Protecting religious minorities, journalists, civil society and sensitive personal data should be part of Hungary’s Article 7 recovery plan — and that requires new leadership at NAIH
Hungary’s democratic renewal cannot stop at courts, corruption, media freedom and EU funds. If Prime Minister Péter Magyar’s new administration wants to restore the rule of law, it must also rebuild trust in the state bodies that were supposed to protect citizens from abuse. That includes the National Authority for Data Protection and Freedom of Information, led by Attila Péterfalvi since 2012. From spyware and political-data misuse to freedom-of-information failures, biometric surveillance and disproportionate action affecting minority communities, Hungary now needs a privacy watchdog with the courage and credibility to defend fundamental rights.
A democratic reset must reach the institutions that failed to protect citizens
Hungary’s new political moment has created expectations in Brussels, Strasbourg, Geneva and Budapest. After years in which the country was treated as one of the European Union’s central rule-of-law problems, the government of Prime Minister Péter Magyar has promised to restore democratic standards, rebuild institutional independence and reopen a constructive relationship with the European Union.
That promise must now be tested not only in the visible arenas of constitutional reform, judicial independence, media freedom and anti-corruption policy. It must also be tested in the quieter machinery of the state: the authorities, regulators and watchdogs that were supposed to protect citizens from abuse when political power expanded.
One of those institutions is Hungary’s National Authority for Data Protection and Freedom of Information, known as NAIH. Formally, it is tasked with protecting two essential democratic rights: personal-data protection and freedom of information. In practice, however, the authority has become one of the institutions whose credibility should now be reviewed as part of Hungary’s wider rule-of-law reset.
This is not a technical issue. It is not a bureaucratic detail. A privacy and freedom-of-information authority sits at the heart of modern democracy. It is the body that should protect citizens when the state collects personal data, when political actors build databases, when journalists face surveillance, when public authorities refuse transparency, when biometric technologies expand, and when vulnerable communities are exposed to disproportionate administrative power.
In a democratic transition, changing ministers is not enough. A state governed by the rule of law must ask whether the institutions that were meant to restrain power actually did so. If they failed, their leadership must be reviewed. If they lost public trust, they must be renewed.
Article 7 should not become a ceremonial file
The European Union’s Article 7 procedure concerning Hungary remains open. On 16 June 2026, the General Affairs Council was again updated on the rule-of-law situation in Hungary. That matters. Article 7 should not be treated as a ceremonial file to be closed because a new administration has taken office. It should become a roadmap for genuine repair.
Hungarian civil-society organisations have made the same point. The Hungarian Helsinki Committee warned before the June 2026 Article 7 discussion that positive commitments by the new government should not be confused with completed reform. Implementation, not rhetoric, will determine whether Hungary has truly moved beyond the institutional practices that caused European concern in the first place.
That warning is essential. Article 7 is not only about judicial appointments, electoral laws, media capture or corruption. Article 2 of the Treaty on European Union protects human dignity, freedom, democracy, equality, the rule of law and human rights, including the rights of minorities. The protection of privacy, access to public information, freedom of expression, freedom of association and freedom of religion or belief all belong within that framework.
Hungary’s Article 7 recovery plan should therefore include a specific review of the authorities that handled sensitive data, public transparency, surveillance-related complaints and enforcement actions affecting civil society and minority communities. NAIH should be at the centre of that review.
The NAIH question
According to NAIH’s official description of its own authority, the institution monitors and promotes the enforcement of two fundamental rights: the right to the protection of personal data and the right to access data of public interest. Its president is appointed by the President of the Republic on the proposal of the Prime Minister for a nine-year term, with one possible reappointment.
The current president, Dr. Attila Péterfalvi, has led NAIH since 2012. His official curriculum vitae confirms his long tenure at the head of the authority.
Institutional independence is important. A data-protection authority must not become a political arm of any government. But independence cannot mean unaccountability. When an authority charged with protecting fundamental rights is repeatedly criticised for weak responses to surveillance, secrecy, political-data abuse, biometric expansion and disproportionate enforcement, the new democratic administration cannot pretend the question is merely administrative.
