The Invalidity of Public Access to the Register of Beneficial Owners: Brief Analysis of the CJEU's Ruling of 22 November

SÉRVULO PUBLICATIONS 15 Dec 2022

On November 22, 2015, the Court of Justice of the European Union ("CJEU") ruled[1] the unlawfulness of the generalised public access to the personal data of beneficial owners, as prescribed in article 30(5)(c)[2] of Directive (EU) 2015/849 of the European Parliament and the Council of 20 May 2015, on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing (“Anti-money-laundering Directive”).

It follows from this article, in its current wording, that Member States of the European Union shall ensure that "the information on the beneficial ownership is accessible in all cases to (…) any member of the general public", including, at least, the name, the month and year of birth, the country of residence and nationality, and the nature and extent of the interest held by the beneficial owner.

The CJEU has concluded, however, that the public access - now independent from the existence of a legitimate interest[3] - to the information contained in the register of beneficial ownership, even if in the name of the public interest in preventing money laundering and terrorist financing, and with reference to the provisions contained in the General Data Protection Scheme ("GDPR")[4] , constitutes a disproportionate[5] and, therefore, invalid restriction of the fundamental rights to respect for private life and protection of personal data[6]. According to this Court, the terms under which the imposition of disclosure and access to the data in question is now regulated, which can only be excepted, at the discretion of the Member States, when it exposes the beneficial owner to “disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or otherwise legally incapable”[7], "are not, in themselves, capable of demonstrating either a proper balance between the objective of general interest pursued and the fundamental rights (…) or the existence of sufficient safeguards enabling data subjects to protect their personal data effectively against the risks of abuse"[8].

In Portugal, the Central Register of Beneficial Owners ("RCBE") was enacted by Law no. 89/2017, of August 21, which transposed the EU Directives on this matter to ensure compliance with the national duties on preventing and combating money laundering and terrorist financing[9]. Therefore, it is possible to access, online, with the mere authentication of the interested party through his/hers Digital Mobile Key[10], the name, month and year of birth, nationality, country of residence and economic interest held, of the beneficial owners[11]. These may request for such access to be restricted only when there is a risk of fraud, threat, coercion, persecution, kidnapping, extortion, or other forms of violence or intimidation, or if the beneficial owner is a minor or legally incapable[12].

Under this legal framework, the National Commission for Data Protection ("CNDP") had already undertaken a similar position to the one that has now been adopted by the CJEU[13], shedding light on the "unnecessary and excessive" interference that the public access to personal data of beneficial owners results in for the fundamental rights to respect for private life and the protection of personal data[14], further violating the provisions of the Portuguese Data Protection Law[15].

The CJEU's decision does not automatically affect the validity of European and, consequently, national rules. However, these must hereafter be applied and amended in accordance with the Court's understanding. It remains to be seen under what terms such changes will be undertaken, as well as what impact the CJEU’s decision may now have on public access to personal data contained in other registers in the European Union and in Portugal.

Ana Mira Cordeiro | ami@servulo.com

Inês Pereira Lopes | ipl@servulo.com