Hungary’s democratic transition will not be judged only by elections, speeches or symbolic gestures. It will be judged by whether institutions that failed to protect citizens during years of surveillance, secrecy and political pressure are finally held accountable. That includes Hungary’s data protection authority — and its long-serving president, Attila Péterfalvi.
When Péter Magyar was sworn in as Hungary’s new prime minister, ending Viktor Orbán’s long period in power, he promised democratic renewal, institutional repair and a return to European standards. International reporting described the moment as a political rupture, with Magyar pledging to restore the rule of law, rebuild public trust and reorient Hungary toward the European Union. The Associated Press reported that the new government has promised sweeping reforms after years of democratic backsliding.
But Hungary’s democratic reset cannot stop at parliament, prosecutors, public media or anti-corruption offices. It must also reach the institutions that were supposed to protect citizens when state power became intrusive. Few institutions matter more in that respect than Hungary’s National Authority for Data Protection and Freedom of Information, known as NAIH.
That authority is meant to defend citizens against the abuse of personal data, secret surveillance, unlawful information-gathering and state opacity. It should be one of the most important democratic safeguards in the country. Under Attila Péterfalvi, however, Hungary’s privacy watchdog came to symbolize a deeper institutional problem: excessive caution when courage was required, formalism when rights were at stake, and silence when the public needed a defender.
The Pegasus Test
The clearest test was Pegasus. The Pegasus Project revealed the global abuse of military-grade spyware, capable of penetrating mobile phones and accessing messages, calls, locations and encrypted communications. Hungary was among the countries connected to the scandal, and reporting pointed to journalists, lawyers, business figures and political critics as possible targets.
For any serious data protection authority, this should have been treated as a constitutional emergency. The question was not simply whether a secret authorization existed somewhere in the machinery of the state. The real question was whether surveillance was necessary, proportionate, independently controlled and protected from political misuse.
A privacy watchdog worthy of public confidence would have made those questions unavoidable. It would have demanded transparency to the maximum extent compatible with national security. It would have placed the rights of citizens, journalists and lawyers at the centre of the public debate. Instead, Péterfalvi’s authority failed to become the visible democratic shield Hungary needed.
The matter became even more troubling when investigative journalist Szabolcs Panyi, previously reported as a Pegasus target, later faced espionage accusations under the Orbán government. The Associated Press reported on the case, which critics viewed as politically motivated. In such a climate, a data protection authority cannot hide behind procedure. When journalists are surveilled and then criminally accused, silence is not neutrality. It is failure.
Facial Recognition and the Pride Ban
Another test came with Hungary’s crackdown on LGBTQ rights and public assembly. In 2025, Orbán’s Hungary moved to ban Pride events and allow facial recognition technology to identify and fine participants. The Guardian reported that the measures would permit police to use facial recognition against people attending banned Pride events.
This was not a technical issue. It was a fundamental-rights issue. Biometric surveillance used against peaceful demonstrators is exactly the kind of danger a data protection authority exists to confront. It touches privacy, freedom of assembly, freedom of expression and the protection of minorities from state intimidation.
A strong watchdog would have warned clearly against the transformation of biometric identification into a tool of political and cultural pressure. Yet Hungary did not see its privacy regulator become a robust public defender of citizens against that danger. The result was another example of an authority that appeared institutionally present but democratically absent.
The European Union has now underlined the gravity of Hungary’s anti-LGBTQ legal framework. In April 2026, the Court of Justice of the European Union ruled against Hungary’s anti-LGBTQ legislation, and Reuters reported that Hungary’s new government must revise those laws to comply with European standards. The ruling confirms what should have been evident long before: rights cannot be restricted through stigmatizing laws dressed up as administrative necessity.
The Problem Is Institutional Credibility
Péterfalvi’s defenders may argue that independent authorities must not be removed simply because a new government takes power. That principle is correct. A data protection authority must be independent, and its leadership should not be replaced merely for political convenience.
But independence is not the same as immunity from accountability. An independent watchdog that fails to defend citizens during democratic decline cannot simply claim independence as a shield against public judgment. The real issue is not whether a new government should capture NAIH. It should not. The issue is whether Attila Péterfalvi can credibly lead it through a democratic restoration after years in which the authority did not become a visible barrier against surveillance abuse, secrecy and rights erosion.
Hungary now needs a data protection authority that citizens can trust. That means leadership with the moral authority to confront state surveillance, protect journalists and lawyers, defend freedom of information, resist biometric overreach and apply European data protection law without fear or political convenience.
Péterfalvi no longer represents that reset. He represents continuity.
Resignation Would Be Accountability, Not Revenge
Calling for Péterfalvi to step aside is not a call for political revenge. It is a call for institutional repair. Hungary does not need a captured privacy authority under new management. It needs a genuinely independent authority rebuilt around public confidence, transparency and fundamental rights.
Resignation would be the cleanest route. It would allow Hungary to renew NAIH without turning the process into a partisan purge. It would send a message that democratic institutions are not only legal structures but also moral responsibilities. When a watchdog fails to bark while rights are being weakened, citizens are entitled to ask whether that watchdog can still do the job.
Prime Minister Péter Magyar has promised a break with the Orbán era. If that promise is to mean anything, Hungary must look not only at those who directly made authoritarian decisions, but also at those who occupied protective institutions while those decisions advanced.
The rule of law is not restored only by changing statutes. It is restored by changing the institutional culture that allowed surveillance to look routine, secrecy to look lawful and discrimination to look administrative.
Attila Péterfalvi had years to prove that Hungary’s data protection authority could be a democratic firewall. At the decisive moments, it was not. For the sake of public trust, he should go.