A previous European Times analysis argued that Hungary’s privacy watchdog needs a reset and that Attila Péterfalvi should not continue to lead it. That conclusion is stronger today because the problem is broader than any single case. Péterfalvi has become a symbol of institutional continuity at a time when Hungary needs institutional renewal.
Why Péterfalvi has become a rule-of-law problem
The case for leadership change at NAIH does not rest on one controversy. It rests on a pattern of lost confidence.
NAIH is not an ordinary regulator. It should stand between citizens and abuses of power. It should be one of the first institutions to ask hard questions when the state collects personal data, when political campaigns use information gathered through public services, when journalists are surveilled, when public documents are withheld, when facial-recognition systems expand, or when sensitive community records become the target of irreversible administrative action.
Under Attila Péterfalvi, however, NAIH has repeatedly failed to become the visible democratic shield Hungary needed.
The Pegasus spyware affair remains one of the clearest examples. After allegations that journalists and other public figures had been targeted with invasive surveillance technology, NAIH’s investigation found no proof that the bodies authorised to conduct secret surveillance had used Pegasus for purposes other than those specified by law. But the authority’s conclusion that Pegasus use met the legal criteria did not end public concern. On the contrary, media-freedom and human-rights organisations continued to warn that spyware surveillance chilled journalistic work, endangered source protection and deepened the climate of fear around independent reporting.
The problem was not only the legal conclusion. It was the absence of public confidence. A privacy authority worthy of a democratic state should have demanded maximum transparency, rigorous safeguards and meaningful reassurance for citizens. Instead, the Pegasus outcome reinforced doubts about whether NAIH was willing or able to confront the security state.
The same concern arises in the field of political data. Human Rights Watch documented the exploitation of personal data in Hungary’s 2022 elections, including the use of data collected through state functions for political campaigning. The report recommended stronger oversight of political-party databases, voter data, campaign communications and sensitive political profiling. In a country where state-held data and political campaigning became dangerously intertwined, the data-protection authority should have been one of the most assertive democratic safeguards.
Freedom of information is another test. The European Commission’s 2025 Rule of Law Report identified continuing concerns in Hungary over transparency, access to public information, restrictions affecting civil society and effective remedies. NAIH cannot be blamed for every legislative failure. But after more than a decade under the same leadership, the authority cannot be separated from the broader weakness of Hungary’s transparency architecture.
Biometric surveillance adds a forward-looking concern. Civil-society organisations have warned that Hungary’s expansion of facial-recognition technology created serious risks for privacy, assembly and protest rights. The European Center for Not-for-Profit Law argued that Hungary’s new biometric surveillance laws violate the EU AI Act, noting that amendments adopted in 2025 dramatically expanded the use of facial-recognition technology in the context of minor infractions and peaceful assemblies. A country facing this kind of surveillance debate needs a privacy authority with exceptional credibility. NAIH does not currently have it.
There is also an institutional-history problem. In 2014, the Court of Justice of the European Union ruled in Commission v Hungary that Hungary violated EU law by prematurely ending the mandate of the previous Data Protection Supervisor. Péterfalvi became head of the new authority created in that institutional transition and has remained in office ever since. That history does not make him personally responsible for every act of the legislature. But it does mean that he represents continuity with a system whose independence, credibility and democratic safeguards have long been questioned.
The new government therefore faces a simple question: can Hungary rebuild trust in privacy, transparency and freedom-of-information enforcement while leaving the same leadership in place?
The answer should be no.
Confidential records are not ordinary paperwork
The issue is not limited to one community, one proceeding or one category of documents. It concerns the power of the state to seize, retain, copy, order the erasure of, or destroy sensitive records without adequate safeguards before the harm becomes irreversible.
In a democracy, confidential records may involve religious life, political opinions, journalistic sources, civil-society activity, legal advice, medical information, personal associations, or communications between individuals and the communities that give meaning to their lives. These records may contain personal data, and that data must be protected. But protection cannot become a pretext for disproportionate state action.
