Case Study 10.2: Hungary and the Weaponization of Surveillance Against Democracy

Case Study 10.2: Hungary and the Weaponization of Surveillance Against Democracy

Overview

Hungary presents a distinctive and important case study in democratic backsliding and surveillance. Unlike Xinjiang — an extreme case of authoritarian surveillance from a country that does not claim to be a liberal democracy — Hungary is formally a member of the European Union, operates under EU law including the GDPR, and retains the formal institutional structure of a democratic state. Yet between 2010 and the present, under the Orbán government, Hungary has implemented surveillance practices and legal changes that European institutions and democratic scholars have characterized as fundamentally incompatible with democratic governance. The Hungarian case asks: what does it look like when surveillance is weaponized against democracy from within a democracy's own institutional framework?

The Political Context: Orbánism and the "Illiberal State"

Viktor Orbán, who returned to power in Hungary in 2010 after a previous term in the early 2000s, has governed through a political philosophy he explicitly labeled "illiberal democracy" in a 2014 speech — a model in which democratic form (elections, formal separation of powers) is maintained while the substantive constraints that liberalism imposes (independent judiciary, free press, protection of political opposition) are systematically weakened.

Over the following decade, the Orbán government: - Rewrote the constitution to concentrate power in the executive - Filled the constitutional court with loyalists, neutralizing its independence - Changed electoral laws in ways that benefited the ruling Fidesz party - Drove independent media to near-extinction through regulatory pressure, advertising market manipulation, and friendly buyouts - Restricted civil society organizations, particularly those receiving foreign funding, through legislation modeled on Russian "foreign agents" laws

In this political context, surveillance serves not as a tool of a stable authoritarian regime but as a tool in the ongoing project of democratic consolidation — using surveillance capability to monitor, intimidate, and undermine the political opposition, journalists, and civil society organizations that represent the remaining constraints on executive power.

Pegasus: Commercial Spyware as Political Tool

The most dramatic evidence of surveillance being weaponized in Hungary emerged through the Pegasus Project — a 2021 investigative journalism collaboration involving Forbidden Stories, Amnesty International, and 17 media partners who analyzed a leaked list of phone numbers that appeared to have been targeted by NSO Group's Pegasus spyware.

NSO Group is an Israeli company that sells Pegasus — a sophisticated commercial spyware tool — to government clients. Pegasus can gain complete access to a target's smartphone: messages, emails, calls, photographs, microphone, and camera. The company claims it sells only to verified government clients for use against criminals and terrorists.

The leaked data revealed that among the Pegasus targets in Hungary were:

Investigative journalists: Multiple journalists who had reported on government corruption, the Orbán government's spending of EU funds, and political allies of the prime minister appeared on the target list. At least five journalists, including editors of Hungary's leading investigative outlet (Direkt36), were targeted.

Political figures: An opposition politician and figures associated with opposition campaigns appeared on the list.

Business figures: Executives whose business interests had intersected with government decisions appeared on the list, suggesting use of surveillance for competitive intelligence as well as political intelligence.

The Hungarian government declined to confirm or deny using Pegasus but stated that any surveillance conducted was legal under Hungarian law. Hungary's surveillance law allows surveillance of individuals who pose a "threat to state security" without judicial authorization — a standard that, in the Hungarian legal environment, provides limited protection.

The Judicial Authorization Problem

Democratic legitimacy of surveillance depends substantially on independent judicial authorization. A judge who independently reviews the government's request for surveillance authorization and can say "no" provides a meaningful check on executive overreach. A judge who is part of a judicial system controlled by the executive — through partisan appointment, career pressure, or institutional capture — does not.

Hungary's judicial system has been progressively weakened as an independent check on executive power since 2010. The constitutional court was restructured; the administrative courts were brought under executive influence; the appointment of judges was centralized in ways that increased executive control over judicial careers.

In this context, the formal requirement of judicial authorization for surveillance does not provide the protection that a formal description would suggest. The theoretical check on executive surveillance exists; the institutional independence necessary for that check to function has been severely compromised.

This is what the "infrastructure problem" looks like in practice: Hungary has the formal institutional structure of a democratic surveillance state — including the GDPR protections that apply to all EU member states, and formal judicial authorization requirements for surveillance — but the institutional capacity to enforce those constraints has been hollowed out.

EU Responses and Their Limits

The European Union has responded to Hungary's democratic backsliding through several mechanisms:

Article 7 proceedings. The EU Treaty's Article 7 allows proceedings against member states that breach fundamental EU values, potentially leading to suspension of voting rights. Article 7 proceedings were initiated against Hungary in 2018. They have been stalled, partly because Article 7 sanctions require unanimous agreement among member states and Poland — also subject to rule-of-law concerns — has blocked escalation.

GDPR enforcement. Hungarian data protection authorities are responsible for enforcing the GDPR within Hungary. The effectiveness of that enforcement depends on the independence of those authorities. Critics have raised concerns that Hungarian data protection authorities' independence has been compromised along with other regulatory bodies.

