Effective access to beneficial ownership information
Background
Effective access to BO information involves designing access regimes – the combination of decisions, rules, laws, and systems that enable access to the information – in a way that is both user-centred and responsible. This will result in information which is usable and reforms which are impactful, appropriately balancing transparency with privacy and data protection.
Access, effectiveness, and impact
For reforms to lead to impact, information needs to be accessible in ways that facilitate its use. Therefore, how decisionmakers define who has access to what information, how they access such information, and for what purpose determines how effective the reforms will be. Enabling this requires implementing governments to understand how the use of information by different parties can contribute to different objectives of BOT reforms, and what their specific needs are. Insufficiently understanding this may risk creating systems that are not fit for purpose. With an increasing number of countries implementing BOT reforms, more opportunities have emerged to start learning from users’ experiences on how to improve access to and usability of BO data.
Usable data means information that is easy enough for people to access, interpret, connect, and rely on, and therefore easier to use to create impact. [2] In the first decade of BOT implementation, BO registers have created opportunities for a range of actors – including police officers, regulatory authorities, investigative journalists, and researchers – to access and use BO data for a variety of purposes. A wealth of examples have illustrated the positive impact of BO data use over the past few years, ranging from investigating corruption schemes in public procurement, sanction evasion, money laundering, tax abuse, as well as informing investment decisions and supporting corporate accountability. [3]
Research on current user experiences provides crucial insights into obstacles and possible improvements to BO data usability. [4] For example, surveys from United Nations bodies and civil society organisations (CSOs) on authorities and civil society actors across different countries have highlighted challenges faced by users not being able to access sufficiently detailed information on the nature of BO interests, full ownership chains, and beneficial ownership of legal arrangements. [5] Government users also reported challenges in accessing usable BO data from foreign counterparts. [6]
When effectively implemented, BOT reforms can create impact through two main ways:
- Use of BO information
Information is accessed and used for a specific purpose, e.g. to detect risks in due diligence.
- Systemic impact through deterrence and behavioural change
The announcement, anticipation, or implementation of reforms, and the access and use of information, can each contribute to changing or deterring behaviours, which may result in measurable progress towards stated and additional objectives of the reforms (see Box 1).
Box 1. The systemic impact of reforms on public procurement
In the absence of obligations to disclose BO information of companies bidding for public contracts, public officials can more easily use legal vehicles to conceal conflicts of interest for personal gain with limited accountability. In the EU, research has tested the assumption that the implementation of BOT would make government officials less likely to award contracts to connected firms in anticipation of the implications of perceived corruption, and that competition for government contracts would increase as a result. [7] The study found that competition for government contracts increased after the introduction of BO registers, and that this effect was driven by countries with the highest opacity of BO before the mandate. Specifically, the research finds support for public scrutiny driving the result. Improved competition coincided with a reduction in the allocation of contracts to firms linked to riskier beneficial owners, including those connected to politically exposed persons (PEPs) in the face of public scrutiny. The research also emphasised broader positive market outcomes, such as benefits for smaller companies’ participation and improvement in contract execution performance.
These findings were supported by research in Chile, where the use of BO information was incorporated into its procurement system and processes to detect potential conflicts of interest. Between December 2022 and February 2025, the number of monthly conflict-of-interest cases detected decreased by 69%. [8]
Access, privacy, and data protection
In a growing number of jurisdictions, personal data is defined by data protection legislation as information about individual natural persons which allows them to be identified, directly or indirectly, and includes details such as names, dates of birth, and addresses. [9] Beneficial owners, by definition, are natural persons, so BO information inherently constitutes personal data, and its processing is therefore governed by privacy and data protection legislation in many jurisdictions.
Privacy as a legally protected human right is practically universal, and data protection is increasingly following suit. [10] Any access to this personal data constitutes processing, and therefore a limitation of the full enjoyment of these rights. The number of people who access data, the amount of information they can access, and how flexibly this can be used all have a bearing on the degree of interference with the individual’s right to privacy. Generally, in data protection legislation the interference with an individual’s right to privacy exists irrespective of whether individuals have been inconvenienced as a result of that interference. Just like any other natural persons, beneficial owners have rights to privacy and data protection.
On the other hand, the access to and processing of BO information also has a bearing on other rights. BOT is implemented for specific policy goals, including countering money laundering, the financing of terrorism, and corruption, and improving accountability. Many states have a constitutional duty to protect their citizens from crime, protect property rights, and conduct public procurement in a manner that is fair, equitable, and cost effective. [11] BOT is a policy reform that has been demonstrated to contribute positively to these important governance outcomes and fundamental rights.
