IP case law Court of Justice

Judgment of 22 Nov 2022, C-37/20 (Luxembourg Business Registers)

Charter of fundamental rights of the EU > Article 7 - Respect for private and family life
Charter of fundamental rights of the EU > Article 8 - Protection of personal data
Charter of fundamental rights of the EU > Article 52 - Scope of guaranteed rights

JUDGMENT OF THE COURT (Grand Chamber)

22 November 2022 (*)

(Reference for a preliminary ruling – Prevention of the use of the financial system for the purposes of money laundering or terrorist financing – Directive (EU) 2018/843 amending Directive (EU) 2015/849 – Amendment to Article 30(5), first subparagraph, point (c), of Directive 2015/849 – Access for any member of the general public to the information on beneficial ownership – Validity – Articles 7 and 8 of the Charter of Fundamental Rights of the European Union – Respect for private and family life – Protection of personal data)

In Joined Cases C-37/20 and C-601/20,

TWO REQUESTS for a preliminary ruling under Article 267 TFEU from the tribunal d’arrondissement de Luxembourg (Luxembourg District Court, Luxembourg), made by decisions of 24 January 2020 and 13 October 2020, received at the Court on 24 January 2020 and 13 November 2020 respectively, in the proceedings

WM (C-37/20),

Sovim SA (C-601/20)

v

Luxembourg Business Registers,

THE COURT (Grand Chamber),

composed of K. Lenaerts, President, A. Arabadjiev, A. Prechal, K. Jürimäe, C. Lycourgos, E. Regan, M. Safjan, P.G. Xuereb, L.S. Rossi, Presidents of Chambers, S. Rodin, F. Biltgen, N. Piçarra, I. Jarukaitis, A. Kumin (Rapporteur) and I. Ziemele, Judges,

Advocate General: G. Pitruzzella,

Registrar: L. Carrasco Marco, Administrator,

having regard to the written procedure and further to the hearing on 19 October 2021,

after considering the observations submitted on behalf of:

–        WM, by M. Jammaers, A. Komninos, L. Lorang and V. Staudt, avocats,

–        Sovim SA, by P. Elvinger and K. Veranneman, avocats,

–        the Luxembourg Government, by A. Germeaux, C. Schiltz and T. Uri, acting as Agents,

–        the Austrian Government, by M. Augustin, A. Posch and J. Schmoll, acting as Agents,

–        the Finnish Government, by M. Pere, acting as Agent,

–        the Norwegian Government, by J.T. Kaasin and G. Østerman Thengs, acting as Agents,

–        the European Parliament, by J. Etienne, O. Hrstková Šolcová and M. Menegatti, acting as Agents,

–        the Council of the European Union, by M. Chavrier, I. Gurov and K. Pleśniak, acting as Agents,

–        the European Commission, by V. Di Bucci, C. Giolito, L. Havas, H. Kranenborg, D. Nardi, T. Scharf and H. Tserepa-Lacombe, acting as Agents,

–        the European Data Protection Supervisor, by C.-A. Marnier, acting as Agent,

after hearing the Opinion of the Advocate General at the sitting on 20 January 2022,

gives the following

Judgment

1        These requests for a preliminary ruling concern, in essence, the validity of Article 1(15)(c) of Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU (OJ 2018 L 156, p. 43), in so far as Article 1(15)(c) amended point (c) of the first subparagraph of Article 30(5) of Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ 2015 L 141, p. 73), and also the interpretation, first, of Article 30(9) of Directive 2015/849, as amended by Directive 2018/843 (‘Directive 2015/849 as amended’), and, secondly, of Article 5(1)(a) to (c) and (f), Article 25(2) and Articles 44 to 50 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).

2        The requests have been made in two sets of proceedings, the first between WM and Luxembourg Business Registers (‘LBR’) (Case C-37/20) and the second between Sovim SA and LBR (Case C-601/20), concerning LBR’s refusal to prevent the general public’s access to information concerning, first, WM’s status as the beneficial owner of a real estate company and, secondly, Sovim’s beneficial owner.

 Legal context

 European Union law

 Directives 2015/849, 2018/843, and 2015/849 as amended

3        Recitals 4, 30, 31, 34, 36 and 38 of Directive 2018/843 state:

‘(4)      … [it is necessary] to further increase the overall transparency of the economic and financial environment of the Union … The prevention of money laundering and of terrorist financing cannot be effective unless the environment is hostile to criminals seeking shelter for their finances through non-transparent structures. The integrity of the Union financial system is dependent on the transparency of corporate and other legal entities, trusts and similar legal arrangements. This Directive aims not only to detect and investigate money laundering, but also to prevent it from occurring. Enhancing transparency could be a powerful deterrent.

(30)      Public access to beneficial ownership information allows greater scrutiny of information by civil society, including by the press or civil society organisations, and contributes to preserving trust in the integrity of business transactions and of the financial system. It can contribute to combating the misuse of corporate and other legal entities and legal arrangements for the purposes of money laundering or terrorist financing, both by helping investigations and through reputational effects, given that anyone who could enter into transactions is aware of the identity of the beneficial owners. It also facilitates the timely and efficient availability of information for financial institutions as well as authorities, including authorities of third countries, involved in combating such offences. The access to that information would also help investigations on money laundering, associated predicate offences and terrorist financing.

(31)      Confidence in financial markets from investors and the general public depends in large part on the existence of an accurate disclosure regime that provides transparency in the beneficial ownership and control structures of companies. … The potential increase in confidence in financial markets should be regarded as a positive side effect and not the purpose of increasing transparency, which is to create an environment less likely to be used for the purposes of money laundering and terrorist financing.

(34)      In all cases, both with regard to corporate and other legal entities, as well as trusts and similar legal arrangements, a fair balance should be sought in particular between the general public interest in the prevention of money laundering and terrorist financing and the data subjects’ fundamental rights. The set of data to be made available to the public should be limited, clearly and exhaustively defined, and should be of a general nature, so as to minimise the potential prejudice to the beneficial owners. At the same time, information made accessible to the public should not significantly differ from the data currently collected. In order to limit the interference with the right to respect for their private life in general and to protection of their personal data in particular, that information should relate essentially to the status of beneficial owners of corporate and other legal entities and of trusts and similar legal arrangements and should strictly concern the sphere of economic activity in which the beneficial owners operate. …

(36)      Moreover, with the aim of ensuring a proportionate and balanced approach and to guarantee the rights to private life and personal data protection, it should be possible for Member States to provide for exemptions to the disclosure through the registers of beneficial ownership information and to access to such information, in exceptional circumstances, where that information would expose the beneficial owner to a disproportionate risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation. It should also be possible for Member States to require online registration in order to identify any person who requests information from the register, as well as the payment of a fee for access to the information in the register.

