Privacy and data protection vs public access to entrepreneurs’ personal data. Score 2:0
How did the ECJ balance the rights to privacy and data protection against transparency of Ultimate Beneficial Owners registries in WM and Sovim SA v Luxembourg Business Registers?
While the eyes of the world are on the FIFA World Cup in Qatar, the highest referee in the European Union (EU) – the Court of Justice of the EU (ECJ), sitting as the Grand Chamber – ruled in favour of privacy and data protection of the ultimate beneficial owners (UBO) of corporate entities, whose fundamental rights were infringed by one of the provisions of the EU secondary law. In judgment WM and Sovim SA v Luxembourg Business Registers (joined Cases C‑37/20 and C‑601/20) delivered on 22 November 2022, in the preliminary reference procedure, the ECJ struck down a provision of the EU Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) legal framework, which since early 2020 required a considerable amount of information about UBOs to be accessible to the general public. In the view of the Court, the access in all cases of any member of the general public to such information constitutes a serious interference with the fundamental rights to respect for private life and the right to the protection of personal data, enshrined respectively in Articles 7 and 8 of the Charter of Fundamental Rights (CFR), which is neither limited to what is strictly necessary nor, as one can infer from the reasoning of the Court, proportionate to the objective pursued (paras 44, 76 and 77 read jointly with 85 and 86).
UBO registries for corporate entities
In order to trace criminals who may hide their identity behind corporate structures, the 4th (4AMLD) and 5th (5AMLD) Anti-Money Laundering Directives required Member States to establish a central UBO registry for corporate and other legal entities incorporated within their territory. UBO means a ‘natural person(s) who ultimately owns or controls a legal entity through direct or indirect ownership of a sufficient percentage of the shares or voting rights or ownership interest in that entity’ (Art. 3(6)(a) 4AMLD as amended). Identification of UBO is one of the compulsory customer due diligence measures carried out by obliged entities (most notably financial institutions) and an important element of (financial) investigations conducted by relevant public authorities, including Financial Intelligence Units (FIUs). Yet, the 5AMLD provided for a public access to UBO registries and envisaged it as a tool for increasing transparency of the economic and financial environment of the Union.
Insofar as Article 30(5) 4AMLD required Member States to provide access to information on UBO to ‘any person or organisation that can demonstrate a legitimate interest’, Article 1(15)(c) 5AMLD introduced an amendment, which required to extend such access to ‘any member of the general public’.
According to the amended provision the information at issue should ‘at least’ comprise of the name, month and year of birth, country of residence and nationality of the UBO, as well as the nature and extent of the beneficial interest held. Member States could also provide access to additional information.
The amended Article 30(9) 4AMLD allowed Member States, to provide for an exemption from the public access to all or part of the information contained in UBO registry ‘[i]n exceptional circumstances (…) laid down in national law, where [such] access (…) would expose the beneficial owner to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or otherwise legally incapable’.
The Luxembourg Business Register and rejected requests for the restriction of access
With the law of 2019, Luxemburg introduced a register of beneficial ownership (RBO), which facilitated public access to a vast array of information on UBO. WM (case C-37/20) – a beneficial owner of a number of companies and Sovim (case C-601/20) – another company whose UBO information was registered in RBO – lodged applications with the Luxembourg Business Register (LBR) requesting restriction of access to information publicly available in the RBO. Both applications were rejected by the LBR and brought to the scrutiny of the Luxembourg District Court. While WM demanded the restriction on the ground of the existence of exceptional circumstances, Sovim argued primarily that granting public access to the identity and personal data of its UBO infringes the fundamental rights to privacy and protection of personal data enshrined in the CFR and a number of provisions of the GDPR.
In both cases, the Luxembourg District Court stayed the proceedings and referred several questions to the ECJ on the interpretation of Article 30 4AMLD (as amended) and compatibility of that provision with the CFR (requests for a preliminary ruling C-37/20 and C-601/20).
Key findings of the ECJ
The ECJ commenced its deliberations with the problem of compatibility of Article 30 4AMLD (as amended) with the fundamental rights enshrined in Articles 7 and 8 CFR and having found that provision invalid, it did not need to examine other questions.
1. Serious interference with Articles 7 and 8 of the Charter
The Court had no doubt that although the information on UBOs relates to their professional activities, it is in fact information on identified individuals, and therefore personal data, and making such data available to third parties constitutes data processing. This, in the view of the ECJ, implies an interference with the fundamental rights enshrined in Articles 7 and 8 CFR, irrespective of the subsequent use of information on UBO (paras 38-39).
