111. The right to privacy and the right to data protection are often mentioned together,374 and typically there is clearly a connection between these two rights.375 However, formally they are regulated in separate documents, and when it comes to their substantial scope, there exist different theories describing the relations between these two rights, and the additional role fulfilled by the right to data protection.376 What is clear is that besides privacy, data protection can also play an important role in protecting employees’ private lives; consequently, its analysis must be included in the dissertation.
112. The right to data protection does much more than simply protect personal data. Despite what its appellation might suggest, the right to data protection does not aim to protect personal data, but the individual to whom personal data relates.377 Pál Könyves Tóth emphasizes the connection between the right to data protection and human dignity, stating that it is an essential condition to human dignity that individuals be able to take decisions regarding the disclosure of personal data relating to them.378 Máté Dániel Szabó points out that personal data is more and more valued, as the individual’s personality can be increasingly expressed through personal data.379 To the outside world, the individual is more and more often perceived through (mainly) his/her personal data – instead of as a
374 See, for example, Article 1 of the DPD, and Convention 108.
375 Bygrave, L. A. (2001) The Place of Privacy in Data Protection Law. Available at: http://www.austlii.edu.au/au/journals/UNSWLJ/2001/6.html (Accessed: 28 February 2018).
376 Orla Lynskey identified three models of understanding the relation between privacy and data protection: they can be understood as separate but complementary rights; data protection can be understood as a subset of privacy; or data protection can be perceived as a separate, independent right in service of different functions, but not limited to privacy. Source: Lynskey, O. (2015) The Foundations of EU Data Protection Law. Oxford: Oxford University Press. p. 90 and pp. 91-106.
377 Majtényi, L. (2002) ‘Az információs szabadságok és az adatvédelem határai’, Világosság, XLIII (2–3), pp. 57-58.
378 Könyves Tóth, P. (1990) ‘Adatvédelem és információszabadság’, Világosság, 31(8–9), p. 621.
379 Szabó, M. D. (2005) ‘Kísérlet a privacy fogalmának meghatározására a magyar jogrendszer fogalmaival’, Információs Társadalom, (2), p. 47.
physical person.380 Because of such an enhanced role, if the processing (e.g. collection and use of such information) does not take place according to the established guarantees and rules, the individual might suffer serious consequences.381
113. The Section will first address what additional role data protection can fulfill in comparison to privacy, aiming to clarify the relations between these two rights. Then, it will present how exactly the individuals’ rights must be respected, through examining the most important points of the relevant legislation.
§1. Introduction to the right to data protection
114. The first data protection regulation appeared a few decades after the right to respect for private life,382 followed by several other instruments both at the international and the national level. Although they will be addressed in detail in part §2, even at this point it must be noted that today data protection is subject to detailed regulations. For its importance, focus will be put on EU regulations: though ever since 1995 the question of data protection has been regulated,383 in 2016 the adoption of the GDPR brought considerable changes and became a central piece of legislation.
In the following part, first, (A) it will be explored what the reasons for the emergence of data protection rules were. Then, (B) it will be examined why there was a need when the right to respect for privacy had already existed. To put it differently, it will be explored in what regards there are substantial differences (if there are) between the two rights, which would justify the existence of two rights.
(A) The birth of the right to data protection
115. Origins of data protection. The right to data protection is a relatively recent right: it appeared in the 1970s. Similarly to the right to privacy, the right to data protection
380 Szabó, M. D. (2005) ‘Kísérlet a privacy fogalmának meghatározására a magyar jogrendszer fogalmaival’, Információs Társadalom, (2), p. 47.
381 For example, as it will be addressed in a later part of the dissertation, if the employer does not process personal data according to the pertinent regulations, it not only infringes the employees’ or prospective employees’ rights but can also have serious consequences for his/her employment – e.g. termination of employment or unfavorable hiring decision.
382 It was adopted in 1970 in Germany. Source: Simitis, S. (2010) ‘Privacy - An Endless Debate’, California Law Review, 98(6), p. 1995.
