Attila Szabó, PhD
Head of Legal Aid
Service, Hungarian Civil Liberties Union
*The author
assisted the lawyer representing the person concerned as an advisor in the
Hungarian case analyzed in the text. The
author also used artificial intelligence to prepare the English version of the
text.
Photo credit: Jorge Franganillo, via Wikimedia
commons
In recent years, the Court of Justice of the European Union has increasingly engaged with trans rights. European constitutional community has followed this development.
It appears that
despite the consolidation of a GDPR interpretation aligned with trans rights,
and thus with human dignity, Hungarian courts fail to understand that gender
identity is not only a matter of self-determination, but also one of data
accuracy. If someone presents and lives as a woman, then from the perspective
of data accuracy she must also be treated as a woman, since this is the
accurate data. The highest Hungarian court, however, sees this differently, and
with its decision on the matter, it violates EU law.
Between 2024 and 2025, the Court of Justice of the European Union (CJEU) reshaped the landscape of trans rights in the EU through a remarkable line of cases: Mirin, Mousse, Deldits and Shipov. Taken together, these rulings reveal a structural shift in the CJEU’s approach. The Court increasingly speaks the language of “gender identity” rather than “gender reassignment,” signalling a move away from medicalised understandings of trans status and opening space for non-binary recognition. It integrates ECtHR standards as a constitutional floor while embedding trans rights across multiple doctrinal pillars: EU citizenship, free movement, privacy, equality, and data protection. What emerges is not a single breakthrough, but a coherent jurisprudential arc. One that justifies speaking of a significant doctrinal shift of trans rights in EU law.
Summary of the
Hungarian Kúria’s Decision
The claimant
requested the rectification of the “sex” entry in the Hungarian personal data
and address register from “male” (as recorded in the civil registry at birth)
to “female,” relying primarily on Article 16 GDPR (right to rectification) and
explicitly invoking the CJEU’s judgment in Deldits. The claimant argued that
the register in question records “sex”, not “sex at birth,” and therefore
should reflect lived (social) gender identity. Since her appearance and social
relations objectively correspond to a female identity, the currently recorded
data were inaccurate within the meaning of Article 5 (1) d) and Article 16 of
GDPR. She maintained that the data protection authority should assess whether
the recorded data correspond to reality as experienced and perceived, and that
EU law requires rectification even if domestic civil registry law remains
unchanged.
Both the
first-instance court and, on review, the Kúria (Hungarian Supreme Court)
rejected the claim. (The decisions have not yet been made public; this blog
post provides the first summary of them.) The decisive reasoning was
structural: the personal data and address register is a secondary,
derivative register whose “sex” entry is based directly on the birth registry.
Under Hungarian law, the birth registry records “sex at birth,” defined
biologically. Since the personal data register derives this data from the civil
registry, it cannot diverge from it without undermining legal certainty and the
authenticity of public registers. The Kúria held that the register does not
record “lived gender identity” at all; therefore, the data cannot be considered
inaccurate merely because the claimant’s current gender identity differs from
the birth record. In its reading of Deldits, the GDPR right to
rectification applies only to data that are inaccurate within the meaning
and function of the specific register concerned. Article 16 GDPR cannot be
interpreted as obliging an authority to insert new categories of data (e.g.
lived gender identity) without explicit statutory authorisation, nor to assign
a different substantive meaning to an existing category (“sex at birth”). The
Court therefore concluded that no inaccuracy existed and that rectification was
not required.
Mistakes in the
decision
The conceptual
distinction between “sex at birth” and “sex” undermines the exclusivity claim.
The birth registry records a historical biological fact at the time of birth.
By contrast, the personal data and address register functions as an operational
identification database used for everyday legal and administrative
interactions. Accuracy in this context serves identification and legal
certainty in present-day relations. If the data recorded there do not reflect
the individual’s lived and socially recognised gender, they may fail the
accuracy requirement precisely because they hinder reliable identification. The
fact that one dataset originates historically from another does not transform
the original entry into an immutable legal truth for all future processing
contexts.
Secondly, Hungarian
law itself does not establish that the civil registry is the sole permissible
source of “sex” data in all registers. If it would have been so it would be
absolutely unchangeable. However it is not, since the statutory framework
governing the personal data and address register allows updates based on
legally valid rectification requests. It is fully in line with GDPR. Moreover,
even Hungarian constitutional jurisprudence has
recognised that legal acknowledgment of gender identity, at least outside the
civil registry context, may be compatible with the Hungarian Fundamental Law.
