Draft Hungarian Law on the Data Breach Notification Framework and the New Cookie Consent Rule

On 10 June 2011 Fidesz MP Antal Rogán submitted to the Hungarian Parliament the draft bill on the amendment of the Act Nr C. of 2003 on electronic communications, which will transpose, inter alia, the personal data breach provisions as well as the new cookie consent rule of the recently amended European ePrivacy Directive.

1. Personal Data Breach Notification

The draft bill limits the scope of the mandatory data breach notification to providers of electronic communication services in Hungary, and it assigns the supervision of data breach cases to the Hungarian Media and Communications Agency, which shall, within its competence, cooperate with the Office of the Data Protection Commissioner. Where the service provider reports a data breach but has not notified its customers of it, the Agency may, upon consideration of the risk of possible detrimental consequences of the security breach and after obtaining the opinion of the Data Protection Commissioner, impose an obligation on the service provider to notify its customers. The Agency would be empowered to issue guidance on data breach notification as well as on the best practices relating to the security requirements of data processing.

2. New Cookie Law

The draft bill also implements the New Cookie Law (new Article 5(3) of the Privacy and Electronic Communications Directive), which requires prior consent to, and notice of, the storage of cookies in the user's terminal equipment.

The draft bill will replace the former Section 155 (4) of the Act on electronic communications, which lays down that data obtained via electronic communications networks may be stored on electronic communication terminal equipment, or accessed, only upon the end-users’ and subscribers’ consent granted after provision of clear and comprehensive information.

The new provision to be introduced by the draft legislation (under Section 155 (4)) provides that “data may be stored or accessed on the terminal equipment of the subject end-user or subscriber after the provision of clear and comprehensive information – including the purpose of data processing – if prior consent of the end-user or subscriber has been granted hereto.”

The most important change is that the draft legislation would require prior consent to the storage of or access to cookies; furthermore, the notice should also cover the purpose of such data processing.

We note that the ministerial reasoning of the draft bill is silent on how the above requirement should be interpreted in practice and whether the browser settings would comply with the new cookie consent rule. In that regard, we expect that the Hungarian Media and Communications Agency would release comprehensive guidance on this topic.

The new draft bill is scheduled to enter into force within 15 days after its publication in the Official Gazette.