Data protection and privacy in beneficial ownership disclosure

  • Publication date: 20 May 2019
  • Authors: The B Team, The Engine Room, Open Ownership

II. Is Beneficial Ownership Disclosure in Public Registers Lawful?

  • Individual privacy is a fundamental right that must be taken seriously. It protects important values such as autonomy, dignity and security.
  • When companies disclose information about their beneficial owners, it may have implications under laws that aim to protect privacy – including data protection legislation.
  • Various models worldwide demonstrate that the disclosure of beneficial ownership can readily be accommodated alongside data protection and other relevant obligations.
  • Companies disclosing information regarding beneficial owners residing overseas are not likely to face legal liabilities under the law of those overseas states and will only be required to comply with their domestic legal standards. The fact of global reach ought not to prevent companies from providing beneficial ownership disclosure either under a domestic legal obligation or, if the circumstances allow, on a voluntary basis.

What are the international standards and principles of privacy and data protection law?

The right to privacy is enshrined in a number of international human rights instruments, including the Universal Declaration of Human Rights, [6] as well as in the constitutions of more than 100 countries worldwide. The right to privacy requires that all individuals should be free from arbitrary or unlawful interference with their privacy, home, correspondence and family, and from attacks upon their reputation.

Privacy is closely related to concepts of autonomy and human dignity. It empowers individuals to make decisions free from the influence or interference of public or private actors. Protecting privacy is not necessarily about secrecy or anonymity, but rather about giving individuals control over their lives and decisions. As a result, any policy initiatives which have potential impacts on privacy rights demand careful legal consideration.

The right to privacy typically protects:

  • the confidentiality of letters, phone calls, emails, text messages and internet browsing
  • the sanctity of the home
  • the ability of individuals to make decisions about their lives, including their sexual and reproductive choices
  • individuals’ control of their personal data

Critically, and especially in the digital age, the right to privacy increasingly includes the right to the protection of personal data and associated obligations if an individual’s private information is ‘processed’ by another entity. Processing can include any act of collecting, using, analyzing, storing and – importantly for the purposes of this paper – publishing an individual’s personal data.

It is important to clarify that the privacy rights at issue when considering the disclosure of beneficial ownership are those of the beneficial owners, not the companies. That avoids the difficult question as to whether, as a matter of law, companies have privacy rights, something which is a matter of considerable academic debate. [7] Courts have reached different conclusions on the issue. Courts in the US, UK, and Australia have considered whether companies have rights under specific domestic privacy statutes, but none have directly ruled on whether privacy as a constitutional or human right extends to companies. Such an extension was doubted, however, by both the Australian High Court [8] and the Court of Appeal of England and Wales. [9] The High Court of Ireland, on the other hand, has allowed a company to advance arguments on the right to privacy, [10] and the European Court of Human Rights has held that Article 8 does apply to companies, at least in limited circumstances, such as respect for a company’s registered offices. [11] That said, the people behind companies – the beneficial owners – have privacy rights themselves, and they do not lose those rights because of their commercial interests.

Key concepts: Privacy

Privacy is not an absolute right: it can be limited or restricted under certain circumstances. The basic idea in human rights law is that a law or policy that interferes with a fundamental human right must be justified. To be justified, it must be in accordance with the law, necessary to achieve a legitimate aim, and proportionate to that aim.

To strike this balance, a field of regulation has emerged, known as data protection law.

In the digital age, when considerable personal information is gathered, processed and held externally by new technology, there is a growing consensus about the need for enhanced data protection of individuals. Data protection laws give effect to the government’s obligation to respect the privacy rights of individuals, ensuring that there are proper restrictions on how personal data is used and secured. Data protection laws exist in a large majority of countries around the world and are becoming progressively more comprehensive every year. [12]

Generally speaking, these laws seek to balance two things:

  1. the interests of individuals in controlling access to, and use of, their personal data (identity details, information on financial and online behavior, etc.) and
  2. legitimate interests in the use of that data to fulfil various functions, such as customer service, research, marketing or regulatory compliance – especially where the individual in question provides consent or legal obligations require data recording.

Data protection legislation will typically apply to all public and private entities that process data. [13] Processing data can include any act of collecting, using, analyzing, storing and – importantly – publishing an individual’s personal data.

Private entities such as companies do not owe human rights or constitutional obligations to individuals. However, they do owe individuals obligations under data protection laws that reflect (in substance) the privacy rights of those individuals. The treatment of personal data – including the identity details of beneficial owners (namely, their names and ages) – therefore entails legal obligations for the private companies that collect, hold, and pass on that data. This is the case even though the source of those obligations is in domestic legislation that differs from the privacy obligations of governments establishing beneficial ownership disclosure regimes. It is government’s work to protect the privacy rights of individuals, but both governments and businesses that collect, hold and pass on data on beneficial ownership need to follow data protection laws.

Key principles: Data protection

There is a considerable degree of convergence between various regimes (both mandatory and advisory) regarding data protection internationally. Beginning with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980 (‘OECD Guidelines’), [14] there has been widespread international agreement that effective protection of personal data requires compliance with a series of basic principles.

