Beneficial Ownership Register
Following the implementation of the EU’s Fifth Anti-Money Laundering Directive2 on 30 May 2018, all EU Member States must pass legislation maintaining publicly accessible beneficial ownership registers. Considering the beneficial ownership transparency rules in the context of data protection, it is evident that the publication of beneficial ownership information can meet data protection requirements. As stipulated within the Regulation, if a legal requirement exists for companies in jurisdictions with data protection laws to publish beneficial ownership data, companies will generally be protected from liability under data protection laws. Companies would still be allowed to disclose beneficial data on a voluntary basis under certain conditions even if there was no regulatory requirement.
Disclosure under the public interest
When considering the need for and effectiveness of public beneficial ownership registries, it is undeniable that the purpose is to combat fraudulent activity and improve commercial integrity. Such goals are both legitimate and beneficial to the public interest. Although there are legitimate concerns regarding the accuracy of data disclosed in public registers, such concerns are not unique to them; no public registry would have the resources or time to completely verify all information supplied to them.
The principles set forth in the Organisation for Economic Co-operation and Development ”OECD” Guidelines state that :
- collection of data be limited,
- any collection be for a specific purpose,
- onward use of data collected requires either the consent of the subject or legal authority
- and that individuals should have the right to obtain the personal data others hold on them and, with respect to errors or data which is held unlawfully, require amendment, rectification, or erasure.
The guidelines in conjunction with the GDPR and National Privacy Laws combined, raise a number of questions for which parties are actively seeking preliminary rulings from the European Court of Justice. Case C-601/20 referred to the Court of Justice of the European Union is of great importance as the concerned parties ( Applicant: SOVIM S Defendant: Luxembourg Business Registers ) are seeking preliminary rulings on the application of several articles ( mentioned below ) of the Directive (EU) 2018/843 ( 5th AML)
Questions referred to the Court of Justice of the European Union concerning Directive (EU) 2018/843
Question 1
Is Article 1(15)(c) of Directive (EU) 2018/843, 1 amending the first subparagraph of Article 30(5) of Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing …, 2 in so far as it requires Member States to make information on beneficial owners accessible to the general public in all cases, with no requirement for a legitimate interest to be shown, a valid provision:
in the light of the right to respect for private and family life guaranteed by Article 7 of the Charter of Fundamental Rights of the European Union (the ‘Charter’), interpreted in accordance with Article 8 of the European Convention on Human Rights, having regard to the objectives stated inter alia in recitals 30 and 31 of Directive 2018/843 relating, in particular, to efforts to combat money laundering and terrorist financing; and
in the light of the right to protection of personal data guaranteed by Article 8 of the Charter, in so far as it is intended, inter alia, to guarantee that personal data are processed lawfully, fairly and in a transparent manner in relation to the data subject, that the purposes for which such data are collected are limited, and that the data are minimised?
Question 2
Is Article 1(15)(g) of Directive 2018/843 to be interpreted as meaning that the exceptional circumstances to which it refers, in which Member States can provide for exemptions from access to all or part of the information on beneficial owners, where access on the part of the general public would expose the beneficial owner to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, exist only where it is demonstrated that there is a disproportionate risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation which is exceptional, which is actually borne by the beneficial owner as an individual, and which is clear, real and present?
Should this be answered in the affirmative, is Article 1(15)(g) of Directive 2018/843, thus interpreted, a valid provision in the light of the right to respect to private and family life guaranteed by Article 7 of the Charter and the right to protection of personal data guaranteed by Article 8 of the Charter?
Question 3
Is Article 5(1)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC 3 (the ‘GDPR’), which requires data to be processed lawfully, fairly and in a transparent manner in relation to the data subject, to be interpreted as not precluding:
that the personal data of a beneficial owner, recorded in a register of beneficial owners established in accordance with Article 30 of Directive 2015/849, as amended by Article 1(15) of Directive 2018/843, are accessible to the general public, with no monitoring of access and no requirement for any member of the public to provide justification, and without any way for the data subject (the beneficial owner) to know who has accessed his personal data; or
that the data controller responsible for such a register of beneficial owners provides access to the personal data of beneficial owners to an unlimited and indeterminable number of persons?
Is Article 5(1)(b) of the GDPR, which requires the purposes of data processing to be limited, to be interpreted as not precluding that the personal data of a beneficial owner, recorded in a register of beneficial owners established in accordance with Article 30 of Directive 2015/849, as amended by Article 1(15) of Directive 2018/843, are accessible to the general public, in circumstances where the data controller cannot guarantee that those data will be used only for the purpose for which they were collected, which, in essence, is that of combating money laundering and terrorist financing – a purpose in relation to which the general public is not the responsible body from which compliance is required?
Is Article 5(1)(c) of the GDPR, which requires data to be minimised, to be interpreted as not precluding the general public from having access, through a register of beneficial owners established in accordance with Article 30 of Directive 2015/849, as amended by Article 1(15) of Directive 2018/843, to data indicating, in addition to the beneficial owner’s name, month and year of birth, nationality and country of residence, as well as the nature and extent of his beneficial interests, also his day and place of birth?
Does Article 5(1)(f) of the GDPR, which requires data to be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and thus guarantees the integrity and confidentiality of such data, preclude access to the personal data of beneficial owners contained in a register of beneficial owners established in accordance with Article 30 of Directive 2015/849, as amended by Article 1(15) of Directive 2018/843, from being provided on an unlimited and unconditional basis, with no commitment to keep such data confidential?
Is Article 25(2) of the GDPR, which guarantees data protection by default, providing in particular that by default, personal data must not made accessible without the individual’s intervention to an indefinite number of natural persons, to be interpreted as not precluding:
that a register of beneficial owners established in accordance with Article 30 of Directive 2015/849, as amended by Article 1(15) of Directive 2018/843, does not require members of the general public consulting the personal data of a beneficial owner on its website to create an account; or
that no information concerning a consultation of personal data of a beneficial owner contained in such a register is disclosed to that beneficial owner; or
that no restriction on the extent and accessibility of the personal data at issue is applicable in the light of the purpose of their processing?
Are Articles 44 to 50 of the GDPR, under which the transfer of personal data to a third country is subject to strict conditions, to be interpreted as not precluding that the personal data of a beneficial owner, contained in a register of beneficial owners established in accordance with Article 30 of Directive 2015/849, as amended by Article 1(15) of Directive 2018/843, are accessible in any circumstances to any member of the general public, with no requirement to demonstrate a legitimate interest and no limitations as to the location of that public?
____________
1 Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU (OJ 2018 L 156, p. 43).
2 Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ 2015 L 141, p. 73).
3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1).