knowledge 29 November 2022 |

Public access to beneficial ownership information restricted following CJEU decision to invalidate part of 5th AML Directive

Public access to a number of European beneficial ownership registers has been restricted, following a recent decision of the Court of Justice of the European Union¹.  In summary, the court held that an amendment made by the 5th AML Directive² (to the 4th AML Directive³), granting the general public greater access to registered personal information of beneficial owners, was invalid.  Member States will now need to consider what changes should be made to national laws and practices and, as at the time of writing, certain registers, including the Irish “RBO”, are not available for inspection as a result.

Background

The intersection between AML law and data protection law is an ongoing source of friction. This decision originates from two separate disputes in which requests were made to the Luxembourgish registrar to restrict access to certain beneficial ownership information.  The registrar refused and in subsequent legal proceedings the Luxembourgish court referred a series of questions to the Court of Justice of the European Union (“CJEU”) for preliminary decision. 

The key question was whether Article 1(15)(c) of the 5th AML Directive (which amended Article 30 of the 4th AML Directive to extend access by the general public to registered beneficial ownership information (“RBO information”)), was valid in light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (the “Charter”).

Broadly summarised:

• the effect of Article 1(15)(c) of the 5th AML Directive was to reduce the criteria for access by the general public to RBO information from a requirement to show “legitimate interest” (as set out in the 4th AML Directive) to being close to unrestricted;

• Article 7 of the Charter guarantees everyone the right to respect for their private and family life, home and communications, while Article 8(1) guarantees everyone the right to the protection of personal data concerning them.

Decision of the CJEU

Serious interference

The court noted that the data available on the Register include information on identified individuals (beneficial owners of corporate entities) and therefore “the access of any member of the general public to those data affects the fundamental right to respect for private life, guaranteed in Article 7 of the Charter”.  The fact that the “data concerned may relate to activities of a professional nature” was irrelevant.  Additionally, “making available those data to the general public in that manner constitutes the processing of personal data falling under Article 8 of the Charter”.  

The court also commented that access was being granted to “a potentially unlimited number of persons” and the lack of any control over the use of data after it had been made available made it “difficult, or even illusory, for those data subjects to defend themselves effectively against abuse”. 

In light of the above, the court found that the general public’s access to information on beneficial ownership constitutes a “serious interference with the fundamental rights in Articles 7 and 8 of the Charter”.

Balancing exercise

The court pointed out, however, that the rights enshrined in the Charter “are not absolute rights, but must be considered in relation to their function in society”.  In conducting this balancing exercise the court identified the following as the principles/objectives to be considered in conducting a balancing exercise:

1. legality;

2. respect for the essence of fundamental rights guaranteed by Articles 7 and 8 of the Charter;

3. pursuit of a general interest recognised by the EU;

4. whether the interference at issue is appropriate, necessary and proportionate.

The court held that the first three principles/objectives had been satisfied but that the fourth had not.

In considering whether the interference with fundamental rights was appropriate, necessary and proportionate, the court held that it was not limited to what was strictly necessary.  The prior position (under the 4th AML Directive) whereby a person could get access to information if they had a legitimate interest was less onerous than the current position.  The court showed little sympathy for submissions made by the Commission that it had found it challenging to establish workable criteria for the concept of “legitimate interest” in this context.

Furthermore, the court held that the interference was not proportionate ie the provision did not strike a proper balance between furthering the objective of general interest (being the combating of money laundering and terrorist financing) and protecting the fundamental rights enshrined in the Charter.  

As a result of the foregoing, the court held that Article 1(15)(c) AMLD5 is invalid.  

Comment

Member States now have some work to do to ensure that RBO information is not being made available in a manner contrary to the CJEU decision.  As at the date of writing (29 November 2022) access to the principal Irish register (the RBO⁴) is suspended.  This may cause some interim administrative difficulties for entities (such as banks) that are subject to an AML obligation to check that a new customer’s beneficial ownership information has been registered prior to establishing a business relationship.

More generally, it remains to be seen how Member States will treat this decision.  While the decision only applies directly to the provision of the 5th AML Directive that was held to be invalid, the principles underpinning the decision (ie the balancing of public policy aims against privacy rights) may apply to a much broader range of registers, such as the Companies Registration Office, where information is routinely made available to the public.  Given the inherent tension between an individual’s right to privacy and the necessary limiting of same for purposes of the common good, this may not be the last decision of this nature handed down by the courts.

Also contributed by Jonathan Murchan