The principles set out in the OECD Guidelines include:

  • that collection of data be limited; [15]
  • that any collection be for a specific purpose; [16]
  • that onward use of data collected requires either the consent of the subject or legal authority; [17]
  • and that individuals should have the right to obtain the personal data others hold on them and, with respect to errors or data which is held unlawfully, require amendment, rectification, or erasure. [18]

Shortly after the development of the OECD Guidelines, the Council of Europe adopted the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (‘Convention 108’). [19] Convention 108, Article 5 provides that ‘personal data undergoing automatic processing shall be: (a) obtained and processed fairly and lawfully; (b) stored for specified and legitimate purposes and not used in a way incompatible with those purposes; (c) adequate, relevant and not excessive in relation to the purposes for which they are stored; (d) accurate and, where necessary, kept up to date; (e) preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.’

These key principles have been reiterated in a range of international instruments, including the Organization of American States Principles on Privacy and Personal Data Protection (‘OAS Principles’) [20] and the Economic Community of West African States (‘ECOWAS’) Supplementary Act on Personal Data Protection. [21]

The most recent significant international development regarding data protection is the EU’s General Data Protection Regulation (GDPR), [22] which came into force in May 2018. Largely in line with the principles found elsewhere, the GDPR sets out mandatory requirements for the processing of personal data within the EU, including that personal data must be:

'a) processed lawfully, fairly and in a transparent manner in relation to the data subject;

b) collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes …

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date…' [23]

With respect to the requirement that data be processed ‘lawfully,’ the GDPR clarifies that processing may be lawful for a variety of reasons, including that the subject of the data has provided consent, [24] that the processing is necessary for the performance of a contract to which the subject is a party, [25] or the processing is necessary for compliance with a legal obligation. [26] The GDPR applies to all EU entities irrespective of whether they are processing data in the EU. [27] It also has a limited extraterritorial extent, applying to entities all over the world processing the data of subjects in the EU where the processing relates to (a) the offering of goods and services to data subjects in the EU, irrespective of whether a payment is required, or (b) the monitoring of the subjects’ behavior within the EU (by, for instance, the use of website cookies tracking EU customer behavior). [28]

It is important to note that the United States is a significant exception to the broad international convergence regarding data protection. US Federal and State data protection legislation does not uniformly reflect the principle that data must only be processed by private entities with a legal basis, or the principles of transparency and proportionality in data processing, although a range of individual statutes do contain particular requirements for data security. As for individual rights of access, individuals are entitled to receive copies of the information credit reference companies and health insurers hold, under particular legislative provisions such as the Fair Credit Reporting Act and the Health Insurance Portability and Accountability Act. However, the US has no uniform and broadly applicable set of data access, rectification, and erasure rights, as exist across much of the world.

How does data protection regulation interact with beneficial ownership registers?

Jurisdictions worldwide take different approaches to balancing data protection and the disclosure of beneficial ownership, and may be categorized as:

  • Jurisdictions in which both data protection and the disclosure of beneficial ownership are statutory obligations;
  • Jurisdictions in which data protection is a statutory obligation, but there is no obligation to disclose beneficial ownership information, such that disclosure of beneficial ownership information only occurs on a voluntary basis; and
  • Jurisdictions in which neither data protection nor disclosure of beneficial ownership information have any statutory basis.

Jurisdictions with both data protection and beneficial ownership disclosure obligations

Data protection laws invariably only allow the processing of data where the party processing that data has a proper legal basis for doing so. Three legal bases, present in all the major data protection regimes, are potentially relevant to the collection and disclosure of beneficial ownership information, namely: the consent of the person concerned; necessity for the performance of a contract; and lawful authority.

  • First, with respect to consent, data protection regimes specify that such consent needs to be free and informed. Article 4(11) of the GDPR defines consent as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’ The OECD Principles, Convention 108, the OAS Principles, and the ECOWAS Supplementary Act all refer to the consent of the data subject as providing a lawful basis for the processing of personal data.
  • Second, data protection law typically recognizes that contractual agreements to which the relevant data subject is party may form a lawful basis for the processing of personal data. This is the case, for instance, if the processing of data is a condition of a contract between the data subject and a company processing data, or if it is necessary for the company to process the data to perform its contractual obligations to the subject.
  • Third, data processing may be lawful, even in the absence of the subject’s consent or agreement via contract, if the company making the disclosure is specifically required to do so under a legal obligation. For EU Member States, Article 6(3) of the GDPR provides that the legal obligation must be laid down in either domestic or EU law. However, recital 41 of the GDPR notes that the obligation does not need to be explicitly set out in statute, so long as the application of the rule is foreseeable for individuals whose data is subject to disclosure. There will be arguments at the margins regarding the foreseeability of certain common law obligations concerning the disclosure of beneficial ownership. But no such complication arises in the countries (led by the UK, and to be followed by all EU Member States as they implement the Fifth Anti-Money Laundering Directive) where legislation expressly provides for the compulsory registration of information on beneficial owners.

