Privacy First prepares lawsuit against privacy-invading UBO register

Under this new law, the Commercial Register of the Chamber of Commerce will contain information on all ultimate beneficial owners (UBOs) of companies and other legal entities incorporated in the Netherlands. This must include information on the UBO's interest, i.e. of 25-50%, 50-75% or more than 75%. Of the UBO, at least the name, month and year of birth and nationality become publicly available for all to see, with all the privacy risks involved. The law gives only very limited options for shielding information. This is only possible for persons secured by the police, minors and those under guardianship. The consequence will be that almost all UBOs will have their interests publicly disclosed. The law will enter into force shortly. After that, legal entities will have 18 months to register their UBOs. The implications of this new legislation will be far-reaching. It is a law that aims to combat money laundering but achieves blacklisting.

European directive

This legislative amendment stems from the European Fifth Anti-Money Laundering Directive, which requires Member States to register personal data of UBOs and make it publicly available. Its purpose is to counter money laundering and terrorist financing. Making UBOs' personal data publicly available, including the UBO's interest in the company, contributes to that goal, according to the European legislator. Disclosure would act as a deterrent to persons seeking to launder money or finance terrorism.

Massive privacy violation

The question is whether the means misses the mark. Making the personal data of all UBOs accessible to anyone is a 'blanket measure' of a preventive nature. 99.9% of UBOs have nothing to do with money laundering or terrorist financing. It is an invasion of privacy that is disproportionate in Privacy First's view. An important principle in privacy law is that data collected for one purpose should not be used for another. It should be sufficient if the information on UBOs is available to those government departments engaged in anti-money laundering and counter-terrorism activities. It is going too far to make that information fully public. The European Data Protection Supervisor judged already that this privacy violation is not proportionate. But that judgement did not lead to an amendment of the European directive.

During the Dutch parliamentary debate on this law, fundamental criticism came from various quarters. The business community stirred because it feared increased burdens and saw privacy risks. Family businesses whose UBOs have so far remained out of the public eye have a lot of privacy to lose. There was also much concern about the position of parties that attach great importance to protecting data subjects, such as denominations and civil society organisations. Unfortunately, this did not lead to regulatory changes.

Lawsuit

Privacy First will launch a lawsuit against the UBO register for violating European privacy law. The Dutch law and also the overriding European directive violate the European Charter of Fundamental Rights and the AVG. It is up to the courts to conduct a thorough review of this. Privacy First has successfully addressed the validity of legislation before, for example in the proceedings on the Telecommunications Retention Act.

Privacy First conducts its strategic proceedings on privacy mostly with a coalition of stakeholders. Privacy First is currently identifying which parties can contribute to this. Would you (or your organisation) like to participate as a co-plaintiff in this litigation? If so, please contact with us, or with our lawyer Otto Volgenant of Boekx Lawyers.

Update 6 January 2021

Privacy First's lawsuit against the UBO register was launched today. Read more on the case here, our summons and the scheduled court hearing at The Hague District Court.