In a judgment of 22 November 2022 (a judgment delivered in joined cases C-37/20 and C-601/20), the Court of Justice of the European Union (the “CJEU”) questioned the unrestricted public access to information on beneficial owners, i.e. access for everyone and without additional requirements. The CJEU found that full disclosure of the register of beneficial owners unjustifiably interferes with privacy and is at the same time not necessary to achieve the objectives of combating money laundering and financing of terrorism. The unlimited public accessibility of UBO information goes beyond what is necessary and proportionate in view of the objectives pursued. Consequently, the CJEU found it to be contrary to the Charter of Fundamental Rights of the European Union (the “CFR”).
The above-described judgment will undoubtedly have an impact on the practice of the Polish Central Register of Beneficial Owners (the “CRBR”), in particular the system for accessing the data contained therein will need to be changed. Information on the details concerning such changes will be revealed in due course. Importantly, access to the CRBR will not be lost for entities that have to apply AML regulations. However, it is worth noting that Luxembourg suspended the ability to access the online equivalent of their CRBR as at the date of the judgment. It would appear that the Polish legislature will eventually have to intervene. The judgment shows that the principles underlying the provisions of EU law on data protection (the “GDPR”) and the increasing protection of privacy no longer concern only companies and public organisations, but also national and European legislatures.
Contrary to some comments, the ruling is not a complete surprise. It has been noted for a long time that the measures in the AML legislation could be considered to violate the right to privacy. It also fits into the discussion about data on individuals made available in public records. Examples of similar controversies include the issue of land registry numbers recognised by the President of the Personal Data Protection Office as personal data (proceedings on fines imposed on the Surveyor General of Poland are still pending before administrative courts), or the scope of information made available in the National Court Register.
These dilemmas are growing due to the ease of processing large data sets and the exponentially increasing possibilities for their use. The issued ruling is another example of the recognition of the primacy of privacy over other values.
Here is a little more detail on the case in which the ruling was made:
- In 2019, the Luxembourg legislature created the Registre des bénéficiaires effectifs (the “RBE”), the equivalent of the Polish CRBR. As with the CRBR, any internet user could access all the data included in the RBE.
- Withholding information on beneficial owners was subject to the need to demonstrate that disclosure would expose the UBO to a disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation. Other justifications for secrecy could also be the status of a UBO as a minor, or another circumstance conclusive of restricted legal capacity.
- In the cases that led to the CJEU judgment, the RBE twice refused to restrict the general public’s access to information concerning an ultimate beneficial owner. The authority indicated that the applicants did not clearly demonstrate that they met the conditions indicated in the previous bullet. The decisions were appealed to the Luxembourg District Court. Since that court considered that the disclosure of such information could entail a disproportionate risk of interference with the fundamental rights of the beneficial owners concerned, it referred a series of questions to the CJEU for a preliminary ruling.
- The CJEU confirmed that the role of the register is to increase transparency in the financial market. Such transparency should result in increased scrutiny by civil society and deepen investor confidence in the integrity of financial transactions. As the CJEU pointed out, achieving such an objective, in order to remain compatible with EU law, requires balancing two sets of values. On one hand, we have the general public interest related to the prevention of money laundering and terrorism financing. In this case, the group of entitled entities includes all trade participants. On the other hand, consideration must be given to the fundamental rights of beneficial owners, i.e. those natural persons whose data is included in national registers. These rights are not absolute and may therefore be subject to limitations. However, any such interference must be duly justified and balanced.
- The Court noted that the transparency of the register can be effective in countering money laundering and terrorism financing. However, it pointed out that, in addition unrestricted access may result in information on the private and family lives of beneficial owners being obtained by an unlimited number of persons, as well as the risk of such information being recorded and further disseminated.
- Consequently, in the CJEU’s view, Article 30 of the fourth AML Directive, requiring Member States to ensure access to the data contained in the registers to any person and in all cases, is not in conformity with the standard of protection of fundamental rights under the CFR and is therefore invalid.
Download PDF _ AML vs. GDPR – the balance restored?
dr Marek Maciąg, partner in the corporate department of Rymarz Zdort.
Marcin Serafin, partner in Maruta Wachta co-heads the TMT practice and heads the Data Protection and Privacy Team.
Wojciech Piszewski, counsel, ACO (approved compliance officer) in Maruta Wachta.
Aleksandra Maciąg, attorney at law and an AML specialist at Rymarz Zdort.
Piotr Króliński, associate in the corporate department of Rymarz Zdort.
Jakub Szewczak, associate in the dispute resolution department of Rymarz Zdort.