(38)      [The GDPR] applies to the processing of personal data under this Directive. As a consequence, natural persons whose personal data are held in national registers as beneficial owners should be informed accordingly. Furthermore, only personal data that is up to date and corresponds to the actual beneficial owners should be made available and the beneficiaries should be informed about their rights under the current Union legal data protection framework … and the procedures applicable for exercising those rights. In addition, to prevent the abuse of the information contained in the registers and to balance out the rights of beneficial owners, Member States might find it appropriate to consider making information relating to the requesting person along with the legal basis for their request available to the beneficial owner.’

4        Article 1(1) of Directive 2015/849 as amended provides:

‘This Directive aims to prevent the use of the Union’s financial system for the purposes of money laundering and terrorist financing.’

5        Article 3 of Directive 2015/849 as amended is worded:

‘For the purposes of this Directive, the following definitions apply:

(6)      “beneficial owner” means any natural person(s) who ultimately owns or controls the customer and/or the natural person(s) on whose behalf a transaction or activity is being conducted and includes at least:

(a)      in the case of corporate entities:

(i)      the natural person(s) who ultimately owns or controls a legal entity through direct or indirect ownership of a sufficient percentage of the shares or voting rights or ownership interest in that entity …

(ii)      if, after having exhausted all possible means and provided there are no grounds for suspicion, no person under point (i) is identified, or if there is any doubt that the person(s) identified are the beneficial owner(s), the natural person(s) who hold the position of senior managing official(s), …

…’

6        Article 30(1) and (3) of Directive 2015/849 as amended provides:

‘1.      Member States shall ensure that corporate and other legal entities incorporated within their territory are required to obtain and hold adequate, accurate and current information on their beneficial ownership, including the details of the beneficial interests held.

3.      Member States shall ensure that the information referred to in paragraph 1 is held in a central register in each Member State …

…’

7        In the version prior to the entry into force of Directive 2018/843, Article 30(5) and (9) of Directive 2015/849 was worded as follows:

‘5.      Member States shall ensure that the information on the beneficial ownership is accessible in all cases to:

(a)      competent authorities and [Financial Intelligence Units], without any restriction;

(b)      obliged entities, within the framework of customer due diligence in accordance with Chapter II;

(c)      any person or organisation that can demonstrate a legitimate interest.

The persons or organisations referred to in point (c) shall access at least the name, the month and year of birth, the nationality and the country of residence of the beneficial owner as well as the nature and extent of the beneficial interest held.

9.      Member States may provide for an exemption to the access referred to in points (b) and (c) of paragraph 5 to all or part of the information on the beneficial ownership on a case-by-case basis in exceptional circumstances, where such access would expose the beneficial owner to the risk of fraud, kidnapping, blackmail, violence or intimidation, or where the beneficial owner is a minor or otherwise incapable. …’

8        Article 1(15)(c), (d) and (g) of Directive 2018/843 amended paragraph 5, inserted a paragraph 5a and amended paragraph 9, respectively, of Article 30 of Directive 2015/849. Article 30(5), (5a) and (9) of Directive 2015/849 as amended therefore states:

‘5.      Member States shall ensure that the information on the beneficial ownership is accessible in all cases to:

(a)      competent authorities and [Financial Intelligence Units], without any restriction;

(b)      obliged entities, within the framework of customer due diligence in accordance with Chapter II;

(c)      any member of the general public.

The persons referred to in point (c) shall be permitted to access at least the name, the month and year of birth and the country of residence and nationality of the beneficial owner as well as the nature and extent of the beneficial interest held.

Member States may, under conditions to be determined in national law, provide for access to additional information enabling the identification of the beneficial owner. That additional information shall include at least the date of birth or contact details in accordance with data protection rules.

5a.            Member States may choose to make the information held in their national registers referred to in paragraph 3 available on the condition of online registration and the payment of a fee, which shall not exceed the administrative costs of making the information available, including costs of maintenance and developments of the register.

9.      In exceptional circumstances to be laid down in national law, where the access referred to in points (b) and (c) of the first subparagraph of paragraph 5 would expose the beneficial owner to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or otherwise legally incapable, Member States may provide for an exemption from such access to all or part of the information on the beneficial ownership on a case-by-case basis. Member States shall ensure that these exemptions are granted upon a detailed evaluation of the exceptional nature of the circumstances. Rights to an administrative review of the exemption decision and to an effective judicial remedy shall be guaranteed. A Member State that has granted exemptions shall publish annual statistical data on the number of exemptions granted and reasons stated and report the data to the Commission.

…’

9        Article 41(1) of Directive 2015/849 as amended provides:

‘The processing of personal data under this Directive is subject to Directive 95/46/EC [of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31)], as transposed into national law. …’

 The GDPR

10      Article 5 of the GDPR, entitled ‘Principles relating to processing of personal data’, provides in paragraph 1:

‘Personal data shall be:

(a)      processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

(b)      collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; … (“purpose limitation”);

(c)      adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

(f)      processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).’

11      Article 25 of that regulation, entitled ‘Data protection by design and by default’, provides in paragraph 2:

‘The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.’

12      Article 44 of that regulation, entitled ‘General principle for transfers’, states:

‘Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.’

13      Article 49 of the GDPR, entitled ‘Derogations for specific situations’, provides:

‘1.      In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

(g)      the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

…’

14      Article 94 of that regulation provides:

‘1.      Directive 95/46/EC is repealed with effect from 25 May 2018.

2.      References to the repealed Directive shall be construed as references to this Regulation. …’

 Luxembourg law

15      Article 2 of the loi du 13 janvier 2019 instituant un Registre des bénéficiaires effectifs (Mémorial A 2019, No 15) (Law of 13 January 2019 establishing a Register of Beneficial Ownership; ‘the Law of 13 January 2019’) is worded as follows:

‘A register known as the “Register of beneficial ownership”, abbreviated “RBO”, shall be established under the authority of the Minister responsible for Justice, the purpose of which is to retain and make available information on the beneficial ownership of registered entities.’