Where state authorities handle sensitive records, the standard must be high. The state must show a legitimate aim. It must prove necessity. It must choose the least intrusive measure. It must hear the affected persons. It must provide independent judicial review before irreversible harm occurs. And it must never use the language of legality to produce an injustice that cannot later be repaired.
This is why the reform of Hungary’s data-protection authority is not a technical matter. It is a rule-of-law question. A privacy watchdog must protect citizens from both private abuse and state overreach. It must defend sensitive data without becoming an instrument through which sensitive communities, journalists, political actors, civil-society organisations or minority believers are exposed to disproportionate power.
Religious freedom belongs in the rule-of-law reset
Hungary’s democratic renewal must also include freedom of religion or belief. The protection of religious minorities is not a separate or secondary issue. It is one of the clearest tests of whether a state respects pluralism in practice.
When observers describe Hungary’s democratic backsliding, they often focus on captured media, weakened courts, politicised institutions, corruption, public procurement and pressure on civil society. Those issues are real. But the treatment of minority religious communities also belongs in the same discussion.
FOREF Europe has called for a religious-liberty framework in Hungary based on neutrality, objective criteria, equal treatment and effective remedies. That is the right direction. Hungary should ensure that no religious community is left vulnerable because it lacks historic status, political influence or social popularity.
The principle is simple: a democratic state does not rank beliefs. It does not use administrative discretion to favour some faiths and burden others. It does not hide behind neutral language when enforcement falls disproportionately on unpopular communities. And it does not allow irreversible action against sensitive religious or community records without strict safeguards and meaningful remedies.
Prime Minister Magyar’s administration has an opportunity to change that. Hungary can move from politically managed religion to genuine religious freedom. It can replace selective tolerance with equal legal protection. It can show that minority faith communities are not second-class participants in public life.
That will require more than dialogue. It will require legislative reform, administrative safeguards and accountability for institutions that failed to protect rights.
Removal must be lawful — but it must be real
A democratic government cannot restore the rule of law by violating it. Péterfalvi should not be removed through revenge, public spectacle or improvised political pressure. But lawful accountability is not retaliation. It is the condition for institutional recovery.
The new Prime Minister should initiate a lawful and transparent review of NAIH’s conduct in cases involving surveillance, political-data use, access to public information, biometric monitoring, civil-society organisations, religious communities, journalists and other vulnerable targets of state power.
That review should ask direct questions. Did the authority defend citizens from overreach? Did it insist on proportionality? Did it ensure effective remedies before irreversible harm occurred? Did it challenge excessive secrecy? Did it meaningfully protect journalists, voters, civil-society actors and minority communities? Did it use its institutional independence to confront power, or mainly to accommodate it?
If the review confirms serious failures, Parliament and the government should use every lawful constitutional mechanism available to secure Péterfalvi’s resignation or removal. The same principle should apply to any official, judge, administrator or institutional actor whose record shows validation of rights failures while denying meaningful remedies.
This is not a call for vengeance. It is a call for democratic hygiene.
No official should remain in a rights-protection post if the public can no longer trust that he will protect rights. No institution can be credibly reformed while its leadership is identified with the failures reform is supposed to correct.
What a new government would look like
The Magyar administration would include the renewal and reform of NAIH and the protection of sensitive personal data in its formal Article 7 reform package. The package should not be vague. It should contain measurable commitments.
First, review and reforme the NAIH’s record under Péterfalvi
Hungary should establish an independent review (and then reform) of NAIH’s handling of surveillance complaints, political-data concerns, freedom-of-information disputes, biometric surveillance risks and enforcement actions affecting civil society and minority communities. The review should be public, evidence-based and protected from partisan manipulation.
Second, renew NAIH leadership
NAIH should be independent in law and credible in practice. Leadership renewal is necessary. Péterfalvi should resign or be removed through lawful procedures as he failed to provide effective safeguards in major rights-sensitive areas. Future appointments should be transparent, merit-based and subject to meaningful parliamentary scrutiny.
