The Court of Justice of the EU on 22 November emphatically struck down the public accessibility of the Ultimate Beneficial Owner (UBO) register. The general public having access to information on beneficial owners of companies and other legal entities constitutes a serious breach of privacy. In a principled ruling, the 15 judges of the Grand Chamber of the European Court explain that the fight against money laundering and terrorist financing is primarily a matter for public authorities. The fight against money laundering does not justify making a register containing privacy-sensitive data public to everyone, the highest European court stated. The entire text of this landmark decision can be found here.
Privacy First very much welcomes the critical and principled ruling by the Court of Justice. It provides a substantive ruling on the questions that Privacy First previously raised about the UBO register.
In early 2021, Privacy First filed summary proceedings against the UBO register, insisting that the Dutch court would take the case to the EU Court of Justice. The Dutch judge subsequently declined to do so because a similar Luxembourg case had just been submitted to the Court of Justice. The preliminary injunction court did however confirm that there is every reason to doubt the validity of the European Money Laundering Directives that form the basis of the UBO register. The judge ruled that the possibility could not be excluded that the highest European court would conclude that the public nature of the UBO register is not in line with the principle of proportionality. This judgment was upheld on appeal.
‘The introduction of the UBO register would mean that privacy-sensitive data of millions of people will be up for grabs’, Privacy First’s attorney Otto Volgenant of Boekx Attorneys commented at the time. ‘On all sides there are strong doubts whether this is actually an effective means in the fight against money laundering and terrorism. It’s like using a sledgehammer to crack a nut. The Court of Justice of the European Union will eventually adjudicate the case, and I expect it will annul the UBO register.’
This is indeed what happened last week. The public character of the UBO register is off the table. The main considerations of the EU Court of Justice ruling can be summarized as follows:
Making UBO data available to the public is a serious intrusion into the privacy of UBOs. Based on the information from the UBO register, a profile can be created that includes certain personal identification data, details on the person’s financial situation as well as the economic sectors, countries and specific companies in which they have invested. A freely accessible UBO register makes these data available to an unlimited number of individuals, including those who wish to view it for reasons that need not be related to anti-money laundering regulations. Not only are the UBO data freely accessible to anyone, it can also be stored and further disseminated by third parties, making it increasingly difficult or even illusory for UBOs to defend themselves against improper use.
Combatting money laundering and terrorist financing is a public interest objective that may justify the privacy intrusion that arises with a UBO register, but this does not mean without question that everyone should have access to that register.
The EU Court explains that the following questions must be assessed in this context:
1. Is the public accessibility of the UBO register an appropriate tool in the fight against money laundering?
2. Does the intrusion on the privacy of UBOs through public access meet the requirement of subsidiarity and is the public access limited to what is strictly necessary? In other words, can the fight against money laundering not reasonably be carried out just as effectively in another way that less affects the fundamental rights of the individuals concerned?
3. Is the privacy intrusion resulting from full disclosure of the UBO register proportionate, when weighing the importance of combatting money laundering on the one hand and the seriousness of the privacy intrusion on the other?
The first of these questions was addressed by the Court of Justice only briefly: a publicly accessible UBO register may, through the resulting transparency, contribute to an environment that is less likely to be used for money laundering. But with regard to the other two questions, the public nature of the UBO register does not meet the requirements to be imposed.
The Court’s answer to the second question is that the privacy violation that is the consequence of full disclosure of the UBO register is not strictly necessary. A previous version of the anti-money laundering regulations stated that ‘persons or organizations that can demonstrate a legitimate interest’ can have access to the UBO register. In its ruling, the Court specified the groups that may have such a legitimate interest:
a. the press and civil society organizations concerned with preventing and combatting money laundering and terrorist financing;
b. individuals who want to know the identity of a UBO in the context of a potential financial transaction; and
c. financial institutions and authorities involved in the fight against money laundering and terrorist financing.
The European Commission indicated earlier that it is difficult to give a legal definition of the concept of ‘legitimate interest’. The Court, however, found this too short-sighted: the fact that it is difficult to define this concept does not justify giving access to everyone. And so the public accessibility of the UBO register was cast aside, because the invasion of UBO’s privacy is not limited to what is strictly necessary.
In answering the third question, as to the proportionality of the privacy invasion in relation to the importance of anti-money laundering objectives, the Court also allows privacy to prevail. The fight against money laundering and terrorist financing is primarily a task of governments and financial institutions, which already had full access to the UBO register. Extending access to the UBO register to the entire public results in a significantly greater invasion of privacy, without being offset by benefits in the fight against money laundering and terrorist financing.
For the Netherlands, this means that the UBO register may no longer be publicly accessible with immediate effect. Immediately after this ruling, Privacy First called on the Dutch Minister of Finance to comply with the Court’s decision as soon as possible. On the very day of the ruling this call was heeded and an end was put to the public accessibility of the UBO register. This is a major victory for privacy. The goal of the lawsuit that Privacy First started in 2021 has thus been achieved. The UBO register is no longer publicly accessible. In the event the Dutch government fails to comply with this ruling, Privacy First will start new summary proceedings to enforce the EU Court ruling.