Accordingly, for jurisdictions in which both data protection and the disclosure of beneficial ownership information are statutory obligations, compliance with the obligation of disclosure is consistent with data protection law, as it falls within the ‘lawful authority’ exception.

Once that lawful basis is satisfied, the relevant remaining issues to consider typically include: whether the information disclosed through beneficial ownership registration is limited to that which is relevant and necessary for the lawful purpose; and whether individual data subjects have recourse to access, challenge, and request amendments to, or erasure of, inaccurate or irrelevant information. With respect to the right of erasure, EU jurisdictions go further: reflecting the CJEU’s decision in the seminal Google Spain ‘right to be forgotten’ case, [29] data controllers faced with a request for erasure are, under the GDPR, required to take steps to erase not only the collated data itself, but also online links to, or copies of, the data.

Statutory disclosure regimes, such as the UK public register and the public registers due to be implemented across the EU by January 2020, incorporate design features that are compatible with these principles. First, the information required for registration is set out in statute, with the result that the information provided does not go beyond the scope of the lawful purpose. Second, each regime incorporates administrative means to access data and correct minor errors and allows recourse to the courts to raise more substantive challenges. Typically, however, statutory regimes requiring the collection and provision of beneficial ownership data for registers will impose restrictions on the ability of data subjects to demand erasure or a right to be forgotten. Company information is typically retained for a minimum period: the UK, for instance, is currently reviewing its retention period for company information (currently 6 years of free availability, but up to 20 years with the payment of a fee). The reasons for retention of company information are persuasive, since issues arising from questionable company practices may take a long time to emerge, meaning that research into historic information is required. Indeed, as the Court of Justice of the European Union noted in the Salvatore Manni case, ‘questions requiring [company] data may arise many years after a company has ceased to exist.’ [30]

Jurisdictions with data protection obligations but no beneficial ownership disclosure

Even where no statutory obligation exists for companies to disclose their beneficial ownership information, those companies remain entitled to do so on a voluntary basis if the consent of all beneficial owners has been obtained for their information to be disclosed, or those owners are contractually obliged to provide that information.

As already discussed, under data protection laws, consent of the data subject or contractual obligation are invariable exceptions to the prohibition on the processing of personal data. It may be challenging for companies to obtain consent, and to trust its authenticity, in jurisdictions where there is no formal relationship between a company and its beneficial owners. Some jurisdictions mandate company-level registers of beneficial owners to deal with this, but in other cases companies will have to go through legal owners to get information on beneficial ownership and to get consent to share this information. Contractual obligation is less frequently encountered, but could be satisfied where, for instance, a company stipulates that when new company shares are sold the purchasers agree to provide beneficial ownership information to the company for the purposes of onward disclosure.

Companies voluntarily disclosing beneficial ownership information on the basis of the subject’s consent or contractual obligation must take care not to disclose more information than is necessary to fulfil the legitimate purpose of identifying owners. Residential addresses, for instance, may provide personal information identifying not only beneficial owners, but also their family members, and should not be publicly released. Accordingly, when designing policies for voluntary disclosure of beneficial ownership, companies must ensure that such disclosure is targeted and proportionate. But there is no obstacle in principle to a workable voluntary disclosure system in jurisdictions with data protection obligations but no beneficial ownership disclosure law.

Jurisdictions with neither data protection nor beneficial ownership laws

Where a jurisdiction imposes no statutory obligations of data protection or disclosure of beneficial ownership, companies are entitled to disclose information held by them, provided that doing so does not violate protections for personal information grounded in the general law (rather than in data protection legislation).

While privacy rights may enjoy constitutional protection, which will restrict the types of legislation the government can enact, the key restriction on data collection and disclosure by the private company itself would be the risk of liability for breach of confidence. Breach of confidence arises where a party entrusted with confidential information, in circumstances where to disclose that information would be unfair, nonetheless releases the information. Again, the consent or contractual agreement of the beneficial owner themselves would mean that disclosure of that information was not unfair, preventing a breach of confidence. As already discussed, the information disclosed would need to be targeted and proportionate so as to avoid inadvertent publication of information about persons other than the beneficial owner, such as their family.

Case studies

Below, we analyze the relationship between data protection laws and beneficial ownership laws or policies in five countries: the United Kingdom, France, Ghana, Brazil, and Singapore.

This selection of countries provides a cross-section of jurisdictions that have both relatively robust data protection legislation as well as beneficial ownership disclosure obligations. Across the five countries, we find examples of mandatory beneficial ownership schemes (the UK, France, Brazil and Singapore) and voluntary ones (Ghana, at least until 2020); schemes that involve public registers (the UK and Ghana) and closed registers (France, Brazil and Singapore); and schemes which involve central registers (the UK, France, Ghana and Brazil) and decentralized registers (Singapore). The case studies demonstrate the various models worldwide for reconciling data protection and beneficial ownership responsibilities.

