On November 22, 2022, the Grand Chamber of the Court of Justice of the European Union (“CJEU”) issued its judgment in joint cases C‑37/20 and C‑601/20, holding that provisions of an EU anti-money laundering directive relating to the publication of beneficial ownership registers were incompatible with the EU Charter of Fundamental Rights (“CFR”). The Court found that while deterring money laundering was a valid objective, making data available to the general public was neither a necessary nor proportionate way to achieve this objective, so contravened the CFR. The judgment demonstrates the Court’s view that sharing a person’s personal data with a third party is a serious intrusion, and that the Court will carefully scrutinize any such sharing.

Although the case concerned the CFR, it sheds light on how the Court approaches similar principles that apply in other contexts, including in the context of the GDPR.

I.               Legal background

EU Directive 2015/849 (the “2015 Directive”) required each EU member state to establish a register of beneficial ownership (“RBO”) containing personal data about the owner of each legal entity in that member state – such as their name, nationality, and ownership interest – and to make the RBO available to a range of financial entities such as banks. The 2015 Directive also required the RBO to be made accessible to anybody who could demonstrate a “legitimate interest” in accessing the RBO.

Directive 2018/843 (the “2018 Directive”) expanded on the 2015 Directive by allowing any member of the general public to access the RBO, regardless of whether they could demonstrate a “legitimate interest”. This was intended to increase access to the RBO and thus “allow greater scrutiny by civil society, including by the press” and discourage “the misuse of corporate and other legal entities… through reputational effects”.

The public disclosure requirement under the 2018 Directive has long been controversial.  Two complainants, WM and Sovim, brought legal proceedings challenging the validity of the 2018 Directive on the basis that the publication of their personal data on a public website contravened their rights to the protection of personal data and to private and family life under Articles 7 and 8 of the CFR.

II.            The CJEU’s findings

The CJEU found that the objective of both the 2015 and 2018 Directives – namely, countering money laundering – was “capable of justifying even serious interferences” with CFR rights.

However, the CJEU went on to stress that under the CFR, any interference with fundamental rights must be a necessary and proportionate way to achieve an objective. The CJEU found that the changes made by the 2018 Directive were:

  • Not necessary, because the anti-money laundering objective could be achieved without making the RBO available to the public. In particular, the CJEU noted that scrutiny by civil society and the press could already be achieved under the 2015 Directive, since such entities would usually be able to demonstrate a “legitimate interest” in accessing the RBO. The CJEU was also unsympathetic to an argument made by the European Commission that the 2018 Directive was necessary because applying the “legitimate interest” test had proven difficult in practice; the Court noted that practical difficulties did not justify an interference with fundamental rights.
  • Not proportionate, because the CJEU viewed publication of a person’s personal information on the internet as a “serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter”, that was not offset by a proportionate benefit. In reaching this conclusion, the CJEU emphasised the lack of data protection safeguards in the 2018 Directive and the high level of intrusion involved in making information public on the internet, since such information is available to an unlimited number of people whose use of the data cannot be monitored or controlled.

Because the publication of the register was not necessary or proportionate, the CJEU struck down the provisions of the 2018 Directive that required the RBO to be made available to the general public. However, the CJEU did not strike down the provisions of the 2015 Directive requiring the RBO to be maintained and shared with a more limited set of parties.

IIII.             Next steps

In response to the Court’s decision, member states have begun restricting access to their RBOs (for example, see the notices posted to the Netherlands and Luxembourg registers). Member states will also begin to consider how the judgment affects other registers maintained by government bodies.

While the judgment has been described as a “gift to oligarchs under sanctions” in the press, it will bring some relief to many other business owners and executives who have been called upon to disclose potentially sensitive, personally identifiable information to the general public.  And, although the Court’s verdict related to the CFR rather than the GDPR, the verdict serves as a timely reminder of the detailed scrutiny that regulators, courts, and individual litigants continue to apply to data processing activities of all entities, especially where data is made public or is highly-sensitive. Entities should carefully consider their processing activities throughout their data lifecycle – including assessing whether data collection and processing is necessary at all – and prepare clear and persuasive documentation that can be produced in the event of a regulatory investigation or court proceeding.

*                      *                      *

The Privacy and Cybersecurity Practice at Covington has extensive experience advising on data protection issues across Europe, including in the context of regulatory investigations and court proceedings, and our Corporate Practice has extensive experience with beneficial ownership filings in many jurisdictions. If you have any questions about the CJEU’s verdict and its potential effect on your business, please let us know.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Philipp Tamussino Philipp Tamussino

Philipp Tamussino is a U.S. corporate partner based in Frankfurt. His practice focuses on cross-border corporate and finance transactions. Previously resident in our New York office, he joined the Frankfurt team when the office opened in 2018.
Philipp represents clients in mergers and…

Philipp Tamussino is a U.S. corporate partner based in Frankfurt. His practice focuses on cross-border corporate and finance transactions. Previously resident in our New York office, he joined the Frankfurt team when the office opened in 2018.
Philipp represents clients in mergers and acquisitions, financings, private equity transactions, corporate governance matters, joint ventures and venture capital investments, almost always in an international setting. He also has advised asset managers and investors in a variety of structured finance, alternative investment and financial derivatives transactions.

Philipp is the Managing Partner for Legal Personnel in the Frankfurt office, having previously served in that role in New York.

Photo of Aleksander Aleksiev Aleksander Aleksiev

Aleksander advises clients on legal problems associated with data protection, cybersecurity, and new technologies. He holds degrees in both law and computer engineering which he combines to provide advice that is both legally sound and technologically pragmatic.

Aleksander has advised companies, governments, and…

Aleksander advises clients on legal problems associated with data protection, cybersecurity, and new technologies. He holds degrees in both law and computer engineering which he combines to provide advice that is both legally sound and technologically pragmatic.

Aleksander has advised companies, governments, and charitable organizations on a range of technology law issues including data breach response, compliance with privacy and cybersecurity laws, and IT contract negotiations. In addition to his experience advising on European law, Aleksander is Australian-qualified and has significant experience advising clients in the Asia-Pacific – particularly on Australian and Hong Kong law.