that people should have an area of autonomous development, interaction and liberty; a ‘private sphere’ with or without interaction with others.[223] The right to privacy entails freedom from intrusion into our private lives, the right to control information about ourselves, and the right to a space in which we can freely express our identities without pervasive tracking.[224]
Websites include code from third-party services for a range of reasons, including tracking crash reports, measuring user engagement through analytics, connecting to social networks, and generating revenue by monetizing user data and display targeted ads.[225] Third parties whose code is embedded in websites receive data about users that can be linked and combined to provide incredibly detailed insights into people’s lives, including their habits, interests, locations, opinions and beliefs. This sharing of user data is highly problematic from a privacy perspective.
European data protection and privacy laws require that websites obtain user consent before placing third-party trackers, subject to limited exemptions. For consent to be valid it has to be freely given, specific, informed and unambiguous, by way of a clear affirmative action. If special category data is processed (for instance, data concerning political opinion), the consent also needs to be explicit.[226]
To understand how the websites of political parties handle user data, in late March/early April and October 2022 Human Rights Watch used Blacklight,[227] a real-time website privacy inspector built by the investigative journalism outlet The Markup.[228] Released in September 2020, Blacklight emulates how a user might be surveilled while browsing the web.[229] The tool scans any website, runs tests for seven known types of surveillance, and returns an instant privacy analysis of the inspected site. Built on the foundation of robust privacy census tools built over the past decade, Blacklight monitors scripts and network requests to observe when and how user data is being collected, and records when this data is being sent to known third-party AdTech companies.[230]
Blacklight exists in two formats: as a user-friendly interface on The Markup’s website, and as an open-source command-line tool.[231] Human Rights Watch chose the latter, as it provides the flexibility to adapt the tool to provide customized analysis, as well as a higher observational power that yields fine-grained evidence of the surveillance it detects on websites. In order to recreate the experience of how the data of a Hungarian voter might be collected, handled, and sent to third parties, Human Rights Watch conducted all technical tests while running a virtual private network (VPN) set to Hungary.[232]
Human Rights Watch selected for examination websites that are associated with the main political parties and campaigns in Hungary, as well as the election-specific website run by United for Hungary, the joint opposition.
Human Rights Watch found that all members of the united opposition and the KDNP, which is part of the ruling coalition with Fidesz, had embedded Facebook Pixel on their websites, including campaign-related pages. Human Rights Watch detected data being sent to third parties from the websites of all parties covered in this report, including Fidesz, through the use of third-party trackers, including known AdTech companies.[233]
MMM, Momentum, and MSZP told Human Rights Watch that if their websites embed Facebook Pixel and other third-party trackers, they should only collect and transmit data to Facebook and known AdTech Companies once a user gives consent.[234] However, Blacklight monitors scripts and network requests on inspected sites to observe when and how user data is being collected, and records when this data is being sent to third-party trackers the moment someone opens a website.[235]
LMP told Human Rights Watch that the websites managed by LMP were set up by the web developers/agencies that created them and that the data from any potential external tracking attempts were not used by LMP for advertising campaigns or data analysis. Data will only be entered into the LMP database following the receipt of the paper-based or electronic declaration of consent of the person concerned. LMP told Human Rights Watch that it undertakes to review its websites and adjust its settings, as well as to update accordingly its information sheets.[236]
V. Legal Standards
Right to Participate in Democratic Elections
Article 25 of the International Covenant on Civil and Political Rights (ICCPR) provides:
Every citizen shall have the right and the opportunity, without any of the distinctions mentioned in article 2 and without unreasonable restrictions:
(a) To take part in the conduct of public affairs, directly or through freely chosen representatives;
(b) To vote and to be elected at genuine periodic elections which shall be by universal and equal suffrage and shall be held by secret ballot, guaranteeing the free expression of the will of the electors;
(c) To have access, on general terms of equality, to public service in his country.[237]
Political parties are entitled to a level playing field in order to compete fairly
in the electoral contest. As the UN Special Rapporteur on the rights to freedom of peaceful assembly and of association has observed:
“All parties complying with international human rights norms and standards are entitled to equality of opportunity. As such, at a minimum, no political party should be discriminated against, unfairly advantaged or disadvantaged by the State….[238]
“More broadly, party resources should be differentiated from public resources. Public resources should not be used to tilt the electoral playing field in a party’s favor and in particular the incumbent party or its candidates. This principle extends to the use of State institutions, such as police forces, the judiciary, the prosecutorial authority, law enforcement agencies and others, which should be impartial when controlling or limiting the activities of political parties, such as by initiating politically motivated court cases against rival candidates, in effect, preventing them from engaging in campaign activities.” [239]
The Special Rapporteur on the rights to freedom of opinion and expression has explained:
“The State has a duty to provide a regulatory environment that facilitates a diverse range of political positions…This may require the imposition of regulations that stipulate restrictions on campaigning, advertising, polling, spending and financing. Such restrictions must be designed to achieve the objective of providing a pluralistic and fair playing field, upon which political groups can communicate their ideas, and must have at their heart the protection and promotion of freedom of opinion and expression”.[240]
Hungary holds national elections every four years. Hungary’s electoral legal framework consists primarily of the 2011 Fundamental Law (Constitution),[241] the 2011 Act on the Elections of Members of Parliament, the 2013 Act on Election Procedure,[242] and the 2013 Act on the Transparency of Campaign Costs. Legislation is supplemented by decrees issued by the Minister of Justice and non-binding guidelines to election commissions issued by the National Election Commission.