There will possibly be a discussion about the delineation of the group of persons who have access to the UBO register on the basis of a ‘legitimate interest’. This discussion is best conducted at the EU level, as anti-money laundering rules are also EU rules. This will also allow the European Data Protection Supervisor (EDPS) to get involved in the substance of this matter. This independent supervisor already in 2017 advised that public accessibility of the UBO register would not be proportionate.
Unfortunately, the European legislature did not heed that advice at the time. It happens more often that the European legislator drafts rules that are a major violation of privacy, which, years later, the highest European court indeed confirms to be the case. It is good that the European Court of Justice is critical and weighs the importance of privacy. After all, the courts have the final say in any democracy under the rule of law, and the EU Court of Justice’s Grand Chamber has ruled in favor of privacy time and again in recent years. But it would be even better if regulators themselves valued the importance of privacy protection as it would mean governments would not commit as many privacy violations in the first place.
The practices of advertising companies such as Google and Facebook often give rise to discussions about data protection and privacy. The operations of secret services and similar organizations such as the Dutch National Coordinator for Counterterrorism and Security (NCTV) equally draw attention and criticism.
There is a growing trend – remaining largely under the radar – towards general financial surveillance, whereby a number of large companies can follow citizens and organizations in detail on the basis of payment data. This is encouraged by public authorities and is spreading throughout society for all sorts of reasons, causing major data protection risks for citizens.
Privacy First would like to pay more attention to what it calls financial privacy in the period ahead.
What is financial privacy?
Financial privacy relates to the following:
- Detailed personal financial data in the hands of banks and other large parties. Nowadays, payments are made digitally for the most part; cash payments are becoming ever less common. As a result, parties involved in processing payments (banks, payment service providers and account information service providers) have detailed information about all their customers, including consumers, companies and various sorts of organizations. This means that these parties know a great deal about their customers. Financial data are becoming more and more detailed for all kinds of reasons and ever more companies can access these data. iDEAL 2.0, for example, is expected to cause further proliferation of personal financial data. In the past, banks have tried to monetize the financial data of customers, in the way that American advertising companies do, think of the ING affair in the Netherlands. This was stopped at the time, but could come back.
- New PSD2 services. The European Payment Services Directive 2 (PSD2) was intended to allow new services to be developed around the financial data of customers of payment institutions, including account information services. However, insufficient thought has been given to data protection, putting citizens at risk. Privacy First has been working on a campaign called Don’t-PSD2-me for several years now.
- Cash payments are disappearing, and so is this method of last resort to evade being tracked by banks from hour to hour. The European digital currency that is being developed is unlikely to be completely anonymous to enable crime fighting.
B. Privatization of crime fighting and the provision of services to public authorities
- Crime fighting duties of banks and other financial institutions (‘anti-money laundering’). These duties result in the collection of additional personal data of citizens. This concerns not only the identification of natural persons, but also the collection of data on and from natural persons involved in organizations. This may include directors and representatives of legal entities as well as the ultimate stakeholders. Customers often find themselves having to share confidential data with financial institutions in an insecure way. Please note that this is not only about crimes that can harm the customer or the financial institution. Institutions must actively check whether their own customers are holding criminal money and must report any suspicions of crime (‘unusual transactions’) to a section of the Dutch police: the Financial Intelligence Unit (FIU). The EU is currently working on a set of regulations, also known as the Anti-Money Laundering (AML) package, which will radically change the way in which companies combat crime. As a result of new regulations, more and more financial data will be transfered by companies to public authorities.
- Identification through biometrics among other ways. Banks and other financial institutions have to identify their customers, first and foremost to find out (under private law) with whom they are entering into an agreement, and secondly because anti-money laundering rules require it. There is some fuss about identification efforts, partly because banks now want to ‘re-identify’ existing customers, sometimes requiring biometric data in the process.
- UBO Register. Part of the crime-fighting duties of banks and designated enterprises, is that they must identify the ultimate beneficial owners (UBOs) of their customers and verify the accuracy of their customers’ registration with the UBO Register. Privacy First has litigated against the UBO Register and is now awaiting the outcome of similar cases pending before the European Court of Justice.
- Black lists. As part of crime fighting efforts and in order to protect financial interests, blacklists of ‘suspicious’ and convicted customers are created in the financial sector. There are two such lists, known as the internal referral register (Dutch abbreviation: ‘IVR’) and the external referral register (‘EVR’). The rules for these registers are laid out in ‘PIFI’, the Protocol Incident Warning System for Financial Institutions. Insurers have a complete overview of all claims that insurees have submitted to them. Increasingly, other companies with crime-fighting duties also want to create blacklists.
