Since April 2016 companies in the UK have had to identify their owners and controllers. Those details have formed part of a publicly-available register held by Companies House. Ownership registers such as this have been introduced internationally in recent years. This is as part of a move towards increasing corporate transparency to combat money laundering, the financing of terrorism and tax evasion.
The Court of Justice of the European Union has ruled that an equivalent law in Luxembourg infringes the fundamental right to privacy. Within 48 hours of the ruling, the online registers in Luxembourg and Netherlands closed to public access. It is likely the other EU countries will follow.
What does this mean for the UK?
Because of Brexit, this won’t apply in the UK, right? Not so fast!
The ruling is based on the Charter of Fundamental Rights of the European Union. This enshrines human rights – including the right to privacy – in EU law. It mirrors the protections in the European Convention on Human Rights. Remember, the UK helped draft the Convention after World War II and it still (currently) adheres to it. The present government have resurrected controversial plans to deviate from some of these protections in the Bill of Rights. But for now those rights continue.
The General Data Protection Regulation also contains privacy certain rights. And, of course, the UK has replicated that through “UK GDPR” and the Data Protection Act. In fact, the EU Commission has decided that the UK’s data protection laws are “adequate”. This means personal data can flow freely between the UK and EU.
The Luxembourg register required the inclusion of a broad amount of data. For example: surname, forename(s), nationality, date and place of birth, country of residence, complete private or professional address, and national ID number. The CJEU ruled this was too broad to be made publicly available.
The UK register available to the public contains similar data. That is: surname, forename(s), nationality, date of birth, country of residence, complete private or professional address. If it’s too much in the EU, then surely it’s too much in the UK which has similar laws?
The UK could, in theory, deviate from the CJEU ruling. But this would be a curious step, particularly if ignoring this type of ruling leads to accusations that the UK doesn’t take data protection and privacy seriously. The EU Commission might conclude the UK’s data protection laws are no longer adequate and that could disrupt data transfers.
Wait – there’s more
So the UK will follow suit after all then? Probably, but there’s more.
The next step might be to redact some of this information from the public register. Only those with a “legitimate interest” would then get full access. The EU Commission didn’t define what this was as it was not a simple definition. It seems likely it will have to now. The UK may do the same.
This movement is not new. Domain name registers ceased to be public several years ago for similar reasons.
It will be interesting to see what happens in the UK.
If you need advice, contact me f.jennings@teacherstern.com or +44 (0) 20 7611 2338.