16      Article 3(1) of that law provides:

‘The following information on the beneficial owners of registered entities must be entered and retained in the Register of Beneficial Ownership:

1°      surname;

2°      forename(s);

3°      nationality (or nationalities);

4°      day of birth;

5°      month of birth;

6°      year of birth;

7°      place of birth;

8°      country of residence;

9°      complete private or professional address …

10°      for persons registered in the National Register of Natural Persons, the identification number …;

11°      for non-residents who are not registered in the National Register of Natural Persons, a foreign identification number;

12°      the nature of the beneficial interests held;

13°      the extent of the beneficial interests held.’

17      Article 11(1) of the Law of 13 January 2019 provides:

‘In the performance of their duties, the national authorities shall have access to the information referred to in Article 3.’

18      Article 12 of that law provides:

‘Access to the information referred to in Article 3(1), (1) to (8), (12) and (13) shall be open to any person.’

19      Article 15(1) and (2) of the Law of 13 January 2019 provides:

‘A registered entity or a beneficial owner may request, on a case-by-case basis and in the following exceptional circumstances, by way of a duly reasoned application addressed to the Administrator, that access to the information listed in Article 3 be restricted to national authorities, credit institutions, financial institutions, bailiffs and notaries acting in their capacity as public officers, where access to that information would expose the beneficial owner to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or otherwise legally incapable.

The Administrator shall provisionally restrict access to the information listed in Article 3 to national authorities upon receipt of the application and until notification of its decision and, in the event that the application is refused, for an additional period of 15 days. Where an appeal is lodged against a refusal decision, the restriction of access to the information shall be maintained until such time as the refusal decision is no longer amenable to appeal.’

 The disputes in the main proceedings and the questions referred for a preliminary ruling

 Case C-37/20

20      YO, a real estate company, lodged an application with LBR, pursuant to Article 15 of the Law of 13 January 2019, requesting that access to the information concerning WM, its beneficial owner, contained in the RBO, be restricted solely to the entities mentioned in that provision, on the ground that the general public’s access to that information would seriously, actually and immediately expose WM and his family to a disproportionate risk and risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation. That application was rejected by decision of 20 November 2019.

21      On 5 December 2019, WM brought an action before the tribunal d’arrondissement de Luxembourg (Luxembourg District Court, Luxembourg), the referring court, maintaining that his position as executive officer and beneficial owner of YO and of a number of commercial companies requires him frequently to travel to countries whose political regime is unstable and where there is a high level of crime, which creates a significant risk of his being kidnapped, abducted, subjected to violence or even killed.

22      LBR disputes that argument and contends that WM’s situation does not meet the requirements of Article 15 of the Law of 13 January 2019, since WM cannot rely either on ‘exceptional circumstances’ or on any of the risks referred to in that article.

23      In that regard, the referring court raises the question of the interpretation to be given to the concepts of ‘exceptional circumstances’, ‘risk’ and ‘disproportionate’ risk within the meaning of Article 30(9) of Directive 2015/849 as amended.

24      In those circumstances, the tribunal d’arrondissement de Luxembourg (Luxembourg District Court) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      The concept of “exceptional circumstances”

(a)      Is Article 30(9) of [Directive 2015/849 as amended], in so far as it makes the restriction of access to information concerning beneficial owners conditional upon “exceptional circumstances to be laid down in national law”, to be interpreted as allowing national law to define the concept of “exceptional circumstances” simply as being equivalent to “disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation”, concepts which already constitute a condition for applying the restriction of access in accordance with the wording of Article 30(9) of [Directive 2015/849 as amended]?

(b)      In the event that Question 1(a) is answered in the negative, and in the situation where the transposing national law has not defined the concept of “exceptional circumstances” other than by a reference to the ineffective concepts of “disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation”, is Article 30(9) [of Directive 2015/849 as amended] to be interpreted as allowing a national court to disregard the condition of “exceptional circumstances”, or must it make good the national legislature’s omission by using its own authority to determine the scope of the concept of “exceptional circumstances”? In the latter case, since, according to the wording of Article 30(9) [of Directive 2015/849 as amended], that is a condition whose content is to be determined by national law, is it possible for the Court … to give guidance to the national court for that purpose? In the event that that last question is answered in the affirmative, what guidelines should the national court follow in determining the content of the concept of “exceptional circumstances”?

(2)      The concept of “risk”

(a)      Is Article 30(9) of [Directive 2015/849 as amended], in so far as it makes the restriction of access to information concerning beneficial owners conditional upon “disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation”, to be interpreted as referring to a group of eight cases, the first of which corresponds to a general risk subject to the disproportionality requirement, while the other seven correspond to specific risks not subject to the disproportionality requirement, or as referring to a group of seven cases, each of which corresponds to a specific risk subject to the disproportionality requirement?

(b)      Is Article 30(9) of [Directive 2015/849 as amended], in so far as it makes the restriction of access to information concerning beneficial owners conditional upon a “risk”, to be interpreted as confining the assessment of the existence and extent of that risk solely to the relationships which the beneficial owner has with the legal entity with regard to which he or she specifically seeks to have access to information concerning his or her status as beneficial owner restricted or as also requiring account to be taken of the relationships which the beneficial owner concerned has with other legal entities? If account must be taken of relationships with other legal entities, must account be taken only of the status of beneficial owner in relation to other legal entities or must account also be taken of any relationship whatsoever with other legal entities? If account must be taken of any relationship whatsoever with other legal entities, is the assessment of the existence and extent of the risk affected by the nature of that relationship?

(c)      Is Article 30(9) of [Directive 2015/849 as amended], in so far as it makes the restriction of access to information concerning beneficial owners conditional upon a “risk”, to be interpreted as meaning that the protection resulting from restriction of access is not afforded where that information, or any other information provided by the beneficial owner to demonstrate the existence and extent of the “risk” faced, is easily available to third parties through other information channels?

(3)      The concept of “disproportionate risk”

What competing interests must be taken into consideration in the context of applying Article 30(9) of [Directive 2015/849 as amended], in so far as it makes the restriction of access to information concerning a beneficial owner conditional upon a “disproportionate” risk?’

 Case C-601/20

25      Sovim lodged an application with LBR, pursuant to Article 15 of the Law of 13 January 2019, requesting that access to the information concerning its beneficial owner, contained in the RBO, be restricted solely to the entities mentioned in that provision. That application was rejected by decision of 6 February 2020.

