Anti-money laundering: UBO register violates EU data protection laws, says ECJ
Registers on the ultimate beneficial owners (UBOs) of legal entities no longer have to be accessible to all members of the public in all cases. This practice according to the Court of Justice of the European Union ("ECJ") rather violates the fundamental right to data protection (judgment of the Court of 22.11.2022, Luxembourg Business Registers, joined cases C-37/20 and C-601/20).
The Court's ruling is based on two references for preliminary rulings from the Tribunal d'arrondissement de Luxembourg (District Court of Luxembourg), which are largely based on the same occasion.
The beneficial owner of a real estate company applied to the Luxembourg court for a restriction of register information claiming that the disclosure of his personal data would have exposed him and his family to a "real and disproportionate risk" of violence and other risks. The court denied this request. The beneficial owner opposed this decision in a lawsuit in which he detailed his threat: In his capacity as the beneficial owner of several companies, he often travels to countries with politically unstable regimes, which increases his risk of becoming a victim of crime. The Luxembourg court asked the ECJ for a preliminary ruling.
EU law provisions and their implementation
In particular, the ECJ had to resolve a conflict between individual provisions of the following two legal acts of Union law:
- The 3rd EU Anti Money Laundering Directive (Directive (EU) 2015/849; "Directive"), and
- The General Data Protection Regulation (Regulation (EU) 2016/679 - "GDPR").
While the Directive is implemented in Austria in the Business Owners Register Act (Wirtschaftliche Eigentümer Registergesetz - WiEReG), the GDPR is directly applicable as a Regulation. Both legal acts must be interpreted in conformity with fundamental rights within the meaning of the EU Charter of Fundamental Rights. The questions raised by the referring court concern the interpretation of various Union law concepts that deserve a brief discussion.
For example, the Directive allows Member States to provide for exemptions from the disclosure requirement in "exceptional circumstances" where there are "well-founded risks" to beneficial owners, such as "fraud, extortion, kidnapping", "violence" or "intimidation".
For the processing of personal data, Article 5 of the GDPR provides for a graduated proportionality test based on the criteria of "lawfulness, transparency, purpose limitation, data minimization" and "integrity and confidentiality". Interestingly, however, the transfer of data to a third country or an international organization is exempt if the data originate from a register which, according to the law of the Union, is open to the entire public for inspection in individual cases (Art. 49 (1) (g) GDPR).
The Austrian WiEReG obliges, among others, legal entities to submit an annual report on their beneficial owners to the register. Since 2017, this obligation applies to all legal entities, including limited liability companies, private foundations and even trusts. Since then, the submission of this report via the government’s company service portal has become part of the usual service provided by lawyers, notaries and tax advisors in connection with the formation and ongoing support of companies.
The national regulation in Luxembourg is comparable to the WiEReG. However, under Luxembourg law, the beneficial owner can have the register information restricted to inspection by public authorities, credit institutions, notaries and lawyers, which the Austrian WiEReG does not provide. According to the very detailed provision of Section 10a of the WiEReG, the restriction of register information applies not only to certain institutions, but to all members of the public for a period of five years.
Fundamental rights review by the ECJ
For the ECJ, the disclosure of the beneficial owner's data interferes with Articles 7 and 8 of the EU Charter of Fundamental Rights, i.e. with the fundamental rights to respect for private and family life and to data protection. The Court even considered the access of all members of the public to this information as a heavy interference.
Since the data processing is provided for in a legal act of the EU, namely in the Directive, the principle of legality was respected for the ECJ. With regard to a recognized public interest for the identified encroachments on fundamental rights, the ECJ referred to the recitals of the Directive and cited the greater control of civil society made possible by the disclosure of data and the associated confidence in the integrity of the financial markets as legitimate purposes.
In principle, the means of disclosure in a public register is also suitable to achieve the "objective serving the public interest", the ECJ said. However, the Court ultimately recognized that the disclosure of the data was not necessary in the sense of limiting data processing to what was absolutely necessary because the member states were unable to agree on clear criteria in the course of law making as to when the public should not have access to the register of beneficial owners.
The judgement’s consequences for the EU and its member states
The judgement is to be welcomed from a fundamental rights perspective. The fact that personal data of all economic operators is always accessible without restriction and to the entire public is presumably not in line with the fundamental rights understanding of the European legal systems. The decision can contribute to a clearer interpretation of hitherto undefined terms in the EU Money Laundering Directive by indicating which practice is in any case not in conformity with fundamental rights. In this way, the ECJ has put a stop to rampant money laundering compliance, which, through well-intentioned, comprehensive transparency, could put natural persons at risk again through other crimes.
The ECJ does not make any clear statements regarding the question of what alternatives the member states would have in implementing the directive in conformity with basic law. Although this is not the core task of the Court from the point of view of procedural law, it would have been informative, especially in the case of this decision. Finally, a major reason for the decision was the fact that the member states were unable to agree on a uniform definition of the "legitimate interest" for which access to the register should be restricted.
Austria has solved this problem by basing § 10a WiEReG on facts "which justify the assumption that the inspection would expose the beneficial owner to a disproportionate risk of becoming a victim of one of the following criminal acts (...)". At this point, the provision refers to the Criminal Code and therefore sets quite clear boundaries, so that legal seekers can roughly assess when they have a legitimate interest in a restriction of register information by the authority. Our specialists in the area of Corporate / M&A can support you in this decision, which can be difficult in individual cases.
Although the ECJ's decision improves the protection of fundamental rights in the area of public registers, business operators are not spared certain burdens. Compliance with increasingly stringent requirements, including the maintenance of registers of the beneficial owners of a company, will continue to create additional administrative work, even if member states restrict the possibilities of inspection.