- Provision of data to public authorities (data reporting). Financial institutions, employers and, in the future, platforms too are required to provide data to public authorities. Within the framework of the obligation to provide information, many confidential data are collected from customers. One particular example is the obligation of financial institutions to collect customer data for the purpose of taxation by other countries. In this respect, the Foreign Account Tax Compliance Act (FATCA) is well known. It’s the US law that requires financial institutions around the world to provide free services to the US tax authorities, which relates not only to tax residents of the US and persons with property in or income from the US, but also anyone who has US citizenship (even if these people are without any real ties to the country, so-called ‘accidental Americans’). The Netherlands has entered into a FATCA treaty with the US and also participates in the ‘Common Reporting Standard’ (CRS), that many (EU) countries have implemented.
- Merchants in financial (personal) data. A number of very large and little-known parties are active on behalf of financial institutions, collecting financial and other data on both consumers and the natural persons involved in various organizations. These data are sold to financial institutions, among others, as credit information and as anti-money laundering information. Although these merchants must comply with the General Data Protection Regulation, they usually don’t, so the people whose data are being sold are not aware of the presence of their data with those merchants, nor can they verify whether the data are accurate and whether they were obtained lawfully. In other words, these people cannot exercise their GDPR rights. According to Privacy First, these merchants should be required to be licensed, just as financial institutions are, with a strong regulator and a strict review of executives.
- The Dutch Credit Registration Office (Bureau Kredietregistratie, BKR). This is a foundation recognized by the government and established by the financial sector to register data for the benefit of that sector.
What will Privacy First be doing?
Financial privacy covers a wide and complex area, which makes it difficult to tackle the issues surrounding this topic. In recent years, Privacy First has been active on the following subtopics:
- The UBO Register;
- The preservation of cash and anonymous means of payment.
 See for example https://ellentimmer.com/2015/12/23/gegevensuitwisseling/ (in Dutch).
It’s of paramount importance that the Netherlands leads the way not only in terms of digitalization, but also in the field of digital privacy. Public authorities should make people aware of the privacy risks in the digital world and set a good example by providing sufficient privacy-friendly alternatives to existing apps and platforms. This call was made today by a broad coalition of organizations and companies – the Privacy Coalition – to members of the Dutch House of Representatives, who were handed a manifesto.
The new Privacy Coalition notes in a joint manifesto that more and more digital platforms, services and apps are collecting users’ data without them realizing it. Those data are resold and integrated and then used to track people, follow their online behavior and influence them. “This creates digital profiles on the basis of which companies and even public authorities make decisions that have a major impact on our lives, without us being able to influence it”, the coalition states. It also warns of further polarization in society because people are no longer in control of what information they can and cannot see online.
Freedom of choice
Legislation is being drafted at both the European and national level to curb the unbridled use of personal data. But regulations and supervision alone will not be enough; developments are so rapid that we will always be lagging behind, the Privacy Coalition asserts.
The Privacy Coalition is calling on the Standing Committee on Digital Affairs of the Dutch House of Representatives to much more actively raise awareness among the citizenry about the importance of digital privacy. Public authorities, but also the business community, could set a good example by only using digital platforms and services that respect privacy. The coalition also advocates greater support for privacy-friendly alternatives to existing apps and platforms, so that people have freedom of choice.
“Digital platforms are becoming more adept at collecting data from users without being transparent about it”, says Haykush Hakobyan of Privacy First, one of the initiators of the Privacy Coalition. “People believe many services are offered for free, but they are unknowingly paying a high price with their personal data. We need to stop that trend now. It is a social responsibility of companies, public authorities and other organizations to actively promote digital privacy. There are plenty of technological possibilities to be active in the digital realm without having your privacy violated.”
Hakobyan called on the House of Representatives to organize a technical briefing with providers of privacy-friendly solutions. “Recently, the House held a hearing with Google and Facebook, among others. It is now time to consult with parties that do respect people’s privacy.” The Privacy Coalition invited the Committee on Digital Affairs to continue the conversation with stakeholders and seek solutions.
“As far as I’m concerned, privacy is non-negotiable”, commented Lisa van Ginneken upon receiving the manifesto. Van Ginneken is a member of the Digital Affairs Committee on behalf of D66. “It is a basic principle that guarantees our freedom and our right not to be spied upon either in physical space or on the Internet. Digital human rights should not be the final element, but rather the starting point of any technological development.”
You can read the current manifesto of the Privacy Coalition and all co-signatories HERE.
Recently, the Netherlands Standardisation Forum issued an advice to the government to ensure that public Wi-Fi networks for guest use are always secure. The independent advisory body recommends improving Wi-Fi security by using the WPA2-Enterprise standard. This recommendation applies to all public and semi-public institutions in the Netherlands and therefore has an impact on thousands of Wi-Fi networks.
The Standardisation Forum facilitates digital cooperation (interoperability) between government organizations and between government, businesses and citizens. It is the advisory body for the public sector regarding the use of open standards. According to its own website, all standards that the Forum recommends have been thoroughly tested, lower costs and reduce the risk of internet fraud and data abuse. The recent recommendation came after a request over a year ago by Privacy First and Wi-Fi roaming provider Publicroam. Privacy First and Publicroam requested the Forum to mandate WPA2-Enterprise as the standard for access to guest Wi-Fi. The Standardization Forum then decided to conduct further research, resulting in its current opinion.