26      On 24 February 2020, Sovim brought an action before the referring court.

27      Principally, Sovim seeks a declaration that Article 12 of the Law of 13 January 2019, pursuant to which access to certain information contained in the RBO is open to ‘any person’, and/or Article 15 of that law are inapplicable and an order for the information provided by Sovim pursuant to Article 3 of that law not to be made publicly accessible.

28      In that regard, Sovim submits, in the first place, that granting public access to the identity and personal data of its beneficial owner would infringe the right to respect for private and family life and the right to the protection of personal data, enshrined respectively in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (‘the Charter’).

29      In that company’s view, the aims of Directive 2015/849 as amended, on the basis of which the Law of 13 January 2019 was introduced into Luxembourg law, are to identify the beneficial owners of companies used for the purposes of money laundering or terrorist financing, as well as to ensure certainty in commercial relationships and market confidence. However, it has not been shown how granting the public entirely unrestricted access to the data held in the RBO enables those aims to be attained.

30      In the second place, Sovim submits that public access to personal data contained in the RBO constitutes an infringement of several provisions of the GDPR, in particular a number of fundamental principles set out in Article 5(1) thereof.

31      In the alternative, Sovim claims that the referring court should hold that there is a disproportionate risk in the present case, within the meaning of Article 15(1) of the Law of 13 January 2019, and accordingly make an order requiring LBR to restrict access to the information referred to in Article 3 of that law.

32      In that regard, the referring court observes that Article 15(1) of the Law of 13 January 2019 provides that LBR must carry out a case-by-case analysis of whether there are exceptional circumstances justifying a restriction of access to the RBO. While, in the context of that law, several questions have already been referred to the Court in Case C-37/20, concerning the interpretation of the concepts of ‘exceptional circumstances’, ‘risk’ and ‘disproportionate’ risk, the present proceedings in Case C-601/20 also raise other issues, in particular that of whether the general public’s access to some of the data in the RBO is compatible with the Charter and also with the GDPR.

33      In those circumstances, the tribunal d’arrondissement de Luxembourg (Luxembourg District Court) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1)      Is Article 1(15)(c) of [Directive 2018/843], amending the first subparagraph of Article 30(5) of [Directive 2015/849], in so far as it requires Member States to make information on beneficial owners accessible to the general public in all cases, with no requirement for a legitimate interest to be shown, a valid provision:

–        in the light of the right to respect for private and family life guaranteed in Article 7 of the [Charter], interpreted in accordance with Article 8 of the European Convention on Human Rights, having regard to the objectives stated, inter alia, in recitals 30 and 31 of Directive 2018/843 relating, in particular, to efforts to combat money laundering and terrorist financing; and

–        in the light of the right to the protection of personal data guaranteed by Article 8 of the Charter, in so far as it is intended, inter alia, to guarantee that personal data are processed lawfully, fairly and in a transparent manner in relation to the data subject, that the purposes for which such data are collected and processed are limited, and that the data are minimised?

(2)      (a)      Is Article 1(15)(g) of Directive 2018/843 to be interpreted as meaning that the exceptional circumstances to which it refers – in which Member States may provide for exemptions from access to all or part of the information on beneficial owners, where access on the part of the general public would expose the beneficial owner to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation – may be found only where it is demonstrated that there is a disproportionate risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation which is exceptional, which is actually borne by the beneficial owner as an individual, and which is significant, real and present?

(b)      If that question is answered in the affirmative, is Article 1(15)(g) of Directive 2018/843, thus interpreted, a valid provision in the light of the right to respect for private and family life guaranteed by Article 7 of the Charter and the right to the protection of personal data guaranteed by Article 8 of the Charter?

(3)      (a)      Is Article 5(1)(a) of [the GDPR], which requires data to be processed lawfully, fairly and in a transparent manner in relation to the data subject, to be interpreted as not precluding:

–        that the personal data of a beneficial owner, recorded in a register of beneficial ownership, established in accordance with Article 30 of Directive 2015/849, as amended by Article 1(15) of Directive 2018/843, is accessible to the general public, with no monitoring of access and no requirement for any member of the public to provide justification, and without the data subject (the beneficial owner) having any way of discovering who has accessed his or her personal data; or

–        that the data controller responsible for such a register of beneficial ownership provides access to the personal data of beneficial owners to an unlimited and indeterminable number of persons?

(b)      Is Article 5(1)(b) of the GDPR, which requires the purposes of data processing to be limited, to be interpreted as not precluding that the personal data of a beneficial owner, recorded in a register of beneficial ownership established in accordance with Article 30 of [Directive 2015/849 as amended], is accessible to the general public, in circumstances where the data controller cannot guarantee that those data will be used only for the purpose for which they were collected, which is, in essence, the combating of money laundering and terrorist financing – a purpose in relation to which the general public is not the body responsible for compliance?

(c)      Is Article 5(1)(c) of the GDPR, which requires data to be minimised, to be interpreted as not precluding the general public from having access, through a register of beneficial ownership established in accordance with Article 30 of [Directive 2015/849 as amended], to data indicating, in addition to the beneficial owner’s name, month and year of birth, nationality and country of residence, as well as the nature and extent of his or her beneficial interests, also his or her date and place of birth?

(d)      Does Article 5(1)(f) of the GDPR, which requires data to be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and thus guarantees the integrity and confidentiality of such data, not preclude the provision of access to the personal data of beneficial owners held in a register of beneficial ownership, established in accordance with Article 30 of [Directive 2015/849 as amended], on an unlimited and unconditional basis and with no undertaking to preserve the confidentiality of those data?

(e)      Is Article 25(2) of the GDPR, which guarantees data protection by default, providing in particular that, by default, personal data must not be made accessible without the individual’s intervention to an indefinite number of natural persons, to be interpreted as not precluding:

–        that a register of beneficial ownership, established in accordance with Article 30 of [Directive 2015/849 as amended], does not require members of the general public consulting the personal data of a beneficial owner on its website to create an account; or

–        that no information concerning the consultation of the personal data of a beneficial owner contained in such a register is disclosed to that beneficial owner; or

–        that no restriction on the extent and accessibility of the personal data at issue is applicable in the light of the purpose of their processing?

(f)      Are Articles 44 to 50 of the GDPR, under which the transfer of personal data to a third country is subject to strict conditions, to be interpreted as not precluding that the personal data of a beneficial owner, contained in a register of beneficial ownership established in accordance with Article 30 of [Directive 2015/849 as amended], are accessible in any circumstances to any member of the general public, with no requirement to demonstrate a legitimate interest and no limitations as to the location of that public?’

