On November 22, 2022, the Grand Chamber of the Court of Justice of the European Union (“CJEU”) issued its judgment in joint cases C‑37/20 and C‑601/20, holding that provisions of an EU anti-money laundering directive relating to the publication of beneficial ownership registers were incompatible with the EU Charter of Fundamental Rights (“CFR”). The Court found that while deterring money laundering was a valid objective, making data available to the general public was neither a necessary nor proportionate way to achieve this objective, so contravened the CFR. The judgment demonstrates the Court’s view that sharing a person’s personal data with a third party is a serious intrusion, and that the Court will carefully scrutinize any such sharing.
Although the case concerned the CFR, it sheds light on how the Court approaches similar principles that apply in other contexts, including in the context of the GDPR.
I. Legal background
EU Directive 2015/849 (the “2015 Directive”) required each EU member state to establish a register of beneficial ownership (“RBO”) containing personal data about the owner of each legal entity in that member state – such as their name, nationality, and ownership interest – and to make the RBO available to a range of financial entities such as banks. The 2015 Directive also required the RBO to be made accessible to anybody who could demonstrate a “legitimate interest” in accessing the RBO.
Directive 2018/843 (the “2018 Directive”) expanded on the 2015 Directive by allowing any member of the general public to access the RBO, regardless of whether they could demonstrate a “legitimate interest”. This was intended to increase access to the RBO and thus “allow greater scrutiny by civil society, including by the press” and discourage “the misuse of corporate and other legal entities… through reputational effects”.
The public disclosure requirement under the 2018 Directive has long been controversial. Two complainants, WM and Sovim, brought legal proceedings challenging the validity of the 2018 Directive on the basis that the publication of their personal data on a public website contravened their rights to the protection of personal data and to private and family life under Articles 7 and 8 of the CFR.
II. The CJEU’s findings
The CJEU found that the objective of both the 2015 and 2018 Directives – namely, countering money laundering – was “capable of justifying even serious interferences” with CFR rights.
However, the CJEU went on to stress that under the CFR, any interference with fundamental rights must be a necessary and proportionate way to achieve an objective. The CJEU found that the changes made by the 2018 Directive were:
- Not necessary, because the anti-money laundering objective could be achieved without making the RBO available to the public. In particular, the CJEU noted that scrutiny by civil society and the press could already be achieved under the 2015 Directive, since such entities would usually be able to demonstrate a “legitimate interest” in accessing the RBO. The CJEU was also unsympathetic to an argument made by the European Commission that the 2018 Directive was necessary because applying the “legitimate interest” test had proven difficult in practice; the Court noted that practical difficulties did not justify an interference with fundamental rights.
- Not proportionate, because the CJEU viewed publication of a person’s personal information on the internet as a “serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter”, that was not offset by a proportionate benefit. In reaching this conclusion, the CJEU emphasised the lack of data protection safeguards in the 2018 Directive and the high level of intrusion involved in making information public on the internet, since such information is available to an unlimited number of people whose use of the data cannot be monitored or controlled.
Because the publication of the register was not necessary or proportionate, the CJEU struck down the provisions of the 2018 Directive that required the RBO to be made available to the general public. However, the CJEU did not strike down the provisions of the 2015 Directive requiring the RBO to be maintained and shared with a more limited set of parties.
IIII. Next steps
In response to the Court’s decision, member states have begun restricting access to their RBOs (for example, see the notices posted to the Netherlands and Luxembourg registers). Member states will also begin to consider how the judgment affects other registers maintained by government bodies.
While the judgment has been described as a “gift to oligarchs under sanctions” in the press, it will bring some relief to many other business owners and executives who have been called upon to disclose potentially sensitive, personally identifiable information to the general public. And, although the Court’s verdict related to the CFR rather than the GDPR, the verdict serves as a timely reminder of the detailed scrutiny that regulators, courts, and individual litigants continue to apply to data processing activities of all entities, especially where data is made public or is highly-sensitive. Entities should carefully consider their processing activities throughout their data lifecycle – including assessing whether data collection and processing is necessary at all – and prepare clear and persuasive documentation that can be produced in the event of a regulatory investigation or court proceeding.
* * *
The Privacy and Cybersecurity Practice at Covington has extensive experience advising on data protection issues across Europe, including in the context of regulatory investigations and court proceedings, and our Corporate Practice has extensive experience with beneficial ownership filings in many jurisdictions. If you have any questions about the CJEU’s verdict and its potential effect on your business, please let us know.