Luxembourg: Legality Of The Use Of Information On Beneficial Owners Following CJEU's 22 November 2022 Judgment

The judgment of the Court of Justice of the European Union ("CJEU") in joined cases C-37/20 restricted the access to the register of beneficial owners (registre des beneficiaires effectifs, RBE). The ensuing consequences for the RBE pose, inter alia, the question of the access to the RBE by interested entities, as well as the legality of the use and reuse of the information on beneficial owners, as submitted to and available in the RBE by professionals.

The CJEU's judgment and its consequences

On 22 November 2022, CJEU acknowledged the invalidity of the provisions in Directive 2015/849, as amended by Directive 2018/843 (the anti-money-laundering directive) allowing the general public to access the information on the beneficial ownership of corporate and other legal entities, as contained in registers established by European Union (EU) members states, such as the RBE.

Following the CJEU's judgment, access to registers on beneficial owners provided for under the amended anti-money-laundering directive is in principle granted to (i) competent authorities and (ii) entities within the framework of their customer due diligence obligations (such as professionals).

Furthermore, as the CJEU's judgment only restricts access by the general public, it can be argued that Luxembourg based companies having filed information on their beneficial owners are not prohibited from consulting the RBE and obtaining excerpts in relation to such information.

In light of the foregoing, the main consequences for users of the RBE (other than competent authorities) under the Luxembourg law of 13 January 2019 establishing the RBE (the RBE Law) consequent to the adoption of the CJEU's judgment can be summarised as follows:

• Professionals may access the RBE only within the framework of their obligations set out under the law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (the AML Law). For instance, as per the Luxembourg Bar's circular n. 002 – 2022-2023 (the Bar Circular), lawyers may consult the RBE only within the framework of their professional anti-money laundering obligations (as referred to in art. 2 (1) point 12 of the law of 12 November 2004 on the AML Law) (AML Obligations);
• The access to the RBE's website by the general public was barred following the adoption of the CJEU's judgment, so that the general public can neither directly access the relevant information on beneficial owners, as filed with the RBE, nor request that the RBE issue an excerpt from the RBE regarding beneficial owners;
• Luxembourg companies having filed information on their beneficial owners, may be considered among the entities entitled to consult the RBE and obtain excerpts regarding their own beneficial ownership;
• Journalists may request access to the RBE on the basis of a convention with the Conseil de Presse; and
• Further legislation shall determine whether other actors, for instance persons capable of proving a legitimate interest, may access beneficial owner registers.

Access to the RBE by professionals and use of the information on beneficial owners

On 19 December 2022, the LBR published a circular on the new rules governing the access to the RBE and subsequently set up a mechanism to allow the access of professionals, such as credit institutions and professionals of the financial sector (PFS), accountants, notaries and lawyers, to the RBE.

In order to access to the RBE, professionals need to enter into an agreement with the LBR, a template of which is available on the LBR's website (the Model Agreement) and use one of the LuxTrust devices allowing their identification.

A crucial question however concerns the use of the information to which professionals may have access in the RBE. The CJEU's judgment and the Bar Circular seem to limit the use to what is strictly required under the professionals' customer due diligence obligations.

This aspect has been taken expressly into consideration in the Model Agreement. Interestingly, art. 6.1 thereof provides some guidance that appears to be less strict than the CJEU's judgment and the Bar Circular:

"[...] Consultations are tracked. LBR reserves the right to suspend access by blocking the customer's account if fraudulent or abusive use has been observed.

It is the client's [professional's] responsibility to inform LBR without delay, when he/she is no longer entitled to consult the RBE. LBR will immediately remove the client's access to the RBE.

The re-use of the information accessible on the RBE portal by users defined by the client must not be contrary to public policy and must be in accordance with the applicable legal provisions, in particular those relating to the protection of personal data.

In any case, the client is solely responsible for the re-use of documents and information made available by LBR within the framework of the legislation and regulations governing the RBE. LBR cannot be held responsible for any damage resulting from this re-use [...]".

The preliminary conclusions stemming from a reading of these provisions are therefore the following:

• Access by professionals to the RBE will be tracked by LBR (probably by means of a specific software), in principle, to detect any abusive or fraudulent use of the information available in the RBE by professionals
• The information accessible in the RBE can be re-used, provided that public policy and the applicable legal provisions, among which in particular the General Data Protection Regulation (GDPR) are strictly observed and
• Professionals are responsible for the use of the information included in the RBE and, consequently, for any violation of the rules mentioned above, particularly the GDPR.

Given the establishment of a tracking and controlling system, it may be useful for professionals to strengthen their know-your-client (KYC) internal practices. For instance, they could make sure they record (on log-like registers) all access made to the RBE, indicating at least the date, the companies for which information on beneficial owners is accessed and the relevant grounds for such inquiry.

Direct access to the RBE by companies

Notwithstanding the legislative gap, it appears compatible with the CJEU's judgment that companies incorporated in Luxembourg, having filed information on their beneficial owner(s) in conformity with the RBE Law, may consult the registers and obtain excerpts therefrom.