 Consideration of the questions referred

 The first question referred in Case C-601/20

34      By the first question referred in Case C-601/20, the referring court raises the issue, in essence, of the validity, in the light of Articles 7 and 8 of the Charter, of Article 1(15)(c) of Directive 2018/843, in so far as that provision amended point (c) of the first subparagraph of Article 30(5) of Directive 2015/849 in such a way that that point (c), as thus amended, provides that Member States must ensure that information on the beneficial ownership of companies and of other legal entities incorporated within their territory is accessible in all cases to any member of the general public.

 The interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter, resulting from the general public’s access to information on beneficial ownership

35      Article 7 of the Charter guarantees everyone the right to respect for his or her private and family life, home and communications, while Article 8(1) of the Charter expressly confers on everyone the right to the protection of personal data concerning him or her.

36      As is apparent from Article 30(1) and (3) of Directive 2015/849 as amended, Member States must ensure that corporate and other legal entities incorporated within their territory are required to obtain and hold adequate, accurate and current information on their beneficial ownership and that that information is held in a central register in each Member State. Under Article 3(6) of that directive, beneficial owners mean any natural person (or persons) who ultimately owns or controls the customer and/or the natural person (or persons) on whose behalf a transaction or activity is being conducted.

37      Point (c) of the first subparagraph of Article 30(5) of Directive 2015/849 as amended requires Member States to ensure that the information on beneficial ownership is accessible in all cases to ‘any member of the general public’, while the second subparagraph of Article 30(5) states that the persons referred to in that point (c) must be permitted ‘to access at least the name, the month and year of birth and the country of residence and nationality of the beneficial owner as well as the nature and extent of the beneficial interest held’. Article 30(5) adds, in its third subparagraph, that ‘Member States may, under conditions to be determined in national law, provide for access to additional information enabling the identification of the beneficial owner’, which ‘shall include at least the date of birth or contact details in accordance with data protection rules.’

38      In that regard, it should be noted that since the data referred to in Article 30(5) include information on identified individuals, namely the beneficial owners of corporate and other legal entities incorporated within the Member States’ territory, the access of any member of the general public to those data affects the fundamental right to respect for private life, guaranteed in Article 7 of the Charter (see, by analogy, judgment of 21 June 2022, Ligue des droits humains, C-817/19, EU:C:2022:491, paragraph 94 and the case-law cited), it being of no relevance in that respect that the data concerned may relate to activities of a professional nature (see, by analogy, judgment of 9 November 2010, Volker und Markus Schecke and Eifert, C-92/09 and C-93/09, EU:C:2010:662, paragraph 59). In addition, making available those data to the general public in that manner constitutes the processing of personal data falling under Article 8 of the Charter (see, by analogy, judgment of 9 November 2010, Volker und Markus Schecke and Eifert, C-92/09 and C-93/09, EU:C:2010:662, paragraphs 52 and 60).

39      It should also be noted that, as is apparent from the Court’s settled case-law, making personal data available to third parties constitutes an interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter, whatever the subsequent use of the information communicated. In that connection, it does not matter whether the information in question relating to private life is sensitive or whether the persons concerned have been inconvenienced in any way on account of that interference (judgment of 21 June 2022, Ligue des droits humains, C-817/19, EU:C:2022:491, paragraph 96 and the case-law cited).

40      Consequently, the general public’s access to information on beneficial ownership, provided for in Article 30(5) of Directive 2015/849 as amended, constitutes an interference with the rights guaranteed in Articles 7 and 8 of the Charter.

41      As regards the seriousness of that interference, it is important to note that, in so far as the information made available to the general public relates to the identity of the beneficial owner as well as to the nature and extent of the beneficial interest held in corporate or other legal entities, that information is capable of enabling a profile to be drawn up concerning certain personal identifying data more or less extensive in nature depending on the configuration of national law, the state of the person’s wealth and the economic sectors, countries and specific undertakings in which he or she has invested.

42      In addition, it is inherent in making that information available to the general public in such a manner that it is then accessible to a potentially unlimited number of persons, with the result that such processing of personal data is liable to enable that information to be freely accessed also by persons who, for reasons unrelated to the objective pursued by that measure, seek to find out about, inter alia, the material and financial situation of a beneficial owner (see, by analogy, judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C-184/20, EU:C:2022:601, paragraphs 102 and 103). That possibility is all the easier when, as is the case in Luxembourg, the data in question can be consulted on the internet.

43      Furthermore, the potential consequences for the data subjects resulting from possible abuse of their personal data are exacerbated by the fact that, once those data have been made available to the general public, they can not only be freely consulted, but also retained and disseminated and that, in the event of such successive processing, it becomes increasingly difficult, or even illusory, for those data subjects to defend themselves effectively against abuse.

44      Accordingly, the general public’s access to information on beneficial ownership, provided for in point (c) of the first subparagraph of Article 30(5) of Directive 2015/849 as amended, constitutes a serious interference with the fundamental rights enshrined in Articles 7 and 8 of the Charter (see, by analogy, judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C-184/20, EU:C:2022:601, paragraph 105).

 The justification for the interference resulting from the general public’s access to information on beneficial ownership

45      The fundamental rights enshrined in Articles 7 and 8 of the Charter are not absolute rights, but must be considered in relation to their function in society (judgment of 21 June 2022, Ligue des droits humains, C-817/19, EU:C:2022:491, paragraph 112 and the case-law cited).

46      Under the first sentence of Article 52(1) of the Charter, any limitation on the exercise of the rights and freedoms recognised by the Charter must be provided for by law and respect the essence of those rights and freedoms. According to the second sentence of Article 52(1) of the Charter, subject to the principle of proportionality, limitations may be made on those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others. In that connection, Article 8(2) of the Charter states that personal data must, inter alia, be processed ‘for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law’.

–       Observance of the principle of legality

47      As regards the requirement that any limitation on the exercise of fundamental rights must be provided for by law, this implies that the act which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned, bearing in mind, on the one hand, that that requirement does not preclude the limitation in question from being formulated in terms which are sufficiently open to be able to adapt to different scenarios and keep pace with changing circumstances and, on the other hand, that the Court may, where appropriate, specify, by means of interpretation, the actual scope of the limitation in the light of the very wording of the EU legislation in question as well as its general scheme and the objectives it pursues, as interpreted in view of the fundamental rights guaranteed by the Charter (judgment of 21 June 2022, Ligue des droits humains, C-817/19, EU:C:2022:491, paragraph 114 and the case-law cited).

