Hungarian data protection authority warns of risks around parties storing data outside EU

A professional error and negligence by the subcontractor that designed the website of the government’s public survey was to blame for the website running a Russian analytical code, the head of the data protection authority (NAIH) said on Thursday. “Political parties’ “storing personal data concerning (people’s) political opinion in a third country may involve risks”, he said.

NAIH conducted an inspection of the website after press reports indicated that the website’s code included a data collection code from Yandex, a Russian internet company, which sent the personal data of Hungarians to Russian servers.

The Government Information Centre said then that the analytical codes running on the website served to improve the website’s efficiency.

Outlining the results of NAIH’s investigation, Attila Péterfalvi said the investigation had found that the company that had developed the website was to blame for Yandex’s code running on the site. The staff member overseeing the website turned off the data collection code but failed to delete it from the website’s html code, so users’ data were forwarded to Yandex, Péterfalvi said.

He said Yandex had told the authority that since the data collection code was turned off, its Netherlands-based server did not receive any of the users’ data.

We wrote before, the government’s public survey dubbed “national consultation” now under way could be used to influence next year’s parliamentary election, an opposition Socialist MP said.

Péterfalvi told a press conference on Thursday that his authority had evaluated online forms by the LMP and Liberal parties, and found, in the latter case, that the menu directed users to a website operated by a US company, which may suggest that the party stores member data in another country. He added that storing data “in a country which has applied a broad surveillance programme in the past years and decades” is especially risky.

As for LMP, NAIH similarly found that one of its online surfaces forwards personal data to servers in the US. Péterfalvi noted that while LMP had not violated any effective regulations, in light of regulations to take effect in 2018, LMP “should evaluate what risks may be involved”. LMP has reacted that it would eliminate the surface in question.

Source: MTI