Beneficial ownership transparency and data protection in South Africa

  • Publication date: 31 December 2022
  • Author: Amanda Manyame

Beneficial ownership transparency and public interest

As mentioned above, BOT is used to combat financial crimes and aid in the improvement of financial transparency. Its overall purpose is for the public good, and it aims to ensure better public oversight and scrutiny, and to give companies, civil society actors, and foreign authorities more efficient, reliable access to information about the individuals who ultimately own and control companies. [48] However, when considering the protection of the right to privacy in terms of POPIA, the question remains as to whether and in what circumstances BO data — and which specific data fields – should be made publicly available.

It is trite law that when rights or interests are in conflict with each other — in this instance, the right to privacy and the measures used to combat financial crimes — the proportionality test, as established in international law, [49] is applied. In South Africa, Section 36 of the Constitution [50] provides for the limitation of the right in the Bill of Rights when the limitation is “reasonable and justifiable in an open and democratic society based on human dignity, equality, and freedom”. In terms of the Constitution, consideration should be given to, amongst other things, the nature of the right; the importance of the purpose of the limitation; the nature and extent of the limitation; the relation between the limitation and its purpose; and whether there are less restrictive means to achieving the envisaged purpose. [51] Whilst there are not yet any indications with which a correctly drafted provision on BOT would be in conflict, or even any that would stand as a justifiable infringement of the right to privacy, if a court challenge was to be brought, and should BOT provisions be deemed to infringe upon the right to privacy, a court would balance the two interests. This would be done by taking into consideration the purpose of BOT within the South African and international context. It would also consider the harm of restricting the right to privacy over BOT and vice versa, asking which would cause greater harm. This may also be assessed on a case-by-case basis depending on the circumstances of each case. Considerations from other jurisdictions suggest that a court could rule that publicly accessible BO data does not violate the right to privacy if it meets objectives of public interest, and this is proportionate to the infringement on those rights. Proportionality could be achieved in part through mitigating the risks of public access, such as through a protection regime that would allow people to make applications to have their information withheld from publication if they face increased risks of personal harm as a result of certain information being made public, as other jurisdictions have done. [52]

Box 1. Public access to beneficial ownership information and privacy in the European Union [b]

On 22 November 2022 the Court of Justice of the European Union ruled that the provision of the 5th European Union (EU) Anti-Money Laundering Directive (AMLD5) whereby the information on the beneficial ownership of companies incorporated within the territory of the Member States is accessible in all cases to any member of the general public is invalid. AMLD5 amended the access provisions in AMLD4, under which the general public could only access BO information if they could demonstrate a legitimate interest, which many deemed too restrictive for many actors outside government to use the information to help prevent money laundering and terrorist financing.

The judgement is specific to the EU context and points to the fact the legal approach taken in AMLD5 does not appropriately balance privacy and public access. It states that the Directive does not demonstrate sufficiently that public access is strictly necessary to prevent money laundering and terrorist financing. The judgement does not say that public access is never justified, but the ruling underscores the importance of appropriately balancing privacy concerns with the public interest benefits arising from public access to beneficial ownership information.

Following the ruling, some member states have suspended public access to their registers (e.g. the Netherlands). Other member states have maintained public access to their registers, in particular those where the rationale for this access is broader than the objective of preventing money laundering and terrorist financing, such as improving the business environment or providing oversight and accountability of companies receiving public contracts (e.g. Slovakia).

Section 3(2) of POPIA provides for the application of the provisions of POPIA; Section 11(2)(c) permits the processing of personal information, which is in line with legal obligations; and Sections 37 and 38 contain exemptions for certain functions, such as those related to combating financial misconduct. Therefore, in balancing BOT and the right to privacy, in many countries, it is accepted that BOT is in the public interest and justifiable. There are, however, legitimate concerns regarding the personal safety of individuals, particularly when personal information such as identity document (ID) numbers or residential addresses are shared between government departments or made publicly available. It is also concerning when special personal information, such as that of children and gender data, is made publicly available or published.

Personal information on minors as part of beneficial ownership disclosure

In many jurisdictions, data that conveys sensitive personal information or information about minors is accorded additional protections under the law. Jurisdictions have taken different approaches to whether beneficial ownership can be held by minors. In South Africa, a person under the age of seven years does not have the capacity to enter into a legal contract, meaning, they would not, on the face of it, be able to be a beneficial owner. However, all minors should have parental or guardian approval in order to enter legal contracts, [53] meaning that in these circumstances, arguably, a child between the ages of 7-17 could be a beneficial owner, but the parents or legal guardian are ultimately exercising control until the minor reaches the age of majority.

Box 2. Treatment of minors in beneficial ownership disclosure

In the United States, proposed legislation “provides a special rule for reporting the information of a parent or guardian in lieu of information about a minor child”, including a requirement to declare “that such information relates to the parent or legal guardian”. [54] In AMLD4, cases “where the beneficial owner is a minor or otherwise incapable” are treated along with cases where the beneficial owner is exposed “to the risk of fraud, kidnapping, blackmail, violence or intimidation” as grounds for exemption under a protection regime, allowing member states to “provide for an exemption from [access by parties beyond specific authorities] to all or part of the information on the beneficial ownership on a case-by-case basis”. [55] The risk with the EU approach could be that placing the ownership in the name of a child may become an attractive avenue to shield information from the public, although the authorities would still have access to this data.