United Kingdom

The United Kingdom provides a particularly good insight into the relationship between regimes of beneficial ownership information disclosure and data protection, given that in 2016 the UK was ahead of its G8 and EU peers in implementing mandatory disclosure of beneficial ownership information on UK registered companies.

The mandatory beneficial ownership disclosure obligation was introduced in the UK as part of the Small Business, Enterprise and Employment Act 2015, modifying the Companies Act 2006. [31] The Act established the Persons with Significant Control (‘PSC’) register, to which UK-registered companies and LLPs are obliged to disclose the identifying details of any person who comes within the relevant definition. That definition includes all persons who hold, directly or indirectly, more than 25% of the shares or voting rights in the company. [32] The information required under section 790K of the Companies Act 2006 includes the person’s name, address for service, country of usual residence, nationality, date of birth, usual residential address, and nature of their control over the company, [33] but the information actually published on the PSC register is less extensive: birthdates are not full, and the size of shareholdings is not precisely specified.

Certain publicly-listed companies are exempted from the requirement to provide information for the PSC register if they fall into two categories: companies traded on the London Stock Exchange main market; or companies traded on a regulated market in the European Economic Area or specified international markets with equivalent regulatory frameworks (including major markets in the US, Japan, Switzerland, and Israel). [34] The rationale for those exceptions is that companies traded publicly on those markets are already required, by market rules, to provide detailed information and reporting on their ownership structures.

With respect to data protection, the UK is subject to the GDPR and has also enacted the Data Protection Act 2018, which provides ancillary rules regarding the exemptions which apply to requests for access to personal data; rules for specific categories such as processing for research, public health, journalism, and fraud prevention; and new data protection offences and regulatory sanctions.

In the UK, then, compliance with the beneficial ownership disclosure obligations of the PSC register is entirely consistent with data protection. The explicit statutory basis for the disclosure regime satisfies the GDPR criterion of a lawful basis for processing. Where companies provide the specific list of information set out in section 790K of the Companies Act 2006, they can be sure that in doing so they have provided only the information which is relevant and necessary to their statutory obligation. In line with data protection rights, the PSC register can be accessed and minor changes can be requested and effected via administrative processes, while more substantial matters will be determined in Court.

Finally, while publicly-listed companies are exempted from the obligation to disclose information for the PSC register, it is worth noting that such companies are required to provide a considerable amount of information on governance and ownership to the market as part of the processes of listing and periodic reporting.

France

The French regimes for data protection and disclosure of beneficial ownership information derive from and mirror EU law. Following the passage of the Fourth Anti-Money Laundering Directive, France adopted Ordinance no. 2016-1635 of 1 December 2016 reinforcing the French rules against money laundering and terrorist financing, and Decree no. 2017-1094 of 12 June 2017, which require most companies operating in France to register information regarding their beneficial ownership with the Registry of Commerce and Companies of the Commercial Court in the relevant region. Subsequent amendments to the Code Monétaire et Financier have given the changes a clear statutory footing.

The threshold for a registrable beneficial ownership stake is any natural person who either holds, directly or indirectly, more than 25% of the share capital or voting rights of the company, or who exercises, by any other means, a power of control over the management, administration, or executive bodies of the corporation or the general meeting of its shareholders. [35] Amendments to the Code Monétaire et Financier provide that, for new companies, the information on beneficial ownership must be filed together with first registration documents, [36] while existing companies were required to provide current information by 1 April 2018, and are under a duty to provide any updates within 30 days of the relevant change in beneficial ownership. [37]

The information which must be provided includes the name (including pseudonym, if any), date and place of birth, nationality, and personal address, and the date on which the relevant person became the beneficial owner of the reporting corporation.

Unlike the UK PSC register, the French register of beneficial ownership is not freely accessible by the public: automatic access is limited to judicial authorities and certain public authorities (including tax and customs authorities, and market regulators). [38] Public access is available where a person can establish before a court that they have a legitimate interest in access to the information, and obtain a court order to do so. That limited access regime will need to be expanded by January 2020 when the deadline for full implementation of the Fifth Anti-Money Laundering Directive expires, but there are no current plans for legislative amendments giving effect to that expansion in the near future.

Public registers have a difficult history in France, with a public register of trust beneficiaries having been struck down as unconstitutional by the Supreme Court (Conseil Constitutionnel) in 2016. That decision focused, however, on the fact that public disclosure of the beneficiaries of family trusts breached the privacy rights of persons making wills and seeking to dispose of their assets as they saw fit. The situation of companies is markedly different: the company itself does not have a family life deserving of privacy, and by extension the companies’ owners have no ‘family’ connection with each other, meaning that the arguments raised against the register of trusts are less likely to succeed.

In France, the GDPR has been in force since May 2018 and governs data protection subject to the exemptions already discussed. In addition to the GDPR, in May 2018 France enacted additional domestic legislation that provides for additional conditions on the processing of data. [39] The most significant departure from the GDPR regime relevant to beneficial ownership disclosure is the general extraterritorial extension of the obligation to protect the data of French residents beyond the limited extraterritorial reach of the GDPR.

