CJUE Decision on EU AML Directive – Beneficial Ownership Register

The 5^th Money Laundering Directive (routinely known as AML 5 Directive) deals with the prevention of the use of the financial system for money laundering or terrorist financing. This Directive imposes on Member States an obligation to ensure that information about the beneficial owners of corporate and other legal entities incorporated in their territory is held in a central register that is accessible to the public. This obligation was introduced in 2018 and went further than the regime under the 4^th Money Laundering Directive, which required access only to those “capable of demonstrating a legitimate interest”.

Thus, per Article 30 of Directive 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for money laundering or terrorist financing (commonly known as AML 4 Directive), Member States must:

• Ensure that corporate and other legal entities incorporated within their territory obtain and hold adequate, accurate and current information on their beneficial ownership – including details of the beneficial interests held;
• Ensure that the information is held in a central register.

The Beneficial Ownership Register includes information about the companies and their partners or shareholders such as name, month and year of birth, country of residence, nationality of the beneficial owner, as well as the nature and extent of the beneficial interest, available to the public in general through the Internet without the need to prove a personal interest in accessing such information – per Article 30(5) c) of AML 5.

Issues at stake

Luxembourg’s District Court submitted two cases for a preliminary ruling to the European Union Court of Justice (CJEU) questioning if the access to personal data in the Beneficial Ownership Register complied with the principles of the EU Legislation and whether access provided sufficient protection for economic beneficiaries without representing illegal intrusion.

The final decision issued by the CJEU came on November 22^nd 2022, as follows:

Case C-37/20

In this case, an individual brought an action against Luxembourg Business Registers (LBR), the managing entity of the Registry. The proceedings before the Luxembourg Court were to limit access to information about a corporate officer of an entity listed in the Register. The applicant argued that the disclosure of the economic beneficiary information would expose him and his family publicly to a “disproportionate risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation”.

Also, the Directive (in its Article 15) stated that a registered entity of the beneficial owner could request, on a case-by-case basis and with an appropriate argument, that the manager could limit the access to information in exceptional circumstances where this access could expose the beneficial owner to a disproportionate risk of:

1. Fraud
2. Abduction
3. Blackmail
4. Extortion
5. Harassment
6. Violence or intimidation

The preparatory work of the EU Directive did not allow exceptions to the publication of beneficial ownership information, particularly regarding the concepts of exceptional circumstances and risk; The Luxembourg judge concluded it was necessary to refer the question to CJEU for a preliminary ruling.

Case C-601/20

In this case, a Luxembourg company criticized the Luxembourg legislature for failing to incorporate adequate security measures to identify the individuals accessing the information in the Register. Also, the claimant argued that the beneficial ownership would infringe on the processing and free movement of personal data and the right to protection of the beneficial owner’s private and family life, home and correspondence as provided for in Articles 7 and 8 of the EU’s Charter of Fundamental Rights.

For both cases, the CJEU decided that the provisions in Article 30 of the AML Directive whereby Member States must ensure that the information on the beneficial ownership of corporate and other legal entities incorporated within their territory is accessible in all cases to any member of the general public is invalid and constitutes a severe interference with the fundamental rights to respect for private life and to the protection of personal data enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

Court Arguments

Besides those arguments mentioned above, the information disclosed enables a potentially unlimited number of persons to find out about the financial situation of a beneficial owner, which may lead to potential consequences for data subjects resulting from possible abuse and expose of data. Moreover, once those have been made available to the public, they can be freely consulted, retained, and disseminated.

The Court also commented that access was being granted to “a potentially unlimited number of persons” and the lack of any control over the use of data after it had been made available made it “difficult, or even illusory, for those data subjects to defend themselves effectively against abuse”.

Some Member States, in their transposition of AML 5, have legislated to require interest parties’ members to register themselves before having access to this register, and some have provided exemptions to public access in exceptional circumstances. Nevertheless, these measures are not sufficient privacy safeguards, said the CJEU in its decision.

Competing rights and interests

The CJEU pointed out that the rights enshrined in the Charter of Fundamental rights “are not absolute and must be considered accordingly to their function in society”. In conducting this exercise, the Court identified the following principles/objectives to be considered in performing a balancing exercise:

• Legality;
• Respect for the essence of fundamental rights guaranteed by Articles 7 and 8 of the Charter;
• Pursuit of general interest recognized by the E.U.;
• Whether the inference at issue is appropriate, necessary, and proportionate.

In Court’s opinion, the fourth principle was not respected because interference with fundamental rights was not strictly necessary in this Case.

Furthermore, the Court considered that the interference was not proportionate, i.e., the provision did not strike a proper balance between furthering the objective of the general interest (combating money laundering and terrorist financing) and protecting the fundamental rights enshrined in the Charter. As a result, the Court held that Article 1(15) c) AML5 was invalid.

The legal issue here was that this provision of access to the public – while it may pursue an objective of general interest (AML purposes) and be appropriate to range that objective – is neither limited to what is strictly necessary nor proportionate. The new requirement for the public to have access to the register, rather than just those with a legitimate interest, was an interference with rights defined in the Charter, which was not, in the Court’s opinion, justified by any additional actual benefits in terms of combating money laundering and terrorist financing.

The Court decided to use the principle of proportionality in this situation.

This CJUE judgment shares the message that absolute transparency is not above public interest because there is also an interest in preserving some information and data’s (relative) confidentiality with an adequate balance. In fact, personal data has been a significant concern of the European Union in the past few years.

However, there is always a need to weigh the values in question on a case-by-case basis, as they may conflict with individual interests (fundamental rights or commercial value) or collective interests (avoidance of distortions of competition).

Data management requires attention and caution, especially in a system of access to different types of information at different times, by different persons and under different conditions.

Digital management of information concerning personal or sensitive data creates increased risks when access to data is free and fully open. This CJUE decision confirms that unrestricted access to this information type is not viable under E.U. law.

CJEU gave a step forward in demonstrating that the capture, structure, retaining and disclosing of data relevant to countries in the fight against money laundering and terrorist financing must be well thought out by the Member States and European Union itself.

What will happen now?

The consequences of this decision are being discussed. It’s too soon to say how Member States will react to the transparency and disclosure of private and personal information changes. Still, EU and Member States’ regulations will need to be reviewed and updated.

Some Member States will immediately reduce public access to the Beneficial Ownership Registers. At the same time, others might wait for formal instructions from the European Commission or changes to national or E.U. law.

In any case, Member States now have some work to do to ensure that information available is within the limits of proportionality and necessity.

Some entities, such as banks and other financial institutions, will need help regarding AML obligation to check that a new customer’s Beneficial Ownership information has been registered before establishing a business relationship.

Instead of just consulting the registry’s information, financial institutions need to enhance the depth of information collected from their clients on KYC Forms.

The objectives of transparency and disclosure regimes are often at odds with individual rights and interests. It is often believed that such laws only move toward ever-increasing transparency. However, the CJEU showed that in the E.U., the fundamental rights to private life and personal data protection have begun to re-exert themselves.

We await further changes and alerts on the type and amount of information to be published and with the possibility of it being consulted based on a “legitimate interest”.

Disclaimer