Data protection and privacy in beneficial ownership disclosure

IV. How Can We Balance Beneficial Ownership and Privacy Concerns?

Beyond understanding whether beneficial ownership disclosure is lawful and effective, policy-makers and companies must be convinced that it is proportionate. In other words, this requires that it strikes the right balance between reducing corruption and increasing transparency in the private sector, on the one hand, and protecting individuals’ right to privacy and data protection, on the other.

Balancing privacy rights and beneficial ownership

Few rights are absolute and limiting them is not inherently unlawful or unethical. This is true of privacy: it is an important right that may nonetheless be balanced against legitimate public aims.

For example, the majority of countries require political parties and candidates to publicly disclose their campaign finances, and require these reports to include personal details, such as the full name and address, of the donors who made contributions above a certain amount (for example $200 in the US and Canada). [98] Some governments make this information publicly searchable as an online database of donors. [99]

Numerous states also require politicians to declare their own financial interests publicly. In the UK, for example, MPs must declare any financial interest, such as jobs or gifts, ‘which others might reasonably consider to influence his or her actions or words as a Member of Parliament.’ [100]

Arguments that we are ‘all entitled to protection of private data unless we are doing something wrong’ [101] are therefore overly simplistic.

The difficulty, however, lies in identifying the appropriate balance, and it is on this point that the opinions on public registers diverge. While many commentators acknowledge the aims and potential benefits of registers, they believe the potential negative impacts of a public register – either to companies or individuals – are too high, and the reach too broad. In other words, critics consider it to be an approach that is ‘disproportionately intrusive.’ [102]

What are the potential negative impacts of beneficial ownership disclosure?

This section examines risks to individuals that may have a bearing on whether the obligation to disclosure beneficial ownership data (in a public register or otherwise) may be too onerous to be considered proportionate. It does not focus on legal obstacles to publishing ownership data (examined above), or concerns specific to companies, such as confidentiality, reputation, cost of compliance, and the complexity of navigating the differing laws across different countries.

Publicly available records (such as beneficial ownership data) can facilitate re-identification when combined with de-identified or otherwise anonymized data from other sources. [103] The ability to identify an individual by combining data from a range of sources is known as the “mosaic effect,” [104] the likelihood of which grow as the amount of data online increases. Data brokers (which collect data about individuals and then sell it to other brokers, companies or individuals) can also play a key role in this process. [105]

This identification data could be used to target individuals in phishing attacks or identity fraud. A group of researchers demonstrated the mosaic effect by combining information available from an online list of persons hired by the Greek government with data from other government websites, such as the voter registration website, to eventually “create a complete profile” of identifying information. [106]

More common is combining the data with further information from social media, which may provide a person’s name and where they work; geo-tagged photos and posts can reveal their location to kidnappers and extortionists. [107]

Further risks may arise if data that appears neutral on its face may actually have identifying information embedded in it. For example, the US Social Security Number is nine seemingly random digits. However, the first three numbers are an area number that can potentially reveal the previous or current residence of the person. Furthermore, researchers have shown how Malaysian National Registration Identification Card numbers could be collected from certain Malaysian government websites and then used as an input to retrieve the person’s name, birth date, gender, voting district, and state. [108]

Are these harms only hypothetical?

This research has been unable to identify documented examples of harms that have arisen from the publication of beneficial ownership data in open registers.

There is some concern that publishing beneficial ownership data increases the risk of identity theft: LexisNexis research suggests that company directors are disproportionately likely to be victims of ID fraud, making up roughly 9% of the population but 19% of impersonation victims. [114] However, the same research also highlights that this risk is most serious when information about them has already been published online, such as in government datasets or on social media. In the UK, the government has been urged to prevent Companies House from publishing former names of transgender people in the PSC register due to concerns expressed by trans people that the requirement would effectively ‘out’ them. [115]

In the context of public procurement disclosure, research by Open Contracting Partnership ‘found remarkably little evidence of harm’ directly resulting from the public disclosure of contracts. Nevertheless, they provide examples of the kinds of threats that have arisen in related areas, including: the harassment of a New Orleans contractor hired to remove a confederate monument; the use of leaked tax returns for kidnapping in Colombia; and the defrauding of the NHS by fake contractors. [116]

The risks will differ depending on the country and context. There are relatively high rates of kidnapping in South and Central America, for example, and in some autocratic regimes even the knowledge that a person works on controversial issues could be problematic. [117] The strength of data protection – and therefore the risk of massive data theft or unauthorized access – also varies significantly between states.