Contrary to the view of Advocate General (AG) Giovanni Pitruzzella (para 104 of the Opinion), the ECJ considered interference with both fundamental rights to be serious and based its reasoning on two grounds. The first ground regarded the character of information available through the UBO registry. The Court noted that the registry contains both information on UBOs’ identity and on the nature and extent of their interest held in corporate or other legal entities. According to the Court ‘that information is capable of enabling a profile to be drawn up concerning certain personal identifying data more or less extensive in nature depending on the configuration of national law, the state of the person’s wealth and the economic sectors, countries and specific undertakings in which he or she has invested’ (para 41).
The second argument of the Court pertained to the intrinsic feature of making personal data freely accessible to a potentially unlimited number of persons, as it is the case especially when data becomes available on the internet, namely the loss of control over the purpose for which it would be consulted and further processed. This means that information from UBO registries could potentially be used for other than AML/CFT purposes, and that the persons whom the information concerns are in fact in an ‘increasingly difficult, or even illusionary’ position to defend themselves effectively against possible abuse (paras 42-43).
2. Nuanced conception of the objective of transparency
When considering whether the measure at issue meets the objective of general interest recognised by the EU, the Court distinguished between two matters, namely between creating hostile environment for criminals through the enhanced transparency and the principle of transparency as such, understood as an enabler of citizens’ participation in democratic processes.
As regards the first one, the ECJ agreed that prevention of money laundering and terrorism financing by creating an environment less likely to be used for such illicit purposes, including by means of enhanced transparency, constitutes an objective of general interest recognised by the Union that is capable of justifying even serious interferences with the rights enshrined in Articles 7 and 8 CFR. Inasmuch as the overarching objective of the EU AML/CFT policy is the prevention of the use of the EU financial system for money laundering and terrorism financing (see e.g. Article 1(1) 4AMLD) in, the 5AMLDthe legislator took a step further. The 5AMLD provides for that the realization of the aforementioned objective ‘cannot be effective unless the environment is hostile to criminals seeking shelter for their finances through non-transparent structures’ (recital 4 5AMLD). To that end, ‘[e]nhancing transparency could be a powerful deterrent’ (recital 4 5AMLD). Accordingly, better transparency could be achieved by enabling public access to beneficial ownership information, which as explained in recital 30 5AMLD, i.a. ‘allows greater scrutiny of information by civil society, including by the press or civil society organisations…’ and ‘can contribute to combating the misuse of corporate and other legal entities and legal arrangements for the purposes of money laundering or terrorist financing (…), given that anyone who could enter into transactions is aware of the identity of the beneficial owners’.
With respect to the arguments that the principle of transparency as such, i.e. as it results from the primary law (Articles 1 and 10 of the TEU and Article 15 TFEU) constitutes the objective of general interest of the EU in the decided case, the ECJ disagreed (paras 58-62). The Court contended that, while transparency as a principle is essential for democratic systems, it needs to refer to activities of a public character and not, as in the present case, to identity of private entrepreneurs and their beneficial interests. In this way, the Court nuanced the purpose of public disclosure of information via UBO registries and other instances of publication of personal data that reinforce public control (paras 60-62 and earlier ECJ case law such as Case C‑28/08 P, para 54 or joined cases C‑92/09 and C‑93/09, para 68).
3. The balancing exercise
To evaluate the proportionality of the interference, the ECJ followed a three prong test, known from its case law on the retention of traffic and location data (e.g. C‑140/20, para 93), which requires assessing the compliance of the measure with the requirements of appropriateness, necessity, and proportionality in relation to the pursued objective of general interest (paras 63-64).
Firstly, the Court contended that the general public’s access to information on UBO established by the 5AMLD and the increased transparency resulting therefrom are appropriate for attaining the objective of general interest pursued, since these measures contribute to the creation of an environment less likely to be used for money laundering and terrorism financing (paras 66-67), as discussed earlier.
Secondly, the Court explained that being strictly necessary means that ‘where there is a choice between several measures appropriate to meeting the legitimate objectives pursued, recourse must be had to the least onerous’ (para 64). On that point, the Court examined the rationale of the amendment introduced by the 5AMLD, which extended the possibility of accessing information in the registry beyond ‘any person or organisation that can demonstrate a legitimate interest’ and rejected Commission’s argument that the change at issue could be justified with a difficulty in defining the criterion of ‘legitimate interest’ (paras 68-73). Furthermore, the ECJ noted that where the access to information on UBO is driven by the objectives enumerated in recital 30 5AMLD (see above), there exists, in fact, also a legitimate interest, what does not render the expansion of accessibility of the registry to the general public strictly necessary (paras 74-76).