Third, protect sensitive records from irreversible harm
Hungary should review all cases in which public authorities ordered seizure, retention, copying, erasure, destruction or forced disclosure of sensitive records. That includes records connected to journalism, politics, civil society, religion, legal advice, medical information and private association. No irreversible action should occur without strict necessity, proportionality and effective judicial remedy.
Fourth, strengthen freedom of information
NAIH must become a real defender of access to public-interest information. Court orders requiring disclosure should be enforced. Public funding should not disappear into opacity. Citizens, journalists and civil-society organisations should not face artificial barriers when seeking information about the use of public power or public money.
Fifth, confront surveillance and biometric overreach
Hungary needs clear safeguards on spyware, secret surveillance, facial-recognition technology and other intrusive tools. These safeguards must include independent oversight, judicial control, transparency where possible, remedies for victims and special protection for journalists, lawyers, opposition actors, civil-society organisations and minority communities.
Sixth, protect religious minorities as part of Article 7 compliance
The new administration should ensure that freedom of religion or belief is not treated as a cultural afterthought. It should be part of Hungary’s rule-of-law repair. Religious communities should have equal legal status, objective recognition criteria, transparent remedies and protection from disproportionate administrative enforcement.
Brussels should ask direct questions
The European Union should not treat NAIH as a technical body outside the Article 7 discussion. The Council, Commission and European Parliament should ask direct questions.
What safeguards prevent Hungarian authorities from misusing personal data for political advantage? What remedies exist for citizens targeted by surveillance? How does Hungary ensure that spyware or biometric technologies are not used against journalists, protesters, lawyers, civil society or minority groups? How are freedom-of-information requests enforced when authorities resist disclosure? What role did NAIH play in major rights-sensitive controversies? What steps will the new government take to renew the authority’s leadership and restore public trust?
These questions belong inside Article 7 because they concern the rule of law in its most concrete form: whether a citizen can stop the state before the state causes harm that cannot later be repaired.
They also belong in the European Commission’s annual rule-of-law monitoring. If privacy, transparency and access to information are weak, democracy becomes formal rather than real. Elections may still occur, courts may still issue judgments, and authorities may still publish annual reports — but citizens remain exposed to power without effective protection.
The Prime Minister’s opportunity
Péter Magyar has presented his government as more than a change of leadership. In an interview with Le Monde, he said he was not elected simply to change the government, but to change the regime. The Guardian has also reported on his government’s early constitutional reform agenda and its effort to restore democratic checks and balances.
Changing a regime, however, means more than replacing ministers. It means dismantling the habits of power that made rights violations possible. It means ensuring that no authority can hide behind formal legality while producing substantive injustice. It means protecting citizens before they are harmed by surveillance, secrecy, political profiling, administrative discretion or procedural delay.
If the new Prime Minister wants Hungary to return to the European democratic mainstream, he should make privacy, transparency and freedom of religion or belief visible parts of his rule-of-law agenda. He should protect journalists, voters, civil society and minority faith communities. He should restore remedies where remedies were denied. He should halt any remaining irreversible measures affecting sensitive records. And he should remove from office those whose leadership has become incompatible with rights protection.
That includes Attila Péterfalvi.
Restoring trust requires visible accountability
Hungary now has a rare opportunity. It can show Europe that democratic renewal is not selective. It can show citizens that personal data will no longer be treated as a political resource. It can show journalists that source protection matters. It can show civil-society organisations that transparency will not be replaced by secrecy. It can show religious minorities that equality before the law is not reserved for large, historic or politically convenient churches.
But trust will not return through speeches alone. It will return when institutions that failed are reviewed, when victims are heard, when remedies are restored, and when officials responsible for rights failures are no longer allowed to supervise the next phase of reform.
Article 7 should not be bypassed. It should be used. It should become the framework through which Hungary proves that it has moved from promises to accountability.
The new administration’s message should be clear: sensitive personal data is not a weapon; public information is not private property of the state; religious minorities are not second-class communities; and no public official, however long-serving, is above review when fundamental rights have been placed at risk.
Hungary’s privacy watchdog needs more than a new mandate. It needs new trust. And new trust requires new leadership.
