Go Back

European Court of Justice invalidates public access to European registries of UBOs

November 20, 2022, the European Court of Justice (Grand Chamber) has issued a Judgement concerning the validity of Art. 1(15)(c) of European Directive (EU) 2018/843 of May 30, 2018 (the “Directive”)[1]. The ECJ concluded that mentioned provision of the Directive that provides the access to the huge amount of personal information on beneficiary owners (‘Ultimate Beneficial Owners’ = ‘UBOs’) of the companies to the public, is indeed invalid. The provided access should be limited to the extent of ‘exceptional circumstances’ for the purposes of ‘public security’.

1. Legal basis that triggered the judicial review

Art. 1(15)(c) of the Directive provisions:

Member states shall ensure that the information of the beneficial ownership is accessible in all cases to:

(a) competent authorities and FIUs, without any restriction;
(b) obliged entities, within the framework of customer due diligence in accordance with Chapter II;
(c) any member of the general public.

The persons referred to in point (c) shall be permitted to access at least the name, the month and year of birth and the country of residence and nationality of the beneficial owner as well as the nature and extent of the beneficial interest held.

Member States may, under conditions to be determined in national law, provide for access to additional information enabling the identification of the beneficial owner. That additional information shall include at least the date of birth or contact details in accordance with data protection rules.

During the period since 2018 when this directive was introduced until now, EU countries national registers of UBOs were accessible to everyone. For example, they were massively used for the KYC purposes by prospective partners and investors.

The Member states can introduce laws clarifying the Directive. Following that, Luxembourg has adopted the Law of 13 January 2019 establishing a Register of Beneficial Ownership[2] (the “Law on RBO”, “Luxembourg Business Registers” or “LBR”) providing the exact data on beneficial owners of the companies that should be retained and be publicly available (Art. 2 and 3 of Law on RBO).

The judicial review of the Art. 1(15)(c) of the Directive (in general) was triggered by several Luxembourg companies’ UBOs, including WM, aiming to protect their personal information from being wrongfully used. For instance, WM has challenged the aforementioned provisions on the ground that:

the general public’s access to that information would seriously, actually and immediately expose WM and his family to a disproportionate risk and risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation … maintaining that his position as executive officer and beneficial owner of YO and of a number of commercial companies requires him frequently to travel to countries whose political regime is unstable and where there is a high level of crime, which creates a significant risk of his being kidnapped, abducted, subjected to violence or even killed.

2. Concepts of “Exceptional circumstances” and “Risk” in regard to beneficiary owners’ private data

The ECJ in this case have reviewed the concepts of “exceptional circumstances” and of “disproportionate risk” that are mentioned in para. 36 of the preamble to the Directive, in which cases the transparency of information on beneficiary owners can be duly limited by the Member States.

Considering the cases of WM and Sovim SA companies, the ECJ held that such availability of information, due to the Law on RBO and the Directive, violates several provisions of the GDPR that ensures the appropriate security of the personal data, of the European Convention on Human Rights that ensures the right of each person to a certain level of security of its personal information, and such availability can indeed harm the beneficiary owners.

The conclusion of the ECJ in this case is that access to information on beneficiary owners should be indeed public, but also should be provided to the public with certain restrictions. For example, such information should be provided to competent authorities and Financial Intelligence Units for the sake of preventing terrorist financing and money laundering and other risks.

Simply put, the criteria of what information on beneficiary owners should be available to public in UBO registers should be narrowed down, as well as the access to this information itself, for the sake of protection of beneficiary owners’ own information and their rights to respect of their private life.

The main consequence of this judgment for banks, service providers and business owners is the following: the European registers of beneficiaries being previously open, are becoming non-available for KYC check.

On the one hand, information on UBOs now will not be available to the general public and therefore protect these individuals from invasion of their privacy and even their life (see the example with WM above). On the other hand, the information being restricted for legal entities conducting KYC (as banks or prospective contractors) may require them to use alternative resources for the gathering of information on UBOs.

The ECJ also held that the provision of the Directive in question provides for disclosure of unnecessary amount of information to an unnecessary amount of people without providing the beneficiary owners with the correspondent mechanisms of protection of their data when its disclosure is unnecessary and even harmful to them.

3. Immediate consequences of ECJ judgment

On the date of this article’s publication there are several EU countries which already closed or updated the rules for access to UBO registers to the general public, following the ECJ judgment dated November 20, 2022:

  • Belgium
  • Netherlands
  • Austrian,
  • Ireland,
  • Luxembourg,
  • Cyprus.

The information on UBOs in the registers remains open for public authorities and the other entities and persons that can prove a legitimate interest in this information. The obligation of UBOs to disclose the personal information to certain extent is still in force, so are the registers, however the 3rd parties’ access to those registers is severely restricted.

NB: when the Directive was enacted, the UK was still a part of a European Union and therefore established register of UBOs accessible to the general public. Now, the consequences of the ECJ judgment are not applicable to the UK due to Brexit, and no action by UK Government is required. Still, it is more than likely that the validity of UK legislation on UBO information public access is challenged in the national courts. Upon such challenge, it is hardly to predict whether UK courts will follow the ECJ Judgment, maybe forced to do so by the ECHR.

[1] European Directive (EU) 2018/843 of May 30, 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU. Found at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32018L0843.

[2] Loi du 13 janvier 2019 instituant un Registre des bénéficiaires effectifs (Mémorial A 2019, No. 15). Found at: https://legilux.public.lu/eli/etat/leg/loi/2019/01/13/a15/jo.