Stop offering insecure guest Wi-Fi
Privacy First chairman Paul Korremans is delighted with the advice: "It took a while, but now there is a clear recommendation. The Standardisation Forum calls for the secure provision of guest Wi-Fi, preferably using the WPA2-Enterprise standard. This recommendation creates clarity for all parties involved in setting up and managing public Wi-Fi networks within government institutions. Moreover, the recommendation will likely have a broader effect: in our view, the Forum is saying that we need to stop offering insecure guest Wi-Fi altogether."
The Netherlands at the vanguard
The Standardisation Forum made its decision in the summer of 2021 after several expert meetings and a public consultation. The recommendation was added to the existing obligation around WPA2-Enterprise in early September. The Netherlands is one of the first countries to have such an obligation.
Experts consider the standard WPA2-Enterprise (and its successor WPA3-Enterprise) to be the most suitable method for achieving secure Wi-Fi access. The standard is mandatory for Wi-Fi access for government employees and is widely used by businesses and educational institutions among others. Because it is a long-standing open standard, it is widely available and easy to implement.
A coalition of civil rights organizations in the Netherlands that had previously won a lawsuit against System Risk Indication (SyRI) is calling on the Dutch Senate to reject an even more sweeping Bill dubbed ‘Super SyRI’. According to the parties, the proposal is on a collision course with the rule of law while the Dutch government refuses to learn lessons from the childcare benefits scandal, one of the largest scandals in Dutch politics in recent decades.
The Data Processing by Partnerships Act (Wet Gegevensverwerking door Samenwerkingsverbanden, WGS) enables Dutch government agencies and companies to link together the data stored about citizens and companies through partnerships. Public authorities and companies that take part in such cooperative frameworks are obliged to pool together their data. This should help in the fight against all kinds of crime and offenses.
Under the Act, it is not just data that companies and public authorities share with each other. Signals, suspicions and blacklists are also exchanged and linked together. On the basis of this form of shadow record-keeping, these parties can coordinate with each other enforcement ‘interventions’ against citizens who end up in their crosshairs.
Public authorities and companies targeting citizens through data surveillance
In order to enable the large-scale sharing of personal data between public authorities and companies, the Act casts aside numerous confidentiality obligations, privacy rights and legal safeguards that have traditionally applied to the processing of personal data. This leads to a "far-reaching, large-scale erosion of the legal protection of citizens", according to the opposing coalition of which Privacy First is a member: "If this Bill is adopted, the door will be left wide open for the executive branch of the government and private parties to subject both citizens and companies to arbitrary data surveillance."
Through the Act, the Dutch government also wants to create the possibility to start new partnerships in case of ‘urgency’, without providing Parliament the opportunity of examination. The Dutch House of Representatives will be informed about such partnerships only after their establishment, then having to decide whether to pass them into law. This is contrary to the Dutch Constitution, which stipulates that legislation approved by Parliament should include privacy protections. The parties find it unacceptable that Parliament is not involved in the formation of new partnerships and can decide on them only after they have been established.
Legitimizing unlawful practices that have lasted for years
In addition to the possibility of establishing new partnerships, the Act includes four partnerships that have been around for years, but have never been laid down in law. The cabinet now wants to retroactively create a legal basis for these partnerships.
The parties that brought legal proceedings against System Risk Indication (SyRI) point out that SyRI, which was prohibited by the court, was also used for years without a legal basis. According to the parties, there are strong similarities with the partnerships that the new Bill is now intended to legitimize: "Drastic practices in which personal data are processed in violation of the fundamental rights of citizens were set up as a trial and continued for years, only to be given a legal basis as a fait accompli. Fundamental rights that should protect citizens against unjustified government action thereby become mere obstacles for the government to overcome."
Risk assessments, blacklists and suspicions
The coalition previously wrote that the practices under the Act are in many ways similar to the data processing that preceded the childcare benefits scandal that sent shock waves through Dutch society. Based on secret data analyses, lists of citizens who had been falsely labeled by the tax authorities as criminal fraudsters were distributed through various agencies, ruining the personal lives of tens of thousands of families. Under the partnerships that would be made possible by the Act, public authorities and companies would be able to abundantly share risk analyses, blacklists and many other types of data, suspicions and signals about citizens. The Dutch Data Protection Authority advised the Senate in November 2021 not to pass the law, stating that the proposal could lead to "Kafkaesque situations for large numbers of people".
The civil society coalition against SyRI consists of the Dutch Civil Rights Platform (Platform Bescherming Burgerrechten), the Dutch Lawyers Committee for Human Rights (NJCM), Dutch trade union FNV, the Dutch National Clients Council, Privacy First, the KDVP Foundation and authors Maxim Februari and Tommy Wieringa.
Download the recent letter by the coalition to the Dutch Senate HERE (pdf in Dutch).
Source: https://bijvoorbaatverdacht.nl/syri-coalitie-eerste-kamer-moet-datasurveillancewet-super-syri-afwijzen/, 15 February 2022.