48      In that regard, it should be noted that the limitation on the exercise of the fundamental rights guaranteed in Articles 7 and 8 of the Charter, resulting from the general public’s access to information on beneficial ownership, is provided for by an EU legislative act, namely Directive 2015/849 as amended. In addition, Article 30(1) and (5) of that directive provides, first, for access by the general public to data relating to the identification of the beneficial owners and the beneficial interest which they hold, specifying that those data must be adequate, accurate and current, and expressly listing certain of those data to which any member of the general public must be allowed access. Secondly, Article 30(9) of Directive 2015/849 as amended lays down the conditions under which Member States may provide for exemptions from such access.

49      In those circumstances, the principle of legality must be considered to have been fulfilled.

–       Respect for the essence of the fundamental rights guaranteed in Articles 7 and 8 of the Charter

50      As regards respect for the essence of the fundamental rights enshrined in Articles 7 and 8 of the Charter, it should be noted that the information expressly referred to in the second subparagraph of Article 30(5) of Directive 2015/849 as amended may be classified into two distinct categories of data: the first comprising data relating to the identity of the beneficial owner (name, month and year of birth, and nationality) and the second comprising economic data (nature and extent of the beneficial interest held).

51      Furthermore, while the second subparagraph of Article 30(5) of Directive 2015/849 as amended does not – as is clear from the use of the expression ‘at least’ – contain an exhaustive list of the data which any member of the general public must be permitted to access, and the third subparagraph of Article 30(5) adds that Member States are entitled to provide for access to additional information, the fact remains that, in accordance with Article 30(1), only ‘adequate’ information on beneficial owners and beneficial interests held may be obtained, held and, therefore, potentially made accessible to the public, which excludes, inter alia, information which is not adequately related to the purposes of that directive.

52      As it is, it does not appear that making available to the general public information which is so related would in any way undermine the essence of the fundamental rights guaranteed in Articles 7 and 8 of the Charter.

53      In that context, it should also be noted that Article 41(1) of Directive 2015/849 as amended expressly provides that the processing of personal data under that directive is subject to Directive 95/46 and, therefore, to the GDPR, Article 94(2) of which states that references to Directive 95/46 are to be construed as references to the GDPR. It is, therefore, established that any collection, storage and making available of information under Directive 2015/849 as amended must fully meet the requirements arising from the GDPR.

54      In those circumstances, the interference entailed by the general public’s access to information on beneficial ownership provided for in point (c) of the first subparagraph of Article 30(5) of Directive 2015/849 as amended does not undermine the essence of the fundamental rights enshrined in Articles 7 and 8 of the Charter.

–       The objective of general interest recognised by the European Union

55      Directive 2015/849 as amended aims, in the words of Article 1(1) thereof, to prevent the use of the European Union’s financial system for the purposes of money laundering and terrorist financing. In that regard, recital 4 of Directive 2018/843 states that the pursuit of that objective cannot be effective unless the environment is hostile to criminals and that enhancing the overall transparency of the economic and financial environment of the European Union could be a powerful deterrent.

56      As regards, more specifically, the objective of the general public’s access to information on beneficial ownership, introduced by Article 1(15)(c) of Directive 2018/843, recital 30 of that directive states that such access, first of all, ‘allows greater scrutiny of information by civil society, including by the press or civil society organisations, and contributes to preserving trust in the integrity of business transactions and of the financial system’. Next, the access in question ‘can contribute to combating the misuse of corporate and other legal entities and legal arrangements for the purposes of money laundering or terrorist financing, both by helping investigations and through reputational effects, given that anyone who could enter into transactions is aware of the identity of the beneficial owners’. Lastly, that access ‘also facilitates the timely and efficient availability of information for financial institutions as well as authorities, including authorities of third countries, involved in combating such offences’ and ‘would also help investigations on money laundering, associated predicate offences and terrorist financing’.

57      Furthermore, recital 31 of Directive 2018/843 states that ‘the potential increase in confidence in financial markets should be regarded as a positive side effect and not the purpose of increasing transparency, which is to create an environment less likely to be used for the purposes of money laundering and terrorist financing’.

58      It follows that, by providing for the general public’s access to information on beneficial ownership, the EU legislature seeks to prevent money laundering and terrorist financing by creating, by means of increased transparency, an environment less likely to be used for those purposes.

59      That aim constitutes an objective of general interest that is capable of justifying even serious interferences with the fundamental rights enshrined in Articles 7 and 8 of the Charter (see, to that effect, judgment of 21 June 2022, Ligue des droits humains, C-817/19, EU:C:2022:491, paragraph 122 and the case-law cited).

60      In so far as the Council of the European Union also refers, in that context, expressly to the principle of transparency, as follows from Articles 1 and 10 TEU and from Article 15 TFEU, it should be noted that that principle, as the Council itself states, enables citizens to participate more closely in the decision-making process and guarantees that the administration enjoys greater legitimacy and is more effective and more accountable to the citizen in a democratic system (judgment of 9 November 2010, Volker und Markus Schecke and Eifert, C-92/09 and C-93/09, EU:C:2010:662, paragraph 68 and the case-law cited).

61      While, in that respect, the principle of transparency is given concrete expression primarily in the requirements of institutional and procedural transparency covering activities of a public nature, including the use of public funds, such a link with public institutions is lacking where, as in the present case, the measure at issue is intended to make available to the general public data concerning the identity of private beneficial owners and the nature and extent of their beneficial interests held in companies or other legal entities.

62      Accordingly, the principle of transparency, as it results from Articles 1 and 10 TEU and from Article 15 TFEU, cannot be considered, as such, an objective of general interest capable of justifying the interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter, which results from the general public’s access to information on beneficial ownership.

–       Whether the interference at issue is appropriate, necessary and proportionate

63      According to settled case-law, the proportionality of the measures which result in interference with the rights guaranteed in Articles 7 and 8 of the Charter requires compliance not only with the requirements of appropriateness and of necessity but also with that of the proportionate nature of those measures in relation to the objective pursued (see, to that effect, judgment of 5 April 2022, Commissioner of An Garda Síochána and Others, C-140/20, EU:C:2022:258, paragraph 93).

