Hungary’s Sovereignty Protection Office requested information on private bank accounts

According to documents obtained by Atlatszo by order of a Hungarian court, requests made by the Sovereignty Protection Office to several institutions appear to exceed the legal mandate of the organization. The SPO has sent several letters to state or state-regulated bodies asking that they collect information for them on an ongoing basis. Other SPO requests seem to violate financial privacy, attorney-client privilege, and auditor confidentiality rules.

Heads of several key Hungarian state institutions responded positively to requests from the Sovereignty Protection Office asking them to have their respective organizations collect data on threats to sovereignty, Atlatszo reported based on copies of written exchanges obtained under a court order.

The central bank, the data protection authority, and the media authority have all sent replies welcoming the requests of the Sovereignty Protection Office (SPO). The tax authority informed Atlatszo that “development” of their “cooperation” with the SPO is currently underway.

Many requests appear to go beyond the legal mandate of the SPO, which obliges public bodies to provide information to the office only in the case of specific investigations. In several letters, the SPO asked other state bodies to collect information on activities “violating or endangering sovereignty” on an ongoing basis and to pass it on to the SPO.

Some requests pertain to data that are otherwise protected by laws which the SPO has no dispensation to overrule. This includes information protected under financial privacy, attorney-client privilege, and auditor confidentiality rules.

Some SPO requests to the National Bank of Hungary (NBH) were aimed at obtaining reports “construed from the perspective of the law on protecting national sovereignty” on money transfers to bank accounts of individuals and companies.

After Atlatszo’s initial reporting on the matter, the central bank wrote in an email that “currently there is no cooperation agreement between the NBH and the SPO”. In the email, the NBH also reiterated its commitment to financial privacy.

The Hungarian Bar Association refused complying with requests aiming to breach attorney-client privilege. The Hungarian Chamber of Auditors informed Atlatszo that it does not plan to comply with the SPO’s requests.

Written exchanges between the SPO and other organizations were obtained by Atlatszo under a court order, after successfully suing to overturn a denied freedom of information request.

Six institutions, four replies

At the end of March this year, Tamás Lánczi, president of the SPO – which has been established by February – sent a letter to the heads of six state institutions and other organizations governed by law. In each message, Lánczi made specific requests to the recipients. In several cases, the requests included ongoing information gathering on “sovereignty protection” matters and handing the collected data over to the SPO.

The six requests, as well as the replies of four organizations, have been obtained by Atlatszo. Atlatszo sent questions to the other two organizations asking about their replies to Lánczi’s letter. Of the six requests for cooperation, only the correspondence with the president of the Hungarian Bar Association (HBA) has so far been publicly known.

Four of the public bodies contacted – the NBH, the National Authority for Data Protection and Freedom of Information (NAIH), the National Tax and Customs Administration (NAV) and the National Media and Infocommunications Authority (NMHH) – have either responded in the main positively to the request, have started to “develop” a framework for cooperation, or both.

The HBA and the Hungarian Chamber of Auditors (HCA) have essentially refused the requests, citing respectively the confidentiality obligations of lawyers and auditors under the law.

Central bank: information on private accounts

Lánczi has made four requests to the National Bank of Hungary, which in addition to its central bank function also performs a role supervising the commercial banking sector. First, that the way in which they will receive future SPO requests are adapted to “specific IT infrastructure and procedures” of commercial banks.

Second, a way to extracting data on transfers made to bank accounts held at commercial banks. Thirdly, that based on this data, SPO is provided with reporting “with respect to project companies and individuals in an ad hoc manner” and “construed from the perspective of the law on protecting national sovereignty”.

The fourth request was asking that artificial intelligence is employed “to detect patterns and hidden correlations” in the banking data.

In his reply at the end of April, central bank governor György Matolcsy expressed his thanks over the request and referred the SPO to Ákos Farkas, director of supervisory coordination at the NBH, to “work out the concrete elements” of working together.

In his reply letter, the NBH governor indicated that a cooperation agreement would be concluded between the two institutions. Atlatszo sent questions to Farkas and the central bank asking about the specifics of the cooperation, which went unanswered until after Atlatszo’s story on the SPO’s requests ran on Monday.

In its reply to Atlatszo, the NBH wrote that “currently there is no cooperation agreement between them and the SPO” and that any such agreement in the future would be published on their website. In the email, the central bank reiterated its commitment to rules protecting financial privacy.

Data protection authority: data collection

Lánczi has addressed three requests to Attila Péterfalvi, the president of the data protection authority NAIH. First, that “any reports received by the NAIH of activities that infringe or threaten its sovereignty” should be forwarded to the office “without delay”. Secondly, that “the NAIH informs the Office of the investigations it has launched when requested”.

The third request was for the NAIH to appoint a contact person “responsible for collecting” and passing on “information pertaining to the protection of sovereignty”.

In his reply, Péterfalvi expressed his thanks for the letter and agreed to all three requests – adding that personal data would be anonymized in the submissions sent to the office.

In the spirit of “cooperation”, Péterfalvi also called Lánczi’s attention to two petition sites of an international background but operating in Hungarian, and in a manner that raises privacy concerns: peticiok.com, which is operated by the Finnish Petitions24 Oy, and US-based Action Network, whose set of campaigning appliances include a petitioning tool. Action Network’s tools are used by several players in the Hungarian opposition, and the website is already in the crosshairs of the Fidesz-allied media.