No matter the context, and even if instances of harm have so far proven rare, any risk to individuals must be taken seriously and proactively minimized because the ‘consequences are disproportionately far-reaching.’ [118]

Conducting a thorough privacy impact assessment can help to identify potential harms and aid decision-making. What is disclosed to the public at large can be a subset of the data that is collected by authorities, provided that enough information is made publicly available to allow for meaningful oversight. In addition, a carefully designed and narrowly defined exemption process is important to allow individuals with legitimate security or privacy concerns to request that their details are not published on the open register.

Transparency can be achieved without endangering the privacy and safety of individuals, but the risks must be openly discussed, recognized and mitigated.

Are there other ways to achieve the same goals?

A key question under human rights law in assessing proportionality is always whether the same goal could be achieved through less intrusive means. That is, could these legitimate aims be achieved through some other means that is less invasive of privacy and data protection, or that better minimizes the potential negative effects for individuals and companies, but is just as effective? This is precisely the argument made by certain jurisdictions such as Jersey and Guernsey.

What might be considered an ‘effective’ register is open to interpretation, but a useful starting point are Financial Action Task Force (FATF) recommendations 24 and 25: these require countries to ensure ‘adequate, accurate and timely information on the beneficial ownership of corporate vehicles’ (emphasis added). As is often pointed out, the FATF does not advocate public registers as the only means to achieve this standard.

There are generally two alternative models to a public central register: strict regulation of CSPs or a closed central register (or a combination of the two).

An alternative often referenced is the ‘Jersey Model’, which constitutes the following:

• Jersey companies can only be incorporated with consent of the Jersey Financial Services Commission (JFSC) – this requires an application from a regulated TCSP or a Jersey resident.
• During the incorporation process, BO information is collected and verified. This is held in a central register, but not made public.
• TCSPs are also required to continually monitor BO and submit changes to the JFSC within 21 days of knowledge.
• If the register proves insufficient for investigative purposes, further information can be obtained from the TCSP. [119]

This model has been lauded by Geoff Cook as ‘a system that prevents the misuse of companies, identifies and verifies owners, promotes quality data and yet minimizes concerns regarding privacy and personal safety.’ [120] The World Bank’s Puppet Masters report highlighted three elements of the Jersey Model that maximize the effectiveness of central registries: the active verification of beneficial owners’ identities at the time of registration; close coordination with CSPs to ensure information is up to date; and making registration subject to the registry staff being confident that they have correctly identified the beneficial owner. [121]

More generally, several reports have concluded that regulated CSPs are a more effective means of collecting and verifying beneficial ownership data. Compared to government registries, CSPs often have more capacity to carry out rigorous checks and, arguably, a greater incentive to do so due to the risk of large fines or deregistration. [122]

There are three main counter arguments to relying on CSP regulation:

• first, there is no reason why public registers cannot sit alongside and be complementary to robust CSP regulation;
• second, CSPs may have an incentive to promote the interests of the companies they are charged with monitoring and reporting on (i.e. their clients); and
• third, there are certain advantages to public registers (as outlined above) that do not apply to CSP regulation, namely the additional oversight from civil society, better access for public authorities, and the commercial and market advantages of a more open and transparent market.

How could the interference occasioned by beneficial ownership be minimized?

Even if, having considered the alternatives, public registers are determined to be the only effective means to achieve the aims outlined above, there remains the vital question of how they can operate in a way that is proportionate. Striking an appropriate balance will depend on the inclusion and effect of various safeguards, limitations and exceptions to publishing ownership data. In other words, the debate is not just about why the data is published, but also what is published, and how it is published.

The European Data Protection Supervisor in 2017 criticized public registers for ‘a lack of proportionality, with significant and unnecessary risks for the individual rights to privacy and data protection.’ [123] The French Constitutional Court reached a similar view in 2016, finding that a public trust register disproportionately interfered with rights to privacy and ‘entrepreneurial freedom.’ [124] More recently, there have been legal challenges to the legality of beneficial ownership registers and the Common Reporting Standard (see text box below). [125]

Despite these challenges, several commentators and states have adopted the position that the careful collection and publishing of limited types of data, combined with clearly defined exemptions for particular individuals, strikes the right balance between transparency, accountability, safety and privacy.