A new LBR procedure allowing entities to directly access the RBE to consult data on their own beneficial owners, was published by the LBR on 1 February 2023 appears to confirm this point of view. Luxembourg companies shall receive a code that is valid for three years to access the RBE (by means of a LuxTrust or eIDAS certificate). The access is strictly limited to consulting information on the company's own beneficial owners and ordering related excerpts.

As Luxembourg companies can only access information on their own beneficial owner(s), they are not be able to access information, or obtain excerpts, relating to beneficial owner(s) of third parties. This limitation is significant, as, prior to the CJEU's judgment, access to the RBE by the general public was expressly intended to allow, inter alios, companies to be informed on the identity of the beneficial owners of their potential contractual counterparts.

Non-Luxembourg companies (established in other member states of the European Union or in third countries) cannot access information on beneficial owners of Luxembourg companies on the RBE, even if they are part of the same group. Thus subsidiaries and parent companies may need to request RBE excerpts from their Luxembourg-based affiliate.

Indirect access to the RBE by companies

In practice, Luxembourg established companies often ask professionals (lawyers, accountants, professionals of the financial sectors, etc.) to obtain RBE excerpts on their behalf for their own compliance needs, or to satisfy requests of professionals located in third countries (lawyers, advisors, notaries), having to comply with AML Obligations similar to those applicable in the EU.

Accordingly, while under the legislation currently in force professionals are only entitled to access the RBE within the limits of compliance with their AML Obligations, they will in the future most probably receive requests to obtain information contained in the RBE and RBE excerpts for clients which are not professionals with access to the RBE.

The wording in the Model Agreement seems to expressly allow the professionals' sharing of information stored in the RBE and excerpts, insofar as such re-use is not contrary to public policy and is in accordance with the applicable legal provisions, in particular relating to the protection of personal data.

Thus our conclusion is that professionals may continue to obtain extracts from the RBE for their clients but only to the extent allowed under the applicable LBR procedures (i.e. at present only extracts regarding the beneficial owners of the clients).

Considering the interpretation of the CJEU's judgment and the absence, for the time being, of a legislation clarifying the extent to which the information filed with the RBE may be re-used, we recommend that professionals observe certain best practices:

• Making sure that any such access on a company's own beneficial ownership is requested by a director or an employee of the relevant Luxembourg based company (rather than from legal departments of global groups situated in third states, as it is often the case in practice)
• Storing all the communication relating to such request as part of the documentation relating to the KYC compliance by the company (in a log-like document as previously indicated) and
• Observing all applicable regulations, in particular the GDPR.

Compliance with the GDPR

Any collection, storage and sharing of information contained in the RBE must fully meet the requirements in the GDPR. As such, if professionals provide a company with an excerpt displaying the data on beneficial owners of such company, this action would imply the processing of personal data on behalf of the company. Consequently, the company so mandating the professional should obtain the beneficial owner's consent in advance.

In conformity with the provisions of the GDPR, such company, as data controller, would remain responsible for the treatment of the personal data of the data subject. The basic GDPR principles applicable to the processing of personal data would apply accordingly.

Furthermore, the provisions on the transfer of personal data to a third country would apply in case of transfer to and processing of data in non-EU member countries. However, in view of facilitating the processing of data within groups of companies, the GDPR contains certain exceptions to such transfer of data to group companies situated in non-EU countries.

Under such exceptions transfers to non-EU countries may, in particular, be carried out where adequacy decisions in relation to particular countries have been adopted by the Commission, where appropriate binding corporate rules are put in place by the group and where express consent is provided by the data subject.

The way forward

It has yet to be clarified by the lawmakers which persons besides the persons listed above should be granted access to the registers of beneficial owners without breaching any fundamental rights following the CJEU judgement . The procedures established by the LBR to allow certain persons (journalists and Luxembourg established companies as regards the information regarding their own beneficial owners) to access the RBE are based on an interpretation of the CJEU's judgment, which needs to be confirmed by the EU and national lawmakers.

Luxembourg's Ministry of Justice recently confirmed that a new law is in the process of being drafted with regard to these questions. It is as yet unclear to what extent, under the new law, persons other than those presently having a right of access may also be granted rights. This concerns, in particular, Luxembourg and non-Luxembourg companies that are part of the same group.

From this standpoint, it is possible that Luxembourg legislative authorities will require the proof of the existence of a legitimate interest as a condition of access to the RBE. The adoption of this concept to identify persons with a right of access would pose some difficulties with respect to its practical implementation. The RBE would probably face an important number of demands of access and require further experienced staff.

Nonetheless, the use of the concept of legitimate interest as a boundary line between those having and not having a right of access is certainly appealing from a legal point of view. This concept was used in the original anti-money-laundering directive prior to the 2018 reform extending access to the beneficial owner registers to the general public.

The CJEU's judgment itself expressly recognises that this concept respects the balance between the need for the fight against money laundering and terrorism financing, on the one hand, and the protection of fundamental rights, on the other. In light of this, it is not impossible that the EU lawmaker itself decides to reform the directive by re-introducing this concept for the purposes of the granting of access to the registers of beneficial owners.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.