Conditionality on EU funds. The EU has increasingly linked disbursement of EU structural funds to rule-of-law compliance. This mechanism has produced some concessions from Hungary on specific issues but has not reversed the broader democratic backsliding.

The Pegasus response. The European Parliament established a special committee — PEGA — to investigate use of Pegasus and similar spyware in EU member states. The committee's 2022 report found that Hungary had used Pegasus for political surveillance and called for a ban on use of such spyware until a legal framework compatible with EU fundamental rights was established. Hungary's government rejected the findings.

What Hungary Reveals About Democratic Surveillance Architecture

The Hungary case illuminates several dynamics relevant to the chapter's broader analysis:

Formal democratic institutions can be retained while substantive democratic governance is eliminated. Hungary's surveillance laws formally require judicial authorization; in practice, the independence of the judicial authorization process has been compromised. The formal structure of democratic surveillance exists; its functional substance has been hollowed out. This is a more sophisticated form of democratic erosion than the simple elimination of formal constraints — it maintains the appearance of democratic governance while eliminating its function.

Commercial surveillance technology enables democratic backsliding. Pegasus — a commercially available product sold by a private company — enabled a government to conduct surveillance at a level of sophistication previously available only to major intelligence agencies. Commercial surveillance technology has democratized sophisticated surveillance capability in a deeply problematic sense: governments that lack the resources or technical capacity to build their own advanced surveillance tools can purchase that capability from the market.

The EU framework has limited effectiveness against democratic backsliding by member states. The GDPR and EU fundamental rights framework were designed for a situation in which member states are in compliance with democratic values and the legal frameworks enforce those values. When a member state's government systematically undermines the institutional capacity to enforce legal protections, the formal legal framework provides diminishing protection.

Political opposition and journalists as the primary surveillance targets. In Hungary, the primary uses of advanced surveillance capability appear to have been against the actors who constitute the democratic check on executive power — investigative journalists who expose corruption, political opponents who challenge the government, civil society organizations that advocate for democratic norms. This is surveillance in service of democratic erosion, using the tools of state power against the mechanisms of democratic accountability.

Comparative Reflection: Hungary, Xinjiang, and Democratic Surveillance

The three contexts examined across this chapter's case studies — Xinjiang's total surveillance, Hungary's weaponized surveillance, and (implicitly) the democratic surveillance examined in Chapters 6–9 — represent points on a spectrum.

Xinjiang represents surveillance deployed without democratic constraint against a specific ethnic group for purposes of cultural elimination and political control. Hungary represents surveillance deployed within a formally democratic context against political opponents and journalists for purposes of democratic consolidation — maintaining power by eliminating the mechanisms that threaten it. Democratic surveillance, as examined in earlier chapters, represents surveillance deployed with imperfect but meaningful democratic constraints against targets defined primarily by security rather than political criteria.

The movement from democratic to Hungarian to Xinjiang surveillance is not a sudden transition — it is a gradient. Each step maintains some formal features of the previous arrangement while eliminating some substantive constraints. The question that the Hungary case poses is whether the gradient can be arrested — whether the formal institutions of democratic governance, once weakened, can be restored, and what is required to restore them.

Discussion Questions

The Orbán government formally describes Hungary as a "democracy" — it holds elections, maintains formal separation of powers, and operates within the EU's legal framework including GDPR. At what point does surveillance of political opposition and journalists cross from legitimate state security activity into something that delegitimizes the democratic characterization of the government? What criteria would you apply?
NSO Group markets Pegasus as a counterterrorism and law enforcement tool, sold only to government clients. Hungary's use of Pegasus against investigative journalists and political figures represents a clear departure from this marketing. What obligations, if any, does NSO Group have to prevent misuse of its products? What mechanisms would be necessary for a commercial spyware company to effectively prevent its products from being used for political surveillance?
The EU's response to Hungary's Pegasus surveillance has been substantial in its rhetorical condemnation but limited in its practical effect. What explains this gap between rhetorical commitment to democratic values and practical inability to enforce them against a member state? What reforms to the EU's institutional structure would give it more effective tools to respond to democratic backsliding by member states?
Jordan asks Dr. Osei: "Hungary is an EU member state, subject to GDPR, subject to the European Convention on Human Rights, and it still used commercial spyware against journalists. What does that tell us about the effectiveness of legal frameworks in preventing surveillance abuse?" How should Dr. Osei respond?
The case study identifies Hungary as a country in which "formal institutional structure" of democratic surveillance exists but its "institutional capacity to enforce protections has been hollowed out." Can you identify analogous dynamics in any aspect of U.S. surveillance governance — areas where the formal structure of democratic oversight exists but the institutional capacity to enforce it is weaker than the formal structure suggests?
The European Parliament's PEGA committee called for a ban on the use of commercial spyware like Pegasus until a legal framework compatible with EU fundamental rights is established. Evaluate this proposal: (a) what would a compliant legal framework need to include? (b) is a blanket ban on commercial spyware the right approach, or are there legitimate uses that should be preserved? (c) would a ban be effective given that spyware developers outside the EU are not bound by EU regulation?

Case Study 10.2 | Chapter 10: Authoritarianism and Total Surveillance | Part 2: State Surveillance