While the GDPR applies to overseas entities which process EU residents’ data as part of offering goods or services to EU residents or monitoring EU residents’ behavior (including online behavior), the French legislation is not limited to the contexts of sale of goods and services and monitoring, and applies generally to overseas entities processing French residents’ data [40] with the exception of processing carried out for journalistic, academic, literary, or artistic purposes. [41] This law raises the prospect of a company operating entirely outside France being held liable for its processing of data under French law (if a relevant beneficial owner is a French resident). Companies dealing with the personal information of French residents will need to consider their potential exposure carefully. Given that the relevant substantive protections for French residents are those for which the GDPR provides, so long as the company ensures that it acts pursuant to consent, contractual authority, or statutory obligation, it can be confident of complying with its French law obligations.

Ghana

In Ghana, data protection legislation imposes certain restrictions upon the capacity of companies to provide public disclosure as to their beneficial ownership. The Data Protection Act 2012 stipulates that any entity which possesses personal data must ensure that such data is processed in a lawful and reasonable manner, and without infringing the privacy rights of the individual to whom the data relates. [42]

All entities processing data are obliged to ‘take into account the privacy of the individual’ by applying a series of principles including the lawfulness of processing, the specification of purpose, and handling the data in a secure fashion. [43] The ‘lawfulness of processing’ in turn depends upon either the consent of the subject or, in the absence of consent, a limited range of circumstances where the processing is:

'a) necessary for the purpose of a contract to which the data subject is a party;

b) authorised or required by law;

c) to protect a legitimate interest of the data subject;

d) necessary for the proper performance of a statutory duty; or

e) necessary to pursue the legitimate interest of the data controller or a third party to whom the data is supplied.' [44]

In all circumstances, the processing of personal data is subject to what the Data Protection Act 2012 calls the principle of ‘minimality’: namely that personal data ‘may only be processed if the purpose for which it is to be processed is necessary, relevant, and not excessive.’ [45]

Individuals have rights to seek access to their data, [46] and to seek amendments or deletions of data which is inaccurate, excessive, or out of date. [47] The Act also established a Data Protection Commission, to which individuals can bring complaints regarding breaches of the Act by entities which hold and process their personal data unlawfully. Those domestic provisions are largely in line with the ECOWAS Supplementary Act on Personal Data Protection, to which Ghana is subject.

In line with domestic and regional data protection rules, then, companies registered in Ghana would be entitled to disclose the names and other identifying personal data of their beneficial owners, so long as the companies had the consent of those persons and complied at all times with the principle of ‘minimality’ by ensuring that the disclosure went no further than what is necessary, relevant, and not excessive bearing in mind the purpose of transparency as to ownership. Straightforward policies to avoid unlawful disclosure would include companies ensuring that they amend the information made available whenever the beneficial ownership of the company changes so that personal data which is no longer necessary or relevant is no longer shared.

While consensual disclosure is available, the main impetus for disclosure of beneficial ownership data on Ghanaian companies will be the pending introduction of a central register of beneficial ownership mandated by statute. At the UK Prime Minister’s Summit on Tackling Corruption in May 2016, then-President John Dramani Mahama committed Ghana to ‘preventing the misuse of companies and legal arrangements to hide the proceeds of corruption’ by using amendments to companies legislation to ensure that central registers are compiled for beneficial ownership information on companies operating in all sectors of the economy, and to ensure that the information is accessible to the public. That announcement came shortly after the Panama Papers, which demonstrated the concentration of opaque ownership structures in the Ghanaian mining and oil sectors.

Accordingly, in August 2016, a statutory framework was created through the Companies (Amendments) Act 2016 requiring the Registrar General’s Department to collect information on beneficial owners of companies registered in Ghana. That data is to be collected at the time of registration for new companies and as part of the annual filing requirements for existing companies. While now placed on a statutory footing, the regime is not yet mandatory. President Nana Akufo-Addo has, however, made a commitment that the beneficial ownership reporting system will be implemented by 2020, in line with the target date promoted by civil society actors in Ghana, including the Extractive Industries Transparency Initiative (EITI).

Under the Ghanaian legislation, a beneficial owner is defined as:

‘an individual

a) Who directly or indirectly ultimately owns or exercises substantial control over a person or company;

b) Who has a substantial economic interest in or receives substantial economic benefits from a company whether acting alone or together with other persons;

c) On whose behalf a transaction is conducted; or

d) Who exercises ultimate effective control over a legal person or legal arrangements.’ [48]

The information which will be collected in respect of each beneficial owner comprises:

‘a) The full name and any former or other name;

b) The date and place of birth;

c) The telephone number;

d) The nationality;

e) Residential, postal, and email address, if any;

f) Place of work and position held; and

g) The nature of the interest, including the details of the legal arrangement in respect of the beneficial ownership.’