383 See: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal L 281, 23/11/1995 P. 0031 - 0050
also emerged as a reaction to technological development: owing to the appearance of computers, the collection, storage, transfer, etc. of data had never been easier, and the plan for establishing different state registers was evoked by the states. Under the shadow of how state registers had contributed to the horrible events of the Second World War,384 combined with the growing fear of a surveillance state,385 the public feared the consequences of unregulated automated processing of personal data. Still, prior to the 1960s and 1970s, technology did not make it possible to conduct automatic data processing; also, mass surveillance came at high costs, and thus the protection of the individual was naturally ensured.386 However, due to the technological development, the situation had changed, and as a response to the arising threats, data protection appeared,387 as these innovations offered unprecedented opportunities for the state to keep records in order to fulfil its functions (e.g. in relation to taxation, etc.).388 At the same time, plans appeared throughout Europe aiming to unify or to connect national databases.389 It was against this background that the first documents regulating data protection appeared. The world’s first data protection act was adopted in 1970, in the German federal state of Hesse,390 and was soon followed by other countries (Sweden in 1973, Germany in 1977, France in 1978).391 After adopting these national data protection acts, it became also necessary to regulate the transborder flow of personal data, which led to the adoption of international data protection norms.392
116. French and Hungarian origins. France adopted its data protection act, the “Loi informatique” in 1978 [Act No. 78-17 of 6 January 1978 on Information Technology,
384 Galántai, Z. (2003) E-privacy olvasókönyv. Dialógusok a privacyről és az internetről – meg a cyberpornóról, a megfigyelésekről és egyebekről. Available at: https://mek.oszk.hu/04100/04134/html/ (Accessed: 18 November 2019).
385 These fears are well illustrated in literature as well. Scholars usually refer to George Orwell’s “1984”, and Franz Kafka’s “The Trial”. In Hungary, scholars often cite a certain verse of a poem entitled “Air!” written by the famous Hungarian poet, Attila József in 1935: “They keep track of my phone calls,/ who I call and when and why./ They keep a transcript of my dreams/ and what they mean / and according to whom./ I don’t know what’s in my file of late/ but soon they’ll make a move/ and violate my rights.” Source: Hargitai, P. (tran.) (2005) Attila József Selected Poems. New York: iUniverse, pp. 35-36.
386 Jóri, A. (2005) Adatvédelmi kézikönyv. Budapest: Osiris Kiadó, p. 22.
387 Szőke, G. L. (2015) Az európai adatvédelmi jog megújítása. Tendenciák és lehetőségek az önszabályozás területén. Budapest: HVG-ORAC, p. 27
388 Sári, J. and Somody, B. (2008) Alapjogok. Budapest: Osiris Kiadó, p. 133.
389 Szőke, G. L. (2015) Az európai adatvédelmi jog megújítása. Tendenciák és lehetőségek az önszabályozás területén. Budapest: HVG-ORAC, p. 31.
390 Simitis, S. (2010) ‘Privacy - An Endless Debate’, California Law Review, 98(6), p. 1995.
391 On the history of data protection see more in: Szőke, G. L. (2015) Az európai adatvédelmi jog megújítása. Tendenciák és lehetőségek az önszabályozás területén. Budapest: HVG-ORAC, pp. 27-34.; Jóri, A. (2005) Adatvédelmi kézikönyv. Budapest: Osiris Kiadó, pp. 21-66.