Thirdly, the Court examined the requirement of proportionality. It considered whether the legislative measures in question entailing the interference with the rights enshrined in Articles 7 and 8 CFR, provides for ‘clear and precise rules governing the scope and application of the measures (…) and imposing minimum safeguards, so that the data subjects have sufficient guarantees to protect effectively their personal data against the risk of abuse’ (para 64). The ECJ concluded that the substantive rules governing the general public’s access to information on UBO – specifically Article 30(5) 4AMLD, which allows for providing access to ‘additional information’ that enables UBO identification, do not meet the standard of clarity and precision (paras 78-82).
Finally, when juxtaposing the seriousness of the identified interference with the importance of the pursued objective of general interest, the Court noted that the realization of the AML/CFT policy is predominantly a task of competent public authorities and obliged entities, who have had access to information on UBO irrespective of the amendment introduced by the 5AMLD (paras 83-84). In light of this, the Court failed to recognise the added value of providing access to the UBO information to the general public, which compared to the former rule is a measure that ‘amounts to a considerably more serious interference’ with the rights enshrined in Articles 7 and 8 CFR. Lastly, according to the Court, the exceptional possibility of restricting access to information stored in UBO registries is neither capable of demonstrating a proper balance between the objective of general interest pursued and discussed rights, nor amounts to sufficient safeguards enabling data subjects to protect their personal data effectively against the risks of abuse (para 86).
In view of the above, Article 1(15)(c) 5AMLD is invalid insofar as it amended point (c) of the first subparagraph of Article 30(5) 4AMLD and required Member States to ensure that information on UBO of companies and of other legal entities incorporated within their territory is accessible in all cases to any member of the general public (para 88).
A victory for human rights and a yellow card for the legislator
The score 2:0 in the match of privacy and data protection vs public transparency of UBO registries is a victory for human rights and good news for all entrepreneurs not willing to publicly share information about themselves and their beneficial interests. While privacy and data protection advocates can add the WM and Sovim case to the trophy cabinet, scholars can embark on the analysis of yet another convoluted interpretation of Articles 7, 8 and 52 CFR made by the ECJ. The judgment certainly calls for debate on issues such as conflation of the rights to privacy and data protection in the ECJ’s jurisprudence, lack of Court’s in-depth reflection on the ‘essence’ of these two fundamental rights, or the maze of criteria for testing proportionality of an interference with the rights enshrined in CFR.
But what does this decision mean for the AML/CFT policy and can it pass unnoticed when the new AML/CFT legislative package is on the table?
For the Member States, the most straightforward answer to the first question is the suspension of public access to UBO registries and return to the system established by the 4AMLD. Besides Luxembourg, other governments – for instance the Dutch government, immediately required relevant registries to block access of the general public.
The decision in the WM and Sovim case, however, can be seen also as a yellow card for the legislator making rules in the field of AML/CFT. The Court made at least two important observations, which should be taken into account when designing a new AML/CFT framework. The first one concerns the character of information processed for the AML/CFT purposes. Although the analysis was limited to the closed catalogue of data publicly accessible in the UBO registries, as was explained earlier, the ECJ still considered it sufficient to draw up certain profile of a person concerned. One can see the Court alluding in this way to its previous case law on metadata and Passenger Name Records (PNR), where it reiterated that even if some of the data points, taken in isolation do not appear liable to reveal important information about the private life of the persons concerned, ‘taken as a whole’ can allow ‘very precise conclusions to be drawn’ about specific persons (with respect to metadata e.g. joined cases C-293/12 and C-594/12, para 27; joined cases C-203/15 and C-698/15, para 99 and with respect to PNR Opinion 1/15, para 100).
It is noteworthy that information stored in UBO registries is only a small fraction of data processed for AML/CFT purposes. The AML/CFT systems facilitate processing of many more categories of data, including transaction records. All these information, especially when taken together are capable of providing quite an accurate overview of one’s personal life.
The second important observation concerns the purposes of specific measures introduced by the AML/CFT legal framework. The Court noted that inasmuch as the general public’s access to information on UBO ‘can contribute’ to attaining the goal of combating money laundering or terrorist financing, it fails to demonstrate its strict necessity. One can see this point in Court’s reasoning as a call for closer proximity of the devised – privacy and data protection intrusive – measure and the objective it is envisaged to pursue. In other words, such measure can be regarded strictly necessary only when it serves a specific and feasible to achieve goal, rather than a hypothetical or far-fetched one. Regrettably, in the discussed judgement, the Court refrained from reflecting further on the objectives of the AML/CFT policy and criteria such objectives should meet to be considered objectives of general interest recognised by the Union that can justify limitations of rights and freedoms guaranteed by the CFR.
Despite this, WM and Sovim is certainly a remarkable case, which hopefully marks the beginning of a – so far neglected – reflection on the problem of reconciliation of the AML/CFT regime with Articles 7 and 8 CFR.