The UK government conducted a Privacy Impact Assessment (PIA) of its decision to adopt a centralized, public BO register. The PIA identifies the risks that could arise, such as fraud and identity theft, and the measures taken to minimize them. It is a detailed examination of how the conflicting risks and benefits can be balanced, and ultimately concludes that the UK’s approach is both necessary and proportionate. [129]

As useful as the UK’s PIA is, it would be impossible to provide a one-size-fits-all answer to such a complex and nuanced balancing exercise, and the appropriate approach for different countries and companies will depend on a range of contextual factors. What follows is instead a set of relevant factors and examples that may inform the approach of both companies and countries planning to publish ownership data.

Distinguishing between different types of data

As a basic principle, no more information should be collected for beneficial ownership registers than is necessary to fulfil the aims outlined above. Necessary data would include the basic information needed to adequately identify the individual, such as their name and date of birth. Public authorities will also need sufficient information to contact or locate the person, such as a service address.

But a careful distinction must be made between data that is essential and data that, while helpful or interesting, is not strictly necessary. For example, data on beneficial ownership is best-suited for use in analysis when each individual is linked to a unique identifier. However, some jurisdictions have reportedly considered publicly linking beneficial ownership data registers to existing public identification systems to accomplish this; doing so could increase interference with privacy beyond the level necessary to fulfil the aims of beneficial ownership registers. Consideration should be given to whether seemingly neutral or harmless data could reveal more sensitive information, or be pieced together with other datasets, as outlined in the examples above.

It is also crucial to recognize that the risk associated with different types of information will depend on the context of both the individual and the country where they reside.

Governments and companies should therefore consider carefully whether they require the disclosure of information that, while low risk in one country, would be more sensitive in another.

Scope of the data collected and published

A separate issue is whether transparency and public access is more justifiable for specific subsets of corporate entities – for example, only requiring individuals such as Politically Exposed Persons (PEPs) and entities involved in activities such as public procurement and extractives to disclose data.

For some, the actions of a small number of criminals do not justify the publishing of all beneficial owners’ data: why should thousands of innocent company owners and directors have to reveal personal information in the hope of catching a small number of criminals? Proponents of this argument suggest that beneficial ownership disclosure targeting high-risk sectors and individuals would be more fair, effective and feasible than blanket disclosure requirements. [130]

Although there is an intuitive logic to linking disclosure with risk, it is impossible to predict which, among the thousands of trusts and companies, may be of interest in future investigations. Illicit financial activity has proven so difficult to combat in part because much of it involves complex webs of companies; some may be criminal entities, others may be perfectly legitimate. While one company or owner may themselves be seemingly innocuous, they may in reality be an important piece of a puzzle: research by the Natural Resource Governance Institute (NRGI) on corruption cases in the extractives sector highlights how illicit funds are often funneled through complex networks or chains of shell companies with unclear beneficiaries. [131] Investigating and identifying financial crime is therefore not as straightforward as monitoring high-risk sectors and persons – combing through the haystack is to some degree inevitable.

It is also wrong to suggest that combating crime is the sole purpose of making all BO data public. As outlined above, there are broader benefits to be had from a more open, transparent market in which businesses know who they are dealing with, and in which both investors and the general public can have greater confidence.

How wide the net is cast will also depend to a large extent on how beneficial owners are defined – in particular the thresholds used to define ‘ultimate’ control or ownership of a company – which is itself a controversial matter. [132]

The scope and conditions of access

A key plank of the French Court’s decision regarding the public register of trust beneficiaries was that the register created a disproportionate interference with the right to privacy because it allowed unlimited access by the public. And the Court of Justice of the European Union (CJEU) has previously held [133] that general access to electronic communication content without any limits or exceptions was a violation of privacy and data protection. [134]

The solution adopted by many EU states (the 4th Anti Money-Laundering Directive) was to limit access by requiring that members of the public must demonstrate a ‘legitimate interest’ in the company information they request. However, this approach has flaws that could limit the effectiveness of beneficial ownership registers. First, states may define ‘legitimate interest’ so narrowly as to exclude many activists, journalists and researchers, removing the potential benefit of additional scrutiny outlined above. On the other hand, it could be defined so broadly as to effectively allow unlimited access, just with added bureaucracy.

An alternative approach is to allow public access but disclose to the public only a subset of the data that is collected and available to public authorities. In this way, a balance can be sought between providing enough information to the public to allow for meaningful additional oversight, while not disclosing those details that significantly increase the risks to privacy (but which are still justifiably available to public authorities). This approach is taken by, for example, the UK and Denmark.