One noteworthy aspect of the Ghanaian legislation is that, unlike the UK PSC register or the register requirements of the EU Fifth Anti-Money Laundering Directive, there is no specific threshold set for what amounts to ‘substantial control’ of a company. Prior to the implementation of the register and the testing of the meaning of ‘substantial control’ in the Ghanaian courts, the scope of disclosure obligations is not certain. That raises a potential challenge for compliance with data protection law: the absence of a minimum threshold is likely to encourage companies to provide information on all beneficial owners, however marginal. Persons with negligible beneficial control of Ghanaian companies may plausibly argue that such disclosure goes beyond the statutory purpose of exposing the people with substantial control and so, in the absence of their consent, would constitute a disclosure of personal information without a lawful basis, contrary to data protection law. Companies registered in Ghana will need to consider carefully the appropriate balance to strike between transparency and privacy for negligible beneficial holdings.

Brazil

Brazil has recently taken significant steps to bring its domestic legislation into line with emerging consensus on data protection. In August 2018, the Brazilian Data Privacy Law (‘Lei Geral de Proteção de Dados Pessoais’ or ‘LGPD’) was signed into law, closely mirroring the structure and substance of the GDPR. The law comes into force through a staged implementation period that will last until 2020.

Like the GDPR and also the OAS Principles to which Brazil is a signatory, the LGPD creates a framework for lawful collection of personal data based on consent, and for processing of personal data on the bases of consent, contractual necessity, lawful obligation, and the specific and notified legitimate purposes of the data controller. In addition to those typical grounds for lawful processing, the LGPD also creates specific exceptions where data is processed for healthcare and credit rating purposes.

Under the LGPD, data subjects have the right to information about the data held, and the rights of access, rectification, and erasure. A particular feature of the LGPD is its recognition of an additional right of data portability, which allows a data subject to request an entire copy of their personal data in a transferrable format. The data subject can then take that data record and transfer it as they see fit (passing it to a commercial competitor of the data controller, or another government department), which gives the data subject the benefit of the data compiled by the data controller.

In Brazil, the collection of personal data on ultimate beneficial owners of companies has been required since mid-2017 under the Instrução Normativa RFB No 1.634/2016 (‘the Normative’). Most companies incorporated in Brazil were required to report the details of their ultimate beneficial owners to the Brazilian registrar of companies either by the end of 2018 (for companies existing when the law was enacted) or within 90 days of incorporation, although publicly traded companies and certain non-profit entities are exempt. The Normative defines an ultimate beneficial owner as a natural person who significantly influences the entity, with the significant influence threshold being met by either a direct or indirect shareholding of more than 25%, or direct or indirect control of the board of directors.

The Normative thus imposes the obligation on most companies in Brazil to collect beneficial ownership data and disclose it to the registrar. As an obligation imposed by statute, it would fall within the definition of lawful obligation, meaning that such collection and disclosure would not contravene the LGPD data protection regime. Brazil does not, however, require that the personal data of beneficial owners be made available to the public at large. For a company to do so would require that the beneficial owners gave consent or were under a contractual obligation to do so.

Singapore

In Singapore, the Personal Data Protection Act 2012 (‘PDPA’) came into force in January 2013 and largely reflects the principles set out in the OECD Guidelines. Under the PDPA, an entity may only collect personal data if: (a) the express prior consent of the individual has been obtained, in light of the specific purpose of collection having been identified and notified; (b) consent has been implied or deemed to have been granted by that individual; or (c) exceptions set out in the Second Schedule to the PDPA apply.

The Second Schedule sets out a range of exceptional circumstances in which data may be collected without consent. Those exceptions are listed by subject matter, such as collection for a life-threatening emergency, [49] for legal investigations, [50] and for credit rating purposes. [51] Exceptions are potentially very broad in reach, such as collection in the national interest, [52] but there is no explicit category of lawful data collection when required by a legal obligation.

That said, since the creation of the Singapore data protection regime, Singapore has, in March 2017, enacted amendments to the Companies Act and Limited Liability Partnerships Act requiring each private company and limited liability partnership registered in Singapore to collect and maintain personal information on all substantial beneficial owners (relating to persons with ownership or voting control of 25% or greater) on a Register of Controllers for that company or partnership, with those Registers made available to law enforcement authorities. Unlike the UK regime, or the regime pending introduction across the EU following the Fifth Anti-Money Laundering Directive, these Registers of Controllers are held by each corporate entity, rather than centralized, and will not be publicly accessible (but may be subject to inspection by public agencies such as the Accounting and Corporate Regulatory Authority).

The beneficial ownership disclosure obligations now set out in the Singapore Companies Act and Limited Liability Partnerships Act do not apply to publicly-listed companies in Singapore, the reason being that (as in the UK) the requirements of listing on public exchanges already impose obligations of data collection with respect to the beneficial ownership of the relevant entity.

