The EU’s fourth Anti-Money Laundering Directive established a new regime for public access to registers of beneficial owners of companies and other legal entities incorporated in member states, requiring their governments to obtain and maintain adequate, accurate and up-to-date information on beneficial owners. In Luxembourg, the directive was transposed by the law of January 13, 2019 establishing a register of beneficial owners.

Any member of the public has access to the information on beneficial owners contained in the registers without the requirement to prove a personal interest. Until this year, the validity of this regime in the light of the fundamental right of respect for privacy and family life and the protection of personal data, enshrined in articles 7 and 8 respectively of the EU Charter of Fundamental Rights of the European had never been examined.

However, Luxembourg’s district court (Tribunal d’arrondissement de et à Luxembourg) submitted two references for a preliminary ruling to the European Court of Justice questioning whether access to personal data complied with the principles of the European legislation and whether access provided sufficient protection for economic beneficiaries without representing illegal intrusion. The decision in these linked cases is of significant importance regarding potential restrictions applicable to information in the Register of Beneficial Owners.

Challenge to Luxembourg’s beneficial ownership register regime

Case C-37/20

In case C-37/20, an individual brought an action against Luxembourg Business Registers, the economic interest group that has been managing the country’s Register of Beneficial Owners (Registre des bénéficiaires effectifs or RBE) since March 1, 2019. The proceedings before the Luxembourg court were to limit access to information about the plaintiff, a corporate officer of an entity listed in the register. The applicant argued that publication of this information would expose him and his family to “a disproportionate risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation”.

The legal ground for this action was article 15 of the 2019 law, which states that a registered entity or beneficial owner may request, on a case by case basis with appropriate justification, that the manager limit access to the information referred to in article 3 to national authorities, credit and financial institutions, and court bailiffs and notaries acting in their capacity as public officers, in exceptional circumstances where access would expose the beneficial owner to a disproportionate risk of fraud, abduction, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or is otherwise incapacitated.

The applicant argued that disclosure of the economic beneficiary information would place him in a dangerous position. He could become subject to the pressure of an economic struggle for control of his companies and endanger his safety due to his travels in hostile territories. However, the LBR rejected the application on the grounds that article 15 should be interpreted narrowly and that the applicant’s activities were in the public domain. The plaintiff appealed the decision before the Luxembourg district court.

Case C-601/20

In a parallel procedure, the alleged insufficient protection of information available at the register was also challenged by a Luxembourg company, SOVIM SA, which criticised the Luxembourg legislature for failing to incorporate adequate security measures to establish the identity of persons accessing the information in the register.

According to the claimant, Luxembourg’s beneficial ownership register regime would infringe the right to protection of the beneficial owner’s private and family life, as provided for in article 8 of the European Convention on Human Rights on protection of private and family life, home and correspondence, article 7 of the EU’s Charter of Fundamental Rights and article 11(3) of the Luxembourg Constitution.

SOVIM also asserted that public access to personal data contained in the register is a breach of various fundamental principles set out in the EU’s General Data Protection Regulation of April 27, regarding the processing and free movement of personal data.

Interpreting ‘exceptional circumstances’, ‘risk’, ‘data protection’ and ‘private family life’

Issues at stake

In case C-37/20, the Luxembourg judge, responding to the application for annulment of the decision not to restrict access to information regarding the claimant in the RBE, noted a divergence in interpretation of the scope of the exception provided for in article 15 of the 2019 law. Noting that the preparatory work of the EU directive did not allow exceptions to the publication of beneficial ownership information, in particular with regard to the concepts of exceptional circumstances and risk, the judge concluded it was necessary to refer the question to the ECJ for a preliminary ruling.

Furthermore, it was unclear whether publication of the information solely involved beneficial owners, or whether it also applied to the corporate officers of an entity, as in the C-37/20 case. The question at issue is therefor whether a corporate officer is entitled to invoke a derogation not to be listed in the register.

In case C-601/20, the issue concerned public access to the RBE and the claimants’ argument that open access is not necessary to achieve the goal of combating money laundering and financing of terrorism. They say the existing requirements entail a serious and disproportionate interference in the private lives of beneficial owners, criticising the Luxembourg law for not creating security measures to establish the identity of persons seeking access to the information in the register, for example by requiring them to create an account on its website.

They argued that any person could obtain access to the register in total anonymity with prejudice to the claimant, raising the risk of economic profiling – that the Register of Beneficial Owners could be exploited by private economic intelligence or strategy firms to conduct data mining, for example in view of a possible hostile takeover bid.