Here, there is a balance to be struck; protecting individuals’ privacy while retaining its usefulness for tackling tax evasion and organized crime. For example, if a register only publishes a beneficial owner’s name and their month and year of birth (as the UK PSC register does), then people with common names may still be difficult to track down.

Exemptions

One way to guard against the risks to individuals is to create narrowly-defined exemptions that allow those who can demonstrate a serious risk of harm to be exempted from the disclosure requirements.

The EU’s 5th Anti Money-Laundering Directive, for example, allows for exemptions to be granted in cases where access to the data would expose the beneficial owner to risks such as fraud or kidnapping. The UK exempts from company ownership data individuals who can demonstrate a ‘serious risk of violence or intimidation.’ That exemption is tightly controlled: according to a Freedom of Information request by Global Witness in 2017, of more than one million companies that provided beneficial ownership information in the six months following the UK PSC register’s initiation, only 270 individuals applied to have their information withheld on the basis that it would put them at risk, and of these only five were granted. [137] The definition and operation of these exceptions may prove to be the crucial element to achieving proportionality. But it is, again, a difficult line to draw. Some beneficial owners face a constant low-level threat to their safety due to their wealth or power. To define the exception too broadly could exclude a large number of beneficial owners and exempt precisely those who would be of greatest interest to investigators. On the other hand, a definition that is inflexible and defined too narrowly may fail to capture the different types of unforeseeable harms that could arise in novel situations.

There are additional practical considerations about the operation of exceptions. If the process for applying to be exempted is long and bureaucratic, should individuals be presumed to fall within the exception during the decision period (as is the approach of the UK)? If they are, then repeated applications for exemption could be used by beneficial owners to hide their data; if not, then individuals facing serious risk of harm have their details in the public domain while waiting for a decision.

Notwithstanding these difficulties, it is fair and sensible to carve out some form of a clearly-defined exemption regime for those with legitimate safety concerns.

Going for good, going for public

By applying a legal analysis used in human rights law to beneficial ownership transparency, we find:

• Disclosure of beneficial ownership can readily be accommodated alongside data protection and other relevant obligations.
• While the body of evidence supporting the effectiveness of public registers over non-public data sources is still emerging, the aims of the public disclosure of beneficial ownership data are without doubt legitimate. It is reasonable and rational for policymakers to act on the understanding that a public register will contribute to stopping illicit financial flows and serve other public interest needs.
• While there is no existing evidence of harm caused by public registers, governments should conduct privacy impact assessments and create appropriate exemption regimes designed to protect the vulnerable.

This research report, commissioned by OpenOwnership and The B Team, was conducted by The Engine Room from July to December 2018. The content of this report does not reflect the official opinion of OpenOwnership. Responsibility for the information and views expressed in the report lies entirely with The Engine Room.

Authors: Adriana Edmeades-Jones, Tom Parker, and Tom Walker

Report Design: Convincible Media

Fact Checking: Roderigo Sara

The Engine Room requests due acknowledgement and quotes from this publication to be referenced as: The Engine Room, OpenOwnership and The B Team (2019). Data Protection and Privacy in Beneficial Ownership Disclosure.

Footnotes

[98] International IDEA has created a database of the various political finance laws and requirements in each country: https://www.idea.int/data-tools/data/political-finance-database.

[99] See, for example, https://www.fec.gov/data/.

[100] UK Parliament Register of Members’ Financial Interests: https://www.parliament.uk/mps-lords-and-offices/standards-and-financial-interests/parliamentary-commissioner-for-standards/registers-of-interests/register-of-members-financial-interests/.

[101] Kenney, M., 2018. Open company UBO registers are not the panacea to financial crime, The FCPA Blog.

[102] Cook, G., 2018. Just Because UBO Data Isn’t Available for Everyone to See, It Doesn’t Make It Secret. GAB Blog. Available at: https://globalanticorruptionblog.com/2018/05/24/guest-post-just-because-ubo-data-isnt-available-for-everyone-to-see-it-doesnt-make-it-secret/ [Accessed August 10, 2018]; Forstater, M. 2018. Beneficial Openness: Is More Transparency Always Better? Center For Global Development.

[103] Center for Democracy & Technology, 2009. Data.gov and DeIdentification Considerations for the Open Government Directive. Available at: https://cdt.org/press/report-examines-privacy-implications-of-data-gov/ [Accessed September 21, 2018].

