How does the 5th Directive of the European Union affect the Rights of Ultimate Beneficial Owners to the Protection of their Personal Data

What do the 4th and 5th EU Directives deal with?

The 4th and 5th Directives of the European Union (EU) deal with the measures for the prevention of the use of EU’s financial system to legitimize revenues from illegal activities, for terrorist financing, as well as for the transparency of corporate transactions and the corporate governance of the ultimate beneficial owners. They also deal with the measures to be adopted for the creation of an environment that will prevent ulterior motives with a view to improving the existing preventive framework.

The 4th Directive 2015/849/EU was incorporated into Cyprus law in April 2018, by the amendment of the Prevention and Suppression of Money Laundering Activities Law of 2007 (188(1)/2007). The 4th Directive requires service providers to identify and verify the identity of the ultimate beneficial owners by means of enhanced due diligence measures and to create a central register (the Register) which will be kept by the EU Member States, in which all corporate and other legal entities must enter the details of their ultimate beneficial owners.

The 4th Directive provides that the Register will be accessible to (i) obliged entities, within the framework of customer due diligence (KYC), (ii) competent authorities and units combatting money laundering  (Units) and (iii) any person or organisation that can demonstrate a legitimate interest.

The 5th Directive 2018/843/EU enhances the measures on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing that had been adopted in accordance with the 4th Directive. The main areas affected by the new requirements of the Directive are ultimate beneficial owners (UBO), politically exposed persons (PEPs), high value goods, high risk third countries, providers engaged in exchange services between virtual currencies and fiat currencies, cryptocurrencies, the provision of custodian wallet services and custodian wallet providers, prepaid cards and the lifting of the anonymity of virtual currencies, the creation of a register of bank accounts, the strengthening of due diligence measures, the inclusion of obliged entities and provisions for strengthening cooperation between supervisory authorities.  

The following changes are made to the Registers and the disclosure of personal data:

i. With regards to the register of the beneficial owners of corporate and other legal entities, the condition of having to demonstrate a legitimate interest is removed, by the adoption of precise rules concerning public access, to any member of the general public to be able to ascertain, throughout the EU, who the ultimate beneficial owners are.

ii. With regards to the register of the beneficial owners of trusts and similar legal arrangements access will be granted to any person that can demonstrate a legitimate interest.

iii. Banks must keep their own registers which will include bank accounts or payment accounts as well as the ultimate beneficial owners of safe-deposit boxes.

Definition and Identification of beneficial owners

The term “beneficial owner” means any natural person(s) who ultimately owns or controls the customer and/or the natural person(s) on whose behalf a transaction or activity is being conducted (in the case of corporate entities: a shareholding of 25 % plus one share or an ownership interest of more than 25 % in the customer held by a natural person shall be an indication of direct ownership (the Directive sets out clear provisions for the beneficial owners of companies, legal entities and trusts).

According to the Directive, Member States shall require that verification of the identity of the customer and the beneficial owner take place before the establishment of a business relationship or the carrying out of the transaction. 

By way of derogation from the above paragraph, Member States may allow verification of the identity of the customer and the beneficial owner to be completed during the establishment of a business relationship if necessary so as not to interrupt the normal conduct of business and where there is little risk of money laundering or terrorist financing.

Operation of Registers and Disclosure of Personal Data

According to the provisions of the 5th Directive, the amendments should have been transposed  into the national law of the Member States  by 10 January 2020, and registers of beneficial owners of corporate and other legal entities should have been established by 10 January 2020 and registers of beneficial owners of trusts and similar legal arrangements should have been established by 10 March 2020. Member States should set up centralised automated mechanisms allowing the identification of holders of bank and payment accounts and safe-deposit boxes by 10 September 2020.

The Register will contain sensitive information concerning the beneficial owners such as: their name, year of birth, nationality and voting rights in the relevant legal entity and shall provide for access to additional information enabling the identification of the beneficial owner. That additional information shall include at least the date of birth or contact details of the beneficial owners.

According to the Directive, the processing of personal data by obliged entities should be limited to what is necessary  for the purposes of the prevention of money laundering and terrorist financing and personal data should not be further processed in a way that is incompatible with that purpose. The processing of personal data for other purposes, e.g. commercial purposes shall be strictly prohibited.

To date, most Member States have not complied with the 5th Directive (many Member States have not even complied with the 4th Directive) due to its complexity and its provisions, which in many cases violate fundamental rights and other laws (personal data) of the Member States.

It appears that most EU countries find it difficult to harmonize domestic frameworks and legislation in order to fully comply with the 5th Directive and prefer, if possible, to follow a waiting approach to see how the system will work in practice in other countries.

Avoiding the Violation of Personal Data

When analysing the 5th Directive, extensive reference is made to the fact that a fair balance should be sought in particular between the general public interest in the prevention of money laundering and terrorist financing and the data subjects’ fundamental rights. In essence, however, the Directive requires Member States to take measures that conflict with these rights and violate fundamental rights contrary to the provisions of the Constitution and personal data laws.