Péterfalvi’s letter notably omitted mentioning petition website CitizenGO, which also has a non-Hungarian background and whose data management practices have also raised questions in the past. CitizenGO’s launch was reportedly backed by a substantial donation from Russian oligarch Konstantin Malofeyev, while the Hungarian team of the multilingual petition platform has links to Hungarian governing party Fidesz.

Tax authority: intelligence for sovereignty protection

Lánczi has asked the tax authority – which is empowered to run investigations, including covert ones, into financial crime – that it documents information relating to “activities that violate or threaten sovereignty” detected during its “intelligence analysis and assessment activities” and immediately passes it on to “counterparts”.

Atlatszo does not know the contents of the reply letter. In an email replying to Atlatszo’s questions, NAV replied that “development of the design of the cooperation initiated by the SPO is currently “underway”.

Media authority: analyses, consumer reports

Lánczi asked András Koltay, who chairs the media authority, that NMHH’s broadcast monitoring and analysis department carries out analyses “on the appearance of content that violates national sovereignty”, and that the authority sets up a system to receive reports from the public on such content. These analyses and reports are to be sent to the SPO “without delay”.

Lánczi also called for the NMHH to designate someone for the collecting and passing on sovereignty–related information, and that the authority comes up with new “professional and disciplinary rules enhancing sovereignty protection” to be added to its regulations.

Auditors: requests not supported

Lánczi asked the Hungarian Chamber of Auditors to notify the SPO whenever auditors witness “conduct violating the law on protecting sovereignty”.

Another request was that the Chamber issue guidance to auditors “on the reporting of information”, that the SPO add new rules to its regulations on “duties and responsibilities of auditors pertaining to sovereignty protection” and that the SPO is given a direct contact person in each of the Chamber’s county branches.

These requests are the same as those sent by Lánczi to the Hungarian Bar Association, most of which were rejected by the HBA on the grounds of attorney-client privilege.

Atlatszo does not know the contents of the reply letter. Replying to Atlatszo’s question, the HCA wrote that the law “imposes on auditors an absolute obligation of confidentiality, to which any possible addition – related to sovereignty protection – (which is, incidentally, not supported by the HCA) requires the consent of the finance ministry.”

“In view of the circumspect and general nature of the SPO’s request and the fact that no response has been received to the Chamber’s reply letter sent at the end of April 2024, we did not consider it timely to inform the Chamber’s membership/public in the absence of concrete information,” the Chamber wrote.

Deliberately imprecise concepts

The requests made in Tamás Lánczi’s letters seem to go beyond the legal mandate of the SPO, which on the one hand obliges public bodies to provide information in the case of specific investigations, and on the other hand gives the SPO the possibility to “conclude agreements with other public bodies and non-public bodies in order to provide the information necessary for the performance of its tasks”.

The law does not provide that public bodies should collect information on an ongoing basis precisely in accordance with the requests of the SPO. Nor does it empower the SPO to overrule laws protecting financial privacy, attorney-client privilege, and auditor confidentiality.

Replies by the HCA and the HBA show that at least these two organizations believed that they cannot legally comply with most of Lánczi’s requests

The SPO was established by the law on protecting sovereignty, which in turn was adopted in December 2023 by Fidesz’s parliamentary supermajority “in order to protect constitutional self-identity”. SPO president Tamás Lánczi – a political analyst who in the past had worked for the Fidesz parliamentary group – was appointed by PM Viktor Orbán.

The law was criticized by Hungarian NGOs before and after its adoption. According to the Hungarian Civic Liberties Union, the text of the law is “deliberately imprecise and full of broadly interpretable, partisan concepts”, which the new office can use to “obtain and copy any sensitive data”.

In February, the European Commission launched an infringement procedure against the Orbán government, claiming that the law on protecting sovereignty violates fundamental EU rights.

Documents obtained under court order

In May, after the HBA rebuffed Lánczi’s requests, the SPO wrote in a public statement that it had approached several other state or state-regulated institutions with requests of cooperation. The SPO added that they had received “positive responses” from and already started cooperating with “all of the contacted organizations”.

In a freedom of information request submitted on the same day, Atlatszo asked for SPO’s correspondence seeking cooperation and for (any) agreements and contracts concluded.

After the SPO refused to comply with the request, Atlatszo – successfully – sued the SPO for the documents created before. The documents released under the order of the court include some correspondence and contracts unrelated to the requests for cooperation.

The set of documents released to Atlatszo are likely to be incomplete on at least one count. While the court ordered the release of all documents created before 17 May, released documents did not include the HCA’s reply letter, which was posted “at the end of April” according to the Chamber.

Atlatszo therefore has no confident knowledge on whether any written agreements on cooperation have been concluded and what their contents might be.

The full text of the documents we have obtained is available here (PDFs)

Atlatszo investigated after suing over FOI

Transparency International Hungary and Atlatszo are the first ever targets of “individual and comprehensive” investigations by the SPO, both of which are currently ongoing. The SPO informed Atlatszo of its investigation in a letter sent after it was sued by Atlatszo over its refused freedom of information request.

SPO’s letter included several intrusive requests for Atlatszo’s confidential information. Atlatszo has refuted that it had obligation to hand over such data, arguing that it does not engage in political campaigning, the legal equivalent of “activity aimed at influencing the will of voters”, which is the reason SPO gave for its investigation.

Following our response letter, SPO sent a follow-up to Atlatszo stating that our legal reasoning was “based on an erroneous legal reference and an erroneous conclusion”. In any event, we stand by the statement and will continue to not cooperate with the Sovereignty Protection Office.

Written and translated by Márton Sarkadi Nagy. The Hungarian version of this story is available here.