64      More specifically, derogations from and limitations on the protection of personal data should apply only in so far as is strictly necessary, it being understood that where there is a choice between several measures appropriate to meeting the legitimate objectives pursued, recourse must be had to the least onerous. In addition, an objective of general interest may not be pursued without having regard to the fact that it must be reconciled with the fundamental rights affected by the measure, by properly balancing the objective of general interest against the rights at issue, in order to ensure that the disadvantages caused by that measure are not disproportionate to the aims pursued. Thus, the question whether a limitation on the rights guaranteed in Articles 7 and 8 of the Charter may be justified must be assessed by measuring the seriousness of the interference which such a limitation entails and by verifying that the importance of the objective of general interest pursued by that limitation is proportionate to that seriousness (see, to that effect, judgments of 26 April 2022, Poland v Parliament and Council, C-401/19, EU:C:2022:297, paragraph 65, and of 21 June 2022, Ligue des droits humains, C-817/19, EU:C:2022:491, paragraphs 115 and 116 and the case-law cited).

65      Furthermore, in order to satisfy the proportionality requirement, the legislation in question entailing the interference must also lay down clear and precise rules governing the scope and application of the measures provided for and imposing minimum safeguards, so that the data subjects have sufficient guarantees to protect effectively their personal data against the risk of abuse. It must, in particular, indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted, thereby ensuring that the interference is limited to what is strictly necessary. The need for such safeguards is all the greater where personal data are made accessible to the general public, and thus to a potentially unlimited number of persons, and are liable to reveal sensitive data on the data subjects (see, to that effect, judgment of 21 June 2022, Ligue des droits humains, C-817/19, EU:C:2022:491, paragraph 117 and the case-law cited).

66      In accordance with that case-law, it is necessary to ascertain, first, whether the general public’s access to information on beneficial ownership is appropriate for attaining the objective of general interest pursued, secondly, whether the interference with the rights guaranteed in Articles 7 and 8 of the Charter which results from such access is limited to what is strictly necessary, in the sense that the objective could not reasonably be achieved in an equally effective manner by other means less prejudicial to those fundamental rights of the data subjects, and, thirdly, whether that interference is not disproportionate to that objective, which implies, in particular, a balancing of the importance of the objective and the seriousness of the interference.

67      In the first place, it must be held that the general public’s access to information on beneficial ownership is appropriate for contributing to the attainment of the objective of general interest, identified in paragraph 58 above, of seeking to prevent money laundering and terrorist financing, since the public nature of that access and the increased transparency resulting therefrom contribute to the creation of an environment less likely to be used for such purposes.

68      In the second place, in order to demonstrate that the interference resulting from the general public’s access to information on beneficial ownership is strictly necessary, the Council and the Commission refer to the impact assessment accompanying the Proposal for a Directive of the European Parliament and of the Council amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and amending Directive 2009/101/EC (COM(2016) 450 final), which gave rise to Directive 2018/843. According to those institutions, whereas point (c) of the first subparagraph of Article 30(5) of Directive 2015/849, in the version prior to its amendment by Directive 2018/843, made access by any person to information on beneficial ownership conditional upon that person being able to demonstrate a ‘legitimate interest’, that impact assessment found that the lack of a uniform definition of that concept of ‘legitimate interest’ had given rise to practical difficulties, with the result that it was considered that the appropriate solution was to remove that condition.

69      Furthermore, in their written observations, the Parliament, the Council and the Commission state, referring in particular to recital 30 of Directive 2018/843, that the general public’s access to information on beneficial ownership, as provided for by Directive 2015/849 as amended, has a deterrent effect, enables greater scrutiny and facilitates the conduct of investigations, including those carried out by the authorities of third countries, and that those consequences could not be achieved in any other way.

70      At the hearing, the Commission was asked to indicate whether it had considered proposing a uniform definition of ‘legitimate interest’, in order to offset the risk that the obligation for any person or organisation to demonstrate such an interest, as initially provided for by Directive 2015/849, might lead to excessive limitations on access to information on beneficial ownership, owing to differences in the definition of ‘legitimate interest’ in the Member States.

71      In response to that question, the Commission observed that the criterion of ‘legitimate interest’ was a concept which did not lend itself easily to a legal definition and that, while it had considered the possibility of proposing a uniform definition of that criterion, it had ultimately decided not to do so on the ground that the criterion, even if defined, remained difficult to apply and that its application could give rise to arbitrary decisions.

72      In that regard, it must be noted that the fact that it may be difficult to provide a detailed definition of the circumstances and conditions under which the public may access information on beneficial ownership is no reason for the EU legislature to provide for the general public to access that information (see, by analogy, judgment of 5 April 2022, Commissioner of An Garda Síochána and Others, C-140/20, EU:C:2022:258, paragraph 84).

73      Moreover, nor can the effects relied on and the reference made, in that context, to the explanations set out in recital 30 of Directive 2018/843 establish that the interference at issue is strictly necessary.

74      To the extent that that recital states that the general public’s access to beneficial ownership information allows greater scrutiny of information by civil society, and that express reference is made in that regard to the press and to civil society organisations, it should be found that both the press and civil society organisations that are connected with the prevention and combating of money laundering and terrorist financing have a legitimate interest in accessing information on beneficial ownership. The same is true of the persons, also mentioned in that recital, who wish to know the identity of the beneficial owners of a company or other legal entity because they are likely to enter into transactions with them, or of the financial institutions and authorities involved in combating offences of money laundering or terrorist financing, in so far as those entities do not already have access to the information in question on the basis of points (a) and (b) of the first subparagraph of Article 30(5) of Directive 2015/849 as amended.

75      Moreover, although it is stated in recital 30 of Directive 2018/843 that the general public’s access to information on beneficial ownership ‘can contribute’ to combating the misuse of corporate and other legal entities and that it ‘would also help’ criminal investigations, it must be found that such considerations are also not such as to demonstrate that that measure is strictly necessary to prevent money laundering and terrorist financing.

76      In the light of the foregoing, it cannot be considered that the interference with the rights guaranteed in Articles 7 and 8 of the Charter, which results from the general public’s access to information on beneficial ownership, is limited to what is strictly necessary.

77      In the third place, as regards the factors put forward to establish that the interference at issue is proportionate, in that, in particular, the general public’s access to information on beneficial ownership, provided for in Article 30(5) of Directive 2015/849 as amended, is based on a proper balance between, on the one hand, the objective of general interest pursued and, on the other, the fundamental rights at issue, and that there are sufficient safeguards against the risks of abuse, the following points must be made.

