On Jan. 5, 2021, the Privacy First foundation launched a lawsuit against the State against the so-called "UBO register. Indeed, since Sept. 27, 2020, companies registered in the Netherlands have been required to collect and register information about their 'ultimate beneficial owners' (UBOs) with the Chamber of Commerce (KvK).
According to Privacy First, the UBO register violates the fundamental right to privacy and would not be proportionate to the goal to be achieved. In order to achieve the purpose of the UBO register - namely to combat money laundering and terrorist financing - a publicly accessible UBO register is not necessary, according to Privacy First. Privacy First therefore requested the Dutch court in summary proceedings to declare the UBO-register inoperative and, if necessary, to ask preliminary questions about this to the Court of Justice about the compatibility of the UBO-register with the European directives on which the obligation rests and European fundamental rights.
A UBO is the beneficial owner natural person of a corporation or other legal entity. Every entity always has at least one UBO. The obligation to register the UBO information rests on the directors and executives of entities such as B.V. 's, N.V. 's, foundations, partnerships, vof's, and limited partnerships. The UBO register is part of European legislation to combat money laundering and terrorist financing.
Part of the UBO information is publicly accessible and can be consulted subject to valid registration and the payment of a fixed fee of 2.50 euros. The identity of those consulting the UBO register is maintained and registered by the Chamber of Commerce. Consultants can then view the UBO's name, birth month and year, state of residence, nationality and the nature and extent of the interest held in the relevant entity. The UBO's day, place and country of birth, residential address and BSN number or tax identification number are recorded, but are not publicly accessible. In a limited number of cases, the publicly accessible data can be (partially) shielded, for example, for UBOs who are secured by the police, are minors or have been placed under guardianship. However, the starting point is that the information is publicly accessible.
Much criticism was voiced about the privacy aspects of the UBO register during its creation. The data included in the UBO register link natural persons to assets. These data qualify as (special) personal data.
The public accessibility of the UBO register allows anyone to easily gain insight into personal information of UBOs that can be linked to financial information of "their" companies. This makes it possible for third parties to gain insight into the financial situation of these individuals. This could easily lead to significant risks for UBOs, such as (threats of) intimidation, extortion or blackmail.
Moreover, despite the fact that the possibility of (partial) masking is offered, it is questionable whether the public accessibility of UBO data as a standard is at all necessary and proportionate. Given the objectives of the UBO register, it is more obvious to keep access to it limited to investigative agencies and law enforcement officials. Finally, there is a significant chance that rogue companies or UBOs will not comply with the obligations of the UBO register or will use straw men in order to (still) remain out of harm's way.
In any event, Privacy First takes the position that the UBO register violates privacy law. On the one hand because of the mandatory nature of the registration and on the other hand because of the (partially) public access to registered UBO data. According to Privacy First, the UBO register thus violates Article 8 ECHR, Articles 7, 8 and 11 of the European Charter and Article 17 ICCPR. The central question now before the court is whether the UBO register is proportionate to its purpose, which is to prevent money laundering and terrorist financing.
What is striking is that Privacy First did not claim damages (on behalf of its supporters), but 'only' claimed the disabling of the UBO register, or at least of general access to the data in that register. Given Privacy First's idealistic objective and role as an advocate for the preservation and promotion of the right to privacy, it could have chosen to claim damages (also) on behalf of the aggrieved on the basis of the Mass Tort Claims Settlement Act in collective action.
In summary proceedings (an emergency procedure), the court generally places high demands on a claim for (an advance on) compensation; the right to compensation and the need for an advance payment must be clear. This while a compensation claim under mass tort law is almost by definition complex and can be handled more carefully in normal proceedings with the usual procedural safeguards. Privacy First has chosen to (first) present its more principled objections to the UBO register to the court in these summary proceedings. The summary proceedings will be heard on February 25, 2021 at the District Court of The Hague.
However, this is not yet a missed opportunity. If Privacy First is found in the right, a (collective) claim for damages can still be filed by (or on behalf of) the victims on account of the unlawful processing of their personal data in the UBO-register. If preliminary questions are actually raised, a judgment in this case may be some time away and the UBO data will have to remain/be included in the UBO register. If at any time a court ruling should follow that leads to the exclusion of the UBO-register, it is expected that it will not be difficult to identify a (large) group of people who have been disadvantaged in a similar manner(s) and request compensation for this.
More articles by Loyens & Loeff