As for the relationship between beneficial ownership disclosure and data protection in Singapore, the allowance for data collection on the basis of the consent of the subject provides a clear route to collection and disclosure (even public disclosure) of beneficial ownership on a voluntary basis. The Second Schedule of the PDPA does not expressly refer to collection of data under a legal obligation, but the Fourth Schedule (governing circumstances where disclosure is allowed) authorizes disclosure to a public agency. [53] The doctrine of implied repeal means that the subsequent legal obligation on private companies to collect personal information to create a Register of Controllers takes precedence over the PDPA prohibition on that collection to the extent of any inconsistency. The very limited scope of disclosure (only to public agencies such as the Accounting and Corporate Regulatory Authority), however, leaves Singapore as a jurisdiction with limited transparency regarding beneficial ownership.

Implications for companies with global reach

The various approaches worldwide to beneficial ownership disclosure and data protection pose questions for companies with global reach. Two points are particularly relevant: first, what legal regime applies to a company which operates across borders; and second, what might be the worldwide legal liabilities of a company with beneficial owners residing overseas.

On the first point, even though a company may have worldwide reach, it will have only one place of registration. In a corporate group, each subsidiary company will be individually registered in the relevant territory. The common feature of all beneficial ownership disclosure laws is that they apply as part of the company regulatory regime, and the relevant data needs to be provided either at initial registration or, for existing companies, by a deadline which normally coincides with the filing of new accounts.

As a result, those disclosure obligations only apply in the jurisdiction where each company is registered, rather than in every jurisdiction in which a company has operations (although, of course, if subsidiaries are formally registered overseas, those subsidiaries will need to comply with their domestic legal obligations). What is important is that each company complies with the legal regime in the country in which it is registered (which, as set out above, will allow voluntary disclosure of proportionate information even if it does not mandate it).

On the second point, given that disclosure of beneficial ownership will likely be accessible worldwide online, companies may be concerned about potential liabilities overseas. Consider a company registered in England which, under the Companies Act 2006, is under an obligation to disclose the personal data of its beneficial owners, but those owners reside in a jurisdiction which has stringent data protection laws but does not clearly authorize public disclosure of beneficial ownership information as an exception. As set out above, Singapore is such a jurisdiction. If a beneficial owner of an English company were, say, a politically-connected person in Singapore, the disclosure of their UK interests might raise concerns in Singapore or might affect their reputation. Could they bring litigation against the English company for breach of the Singapore Personal Data Protection Act 2012, or at common law for breach of confidence?

The likelihood is low. As a starting point, under widely-accepted rules of private international law, the English company would typically need to be sued in England, [54] and a court in Singapore would likely decline to hear any claim since England, being the place of the company’s registration, is clearly the more appropriate forum. [55] More important than the location of the proceedings, it is unlikely that the actions of the English company would be judged against Singapore law: on the contrary, English law would apply. The complaint by the beneficial owner in Singapore would be characterized under private international law as a non-contractual claim arising out of an alleged violation of privacy.

That type of claim falls outside the formal rules under the Rome II Regulation on choice of law, [56] but the general rules of private international law [57] (reflected in the Private International Law (Miscellaneous Provisions) Act 1995), [58] require that the applicable law will be the law of the country in which the ‘most significant element’ of the events complained of occurred. There are sometimes difficult issues if multiple significant elements occur in different jurisdictions – such as the taking of a photograph in breach of privacy in one country, but the publication and profit from it in another [59] – but in the situation of an English company disclosing beneficial ownership data in England to Companies House, all the significant elements occur within the one jurisdiction.

As a result, the English company would only be subject to English law, which, as already set out, both compels publication of beneficial ownership data and exempts such disclosures from liability for data protection breaches, and the question of liability under Singapore law is unlikely to arise. That same result would be replicated across jurisdictions, and so while the various legal regimes lead to a patchwork of regulation worldwide, companies are not likely to face adverse legal consequences so long as they comply with the laws of the jurisdictions in which they are registered.

For the avoidance of doubt, it is worth noting that the much-publicized extra-territorial reach of the GDPR is limited to those situations where the data controller outside the EU is dealing with an EU subject’s data in the course of offering goods or services in the EU [60] or monitoring the subject’s behavior in the EU (e.g. using website cookies). [61] That will not apply to the processing of data for the purposes of compliance with beneficial ownership reporting laws.

Footnotes

[6] See, for example, the Universal Declaration of Human Rights, Art. 12; the International Covenant on Civil and Political Rights, Art. 17; the European Convention for the Protection of Human Rights and Fundamental Freedoms, Art. 8; and the American Convention on Human Rights, Art. 11.

[7] See, for instance: Avi-Yonah, R, ‘Country by Country Reporting and Corporate Privacy: Some Unanswered Questions’ (2016) 1 Colum. J. Tax L. Tax Matters 8; and D’Avino, R, ‘Balancing the public’s right to know and corporate privacy rights – safeguarding competition in the era of country-by-country reporting: a response to Reuven S. Avi-Yonah’ (2016) 8 Colum. J. Tax L. Tax Matters 5.

[8] ABC v Lenah Game Meats (2001) 185 ALR 1.

[9] R v Broadcasting Standards Commission, ex p BBC [2001] QB 885 (CA); cf R (Amro International SA) v Financial Services Authority [2010] EWCA Civ 123; [2010] 3 All ER 723.

[10] Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources [2010] IEHC 221.