78      First of all, the Commission contends that, as is apparent from recital 34 of Directive 2018/843, the EU legislature took care to specify that the set of data made available to the public must be limited, clearly and exhaustively defined, and must be of a general nature, so as to minimise the potential prejudice to beneficial owners. It is in that context that, on the basis of Article 30(5) of Directive 2015/849 as amended, only data strictly necessary to identify the beneficial owners and the nature and extent of their interests would be accessible to the public.

79      Next, the Parliament, the Council and the Commission state that the principle that the general public should have access to information on beneficial ownership may be derogated from, since Article 30(9) of Directive 2015/849 as amended provides that in ‘exceptional circumstances’, ‘Member States may provide for an exemption from such access to all or part of the information on the beneficial ownership on a case-by-case basis’ where the general public’s access to that information ‘would expose the beneficial owner to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or otherwise legally incapable’.

80      Lastly, both the Parliament and the Commission observe that, as is apparent from Article 30(5a) of Directive 2015/849 as amended, read in conjunction with recital 36 of Directive 2018/843, Member States may make the information on beneficial ownership available on condition of online registration in order to identify the person requesting that information. In addition, in accordance with recital 38 of Directive 2018/843, in order to prevent the abuse of the information on beneficial ownership, Member States might make information relating to the requesting person along with the legal basis for their request available to the beneficial owner.

81      In that regard, it should be noted that, as recalled in paragraph 51 above, the second subparagraph of Article 30(5) of Directive 2015/849 as amended provides that any member of the general public is to be permitted to access ‘at least’ the data referred to in that provision, and the third subparagraph of Article 30(5) adds that Member States may provide for access to ‘additional information enabling the identification of the beneficial owner’, which includes ‘at least’ the date of birth or the contact details of the beneficial owner concerned.

82      However, it is apparent from the use of the expression ‘at least’ that those provisions allow for data to be made available to the public which are not sufficiently defined and identifiable. Consequently, the substantive rules governing interference with the rights guaranteed in Articles 7 and 8 of the Charter do not meet the requirement of clarity and precision recalled in paragraph 65 above (see, by analogy, Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017, EU:C:2017:592, paragraph 160).

83      Furthermore, as regards the balancing of the seriousness of that interference, identified in paragraphs 41 to 44 above, against the importance of the objective of general interest of preventing money laundering and terrorist financing, it must be held that although in view of its importance that objective is, as found in paragraph 59 above, capable of justifying even serious interferences with the fundamental rights enshrined in Articles 7 and 8 of the Charter, the fact remains that, first, combating money laundering and terrorist financing is as a priority a matter for the public authorities and for entities such as credit or financial institutions which, by reason of their activities, are subject to specific obligations in that regard.

84      Indeed, it is for that reason that points (a) and (b) of the first subparagraph of Article 30(5) of Directive 2015/849 as amended provide that information on beneficial ownership must be accessible, in all cases, to competent authorities and Financial Intelligence Units, without any restriction, as well as to obliged entities, within the framework of customer due diligence.

85      Secondly, in comparison with a regime such as that laid down in the version of Article 30(5) of Directive 2015/849 prior to the entry into force of Directive 2018/843 – which provided, in addition to access by the competent authorities and certain entities, for access by any person or organisation capable of demonstrating a legitimate interest – the regime introduced by Directive 2018/843, providing for the general public’s access to information on beneficial ownership, amounts to a considerably more serious interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter, without that increased interference being capable of being offset by any benefits which might result from the latter regime as compared against the former regime, in terms of combating money laundering and terrorist financing (see, by analogy, judgment of 1 August 2022, Vyriausioji tarnybinės etikos komisija, C-184/20, EU:C:2022:601, paragraph 112).

86      In those circumstances, the optional provisions of Article 30(5a) and (9) of Directive 2015/849 as amended, which allow Member States to make information on beneficial ownership available on condition of online registration and to provide, in exceptional circumstances, for an exemption from access to that information by the general public, respectively, are not, in themselves, capable of demonstrating either a proper balance between the objective of general interest pursued and the fundamental rights enshrined in Articles 7 and 8 of the Charter, or the existence of sufficient safeguards enabling data subjects to protect their personal data effectively against the risks of abuse.

87      Moreover, the Commission’s reference to the judgment of 9 March 2017, Manni (C-398/15, EU:C:2017:197), – concerning compulsory disclosure by companies, including of their representatives in legal proceedings, provided for in First Council Directive 68/151/EEC of 9 March 1968 on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community (OJ 1968 L 65, p. 8), as amended by Directive 2003/58/EC of the European Parliament and of the Council of 15 July 2003 (OJ 2003 L 221, p. 3) – is irrelevant in that context. Indeed, the compulsory disclosure provided for by that directive, on the one hand, and the general public’s access to information on beneficial ownership, provided for by Directive 2015/849 as amended, on the other, differ both in their respective purposes and in their scope in terms of the personal data covered.

88      In the light of all the foregoing considerations, the answer to the first question referred in Case C-601/20 is that Article 1(15)(c) of Directive 2018/843 is invalid in so far as it amended point (c) of the first subparagraph of Article 30(5) of Directive 2015/849 in such a way that point (c), as thus amended, provides that Member States must ensure that information on the beneficial ownership of companies and of other legal entities incorporated within their territory is accessible in all cases to any member of the general public.

 The second and third questions referred in Case C-601/20 and the questions referred in Case C-37/20

89      The second question referred in Case C-601/20 and the questions referred in Case C-37/20 are based on the premiss that Article 30(5) of Directive 2015/849 as amended is valid, in so far as it provides for public access to information on beneficial ownership.

90      However, in view of the answer to the first question referred in Case C-601/20, there is no need to examine those questions.

91      Furthermore, in the light of that same answer, there is also no need to adjudicate on the third question referred in Case C-601/20.

 Costs

92      Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.

On those grounds, the Court (Grand Chamber) hereby rules:

Article 1(15)(c) of Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU, is invalid in so far as it amended point (c) of the first subparagraph of Article 30(5) of Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC, in such a way that point (c) of the first subparagraph of Article 30(5), as thus amended, provides that Member States must ensure that information on the beneficial ownership of companies and of other legal entities incorporated within their territory is accessible in all cases to any member of the general public.

[Signatures]

*      Language of the case: French.


Disclaimer