392 Jóri, A. (2005) Adatvédelmi kézikönyv. Budapest: Osiris Kiadó, p. 28.
Data Files and Civil Liberties (“loi relative à l'informatique, aux fichiers et aux libertés”) hereinafter referred to as: FDPA – standing for French Data Protection Act],393 as a result of the SAFARI scandal concerning a project to interconnect certain files of the French administration – revealed to the public in an article in the newspaper Le Monde.394 In 1978 the FDPA also established the French national data protection authority, named French National Commission on Informatics and Freedoms (“Commission nationale de l'informatique et des libertés”) (hereinafter referred to as: CNIL). The FDPA was significantly amended in 2004395 in order to transpose the EU’s data protection directive,396 and in 2016 by the Act for a Digital Republic aiming to address the new challenges of the information society.397 Although the GDPR is directly applicable, it did not repeal national data protection acts: in the case of conflicting provisions, the former will be applied.398 The amendment of the FDPA was realized in June 2018 by Act No. 2018-493 of 20 June 2018 on the Protection of Personal Data (“Loi n° 2018-493 du 20 juin 2018 relative à la protection des données personnelles”).399
117. While France was amongst the first countries in the world to adopt a data protection act in 1978, in Hungary this process was slower: Hungary adopted its first data protection act, Act LXIII of 1992 on the protection of personal data and access to data of public interest in 1992. The act also established the institution of the Hungarian data protection commissioner,400 who was first appointed in 1995. This act was amended due to
393 See more on French data protection and on the FDPA in: Desgens-Pasanau, G. (2012) La protection des données à caractère personnel: la loi ‘Informatique et libertés’. Paris: LexisNexis (Carré droit); Féral-Schuhl, C. (2018) Cyberdroit. Le droit à l’épreuve de l’Internet. 7th edn. Paris: Dalloz.; Forest, D. (2011) Droit des données personnelles. Paris: Gualino (Droit en action).
394 Boucher, P. (1974) ‘« Safari » ou la chasse aux Français’, Le Monde, 21 March. p. 9.
395 Loi n° 2004-801 du 6 août 2004 relative à la protection des personnes physiques à l'égard des traitements de données à caractère personnel et modifiant la loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
396 On the history of French data protection and the adoption of the FDPA see more in: Braibant, G. (1998) Données personnelles et société de l’information: transposition en droit français de la directive n° 95-46. Paris: la Documentation française (Collection des rapports officiels). pp. 31-36. and Rey, B. (2012) La vie privée à l’ère du numérique. Cachan: Lavoisier. pp. 66-82.
397 See more on the Act for a Digital Republic in: Masnier-Boché, L. (2016) ‘Loi « pour une République numérique » : état des lieux en matière de protection des données personnelles’, Revue Lamy droit de l’immatériel ex Lamy droit de l’informatique, 131, pp. 50–55.; Richard, J. (2016). Le numérique et les données personnelles : quels risques, quelles potentialités ? Revue Du Droit Public (RDP), 1, 87–100.
398 Bourgeois, M. (2017) Droit de la donnée : principes théoriques et approche pratique. Paris: LexisNexis. p. 13.
399 See more on the GDPR’s effect on the FDPA in: Beaugrand, T. et al. (2017) Protection des données personnelles : se mettre en conformité d’ici le 25 mai 2018. Montrouge: Editions législatives. pp. 76-79. On the amendment of the FDPA see more in: CNIL (2018) Rapport d’activité 2017. La documentation française. pp. 34-37.
400 Section 23 of Act LXIII of 1992 on the protection of personal data and access to data of public interest
Hungary’s accession to the EU in 2003401 and replaced in 2011 by Act CXII of 2011 on the Right to Informational Self-determination and Freedom of Information402 (hereinafter referred to as: HDPA – standing for the Hungarian Data Protection Act403).404 The HDPA also introduced significant changes to the national data protection authority: it replaced the institution of the data protection commissioner by establishing the Hungarian National Authority for Data Protection and Freedom of Information (“Nemzeti Adatvédelmi és Információszabadság Hatóság”, hereinafter referred to as: NAIH). After the entering into application of the GDPR, the Hungarian legislators adopted Act XXXIV of 2019 on legislative amendments required for the implementation of the European Union’s data protection reform (hereinafter referred to as: Enforcing Act) in April 2019, aiming to adapt the Hungarian legal system to the GDPR, by amending more than 80 acts.405, 406
118. Generations of data protection regulations. Despite the recent birth of the right to data protection, scholars already distinguish between different generations of data protection regulations. However, these generations are not universal: different authors established different stages in the history of data protection regulations. According to Michael D. Birnhack, the first stage was the very appearance of these regulations, the second was the appearance of international regimes instead of solely national regulation and the third was the emphasis being put on the transfer of personal data instead of the collection.407 In 2005, law professor Yves Poullet differentiated between three generations
401 By Act XLVIII of 2003 on the amendment of Act LXIII of 1992 on the protection of personal data and access to data of public interest. Source: Könyves Tóth, P. (2010) ‘Az adatvédelmi törvény metamorfózisai’, Fundamentum, (2), p. 55.