A Dutch court has ruled on appeal in the summary proceedings brought by Privacy First concerning the Ultimate Beneficial Owners (UBO) register. Like the preliminary relief court, the Court of Appeal of The Hague unfortunately rejected Privacy First’s claims.
The court in preliminary relief proceedings earlier confirmed that there is every reason to doubt the legal validity of the European money laundering directives that form the basis for the UBO register. The judge ruled that it cannot be precluded that the highest European court, the Court of Justice of the EU (CJEU), will conclude that the public nature of the UBO register is not in line with the principle of proportionality. The ruling of the CJEU is expected in mid-2022.
Existing legal entities in the Netherlands do not have to register their UBOs until 27 March 2022. This is different for new legal entities: these have to register their UBOs immediately. The Court of Appeal of The Hague deems it unlikely that these UBOs will suffer serious damage in the short term and points out that UBOs fearing to be at risk from the disclosure of personal data can immediately shield these data from the general public. Dutch law provides for this possibility. The Hague Court of Appeal called this ‘a simple way to prevent UBO data from becoming or remaining public’. UBOs can apply to the Trade Register for shielding. As long as such applications are pending, UBO data will actually be protected. Now that the Court of Appeal has so emphatically pointed out this possibility, it is expected that many UBOs will follow this route.
‘The solution must come from the highest European court, the Court of Justice of the EU’, comments Privacy First’s attorney, Otto Volgenant of Boekx Attorneys. ‘It will rule on this in mid-2022. I expect that the Court will mark the end of the open nature of the UBO register. Thus far hardly any data have been entered into the register and I advise everyone to just wait as long as possible. The Dutch government has arbitrarily chosen a date by which UBOs must provide their data, namely 27 March 2022. It would be wise to postpone that end date by a few months until after the CJEU has provided clarity. That would prevent a lot of trouble and unnecessary costs.’
The judgment (in Dutch) of the district court in preliminary relief proceedings can be found here:
while the judgment (in Dutch) of the Court of Appeal can be found here:
Update 14 April 2022: further legal action by Privacy First against the UBO register may follow in mid-2022, depending on the outcome of similar Luxembourg lawsuits at the EU Court. Recently, Dutch Parliament passed a motion that until the ruling of the EU Court no fines should be imposed on organizations that have not yet registered their UBOs. It also seems that the UBO registration obligation of foundations and associations will not be enforced for the time being. Privacy First closely follows these developments and tries to have a positive influence on them as much as possible.
The hearing at the court of appeal in The Hague in the proceedings of Privacy First against the register for Ultimate Beneficial Owners (UBO) is scheduled for Monday, 27 September 2021.
Following the very critical advice of the European Data Protection Supervisor (EDPS), the district court of The Hague confirmed on 18 March 2021 that there is every reason to doubt the validity of the European money laundering directives that form the basis for the UBO register. The judge ruled that it cannot be excluded that the highest European court, the Court of Justice of the EU (CJEU), will conclude that the public nature of the UBO register is not in line with the principle of proportionality. Since a Luxembourg local court has already refered questions about this to the CJEU, the Dutch court in summary proceedings did not find it necessary to ask questions about it as well. Privacy First has appealed the judgment in these summary proceedings, taking the case to the court of appeal of The Hague. Our appeal summons can be found here (pdf in Dutch).
Privacy First requests the court of appeal to ask preliminary questions on the UBO register to the European Court of Justice and calls for the suspension of the operation of the UBO register until these questions have been answered. Privacy First also asks the court to temporarily suspend the public accessibility of the UBO register, at least until the CJEU has ruled on this matter. The court of appeal's ruling is expected a few weeks after the hearing on 27 September 2021.
‘‘The UBO register will put privacy-sensitive data of millions of people up for grabs’’, Privacy First’s attorney Otto Volgenant of Boekx Attorneys comments. ‘‘There are doubts from all sides whether this is an effective tool in the fight against money laundering and terrorism financing. It’s like using a sledgehammer to crack a nut. The Court of Justice of the EU will ultimately rule on this. I expect that it will annul the UBO register – at least its public accessibility. Until then, I advise UBOs not to submit any data to the UBO register. Once data have been made public, they cannot be retrieved.’’
Background of the lawsuit against the UBO register
Privacy First is bringing a lawsuit against the Dutch government regarding the UBO Register which was introduced in 2020. In summary proceedings, the invalidity of the EU regulations on which the UBO register is based are being invoked. The consequences of this new legislation are far-reaching. After all, it concerns very privacy-sensitive information. Data about the financial situation of natural persons will be out in the open. More than 1.5 million legal entities in the Netherlands that are listed in the Dutch Trade Register will have to disclose information about their ultimate beneficial owners. The UBO register is accessible to everyone, for €2.50 per retrieval. This level of public accessibility is not proportionate.
On 24 June 2020, the Dutch ‘Implementation Act on Registration of Ultimate Beneficial Owners of Companies and Other Legal Entities’ entered into force. Based on this new Act, a new UBO register linked to the Trade Register of the Netherlands Chamber of Commerce will contain information on all ultimate beneficial owners of companies and other legal entities incorporated in the Netherlands. This information must indicate the interest of the UBO, i.e. 25-50%, 50-75% or more than 75%. In any case, the UBO’s name, month and year of birth as well as nationality will be publicly available for everyone to consult, with all the privacy risks this entails.