The position of the court’s advocate-general

The court’s advocate-general, Giovanni Pitruzzella, noted in his opinion that the principle of transparency, as enshrined in European primary law, can lead to a delicate balancing act. He also recalled that the philosophy of the EU directive was to “set out a comprehensive and effective legal framework to combat the collection of property or money for terrorist purposes, requiring member states to identify, understand and mitigate the risks of money laundering and financing of terrorism”.

The advocate-general concluded that the actions to identify beneficial owners do constitute an infringement of the fundamental rights guaranteed in articles 7 and 8 of the Charter of Fundamental Rights. However, he pointed out that the data available in register is linked to the civil (date of birth, name) and economic (interest shares) status of the beneficial owner and therefore appears less sensitive than other categories of personal data.

Although access to such data may provide a limited view of a person’s wealth, it does not generally allow accurate conclusions to be drawn regarding the individual’s total wealth nor to draw precise conclusions about their investment profile. Therefore, according to the advocate-general, the potentially harm to persons affected by such infringement may be regarded as moderate.

Nonetheless, Mr Pitruzzella pointed out that member states may, under certain conditions determined by national law, give access to additional information allowing the identification of the beneficial owner (at least, date of birth or contact details, depending on data protection rules). This ability to extend the amount of data concerning beneficial owners that is accessible to the public could potentially give rise to additional infringement of the fundamental rights guaranteed in articles 7 and 8 of the charter.

He concluded that the provision under which member states may make additional data available to the general public, which is not precisely defined or determinable, does not satisfy the requirement that the information is sufficiently precise, as laid down by the directive itself. As a result, his opinion was that the fourth Anti-Money Laundering Directive is invalid in this respect.

Turning to the data protection issue, the advocate-general concluded that the GDPR does not object as such to the creation of a register containing personal data that is accessible to the general public, therefore to an unlimited and indeterminate number of persons, without control and justification, and without the subject of the data being able to know who has access to it.

On the question of the proportionality of disclosure of data on beneficial owners, Mr Pitruzzella referred to the principle of data minimisation. He considered that indicating the name, month and year of birth can be considered a minimum and sufficient set of data to precisely identify the beneficial owner, while nationality appears relevant and necessary information for determining potential money laundering or financing of terrorism risks.

Regarding the indication of the nature and extent of beneficial interests held, these constitute a minimum and sufficient set of data to identify the scope of the investment or participation, which is also relevant for the assessment of the risk of misuse of companies and other legal entities for money laundering or financing of terrorism. In the advocate-general’s view, this regime does not result in disproportionate interference with the fundamental rights of the subjects of the data, in particular their right to respect for private life and the protection of personal data, as guaranteed by articles 7 and 8 of the charter.

The provisions of the GDPR must also be interpreted as not precluding a register from being partially accessible to the public, without any requirement to demonstrate a legitimate interest or limitation as to the location of those accessing data, he concluded. However, according to Mr Pitruzzella, the transfer of data from a register may be carried out only in accordance with article 49(1)(g) of the GDPR, if the conditions for consultation of the register provided for by law are fulfilled and provided that the consultation does not involve the entire register.

On interpretation of the notion of exceptional circumstances, the advocate-general advised that the Luxembourg judge is required to interpret the AML directive in a manner consistent with the fundamental rights guaranteed by the charter, specifying that the derogations are of strict interpretation.

Potential consequences for Luxembourg’s RBE regime

The advocate-general concludes, first, that article 30(5a) of the fourth Anti-Money Laundering Directive, read in the light of articles 7, 8 and 52(1) of the Charter of Fundamental Rights, must be interpreted as meaning it is incumbent on member states to ensure that the national bodies or authorities responsible for keeping registers of beneficial owners are aware of the identity of individuals or entities that access the register. The open data system of the Luxembourg register could be illegal in this respect.

Secondly, the existence and disproportionate or otherwise nature of such a risk may be determined by considering links between the beneficial owner in question with companies and other legal entities, as well as with trusts and legal arrangements with a similar structure or functions, in their capacity as beneficial owner of such entities, other than the one for which an exemption from public access to information concerning them is requested.

It is for the beneficiary or entity requesting an exemption from public access to information to demonstrate that these links constitute a factor that justifies or supports the existence of a disproportionate risk of harm to the fundamental rights of the beneficial owner. Article 30(9) excludes the granting of an exemption from public access to information concerning a beneficial owner where that information is easily accessible to third parties through other information channels.

To conclude, if the European Court of Justice follows the reasoning of the advocate-general, it is likely that new identification measures will be required to obtain access to the Luxembourg Register of Beneficial Owners. The derogation provided for in article 30(9) will not be granted if the economic links and interests of the beneficial owners are accessible to third parties through other information sources such as newspaper articles or online news.

A final decision from the European Court of Justice is expected shortly.