This demonstrates that the legal system does not treat the birth entry as
metaphysically definitive, but as one administrative record among others.
Finally, the
“hierarchy of registers” argument reverses the logic of legal certainty. Legal
certainty is not preserved by maintaining inter-database consistency at the
price of factual inaccuracy. Rather, certainty requires that state records
correspond to verifiable social and legal reality. If necessary, consistency
between registers can be achieved by differentiating between “sex at birth”
(retained in the birth registry) and current “sex” or gender identity
(reflected in identification databases). EU law does not require uniformity of
terminology across all databases; it requires accuracy, proportionality, and
effective protection of fundamental rights. Therefore, the proposition that
only the birth registry may serve as the lawful source of sex-related data is
neither compelled by domestic law nor compatible with the GDPR as interpreted
by the Court of Justice.
The Decision in the Context of European Law
This ruling stands in
notable tension with the emerging CJEU jurisprudence represented by the Deldits,
Mirin, Mousse and Shipov cases. In Deldits, the
CJEU held that where a register contains personal data relating to gender
identity, that data must be rectified if inaccurate, and that Member States may
not impose disproportionate evidentiary burdens (such as proof of surgery). The
Hungarian Kúria distinguished Deldits on the basis that the asylum register
there functioned as a primary identity register, whereas the Hungarian personal
data register merely mirrors the civil registry’s birth-sex entry. The core of
Kúria's reasoning is therefore ontological: if a register is designed to record
biological sex at birth, then a divergence from lived gender identity does not
render it “inaccurate.”
This is, of course, a
misconception: the personal data register, which is distinct from the civil
(birth) registry, exists precisely to record the data necessary for
identification. In most cases, those data derive from the civil registry;
however, in the case of trans persons, they do not necessarily follow from the
birth registry but from factual circumstances that, through a rectification
procedure, could also become officially documented facts. This state database
can record birth sex data and accurate, actual data too, in parallel. Kúria
argues that the registry only processes data relating to "sex" and
cannot process data relating to birth gender and current gender without a
change in legislation. This is true, of course, but the data controller can, in
such cases, process only data relating to current gender in the registry that
exists alongside the birth registry system.
Nor is Kúria's
argument persuasive that it cannot order the processing of “new” data. The
personal data register can, within the existing legal framework, be modified
technically and administratively if in its current form it does not comply with
the requirements flowing from the GDPR and EU law. The Kúria therefore did not
give effect to EU law, but rather to domestic practical constraints: it
effectively treated a functional system as if it were a legal norm, even though
in reality such a system should adapt to legal norms, not prevent their
enforcement.
From an EU law
perspective, however, this formalistic register-based distinction raises deeper
questions. The recent CJEU trend has emphasised substance over classification:
Mirin prioritised the practical effectiveness of EU citizenship and identity
coherence across registers; Mousse treated gender-related data as protected
personal data subject to strict necessity and proportionality review; and
Deldits framed gender identity as a legally relevant dimension of accuracy
under the GDPR. Against this background, the Hungarian decision represents a
restrictive reading of Article 16 GDPR, confining rectification to internal
consistency within a nationally defined registry hierarchy.
In this case, we will
still turn to the Hungarian Constitutional Court. However, if that body also
fails to restore the possibility of effective legal enforcement under the
Hungarian Fundamental Law and the binding EU law applicable on that basis,
then, besides applying to the European Court of Human Rights, the only
remaining option will be for the European Commission to initiate infringement
proceedings and thereby compel Hungary to comply with the binding requirements
of the GDPR and the Charter of Fundamental Rights. And yes, if necessary, let
them add another field to the personal data register system.
Following the very
recent Shipov
decision, the situation is even clearer: the position of the Hungarian
Supreme Court is completely untenable. In that case, the court ruled that it
violates the right to free movement if a person is unable to identify
themselves in another Member State with an identity document corresponding to
their true gender. The current Hungarian case highlights that this violates not
only the right to free movement but also the GDPR’s data accuracy rules. After
all, inaccuracy is not only a problem when someone travels to another Member
State. The two cases are thus based on different legal arguments, but they
point to the same thing: inaccuracy causes privacy difficulties that violate
the right to private life protected by the Charter of Fundamental Rights.
.jpg){kind=link}
No comments:
Post a Comment