When implementing the legal framework and during the operation of the Register, the following should be taken into account in Cyprus:

• that the right to privacy is enshrined in many provisions of the Universal Declaration of Human Rights (Article 12, right to privacy), in the Charter of Fundamental Rights of the EU (Article 7, Respect of Private and Family Life, Article 8, Protection of Personal Data), the Treaty on the Functioning of the European Union (Article 16 which provides that everyone has the right to the protection of his personal data), Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), the principle of proportionality based on Article 50 of the Directive, the judgments of the European Courts of Justice, the Constitutions of the Member States, including Article 15 of the Constitution of the Republic of Cyprus (the Right to Respect of Private and Family Life) and the Personal Data Protection Law of 2018 (N. 125 (I)/2018).

• the serious concerns regarding the adoption of regulations governing the Register expressed by the European Data Protection Supervisor (EDPS) which issued an opinion providing that everyone has the right to the protection of his personal data, noting that the Directive comes into conflict with Fundamental Rights, the General Data Protection Regulation (GDPR) and the principle of proportionality, as well as the judgments of the European Courts of Justice.
On the basis of the General Data Protection Regulation (GDPR), the processing of personal data must: a. be lawful (including the consent of the data subject under Article 6(1)(a)), fair and transparent in relation to the underlying data, b. be collected for specific, explicit and lawful purposes and not to be further processed in a manner that is incompatible with those purposes, c. be sufficient, relevant and limited in relation to their use and in accordance with the purposes of the processing, d. be accurate and kept up to date where necessary.

• that the European Courts are not in favour of the mass disclosure of data. In their judgments, they suggest:

i. argumentation in the context of the protection of privacy (case of the Supreme Court of Ireland, (Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources [2010]),

ii. that the persons behind companies, the beneficial owners, have the same privacy rights, and do not lose those rights due to commercial interests (European Court of Justice delivering a judgment in relation to Article 8 (Protection of Personal Data) in Société Colas Est v France (2004) 39 EHRR 17; [2012] ECHR 421),

iii. that general access to the content of electronic communication without any limitation or exception constitutes a breach of confidentiality and data protection (Court of Justice of the European Union).

• That the Articles of the Directive themselves encourage the following:

i. the seeking of a fair balance (paragraph 34 of the Preamble) between the general public interest and the data subjects’ fundamental rights,

ii. the set of data to be made available to the public should be limited (paragraph 34 of the Preamble) so as to minimise the potential prejudice to the beneficial owners,

iii. the introduction of exemptions (paragraph 36 of the Preamble) with the aim of ensuring a proportionate and balanced approach and to guarantee the rights to private life and personal data protection, and to access such information, in exceptional circumstances, where that information would expose the beneficial owner to a disproportionate risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation.

Recommendations regarding the implementation of the legal framework in Cyprus

In Cyprus, a bill of law has been prepared which is available for adoption which deals with the provisions implementing the 5th Directive in Cyprus and amends relevant legislation and regulations concerning the operation of the relevant registers, the process for the registration of each person requesting information and submitting objections to the disclosure.

The EU recently announced that 17 countries had lost the official deadline of 10 January 2020 for entering data in the Public Registry of Beneficial Owners and 8 other countries had partially complied and warning letters had been sent encouraging them to do so urgently.

It appears that Member States find it difficult to promote the Directive due to its complexity and multiple contradictions / violations arising in relation to fundamental rights and other EU laws, but also because there are complex procedures for maintaining / updating records and exchanging information.

It is necessary to study the Directive in full in order for it to be applicable and fully harmonized with the fundamental rights and principles referred to in the above section and to safeguard the data of the data subjects to a greater extent, by adopting practices of other European states that approached the issue in a more compromising way, so as to allow public access only if the necessary procedures are followed and only a subset of the data is disclosed to the public.

The following was adopted in most European countries:

i. the public has free access to the Register only to limited information regarding the details concerning the name and surname (in some cases the non-inclusion of the full name was discussed), the citizenship and the type and extent of the rights held by beneficial owners, in order to safeguard their rights and avoid exposing them to the risk of fraud, abduction, extortion, violence or intimidation.

ii. exception to the disclosure of the data of minors and persons incapable of taking legal action.

iii. application of a process so that the beneficial owner can request an exception from the publication of his data in the Register due to special circumstances.

iv. no obligation for the beneficial owner to be registered in case of a. companies listed on the stock exchange, public bodies, associations of owners and partnerships, b. companies and partnerships where the data of their beneficial owners are accessible from another electronic register (such as a company register, stock exchange, etc.) c. companies that do not have ultimate beneficial owners (none of the ultimate beneficial owners holds more than 25%).

v. publication of the data of beneficial owners of trusts to persons who can prove the existence of a legitimate interest and possibility of rejecting a written application if there is good reason to suspect that the written request is not in accordance with the objectives of the Directive which is to prevent the use of the financial system of the EU for money laundering and terrorist financing and not for commercial purposes.

vi. the requirement to register any person requesting information in order to identify any person requesting information from the Register.

Taking into account the importance of the Directive and the importance of fundamental rights, our country must exhaust all time limits for implementing the Directive governing the Register, citing legal impediments to its application, and exhaust all exceptions afforded by the Directive, the legislation and international declarations, the jurisprudence and the guidelines of the Courts and should also to follow the example of other countries that have placed safeguards in order to protect the fundamental rights of data subjects.

Article published to In Business and Kratos Dikaiou Think tank, on June 2020, by our Managing Partner Panikos Symeou.