ECJ ruling on access to beneficial ownership information: Balancing transparency and privacy

23 February 2023
A recent ruling from the European Court of Justice enables beneficial owners of EU companies to limit the ability of corporations and individuals to retrieve information about them from government databases, granting owners greater privacy protections.

The ruling invalidates a 2018 amendment to the EU’s Anti-Money Laundering Directive (AMLD), which had granted the general public access to EU countries’ beneficial ownership registries. The amendment was passed to promote transparency, deter financial crime and increase public confidence in the integrity of participating companies.

In accordance with the amendment, Luxembourg, like other EU states, enacted a law in 2019 to create a public registry of beneficial ownership data. Luxembourg’s law also allowed the registry’s administrator to grant anonymity in certain cases. But when a business owner asked that his personal information be excluded, arguing that exposure could lead to risks of fraud, kidnapping or death, his request was denied.

After a local court upheld the denial, the owner appealed to the European Court of Justice (ECJ). In November, the court decided to rescind the AMLD’s public access amendment, determining that it conflicts with privacy rights established by the EU’s Charter of Fundamental Rights. Specifically, the court ruled that “the general public’s access to information on beneficial ownership constitutes a serious interference with the fundamental rights to respect for private life and to the protection of personal data.”

Balancing act

The court’s action illustrates the difficulty of balancing business transparency with data privacy rights. The European Community has long been a pioneer in both. The Anti Money Laundering Directive was first issued in 1991, two years before the establishment of the EU itself, and has been refined with amendments five times since. In 2016, the EU passed the landmark General Data Protection Regulation (GDPR), safeguarding customer information and detailing when and how companies can use information. Since the GDPR became effective in 2018, other jurisdictions, including the UK and some US states, have used it as a guidepost for establishing data privacy laws of their own.

In its current ruling, the ECJ says that while transparency is important in fighting money laundering and terrorism, the amendment goes too far, opening a Pandora’s box of private information about beneficial owners that could be disseminated to anyone, possibly for nefarious purposes, and once released, can never be called back.

The ruling has earned praise from privacy advocates and criticism from anti-corruption organizations such as Transparency International and the Organized Crime and Corruption Reporting Project. Almost immediately after the ruling, several EU states, including Luxembourg, Austria, Belgium, the Netherlands and Malta, began blocking access to their registries. However, in early December, the Ministry of Justice in Luxembourg, where the controversy originated, restored access to “a certain number of professionals” who had used it previously, adding that the ministry would soon open the database to journalists and professionals fighting money laundering and terrorist financing as well.

The ECJ has not yet ruled on another, similar Luxembourg case on its docket, and several outside organisations are submitting briefs to the court arguing for the restoration of broad access to beneficial ownership data.

The UK and US: Focusing on transparency

The ECJ ruling does not apply to the post-Brexit UK, which is developing legislation to increase transparency in its own business registry, Companies House. A new bill, expected to pass in spring 2023, would require beneficial owners to submit more information and allow third parties to verify it.

Outside Europe, some jurisdictions are passing legislation to promote transparency, with Brazil and other countries passing laws requiring beneficial ownership disclosure.

In the US, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has proposed a new rule that would require most corporations, limited liability companies and others registered for business in the US to report information about their beneficial owners. The reporting requirement, created to implement the 2021 Corporate Transparency Act, is set to go into effect in January 2024, and would give both banks and legal authorities varying degrees of access to the collected data.

Like the EJC ruling, the proposed FinCEN reporting requirement generated controversy. A small business group has filed a lawsuit, alleging it’s unconstitutional, and other groups are likely to object. The proposed rule was open to public comment through January 2023.

Keeping up with changes

Disclosure laws around the world are evolving as technology makes is easier than ever to collect and distribute information once relegated to back-office files. Now available at a click, company ownership data can be examined by authorities and journalists to root out sanction avoidance and the financing of illicit activities. But ownership data may also be used by authoritarian regimes to target dissidents, or by rivals to harm competitors. Achieving a balance between openness and privacy is often a matter of trial and error, with countries moving in different directions at different times. To keep up, companies should regularly check the status of beneficial ownership regulations in jurisdictions where they or their partners operate.

Lucia Povodova, Vistra's head of legal — Europe, contributed to this article.