The Court of Justice of the European Union released on 22 November its judgement re. joined cases C-37/20 and the C-601/20, both involving the Luxembourg Business Register (“LBR”) and the issue of granting public access to certain personal data related to the beneficial owners of EU incorporated companies, notably in light of the right to respect private and family life and the right to the protection of personal data, enshrined respectively in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (the “Charter”).
Article 30, paragraph 5 of Directive (EU) 2015/849 (the “AMLD”) on Beneficial ownership information was indeed amended by Directive (EU) 2018/843 of 30 May 2018 to make sure that Member States would make the information on beneficial ownership “accessible in all cases to (…) any member of the general public”. The exact same provision has hence been transposed into Article 12 of the Luxembourg Law of 13 January 2019 establishing the Beneficial Owner Register (the “BO Law”), stating that “Access to the information referred to in Article (…) shall be open to any person”.
Exemptions to making BOs’ information public however exist, allowing registered entities on the basis of duly motivated “exceptional circumstances” to demand the manager of the BOs’ Register to limit the access of BOs’ information only to certain persons, such as national authorities and credit/financial institutions. This provision has been introduced by Directive (EU) 2018/843 and transposed into Luxembourg Law in Article 15 of the BO Law.
This is where the District Court of Luxembourg (“Tribunal d’arrondissement”) intervenes, dealing with two similar requests from Luxembourg incorporated companies having seen their requests of limited disclosure of BOs’ information being denied by the Manager of the Luxembourg Business Register. The Luxembourg District Court decided to stay its proceedings in asking the CJEU for a preliminary ruling, on the one side (in the Case C-37/20), with respect to the concepts of “exceptional circumstances”, “risk” and “disproportionate risk” as laid down in Article 30, para. (9) of the AMLD, while, on the other side (in the Case C-601/20), focusing firstly on knowing whether granting public access to certain BOs’ information contravenes Article 7 and 8 of the Charter, followed by questioning potential infringements to core GDPR rules notably set in its Article 5 (i.e. lawfulness-fairness-transparency, purpose limitation, data minimization and data protection by default).
The CJEU in its ruling holds that the article of the Directive (EU) 2018/843 introducing the accessibility of the BOs’ information to any member of the general public (i.e. Article 1, para. (15) (c), in so far as amending point (c) of the first subparagraph of Article 30, para (5) of the AMLD as amended) is invalid, clearly stating that “making personal data available to third parties constitutes an interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, whatever the subsequent use of the information communicated”.
Given that allowing public access to BOs’ information may be used for purposes others than countering ML/TF, “profiling” BOs, and potentially “abusing” personal data by allowing it to be available in the public sphere, the CJEU recalls that relevant part of the article of Directive (EU) 2018/843 “constitutes a serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter “.
While the Court affirms nonetheless that the observance with the principle of legality has been fulfilled and that the inference of public access in the BOs’ data does not undermine “the essence” of the fundamental rights guaranteed by Articles 7&8 of the Charter, “the principle of transparency (…) cannot be considered, as such, an objective of general interest capable of justifying the interference with the fundamental rights guaranteed in Articles 7&8 of the Charter.
Furthermore, the Court maintains that the inference with the rights of the Charter resulting from the general public’s access to information on Beneficial ownership, cannot be considered as “limited to what is strictly necessary”, also emphasising that the possibilities to provide for an exemption of BOs’ information access and registration to access BOs information are not “capable of demonstrating either a proper balance between the objective of general interest pursued and the fundamental rights enshrined in Articles 7 and 8 of the Charter, or the existence of sufficient safeguards enabling data subjects to protect their personal data effectively against the risks of abuse”.
A bit unfortunate though that the CJEU would not deepen its analysis to clear the issues raised on the GDPR side, given that point (c) of the first subparagraph of Article 30, para (5) of the AMLD was ruled as invalid, without further need to explore GDPR considerations.
Kindly note that the LBR has published a communication on its website stating that “following the judgment of the Court of Justice of the European Union of 22 November 2022, access to the RBE website via the internet is temporarily suspended. A solution allowing access to the RBE data by professionals as defined in Article 2 of the law of 13 January 2019 establishing a Register of beneficial owners will be communicated shortly”.
Julien Leroy - Senior Legal Adviser