Right to Privacy
Article 17 of the ICCPR establishes that “[n]o one shall be subjected to arbitrary or unlawful interference with his privacy ... home or correspondence…. Everyone has the right to the protection of the law against such interference or attacks.” The United Nations Human Rights Committee, the treaty body charged with monitoring implementation of the ICCPR, has found that restrictions on the right to privacy must take place only “in cases envisaged by the law.”[243] Restrictions must also be “proportionate to the end sought, and ... necessary in the circumstances of any given case.”[244]
Comprehensive data protection laws are essential for protecting human rights – most obviously, the right to privacy, but also many related freedoms that depend on our ability to make choices about how and with whom we share information about ourselves.[245] As early as 1988, the UN Human Rights Committee recognized the need for data protection laws to safeguard the fundamental right to privacy recognized by Article 17 of the ICCPR.[246] In 2018, the UN Office of the High Commissioner for Human Rights recommended that all States “[a]dopt strong, robust and comprehensive privacy legislation, including on data privacy, that complies with international human rights law in terms of safeguards, oversight and remedies to effectively protect the right to privacy.”[247]
The processing of personal data in Hungary is regulated by Act CXII of 2011[248] on the Right to Informational Self-Determination and Freedom of Information as amended by Act XXXVIII of 2018 to implement the European Union General Data Protection Regulation (GDPR).[249] The GDPR, which applies to private and public sector entities, including government agencies, companies, political parties, and non-governmental organizations, treats personal data revealing political opinions as a special category of data.[250] As a general principle, the processing of such data is prohibited and is subject to narrowly interpreted conditions, such as the explicit, specific, fully informed, and freely given consent of the individuals.[251]
According to the European Data Protection Board, an independent body whose mandate is to ensure that the GDPR is consistently applied in the EU countries, compliance with data protection rules in the context of electoral activities and political campaigns, is essential to protect democracy. The EDPB recommends:
Even where the processing is lawful, organisations need to observe their other duties pursuant to the GDPR, including the duty to be transparent and provide sufficient information to the individuals who are being analyzed and whose personal data are being processed, whether data has been obtained directly or indirectly. Political parties and candidates must stand ready to demonstrate how they have complied with data protection principles, especially the principles of lawfulness, fairness and transparency.[252]
Hungary is also a state party to the Council of Europe’s Convention 108, for the Protection of Individuals with regard to Automatic Processing of Personal Data[253] and a signatory to the Convention 108+, a 2018 protocol updating the Convention.[254] The CoE Consultative Committee on Convention 108 has issued Guidelines on the Protection of Individuals with regard to the Processing of Personal Data by and for Political Campaigns,[255] which are applicable and relevant.
According to the Guidelines, “[t]he processing of personal data revealing political opinions entails severe risks of voter discrimination, leading to voter suppression and intimidation. Knowledge of who has, and has not, supported a governing party can also affect the provision of government services. The processing of special categories of personal data needs to be accompanied by safeguards appropriate to the risks at stake of voter discrimination and the interests, rights and freedoms protected.”[256]
Acknowledgments
This report was researched and written by Deborah Brown, senior technology and human rights researcher at Human Rights Watch. This report was edited by Frederike Kaltheuner, technology and human rights director at Human Rights Watch. Lydia Gall, senior Europe and Central Asia researcher provided research support and contributed to editing of the report. Michael Bochenek, senior counsel, children’s rights, and Babatunde Olugboji, deputy program director, provided legal and program reviews. Expert reviews were provided by: Fred Abrahams, deputy program director; Kayum Ahmed, special advisor on health and human rights; Philippe Dam, European Union director; Hye Jung Han, researcher and advocate in the Children’s Rights Division; and Benjamin Ward, deputy director for Europe and Central Asia.
Technical analysis of political parties’ websites was conducted by Gabi Ivens, head of open source research at Human Rights Watch, using an adapted version of Blacklight, the real-time website privacy inspector built by Surya Mattu, former Senior Data Engineer and Investigative Data Journalist of The Markup.
Hina Fathima, producer in the Multimedia Division, produced the micro video accompanying the report. Travis Carr, publications officer, provided support for the selection and layout of the photographs in the report. Illustration was provided by Brian Stauffer. The report was prepared for publication by Fitzroy Hepkins, administrative manager.
Editorial and production assistance was provided by Kerin Shilla, associate in the Tech and Human Rights Division; Jack Spehn, associate in the Economic Justice and Rights Division; and Klara Funke, associate in Europe and Central Asia Division.
Human Rights Watch also benefited greatly from expert input from and collaboration with by the Hungarian Civil Liberties Union, in particular the Privacy Project and Political Freedoms Project, which provided expert review of the research and connected Human Rights Watch with their clients whose testimonies enriched the research. We are grateful to human rights organizations and individual activists and journalists who provided input into and support for this research and analysis. These organizations include, but are not limited to, K-Monitor, Hungarian Helsinki Commission, Lakmusz, Mertek Media Monitor, Political Capital, Radio Free Europe/Radio Liberty, Transparency International – Hungary, Access Now, noyb, Privacy International, and Tactical Tech.
External legal review was provided by Elizabeth Wang, founder of Elizabeth Wang Law Offices.
Human Rights Watch would like to thank the Hungarian researchers, lawyers, activists, civil society members, and translators who contributed to this report by granting interviews and providing Human Rights Watch with information. They cannot be named to protect their safety, but their work and support has been invaluable.