Spotlight CJEU: No Unrestricted Access to Data of Beneficial Owners
On 22 November 2022, the CJEU, sitting in for the Grand Chamber, declared the current provision of the Anti-Money Laundering Directive invalid by which the general public had nearly unrestricted access to data of beneficial owners.
Facts of the case and question referred
The cases at issue (Joined Cases C-37/20 and C-601/20 (WM and Sovim SA v Luxembourg Business Registers)) concerned the implementation of Art. 30(5) first subparagraph, point (c) of Directive 2015/849 as amended by Directive 2018/843 (the Fifth Anti-Money Laundering Directive, 5AMLD) into Luxembourgish law. In accordance with the 5AMLD, the law had designed the Luxembourgish Register of Beneficial Ownership (RBO) in such a way that information on the beneficial ownership of registered entities can be retained and made available; access to these data is open to any member of the general public. On a case-by-case basis and in certain exceptional circumstances, a registered entity or a beneficial owner could request the administrator of the register, the Luxembourg Business Registers (LBR), to restrict access to specific authorities or entities.
A beneficial owner and a company proceeded against decisions taken by the LBR, which denied their applications to restrict the general public’s access to information concerning them. The referring tribunal d’arrondissement de Luxembourg (Luxembourg District Court, Luxembourg) considered the disclosure of such information capable of entailing a disproportionate risk of interference with the fundamental rights of the beneficial owners concerned and asked the CJEU, inter alia, to verify the validity of the Union provisions on access to information on beneficial owners.
The CJEU’s ruling and reasoning
The CJEU first observed that, since the data concerned include information on identified individuals, namely the beneficial owners of companies and other legal entities incorporated within the Member States’ territory, the access of any member of the general public to these data affects the fundamental right to respect for private life. In addition, making these data available to the general public involves the processing of personal data. Making personal data available to the general public in such a manner constitutes a serious interference with the fundamental rights enshrined in Arts. 7 and 8 Charter of Fundamental Rights (CFR), irregardless of the subsequent use of the information communicated.
As part of examining the justification of the interference, the CJEU confirmed that the provision on the general public’s access to information respects the principle of legality, does not breach the essence of the fundamental rights, pursues an objective of general interest, and can be considered appropriate to attain the objective.
However, the CJEU found that the interference cannot be considered to be limited to what is strictly necessary. In this context, the CJEU compared the amended provisions with the former provision, which required persons or organisations to demonstrate a “legitimate interest” before access to information on beneficial owners could be granted. According to the CJEU, the fact that it may be difficult to provide a detailed definition of the circumstances and conditions under which such a “legitimate interest” exists does not constitute a reason for the EU legislature to provide for access to that information by the general public.
Moreover, the CJEU held that the interference at issue is not proportionate stricto sensu. Accordingly, the optional provisions allowing Member States to make information on beneficial ownership available on condition of online registration and to provide, in exceptional circumstances, for an exemption from access to that information by the general public, respectively, are, in themselves, not capable of demonstrating either a proper balance between the objective of general interest pursued and the fundamental rights enshrined in Arts. 7 and 8 CFR or the existence of sufficient safeguards enabling data subjects to protect their personal data effectively against the risks of abuse.
Therefore, the amended point c) of the first subparagraph of Art. 30 of the current Anti-Money Laundering Directive, which obliges Member States to ensure that information on the beneficial ownership of companies and other legal entities incorporated within their territory be accessible to any member of the general public in all cases, is invalid.
Put in focus
The CJEU emphasised that the EU legislature failed to strike the right balance between the fight against money laundering/terrorist funding and the sufficient protection of personal data. The judgment triggers the need for all national legislatures to re-examine their implementation of the 5AMLD on the point raised by the Luxembourgish case at issue. In Luxembourg and the Netherlands, access to the registers of beneficial owners is to be restricted in the short term.