Since 27 September 2020, newly established entities must register their UBO in the UBO Register. Existing legal entities have until March 27 2022 to register their UBOs. The law gives only very limited options for shielding information. This is only possible for persons secured by the police, for minors and for those under guardianship. The result will be that the interests of almost all UBOs will become public knowledge.
European Anti-Money Laundering Directive
This new law stems from the Fifth European Anti-Money Laundering Directive, which requires EU Member States to register and disclose to the public the personal data of UBOs. The aim of this is to combat money laundering and terrorist financing. According to the European legislator, the registration and subsequent disclosure of personal data of UBOs, including the interest that the UBO has in a company, contributes to that objective. The public nature of the register would have a deterrent effect on persons wishing to launder money or finance terrorism. But the effectiveness of a UBO register in the fight against money laundering and terrorism has never been substantiated.
Massive privacy violation and fundamental criticism
The question is whether the means does not defeat the purpose. Registering the personal data of all UBOs and making it accessible to everyone is a blanket measure of a preventive nature. 99.99% of all UBOs have nothing to do with money laundering or terrorist financing. If it was in fact proportionate to collect information on UBOs, it should be sufficient if that information is available to those government agencies involved in combating money laundering and terrorism. Making the information completely public is going too far. The European Data Protection Supervisor already ruled that this privacy violation is not proportionate. But this opinion has not led to an amendment of the European directive.
Leading up to the the debate on this law in the Dutch House of Representatives, fundamental criticism came from various quarters. The business community agitated because it feared – and now experiences – an increase in burdens and perceives privacy risks. UBOs of family-owned companies that have remained out of the public eye up until now are running major privacy and security risks. There was also a great deal of attention for the position of parties that attach great importance to the protection of data subjects, such as church communities and social organizations. As for associations and foundations that do not have owners, things are cumbersome: they have to put the data that is already in the Trade Register in another register. Unfortunately, this has not led to any changes in the regulations.
Dutch investigative journalism platform Follow the Money looked into the social costs of the Dutch UBO register. Follow the Money writes: ‘‘The UBO register entails costs, hassle and sometimes slightly absurd bureaucracy for millions of entrepreneurs and directors. The Ministry of Finance reckons the total costs of the register for the business community is 99 million Euros. Another 9 million Euros must be added for one-time implementation costs. When lawyer Volgenant hears about this amount, he reacts with dismay: 'The total costs are much higher than I thought! If you extrapolate that to the whole EU, the costs are astronomical.’’’
Favourable outcome of lawsuit is likely
Privacy First has initiated a lawsuit against the UBO register for violation of the fundamental right to privacy and the protection of personal data. Privacy First requests the Dutch judiciary to render the UBO register inoperative in the short term and to submit preliminary questions on this subject to the Court of Justice of the European Union. It would not be the first time privacy-violating regulations are repealed by the courts, something that previous Privacy First lawsuits attest to.
The Dutch law and also the underlying European directive are in conflict with the European Charter of Fundamental Rights as well as the General Data Protection Regulation. The legislator has created these regulations, but it is up to the courts to conduct a thorough review of them. Ultimately the judge will have the final say. If the (European) legislator does not pay enough attention to the protection of fundamental rights, then the (European) judge can cast the regulations aside. The Court of Justice of the European Union has previously declared regulations invalid due to privacy violations, for example the Telecom Data Protection Directive and the Privacy Shield. The Dutch courts also regularly invalidate privacy-invading regulations. Privacy First has previously successfully challenged the validity of legislation, for example in the proceedings about the Telecommunications Data Retention Act and in the proceedings against SyRI. Viewed against this background, the lawsuit against the UBO register is considered very promising.
Update 27 September 2021: this afternoon the court session took place in The Hague; click HERE for the pleading of our lawyer (pdf in Dutch). The judgment of the court of appeal is scheduled for 16 November 2021.
As an NGO that promotes civil rights and privacy protection, Privacy First has been concerned with financial privacy for years. Since 2017, we have been keeping close track of the developments surrounding the second European Payment Services Directive (PSD2), pointing out the dangers to the privacy of consumers. In particular, we focus on privacy issues related to ‘account information service providers’ (AISPs) and on the dangerous possibilities offered by PSD2 to process personal data in more extensive ways.
At the end of 2017, we assumed that providing more adequate information and more transparency to consumers would be sufficient to mitigate the risks associated with PSD2. However, these risks turned out to be greater and of a more fundamental nature. We therefore decided to launch a bilingual (Dutch & English) website called PSD2meniet.nl in order to outline both our concerns and our solutions with regard to PSD2.
Central to our project is the Don’t-PSD2-Me-Register, an idea we launched on 7 January 2019 in the Dutch television program Radar and in this press release. The aim of the Don’t-PSD2-Me-Register is to provide a real tool to consumers with which they can filter out and thus protect their personal data. In time, more options to filter out and restrict the use of data should become available. With this project, Privacy First aims to contribute to positive improvements to PSD2 and its implementation.