402 On the history of Hungarian data protection regulation see more in: Péterfalvi, A. (ed.) (2012) Adatvédelem és információszabadság a mindennapokban. Budapest: HVG-ORAC, pp. 50-55.; Könyves Tóth, P. (2010) ‘Az adatvédelmi törvény metamorfózisai’, Fundamentum, (2), pp. 53–61.
403 Although the Hungarian data protection authority employed the expression “Privacy Act” when referring to the data protection act, the use of such an expression is unfortunate, with regard to the adoption of the Privacy Act (act on the protection of private life). For this reason, the acronym HDPA will be employed in the dissertation.
404 In Hungary as well, the adoption of a landmark decision in the field of data protection is connected to a so-called universal identification number and its suppression by the Constitutional Court in Decision No. 15/1991. (IV. 13.).
405 On the most important changes occurring in 2019 see more in: Bölcskei, K. (2019) GDPR Kézikönyv 2.0. Budapest: Vezinfó Kiadó és Tanácsadó Kft.
406 On Hungarian data protection see more in: Jóri, A. (2005) Adatvédelmi kézikönyv. Budapest: Osiris Kiadó.; Majtényi, L. (2006) Az információs szabadságok: adatvédelem és a közérdekű adatok nyilvánossága. Budapest: Complex.; Jóri, A., Hegedűs, B. and Kerekes, Z. (eds) (2010) Adatvédelem és információszabadság a gyakorlatban. Budapest: Complex.; Könyves Tóth, P. (2010) ‘Az adatvédelmi törvény metamorfózisai’, Fundamentum, (2), pp. 53–61.; Péterfalvi, A. (ed.) (2012) Adatvédelem és információszabadság a mindennapokban. Budapest: HVG-ORAC.; Jóri, A. and Soós, A. K. (2016) Adatvédelmi jog: magyar és európai szabályozás. Budapest: HVG-ORAC.
407 Birnhack, M. D. (2008) ‘The EU Data Protection Directive: An engine of a global regime.’, Computer Law & Security Review, 24(6), pp. 511-512.
of data protection regulations, starting with Article 8 of the ECHR, continuing with the EU’s Data Protection Directive and the CoE’s Convention 108, and ending with the EU’s E-privacy Directive.408 Back in 1997, Viktor Mayer-Schönberger already distinguished four generations of data protection regulations. The first one dates back to the very appearance of data protection laws, when these acts aimed to regulate the technology, when processing was conducted only by a few controllers. Then, when processing became differentiated and available not only for states but for businesses too, data protection regulations shifted from regulating technology to guaranteeing individual liberty. The third generation is characterized by the right to informational self-determination, while the fourth (e.g. the EU Data Protection Directive) manifests an intention to strengthen the rights of the individual and to create a mandatory protection of certain data, and a shift and an opening towards sectoral regulation.409
119. Gergely László Szőke differentiates between three generations: the first generation is characterized by the aim of regulating the automated processing of certain data controllers (mainly the state) who processed a huge amount of personal data. With the appearance and spread of the personal computer in the 1980s, this landscape changed, as the processing of personal data became available to a wider audience (to businesses or to private individuals): a second type of regulation was needed. These regulations are characterized by the aim of providing the individual the right to informational self-determination in general, instead of regulating the processing of only a few data controllers. The European Data Protection Directive, the OECD Guidelines, the CoE’s Convention 108 are typical examples of the second generation of data protection regulations. However, since then, technology has not stopped evolving: the mass adoption of the Internet, social network sites, profiling, the use of mobile devices, etc. have evoked the necessity for a third generation of regulation. According to Szőke, the EU’s General Data Protection Regulation (then proposal) represents new tendencies in personal data protection, by taking into account the obligations of data controllers (instead of the individual’s right to self-determination), differentiating between certain types of
408 Poullet, Y. (2005) ‘Pour une troisième génération de réglementations de protection des données’, Jusletter. Available at: http://www.crid.be/pdf/public/5188.pdf (Accessed: 24 February 2018). pp. 4-8.
