Authors: Ewa Kurowska-Tober, Andrew Serwin,  John N Gevertz and Piotr Czulak

The CJEU recently ruled that a Luxembourg law adopted in 2019 in accordance with the amended anti-money-laundering directive[1] (“AML Directive”), which required the disclosure and publication of certain information on the beneficial owners of entities registered in the Register of Beneficial Ownership, was invalid because it interfered with the right to privacy. The law required disclosure of the owner’s name, month and year of birth, nationality and country of residence, as well as the “nature and extent” of the interests held in the organization.  This ruling not only finally addressed the conflict existing between EU privacy laws and AML regulations, but it is also important for Global financial institutions because: it highlights the different approach to privacy in the US and the EU, particularly around law enforcement data collection; and it highlights the need to have a Globally-governed AML program.

Two different Luxembourg-based companies, and their beneficial owners, brought actions before the Luxembourg District Court arguing that the general public’s access to the information should be restricted, because the disclosure would create a disproportionate risk of interference with the fundamental rights of the beneficial owners. Among the arguments plaintiffs made in the Luxembourg District Court was that due to the beneficial owner’s role in a real estate company, he was required to travel to countries with unstable political regimes and having to disclose this information would likely create a “significant risk” of kidnapping.

As a result of both actions, the Luxembourg District Court referred a series of questions to the CJEU for a preliminary ruling, focused on the interpretating the validity of the AML Directive’s requirements in light of the Charter of Fundamental Rights of the European Union.

In examining these questions, the CJEU first examined the basis for the disclosure and publication requirement, noting that the purpose of the AML Directive is to prevent the use of the European Union’s financial system for the purposes of money laundering and terrorist financing. Recital 4 of AML Directive states that this objective cannot be achieved unless the environment is hostile to criminals, which requires enhancing the overall transparency of the economic and financial environment of the European Union. Therefore, the disclosure requirement reflects an objective of general interests justifying even serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter.

However, the Court also noted that derogations from and limitations on the protection of personal data should apply only in so far as is strictly necessary. Where there is a choice between several measures appropriate to meeting the legitimate objectives pursued, recourse must be had to the least onerous.

The CJEU ruled that, in light of the Charter, the disclosure and publication requirements of the AML Directive constitute a serious interference with the fundamental rights to respect for private life and to the protection of personal data, enshrined in Articles 7 and 8 of the Charter. In the CJEU’s view, the regulations of the AML Directive allowing member states to make information on beneficial ownership available on condition of online registration and to provide, in exceptional circumstances, for an exemption from access to that information by the general public, respectively, do not, in themselves, reflect either a proper balance between the objective of general interest pursued and the fundamental rights enshrined in Articles 7 and 8 of the Charter, or embody sufficient safeguards to enable data subjects to protect their personal data effectively against the risks of abuse.  Of particular note to the CJEU was the fact that the publication requirements allow a potentially unlimited number of readers to acquire and disseminate material information on the financial situation of the beneficial owner.

While the preliminary ruling does not decide the dispute to which either of the actions pertains, the national courts in Luxembourg and in all other member states must now rule in accordance with the CJEU’s decision. Therefore, it may trigger similar actions being raised in other member states and force local legislatures to amend their AML regulations by limiting the general public’s access to the information on beneficial owners.  One crucial question left open is what financial institutions with an EU establishment must do in light of this ruling if they are applying other similar AML requirements from other countries to personal data from EU data subjects.

While the EU’s approach to privacy is based upon fundamental human rights, the approach in the US, as highlighted by the Schrems II decision, is more property-based, and this difference leads to a perception in the EU that both US law enforcement and the intelligence community are in some cases given broader latitude than their EU counterparts.  This case illustrates the growing privacy divide between the EU and the US, which continues to create additional compliance challenges for Global companies, as well as the need for practical solutions, including effective governance processes for entities which must address varying regional AML requirements.

[1] Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ 2015 L 141, p. 73), as amended by Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 (OJ 2018 L 156, p. 43).