Privacy First initiates legal action against the Dutch government on account of the recently-introduced UBO register. The preliminary injunction proceedings point at the invalidity of the legislation on which this register is based. The consequences of this new piece of legislation are far-reaching as the register contains very privacy-sensitive information. Data relating to the financial situation of natural persons will be up for grabs. More than 1.5 million legal entities that are registered in the Dutch Trade Register will have to make public details about their Ultimate Beneficial Owners (UBOs). The UBO register is publicly accessible: a request for information costs €2.50.
The UBO register aims to prevent money laundering but will lead to defamation.
The privacy breach that is the result of the UBO register and the public accessibility of sensitive data are disproportionate. The goal of the register is to thwart money laundering and terrorist financing. In order to achieve this goal there is no need for a UBO register, at least not one that is publicly accessible.
That is why Privacy First wants the UBO register to be rendered inoperative by a court, which, if necessary, should submit questions of interpretation to the highest court in Europe: the European Court of Justice. In cases like these, the judiciary will have the final say. It is not uncommon for a court to overrule privacy-violating legislation, and in this respect Privacy First’s litigation has been successful in the past.
The proceedings will take place before The Hague District Court on 25 February 2021 at 12pm. The entire summons can be found HERE (pdf in Dutch). The ruling will follow two or three weeks after the hearing.
If you have any questions, please contact us or our attorney Otto Volgenant of Boekx Attorneys. Privacy First could use your help and would be very pleased to welcome you as a donor.
Background of the UBO register case
On 24 June 2020, the Dutch ‘Implementation Act for the Registration of Ultimate Beneficial Owners of Companies and Other Legal Entities’ came into effect in the Netherlands. On the basis of this new Act, a new UBO register which is linked to the Commercial Register of the Dutch Chamber of Commerce will contain information about all ultimate beneficial owners of companies and other legal entities founded in the Netherlands. The register should indicate how many shares are owned by the UBO: 25-50%, 50-75% or more than 75%. Furthermore, the name, month and year of birth as well as the nationality of the UBO will be made public, with all the privacy risks this entails.
Since 27 September 2020, newly founded entities have to register the ultimate beneficial owners in the UBO register. Existing legal entities will have to do so before 27 March 2022.
The Act provides very few possibilities to safeguard information. This is possible only for persons that are protected by the police, minors and those placed under guardianship. This means that the shares of practically every UBO will become a matter of public record. Anyone has access to the UBO register, with extracts coming at a price of €2.50.
European money laundering directive
The new Act stems from the fifth European money laundering directive, which obliges EU Member States to register UBOs and disclose their details to the public. According to the European legislator, this contributes to the proclaimed objective of countering money laundering and terrorist financing. The transparency is supposed to be a deterrent for persons who set out to launder money or finance terrorism.
Massive privacy violation and fundamental criticism
The question is whether this produces a windfall effect. Registering the personal data of all UBOs and making these publicly available is a generic precautionary measure. 99.99% of UBOs have nothing to do with money laundering or terrorist financing. Even if it were proportionate to collect information on all UBOs, making that information available only to government agencies engaged in combating money laundering and terrorism should suffice. It is not appropriate to disclose that information to everyone. The European Data Protection Supervisor (EDPS) deemed this privacy violation to be disproportionate. This opinion, however, did not lead to an amendment of the European Directive.
When this Act was discussed in Dutch Parliament, fundamental criticism came from various corners of society. The business community made its voice heard because it perceived privacy risks and feared − and now indeed experiences − an increase in costs. UBOs of family-owned companies that have remained out of the public eye up until now are running major privacy and security risks. There was also a great deal of attention paid to the position of social organizations − such as church communities and NGOs − that attach great importance to the protection of those affiliated with them. Associations and foundations that do not have owners face a different burden: they have to put the data that are already in the Trade Register in yet another register. Unfortunately, these complaints have not resulted in any changes to the legislation.
Legal proceedings look promising
Privacy First has initiated legal proceedings against the UBO register for violation of the fundamental right to privacy and the protection of personal data. Privacy First asks the Dutch court to render the UBO register inoperative in the short term and, if necessary, to submit questions of interpretation on this matter to the highest court in Europe, the Court of Justice of the European Union.
The Dutch Act as well as the underlying European directive are in conflict with both the European Charter of Fundamental Rights and the GDPR. It is the legislator who has created this legislation, but it will be up to the court to review it thoroughly. Ultimately, the court has the last word. If the (European) legislator fails to take adequate account of the protection of fundamental rights, then the (European) court can invalidate this legislation. This would not be unique. The Court of Justice of the European Union has previously declared legislation invalid due to privacy violations, for example the Data Retention Directive and, more recently, the Privacy Shield. Dutch courts, too, regularly annul privacy-invading regulations. Privacy First has previously successfully challenged the validity of legislation, for example in the proceedings concerning the Telecommunications Data Retention Act and the System Risk Indication (SyRI). Viewed against this background, a positive outcome in the case against the UBO register is anything but unlikely.