In the fifth anti-money laundering directive (2018/843, "AMLD5"), the EU removed the requirement of 'legitimate access' for the general public to access the member states' UBO database, essentially allowing anyone for whatever reason to gain access to personal data such as the name, date of birth, country of residence and nationality of the natural person behind a legal entity. In 2022, the CJEU ruled that this general access constitutes a disproportionate and unnecessary violation of the right to privacy and the right to data protection, as follows from art. 7 and 8 of the EU Charter.
CJEU's case law on blanket data practices
This judgment follows a relatively steady line of CJEU case law regarding the blanket access, retention, use and storage of data. In cases such as Tele2 Sverige & Watson and Digital Rights Ireland, the CJEU ruled that the bulk processing of traffic and communications data without any targeting restrictions as to the time period, geographical zone or group of persons also constitutes a gross violation of the EU citizen's fundamental rights.
The big difference between the present UBO case and these past cases lies in the purpose of the processing and the entities having access. The past case law concerned data collected for law enforcement and national security purposes, and accessible to law enforcement and intelligence agencies. In the UBO case, the data is processed for anti-money laundering purposes and is accessible to the general public.
Member states' reactions
Nevertheless, there is one important common denominator: proportionality, or rather the lack thereof. Following the invalidity of the general access, member states are left with the question of how they can remedy this. Member states such as the Netherlands, Austria and Ireland have temporarily suspended the general access to the UBO database, whereas France has done the opposite and recently reinstated this general access, much to the liking of transparency activists. Interestingly, Germany has opted for the middle road: access must be individually requested and motivated, showing legitimate interest.
The question now is how member states can ensure these rights to privacy and data protection without stifling the fight against money laundering and terrorism financing. One way to solve the issue of requiring a legitimate interest is through a differentiated approach. It would be a more proportionate solution to build different dimensions of interests and grant access rights accordingly. Such a differentiated approach could consist in providing access to the three following categories (besides the competent authorities already having access) and would be subject to ongoing monitoring and governance:
- Industry/profession-bound: granting general access to notaries, bailiffs, lawyers and other regulated professionals who require the UBO-data within the context of their activities;
- Purpose-bound: granting access to other entities who require the UBO-data for specific activities such as to engage in a transaction, to perform customer due diligence or to comply with another legal obligation;
- Ad-hoc: a final category could be ad hoc and upon a motivated request which shows legitimate interest, similar to the current German access mechanism.
In Belgium, a Royal Decree was published last Friday, applying such a differentiated approach. The Decree not only re-introduces the requirement of 'legitimate interest' for the general access, but also defines the three cases in which there is a 'legitimate interest'. Nevertheless, this differentiated approach is much narrower than the one we proposed above. These three cases in the Decree are centred around entities active in the fight against money laundering and terrorism financing. As the preparatory documents indicate, these will mostly concern NGOs and investigative journalists.
Different countries setting down different rules and requirements for general access forms a serious limitation on the EU internal market idea. Not only legitimate interest, but also the requirement of online registration through eID can hinder the free flow of services, as not all EU member states have eIDs. A common EU approach is required to ensure the freedoms of the internal market.
Even though the request for preliminary ruling in the UBO case included the question whether the general access was in violation of the GDPR, the CJEU still limited its analysis to the EU Charter of fundamental rights. Nevertheless, it remains an interesting question how member states will ensure compliance with the principles of lawfulness, transparency, accountability and purpose limitation from the GDPR. The responsible authorities can take the first steps towards GDPR compliance through a data protection impact assessment, appointing a data protection officer, ensuring data protection by design, etc. An important question is how the requirement of legitimate interest under the old AML directive and the new Belgian rule will tie in with 'legitimate interests' as a legal basis for processing under the GDPR.
A couple of months after the CJEU ruling, different member states are still searching for a way to balance the fight against money laundering and terrorism financing on the one hand, and compliance with fundamental rights and the GDPR on the other hand. This noble pursuit of fighting white-collar crime should not be the end of a person's right to privacy and data protection. While some member states are waiting for the EU to intervene, other member states have taken matters into their own hands.
On a broader level, it will be interesting to see what effect this judgment will have on the general access to other public databases such as company registers.