Data Privacy Week was an opportune time to consider the important issue of how we as a society determine when privacy takes precedence in conflicts between data access and data privacy. One recent example was the November 2022 decision by the European Union Court of Justice that invalidated a provision in the EU anti-money-laundering directive whereby companies’ beneficial ownership information was to be made accessible in all cases to any member of the general public.
Some background context may be useful before we address the ramifications of that decision in detail. Back in 2016, the EU adopted the General Data Protection Regulation, which came into force in May 2018. The intent behind GDPR was to harmonise data privacy laws across all EU member countries as well as to provide greater protection and rights to individuals. Many in the industry tout the GDPR as the “gold standard”. In Bermuda, the November 2022 Throne Speech announced the plan for a phased implementation of the Personal Information Protection Act in 2023, bringing similar protection to us here. Data protection and privacy issues affect all businesses and industry sectors, and compliance with the law and protecting individuals’ privacy is not just a legal issue. Failure to respect people’s privacy or ensure security of their data can severely damage a company’s brand and influence consumer-buying decisions.
At about the same time as the GDPR was being passed, the international Financial Action Task Force and various other onshore regulatory bodies started to push for legislation requiring countries to set up public registers of companies’ “beneficial ownership”. In theory, such registers help to prevent money laundering and terrorist financing as they provide transparency and stop criminals from using companies — often in complex structures — to hide their criminal activity. The logic is that by forcing full disclosure of the ultimate beneficial owners, the resulting transparency will reduce corruption, money laundering and tax evasion. It was in this spirit that Bermuda amended the Companies Act 1981 and the partnership legislation in 2017 and 2018, respectively, to require legal entities to keep a beneficial ownership register. This amendment was in addition to the already existing requirement to provide the Bermuda Monetary Authority with full details of any individual who would directly or indirectly hold 10 per cent or more of the voting shares or interests of a Bermuda entity. In Bermuda, the beneficial ownership registers maintained by the registered office of such entities and the beneficial ownership information held by the BMA are not public at present. In recent years, Britain has been pushing for its Overseas Territories and Crown Dependencies to make such registers public to all.
Against this background, the EUCJ decision caused quite a stir. In summary, the justices held that “the general public’s access to information on beneficial ownership constitutes a serious interference with the fundamental rights to respect for private life and to the protection of personal data”. They further found that “the potential consequences for the data subjects resulting from possible abuse of their personal data are exacerbated by the fact that once those data have been made available to the general public, they can not only be freely consulted, but also retained and disseminated”. One can only shudder to think how Twitter and other online algorithms could be used to abuse such access. There was agreement that relevant authorities and those with a demonstrably legitimate interest should have access to such beneficial ownership information, but allowing full public access directly contradicted the principles behind the GDPR.
For British Overseas Territories and Crown Dependencies, there is now a question of whether they should reject or modify their previous undertakings to create public registers. The Bermuda Government, for example, gave such an undertaking in July 2020, but only on the basis that public access became a global standard. Since Brexit, EUCJ judgments are not binding on Britain, which means it could hold its Overseas Territories and Crown Dependencies to their undertakings. However, the data protection regulation recently adopted by Britain is very similar to the GDPR, so the principles and logic set out by the EUCJ should apply. In addition, the implementation of public registers has not been without challenge within Britain itself. Concerns have been raised about the accuracy of the British public register, as Companies House cannot verify the information and there appears to be no appetite to pursue prosecutions for submission of inaccurate filings. Because the British public register is arguably not achieving the desired objective, it would be hypocritical of Britain to push Bermuda to make our register public.
Two of the key principles underlying PIPA are that the personal information collected should be used in accordance with the rights of the individuals and should not be excessive in relation to the purpose or purposes for which it is used. As such, it is interesting to note that in the EUCJ decision, part of the reasoning was that the interference with the right to privacy was “neither limited to what is strictly necessary nor proportionate to the objective pursued” — i.e. prevention of money laundering.
It cannot be repeated enough that Bermuda is different from most jurisdictions in that the BMA has been a central repository of beneficial ownership information for the past 70 years. In Bermuda, separate from any requirements for client due diligence to satisfy anti-money-laundering requirements or to meet beneficial ownership register legislation, you cannot issue or transfer any voting shares or interests of a Bermuda entity without providing the BMA with information on any owner who directly or indirectly holds 10 per cent or more of the voting shares/interests in such entity. Our regulator already has all the beneficial owner information, which is not the case in Britain or any of the other jurisdictions pushing to make the beneficial ownership register public. The BMA keeps such personal information confidential, but it can use its powers to investigate and ensure compliance, as well as inspect and identify beneficial owners and their sources of wealth. Bermuda also has a number of agreements in place with onshore jurisdictions, which allow the BMA to share the beneficial ownership information with onshore regulators and law enforcement agencies in respect of legitimate investigations. (Such sharing also falls under the general exemption in PIPA.)
As such, the question is: do public registers provide transparency at the cost of privacy, arguably a fundamental human right? Is it possible to limit the abuse of using companies to hide the owners behind them and limit illegal activity while still preserving an individual’s privacy?
In this writer’s view, Bermuda already does this. The BMA, as the central repository of the necessary beneficial ownership information, can meet the legitimate needs to assist regulators and law enforcement to pursue criminal activity, money-laundering schemes and tax evasion. There is therefore no truly valid reason to have a public register here. Privacy should be protected.
This column originally appeared in The Royal Gazette on 30 January 2023.