[11] Société Colas Est v France (2004) 39 EHRR 17; [2012] ECHR 421.

[12] See, for example, the data protection law recently adopted by Brazil, which echoes the European Union’s General Data Protection Regulation, the most rigorous privacy law ever enacted.

[13] See the definition of ‘processing’ in GDPR, Article 4(2).

[14] OECD, Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, 23 September 1980, Annex (‘OECD Guidelines’). Available at http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm. [Accessed on 10 March 2018]. These guidelines were updated in 2013 and in 2019 the OECD is working with countries and experts to scope developments and provide practical recommendations on the implementation of the Guidelines in today’s digital environment. Further information is available at http://www.oecd.org/sti/ieconomy/privacy.htm.

[15] OECD Guidelines, (7).

[16] OECD Guidelines, (9).

[17] OECD Guidelines, (10).

[18] OECD Guidelines, (13).

[19] Council of Europe, Convention for the Protection of Individuals with Regard to the Automatic Processing of Individual Data (adopted 28 January 1981, entered into force 28 January 1981) ETS 108 (‘Convention 108’).

[20] Inter-American Juridical Committee, OAS Principles on Privacy and Personal Data Protection, OEA/Ser.Q, CJI/doc. 474/15 rev.2, 26 March 2015 (‘OAS Principles’).

[21] ECOWAS, Supplementary Act A/SA.1/01/10 on Personal Data Protection within ECOWAS, 16 February 2010 (‘ECOWAS SA’).

[22] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (‘the GDPR’).

[23] GDPR, Article 5(1)(a)-(d).

[24] GDPR, Article 6(1)(a).

[25] GDPR, Article 6(1)(b).

[26] GDPR, Article 6(1)(c).

[27] GDPR, Article 3(1).

[28] GDPR, Article 3(2).

[29] Case C-131/12 Google Spain SL and Google Inc v Agencia Española de Protección de Datos ECLI:EU:C:2014:317.

[30] Case C-398/15 Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v Salvatore Manni ECLI:EU:C:2017:197, (54).

[31] By inserting a new Part 21A.

[32] Companies Act 2006, Schedule 1A, paras 2 and 3.

[33] Companies Act 2006, section 790K(1).

[34] Register of People With Significant Control Regulations 2016, Schedule 1.

[35] Code Monétaire et Financier, Art. R 561-1.

[36] Code Monétaire et Financier, Art. R 561-55.

[37] Code Monétaire et Financier, Art. R 561-55.

[38] Code Monétaire et Financier, Art. R 561-57.

[39] Loi No 113 du 14 mai 2018 relative à la protection des données personnelles.

[40] Loi No 113 du 14 mai 2018 relative à la protection des données personnelles, Article 10(2).

[41] Loi No 113 du 14 mai 2018 relative à la protection des données personnelles, Article 10(3).

[42] Data Protection Act 2012, section 18(1).

[43] Data Protection Act 2012, section 17.

[44] Data Protection Act 2012, section 20(1).

[45] Data Protection Act 2012, section 19.

[46] Data Protection Act 2012, section 35.

[47] Data Protection Act 2012, section 33(1).

[48] Companies Act 1963, First Schedule, as amended by Companies (Amendments) Act 2016.

[49] Personal Data Protection Act 2012, Second Schedule, para 1(b).

[50] Personal Data Protection Act 2012, Second Schedule, para 1(e).

[51] Personal Data Protection Act 2012, Second Schedule, para 1(k).

[52] Personal Data Protection Act 2012, Second Schedule, para 1(d).

[53] Personal Data Protection Act 2012, Fourth Schedule, para 1(g).

[54] This rule is, for EU states, codified in Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12 December 2012 on Jurisdiction and the Enforcement of Judgments in Civil and Commercial Matters (Recast), OJ L 351, 20 December 2012, pp1-32, Article 4(1). It is also codified in the multi-lateral Lugano Convention on Jurisdiction and the Recognition and Enforcement of Judgments in Civil and Commercial Matters, OJ L 339, 21 December 2007, pp3-41, Article 2(1).

[55] Applying the well-known test set out by the House of Lords in Spiliada Maritime Corp v Cansulex Ltd [1987] AC 460 (HL), recently endorsed by the Singapore Court of Appeal in Rappo, Tania v Accent Delight International Ltd [2017] 2 SLR 265.

[56] Regulation (EC) No 864/2007 of the European Parliament and of the Council of 11 July 2007 on the Law Applicable to Non-Contractual Obligations (Rome II), OJ L, 31 July 2007, pp40-49, Article 1(2)(g).

[57] See: Dicey, Morris & Collins on the Conflict of Laws (15th ed, 2017), Rule 256(6)(c).

[58] Private International Law (Miscellaneous Provisions) Act 1995, s11(2)(c).

[59] As occurred in Douglas v Hello! Ltd (No 3) [2006] QB 125 (CA), [97] (Lord Phillips MR, on behalf of the Court).

[60] GDPR, Article 3(2).

[61] GDPR, Article 3(3).