[104] Breeden, J., 2014. Worried about security? Beware the mosaic effect. GCN. Available at: https://gcn.com/articles/2014/05/14/fose-mosaic-effect.aspx[Accessed September 21, 2018].

[105] Grauer, Y., 2018. What Are “Data Brokers,” and Why Are They Scooping Up Information About You? Motherboard. Available at: https:// motherboard.vice.com/en_us/article/bjpx3w/what-are-data-brokers-and-how-to-stop-my-private-data-collection [Accessed September 21, 2018].

[106] Tzermias, Z. et al., 2017. Privacy Risks from Public Data Sources. arXiv [cs.CY]. Available at: http://arxiv.org/abs/1711.09260.

[107] Woody, C., 2018. Drug cartels have turned social-media sites like Facebook into one of their most potent weapons, (Business Insider 2016) available at: http://uk.businessinsider.com/drug-cartels-using-social-media-sites-for-crime-extortion-2016-4; see also Campden FB, 2016. Market Insight – Critical Risk. Available at: http://www.campdenfb.com/article/market-insight-critical-risk-extortion-blackmail-and-kidnap-ransom.

[108] Tzermias, Z. et al., 2017. Privacy Risks from Public Data Sources. arXiv [cs.CY]. Available at: http://arxiv.org/abs/1711.09260.

[109] Saul, H., 2016. Emma Watson named in Panama Papers database. The Independent. Available at: http://www.independent.co.uk/news/people/emma-watson-named-in-panama-papers-database-a7023126.html [Accessed August 15, 2018].

[110] Interview (permission to name pending).

[111] Westin, A. 1967. Privacy and Freedom, Scribner.

[112] Guider, I., 2018. Privacy issues and public registers of beneficial ownership. ACCA. Available at: https://www.accaglobal.com/us/en/member/ member/accounting-business/2018/06/in-focus/privacy-issues.html [Accessed August 9, 2018].

[113] Sharman, J., 2016. Solving the Beneficial Ownership Conundrum: Central Registries and Licenced Intermediaries, Jersey Finance. Available at: https://www.jerseyfinance.je/news/solving-the-beneficial-ownership-conundrum-central-registries-and-licenced-intermediaries-academic-paper-published#.W3FkZJMzaHq.

[114] LexisNexis Risk Solutions, 2016. Who are the victims of identity fraud? Available at: https://risk.lexisnexis.co.uk/insights-resources/White-Paper/who-are-the-victims-of-identity-fraud-wp-uk [Accessed August 13, 2018].

[115] Companies House and Transgender Persons, HC Deb 15 November 2017, vol 631, c827. Available at https://hansard.parliament.uk/Commons/2017-11-20/debates/45F8123F-2D20-4B15-9EEC-322D320C866F/CompaniesHouseAndTransgenderPersons. Duffy, N., 2017. Government urged to change law that “outs” transgender business people. Pink News. Available at: https://www.pinknews.co.uk/2017/11/21/government-urged-to-change-law-that-outs-transgender-business-people/.

[116] Open Contracting Partnership, 2018. Mythbusting Confidentiality in Public Contracting. Available at: http://mythbusting.open-contracting.org/ [Accessed August 9, 2018].

[117] Whitehead, H., 2016. Beneficial ownership: A new era of openness? International Compliance Association. Available at: https://www.int-comp.org/insight/2016/september/27/beneficial-ownership-a-new-era-of-openness-united-arab-emirates/ [Accessed September 10, 2018].

[118] PwC, 2015. Finding a balance between transparency and privacy, Available at: https://www.pwc.nl/en/publicaties/finding-a-balance-between-transparency-and-privacy.html [Accessed August 9, 2018].

[119] Jersey Finance Limited, 2017. Public Registers of Beneficial Ownership, Available at: https://www.jerseyfinance.je/media/PDF-Reports/Report%20on%20Beneficial%20Ownership%20-%20Jersey%20Finance%20Limited.pdf.

[120] Cook, G., 2018. Just Because UBO Data Isn’t Available for Everyone to See, It Doesn’t Make It Secret. GAB Blog. Available at: https://globalanticorruptionblog.com/2018/05/24/guest-post-just-because-ubo-data-isnt-available-for-everyone-to-see-it-doesnt-make-it-secret [Accessed August 10, 2018].

[121] Sharman, J., 2016. Solving the Beneficial Ownership Conundrum: Central Registries and Licenced Intermediaries. Available at: https://www.jerseyfinance.je/news/solving-the-beneficial-ownership-conundrum-central-registries-and-licenced-intermediaries-academic-paper-published#.W6Eq_HXwa3S [Accessed September 18, 2018].