Protection of special personal data
In this project, which is supported by the SIDN Fund, Privacy First has focused particularly on ‘special personal data’, such as those generated through payments made to trade unions, political parties, religious organizations, LGBT advocacy groups or medical service providers. Payments made to the Dutch Central Judicial Collection Agency equally reveal parts of people’s lives that require extra protection. These special personal data directly touch upon the issue of fundamental human rights. When consumers use AISPs under PSD2, their data can be shared more widely among third parties. PSD2 indirectly allows data that are currently protected, to become widely known, for example by being included in consumer profiles or black lists.
The best form of protection is to prevent special personal data from getting processed in the first place. That is why we have built the Don’t-PSD2-Me-Register, with an Application Programming Interface (API) – essentially a privacy filter – wrapped around it. With this filter, AISPs can detect and filter out account numbers and thus prevent special personal data from being unnecessarily processed or provided to third parties. Moreover, the register informs consumers and gives them a genuine choice as to whether or not they wish to share their data.
We have outlined many of the results we have achieved in a Whitepaper, which has been sent to stakeholders such as the European Commission, the European Data Protection Board (EDPB) and the Dutch Data Protection Authority. And of course, to as many AISPs as possible, because if they decide to adopt the measures we propose, they would be protecting privacy by design. Our Whitepaper contains a number of examples and good practices on how to enhance privacy protection. Among other things, it lays out how to improve the transparency of account information services. We hope that AISPs will take the recommendations in our Whitepaper to heart.
Our Application Programming Interface (API) has already been adopted by a service provider called Gatekeeper for Open Banking. We support this start up’s continued development, and we make suggestions on how the privacy filter can be best incorporated into their design and services. When AISPs use Gatekeeper, consumers get the control over their data that they deserve.
Knowing that the European Commission will not be evaluating PSD2 until 2022, we are glad to have been able to convey our own thoughts through our Whitepaper. Along with the API we have developed and distributed, it is an important tool for any AISP that takes the privacy of its consumers seriously.
Privacy First will continue to monitor all developments related to the second Payment Services Directive. Our website PSD2meniet.nl will remain up and running and will continue to be the must-visit platform for any updates on this topic.
A Dutch court has today handed down a judgment in preliminary injunction proceedings brought by Privacy First concerning the UBO register. The district court of The Hague confirmed that there is every reason to doubt the legality of the European money laundering directives which are the foundation of the UBO register. On this point the judge follows the very critical opinion of the European Data Protection Supervisor. The interim proceedings court rules that it cannot be excluded that the Court of Justice of the European Union (CJEU) will come to the conclusion that the public character of the UBO register is at odds with the proportionality principle. Questions over its legality were recently referred to the CJEU by a Luxembourg national court. As such, the Dutch court felt there is no need to do the same.
Privacy First had also requested a temporary deactivation of the UBO register. This, however, is a step too far for the court, which states that deactivating the register is not possible as long as the underlying EU guideline is still in force. It would put the Netherlands in a position in which it operates in violation of the European guideline. With this claim, the judge says, Privacy First is getting ahead of itself. Privacy First will examine the ruling on this point, also in view of possibly going into appeal.
‘The introduction of the UBO register would mean that privacy-sensitive data of millions of people will be up for grabs’, comments Privacy First’s attorney Otto Volgenant of Boekx Attorneys.’On all sides there are strong doubts whether this is actually an effective means in the fight against money laundering and terrorism. It’s like using a sledgehammer to crack a nut. The Court of Justice of the European Union will eventually adjudicate the case, and I expect it will annul the UBO register.’
At the start of this year, the Privacy First Foundation initiated fundamental legal action against the Dutch government on account of the new UBO register, which is linked to the Trade Register of the Dutch Chamber of Commerce. Under the law the UBO register is based on, all 1.5 million Dutch legal entities that are included in the Trade Register will have to make public all sorts of privacy-sensitive data about their Ultimate Beneficial Owners. This concerns personal data of millions of directors, shareholders and high executives of companies (including family businesses), foundations, associations, churches, social organizations, charities, etc. Privacy First deems that this is a massive privacy violation, one which also creates personal safety risks. That is why Privacy First has asked the court to immediately declare the UBO register unlawful. A lot of information in the register will be publicly available and can be requested by anyone. In Privacy First’s opinion this is completely disproportionate and an infringement of European privacy law. The CJEU will examine whether the European legislation on which the UBO register is based violates the fundamental right to privacy.
The ruling (in Dutch) by the interim proceedings court can be found here: http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBDHA:2021:2457.
Update 15 April 2021: yesterday Privacy First filed an urgent appeal against the entire judgment with the Court of Appeal of The Hague. The appeal subpoena can be found HERE (pdf in Dutch). Privacy First requests the Court, inter alia, to ask preliminary questions about the UBO register to the European Court of Justice and to suspend the UBO register until these questions are answered. In view of the major interests at stake, Privacy First hopes that the Court of Appeal of The Hague will hear this case as soon as possible.