409 Mayer-Schönberger, V. (1997) ‘Generational Development of Data Protection in Europe’, in Agre, P. E. and Rotenberg, M. (eds) Technology and Privacy: The New Landscape. Cambridge: MIT Press, pp. 221-233.
controllers, aiming to regulate technology and strengthening the role of the internal regulations of controllers.410
120. Whichever categorization we agree with, it is undisputed that the changes posed by the mass adoption of the Internet, social media, mobile devices and the shift in users’ behaviour represent a challenge both for the right to privacy and for the right to data protection. As the dissertation focuses on labour law, it is beyond the dissertation’s scope and aim to propose another classification of the generations of data protection regulations; for the purposes of the dissertation it is sufficient to identify the common characteristics of the development of data protection regulations.
121. From the generations identified above, it can be observed that data protection went through different phases: since its appearance in the second half of the 20th century, the technological, societal and legal environment has been completely transformed. The conclusion that can be drawn from these generations is that data protection as well should be adequately adjusted to the given circumstances. While data protection at the beginning was regulated at the national level, it was soon recognized that the absence of an international legal framework would inhibit the international transfer of personal data,411 resulting in the adoption and existence of a complex regulation. While at the beginning data protection regulations had to cope with a limited number of huge databases, nowadays data processing operations have multiplied due to the rapid advancement of technological development. These changes had an effect on the regulations as well, as at the beginning these regulations constituted mainly technical regulations, but later shifted towards guaranteeing the freedom of the individual.412 Existing rules are constantly challenged – for example by social media and SNSs, as it will be examined under Title 2.
(B) Defining data protection: substantial delimitation from the right to privacy
410 Szőke, G. L. (2013) ‘Az adatvédelem szabályozásának történeti áttekintése’, Infokommunikáció és jog, (3), pp. 108-111. In his article Szőke also refers to the different existing theories amongst Hungarian scholars. According to László Majtényi, the first generation consists of norms regulating data processing by computers, while the second generation is technology-neutral, and the third focuses on challenges arising in different sectors. (Majtényi, L. (2008) ‘Az információs jogok’, in Halmai, G. and Tóth, G. A. (eds) Emberi jogok. Budapest: Osiris Kiadó, pp. 582-583.) According to András Jóri, the first generation of norms focuses on big data controllers and processing by computers, the second generation is centred around the right to informational self-determination, while the third one is concentrated on the new arising challenges. (Jóri, A. (2005) Adatvédelmi kézikönyv. Budapest: Osiris Kiadó, pp. 23-66.)
411 Jóri, A. (2005) Adatvédelmi kézikönyv. Budapest: Osiris Kiadó, p. 28.
412 Marta Otto referring to Mark Freedland in: Otto, M. (2016) The Right to Privacy in Employment: a Comparative Analysis. Oxford, Portland: Hart Publishing, pp. 106-107.
122. It was already established how privacy is understood in the dissertation. As a starting point, data protection can be comprehended as “the regulation and organisation of the conditions under which personal data can be lawfully processed.”413 However, it must also be established what is data protection and what is its relation to privacy? There is