The South African Information Regulator issued the Guidance Note on Processing of Personal Information of Children [56] (under the age of 18) to guide responsible parties who are required to obtain authorisation from the Information Regulator to process personal information of children, as provided for in Section 35(2) of POPIA. The guidance note makes clear that a responsible party may obtain authorisation to process the personal information of children in terms of Section 35(2) when such processing is in the public interest. POPIA does not define what constitutes public interest in relation to the processing of personal information of children, but it states that public interest is wide in its scope and application, and it generally refers to an action, process, or outcome that would benefit the public at large, in the spirit of equality and justice. [57]

Furthermore, appropriate safeguards need to be put in place to protect the personal information of the child in question. To secure the integrity and confidentiality of personal information, the responsible party would need to take appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information and unlawful access to or processing of personal information. The guidance note provides guidance on what would constitute appropriate safeguards, and that the responsible party should:

  • identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
  • establish and maintain appropriate safeguards against the risks identified;
  • regularly verify that the safeguards are effectively implemented; and
  • ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

When considering the publication of BO information and BO registers, it is imperative that the guidance on the processing of personal information of children is considered and the appropriate authorisation is obtained from the Information Regulator. The Information Regulator may impose reasonable conditions in respect of any authorisation granted, which will be decided on a case-by-case basis. [58] This would ensure that the interests of children are protected and financial transparency is achieved in the public interest.

Gender information in beneficial ownership data

“Gender data” has been defined by the Information Regulator as data disaggregated by sex as well as data that affects women and girls exclusively or primarily. [59] Information about a person’s sex is relevant to their right to privacy and constitutes personal information as defined in Section 1 of POPIA. Notwithstanding, gender data, particularly as it refers to women, the LGBTQI+ community, and other marginalised communities requires extra consideration and protection because of the intersectional inequalities and challenges that these groups face.

It would therefore be prudent to adopt a cautious approach in the development of BOT policies. There is usually no reason to collect or publish gender data explicitly, although it is implicitly collected through titles, gendered names, passport scans, etc. [60] However, in South Africa, as a result of the Broad-Based Black Economic Empowerment Act, 2003 (B-BBEE Act), businesses need to be certified as being beneficially women-owned in order to qualify for preferential procurement contracts. The B-BBEE Act is a legislative framework for the promotion of Black economic empowerment in an attempt to redress the economic disfranchisement that people of colour experienced during Apartheid as a result of their race. In consideration of intersectionality, the B-BBEE Act tries to empower women of colour and increase the extent to which they own and manage corporate entities. [61] According to the scoring criteria applied in the B-BBEE Act, information regarding a beneficial owner needs to be collected. The information is currently collected by private verification agencies, [62] but given the vulnerability to fraud and the lack of complete certification documentation, there may be grounds for collecting gender data as part of BOT as a reference dataset for B-BBEE verification. However, the impact and effects of publication or access to this information for BOT purposes would need to be considered.

The processing conditions contained in POPIA should be applied. In addition, considerations should be made to risk mitigation measures, such as anonymising or pseudonymising data, and limiting access to sex data to clearly specified, legitimate purposes.

Further, specific attention can also be paid to the Information Regulator’s Guidance Note on Processing Special Personal Information, [63] the purpose of which is to provide guidance to responsible parties that are required to obtain authorisation from the Regulator to process special personal information in terms of Section 27(2) of POPIA. The guidance note provides that public interest is a broad concept that should not be limited in scope and application, and should be determined on a case-by-case basis. It further provides that the responsible party should adopt appropriate security safeguards, including identifying and continually updating all reasonably foreseeable internal and external risks to personal information in its possession or under its control.


[b] To read the ruling, see: “Judgment of the Court (Grand Chamber) In Joined Cases C-37/20 and C-601/20”, CURIA, 22 November 2022, For more information on the court’s ruling and its implications for BO register access in the EU, see: “Statement on Court of Justice of the European Union (CJEU) judgement on public beneficial ownership registers in the EU”, Open Ownership, 28 November 2022,


[48] Data protection and privacy in beneficial ownership disclosure, The B Team, The Engine Room, and Open Ownership, 20 May 2019,

[49] Article 19 of the International Covenant on Civil and Political Rights.

[50] Section 36 of the Constitution of the Republic of South Africa, 1996.

[51] Section 36(1) of the Constitution of the Republic of South Africa, 1996.

[52] For example, the United Kingdom (see: “Guidance: Applying to protect your personal information on the Companies House register”, Companies House, 16 September 2020,; the Canadian province of British Columbia (see: "Land Owner Transparency Act [SBC 2019] Chapter 23", King's Printer,; and the European Union (see: “Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2018 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC", Official Journal of the European Union, Article 30,

[53] R. H. Christie, The Law of Contract in South Africa, Fifth Edition (Durban: LexisNexis Butterworths, 2006).

[54] “Beneficial Ownership Information Reporting Requirements”, Federal Register: The Daily Journal of the United States Government, 8 December 2021,

[55] “Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2018 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC”, Official Journal of the European Union, Article 30,

[56] “Guidance Note on Processing of Personal Information of Children”, Information Regulator South Africa, n.d.,

[57] Ibid.

[58] Ibid.

[59] Gender Data: Sources, gaps, and measurement opportunities, Global Partnership for Sustainable Development Data, March 2017,

[60] Lubumbe Van de Velde, Gender and beneficial ownership transparency, Open Ownership, 28 April 2022,

[61] Section 2(d) of the BBBEE Act, 2003,

[62] Major B-BBEE Transactions Analysis Report: 2018/2019, B-BBEE Commission, March 2020,; Simone Liedtke, “Fronting still a major issue in delivering on economic transformation, says commission”, Engineering News, 22 October 2020,

[63] “Guidance Note on Processing of Special Personal Information”, Information Regulator South Africa, June 2021,

Next page: Considerations for policy and practice