Update 17 August 2021: the court hearing in the urgent appeal of Privacy First against the judgment will take place on Monday 27 September at the Court of Appeal in The Hague.
Privacy First initiates legal action against the Dutch government on account of the recently-introduced UBO register. The preliminary injunction proceedings point at the invalidity of the legislation on which this register is based. The consequences of this new piece of legislation are far-reaching as the register contains very privacy-sensitive information. Data relating to the financial situation of natural persons will be up for grabs. More than 1.5 million legal entities that are registered in the Dutch Trade Register will have to make public details about their Ultimate Beneficial Owners (UBOs). The UBO register is publicly accessible: a request for information costs €2.50.
The UBO register aims to prevent money laundering but will lead to defamation.
The privacy breach that is the result of the UBO register and the public accessibility of sensitive data are disproportionate. The goal of the register is to thwart money laundering and terrorist financing. In order to achieve this goal there is no need for a UBO register, at least not one that is publicly accessible.
That is why Privacy First wants the UBO register to be rendered inoperative by a court, which, in case necessary, should submit questions of interpretation to the highest court in Europe: the European Court of Justice. In cases like these, the judiciary will have the final say. It is not uncommon for a court to overrule privacy-violating legislation and in this respect, Privacy First’s litigation has been successful in the past.
The proceedings will take place before The Hague District Court on 25 February 2021 at 12pm. The entire summons can be found HERE (pdf in Dutch). The ruling will follow two or three weeks after the hearing.
Background of the UBO register case
On 24 June 2020, the Dutch ‘Implementation Act for the Registration of Ultimate Beneficial Owners of Companies and Other Legal Entities’ came into effect in the Netherlands. On the basis of this new Act, a new UBO register which is linked to the Commercial Register of the Dutch Chamber of Commerce will contain information about all ultimate beneficial owners of companies and other legal entities founded in the Netherlands. The register should indicate how many shares are owned by the UBO: 25-50%, 50-75% or more than 75%. Furthermore, the name, month and year of birth as well as the nationality of the UBO will be made public, with all the privacy risks this entails.
Since 27 September 2020, newly founded entities have to register the ultimate beneficial owners in the UBO register. Existing legal entities will have to do so before 27 March 2022.
The Act provides very few possibilities to safeguard information. This is possible only for persons that are protected by the police, minors and those placed under guardianship. This means that the shares of practically every UBO will become a matter of public record. Anyone has access to the UBO register, with extracts coming at a price of €2.50.
European money laundering directive
The new Act stems from the fifth European money laundering directive, which obliges EU Member States to register UBOs and disclose their details to the public. According to the European legislator, this contributes to the proclaimed objective of countering money laundering and terrorist financing. The transparency is supposed to be a deterrent for persons who set out to launder money or finance terrorism.
Massive privacy violation and fundamental criticism
The question is whether this produces a windfall effect. Registering the personal data of all UBOs and making these publicly available is a generic precautionary measure. 99.99% of UBOs have nothing to do with money laundering or terrorist financing. Even if it were proportionate to collect information on all UBOs, making that information available only to government agencies engaged in combating money laundering and terrorism should suffice. It is not appropriate to disclose that information to everyone. The European Data Protection Supervisor (EDPS) deemed this privacy violation to be disproportionate. This opinion, however, did not lead to an amendment of the European Directive.
When this Act was discussed in Dutch Parliament, fundamental criticism came from various corners of society. The business community made its voice heard because it perceived privacy risks and feared − and now indeed experiences − an increase in costs. UBOs of family-owned companies that have remained out of the public eye up until now are running major privacy and security risks. There was also a great deal of attention for the position of social organizations − such as church communities and NGOs − that attach great importance to the protection of those affiliated with them. Associations and foundations that do not have owners face a different burden: they have to put the data that are already in the Trade Register in yet another register. Unfortunately these complaints have not resulted in any changes to the legislation.
Legal proceedings look promising
Privacy First has initiated legal proceedings against the UBO register for violation of the fundamental right to privacy and the protection of personal data. Privacy First asks the Dutch court to render the UBO register inoperative in the short term and, if necessary, to submit questions of interpretation on this matter to the highest court in Europe, the Court of Justice of the European Union.
The Dutch Act as well as the underlying European directive are in conflict with both the European Charter of Fundamental Rights and the GDPR. It is the legislator who has created this legislation, but it will be up to the court to do a thorough review thereof. Ultimately, the court has the last word. If the (European) legislator fails to take adequate account of the protection of fundamental rights, then the (European) court can invalidate this legislation. This would not be unique. The Court of Justice of the European Union has previously declared legislation invalid due to privacy violations, for example the Data Retention Directive and, more recently, the Privacy Shield. Dutch courts too regularly annul privacy-invading regulations. Privacy First has previously successfully challenged the validity of legislation, for example in the proceedings concerning the Telecommunications Data Retention Act and the System Risk Indication (SyRI). Viewed against this background, a positive outcome in the case against the UBO register is all but unlikely.