[122] Interview.

[123] European Data Protection Supervisor, 2017. EDPS Opinion on a Commission Proposal amending Directive (EU) 2015/849 and Directive 2009/101/EC. Available at: https://edps.europa.eu/data-protection/our-work/publications/opinions/anti-money-laundering_en [Accessed September 18, 2018].

[124] Appleby, 2016. Secrecy, Privacy and a French Legal Case. Appleby. Available at: https://www.applebyglobal.com/insights/insights-2016/secrecy–privacy-and-a-french-legal-case-september-2016.aspx [Accessed August 2, 2018].

[125] Mishcon de Reya, 2018. Legal challenge to Common Reporting Standard (CRS) and Beneficial Ownership (BO) registers. Available at: https://www.mishcon.com/news/firm_news/legal-challenge-to-common-reporting-standard-crs-and-beneficial-ownership-bo-registers [Accessed August 13, 2018].

[126] Ibid.

[127] Data IQ, 2018. Top law firm challenges ICO to probe HMRC data sharing. Available at: https://www.dataiq.co.uk/news/top-law-firm-challenges-ico-probe-hmrc-data-sharing [Accessed September 20, 2018].

[128] R v Secretary of State for Transport, ex parte Factortame Ltd and ors (No 2)[1991] 1 AC 603 (HL).

[129] Department for Business, Innovation and Skills, 2014. Transparency and Trust: Enhancing the Transparency of UK Company Ownership and Increasing Trust in UK Business, Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/324742/bis-14-884-transparency-and-trust-company-ownership-privacy-impact-assessments.pdf.

[130] Emmen, M.B., 2015. When Transparency Isn’t the Answer: Beneficial Ownership in High-End Real Estate. GAB | The Global Anticorruption Blog. Available at: https://globalanticorruptionblog.com/2015/03/23/when-transparency-isnt-the-answer-beneficial-ownership-in-high-end-real-estate [Accessed August 9, 2018].

[131] Sayne, A., Gillies, A. & Watkins, A., 2017. Twelve Red Flags: Corruption Risks in the Award of Extractive Sector Licenses and Contracts, NRGI. Available at: https://resourcegovernance.org/sites/default/files/documents/corruption-risks-in-the-award-of-extractive-sector-licenses-and-contracts.pdf.

[132] Sayne, A., Westenberg, E. & Shafaie, A., 2015. Owning Up: Options for Disclosing the Identities of Beneficial Owners of Extractive Companies, NRGI. Available at: https://resourcegovernance.org/analysis-tools/publications/owning-options-disclosing-identities-beneficial-owners-extractive; Dun & Bradstreet, 2016. Beneficial Ownership: Why the Devil Really is in the Detail, Available at: https://www.dnb.co.uk/content/dam/english/business-trends/db-4981-beneficial-ownership-whitepaper.pdf.

[133] Schrems vs Data Protection Commissioner, 6 Oct 2015, Available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=2393.

[134] Noseda, F., Common Reporting Standard and EU beneficial ownership registers: inadequate protection of privacy and data protection. Mishcon Academy. Available at: https://academy.mishcon.com/standard-and-eu-beneficial-ownership-registers-inadequate-protection-of-privacy-and-data-protection [Accessed August 9, 2018].

[135] Department for Business, Innovation and Skills, 2014. Transparency and Trust: Enhancing the Transparency of UK Company Ownership and Increasing Trust in UK Business, Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/324742/bis-14-884-transparency-and-trust-company-ownership-privacy-impact-assessments.pdf.

[136] Companies House Guidance, Restricting the disclosure of your information, updated 27 April 2018. Available at: https://www.gov.uk/government/publications/restricting-the-disclosure-of-your-psc-information/restricting-the-disclosure-of-your-information.

[137] Palstra, N., 2018. 10 lessons from the UK’s public register of the real owners of companies | Global Witness. Global Witness. Available at: https://www.globalwitness.org/en/blog/10-lessons-uks-public-register-real-owners-companies/ [Accessed August 13, 2018].

[138] Guidance on ownership registration, virk website: https://indberet.virk.dk/myndigheder/stat/ERST/Det_Offentlige_Ejerregister#tab2.

[139] Erhvervsstyrelsen, Questions and answers about real owners, available at: https://erhvervsstyrelsen.dk/hjaelp-til-registrering-af-ejere-2.