In this balance, it is important to note that privacy and data protection are not absolute rights. This means they can be limited in certain circumstances, for instance, if it is deemed in the general interest to do so or when privacy and data protection are in conflict with other rights. For example, the Universal Declaration of Human Rights states that a limitation of rights can be justified when it is “for the purpose of securing due recognition and respect for the rights and freedoms of others and of meeting the just requirements of morality, public order and the general welfare in a democratic society”. [12]
Generally, when there are competing rights, any measures interfering with a right should be necessary to achieving their specified purpose, and this should be proportional to the interference with the right it causes. Data protection emphasises concepts such as purpose limitation: processing data should be limited to specified purposes; and data minimisation: only the data necessary to achieve the purpose should be processed. Having a thorough and comprehensive understanding of who needs access to what information, how they access this information, and in order to achieve what purpose is therefore fundamental not only to designing effective reforms for impact, but also to creating reforms that comply with domestic privacy and data protection laws.
Any BOT regime should ensure a balance between access and safeguarding individuals’ rights to privacy and data protection. How this balance should be struck will be highly context dependent. It will be determined by a country’s policy aims, the domestic legal context, and evolving societal norms regarding privacy. In 2016, the first BO registers and the EU’s General Data Protection Regulation (GDPR) were implemented. GDPR was seen as landmark legislation, upon which many jurisdictions modelled their own data protection legislation. [13] This was before widespread evolving technology gave rise to wider public dialogue about the risks of having large amounts of personal information online. A decade on, debates and policy proposals for how to best strike the balance between privacy and access to BO information continue to develop.
Any framework for access that does not effectively strike this balance may be vulnerable to legal challenges, which can set back the implementation and effectiveness of reforms (see Box 2).
Box 2. The November 2022 Court of Justice of the European Union judgement
Following two legal challenges against Luxembourg’s BOT regime which reached the EU’s highest court, a November 2022 Court of Justice of the European Union (CJEU) ruling (“the Sovim judgement”) found that the indiscriminate public access to BO information for AML purposes was legally invalid. [14] This catalysed discussions at national and international levels, within and between governments, businesses, and civil society. The ruling and debates around access in the EU and beyond have highlighted the need to find more legally robust and nuanced solutions to delivering the access that a range of actors need to BO data while appropriately protecting other rights.
The EU’s fourth AML Directive (AMLD4) had previously mandated central BO registers in EU member states. In transposing AMLD4 into national law, member states were required to develop access regimes based on users having a legitimate interest. However, AMLD4 did not prescribe much detail on how to develop this requirement, and the resulting access regimes were ineffective in practice. [15] Key non-government users who could use the information to help combat money laundering, such as investigative journalists and CSOs, could either not access the information at all, or could not use the data effectively because of restrictive access procedures.
In the fifth AML Directive (AMLD5), the European Commission required BO information to be made publicly accessible. [16] This was in part due to the considerable operational challenges to establishing an access regime on the basis of legitimate interest – for example, defining the criteria one must meet to be considered a journalist, and for a registrar to design a process to determine whether someone meets these criteria.
In the Sovim judgement, the CJEU concluded that access to BO information constitutes an interference with the right to privacy and data protection. [17] This is irrespective of the subsequent use of the information, whether the information is sensitive, or whether the persons concerned have been inconvenienced in any way on account of that interference. [18] The ruling stated that:
it is inherent in making that information available to the general public in such a manner that it is then accessible to a potentially unlimited number of persons, with the result that such processing of personal data is liable to enable that information to be freely accessed also by persons who, for reasons unrelated to the objective pursued by that measure, seek to find out about, inter alia, the material and financial situation of a beneficial owner […] Furthermore, the potential consequences for the data subjects resulting from possible abuse of their personal data are exacerbated by the fact that, once those data have been made available to the general public, they can not only be freely consulted, but also retained and disseminated and that, in the event of such successive processing, it becomes increasingly difficult, or even illusory, for those data subjects to defend themselves effectively against abuse. [19]
As a result, the judgement asserts that such interference is serious.
While the judgement recognises the objective of AML to be in the public interest, it concludes that the measures are not proportional. Specifically, it flags that AMLD5 itself has stated that the “general public’s access to information on beneficial ownership ‘can contribute’ to combating the misuse of corporate and other legal entities and that it ‘would also help’ criminal investigations”, and that these statements do not demonstrate that such a measure is strictly necessary to preventing money laundering and countering the financing of terrorism (CFT). [20]
Both the judgement and a follow-up statement confirmed that a broad range of actors outside of government – including “press and civil society organisations that are connected with the prevention and combating of money laundering and terrorist financing”, and anyone likely to enter into transactions with a company – do have a legitimate interest in accessing the information. [21] This directly rebuts the argument previously used by many privacy advocates that combating money laundering is within the purview of the state alone.
While AMLD5 gave rise to public BO registers in EU Member States, it resulted in highly divergent access regimes, with public access absent or limited in some member states. [22] Many countries gave their own, differing interpretations to what constituted a public register, making judgements with varying levels of effectiveness as to which user groups constituted the public, what subset of information they could access, and how and in what form information could be seen.
While public access became a rallying call to allow all actors to leverage the benefits of using BO information in practice, and to provide a practical shorthand to circumvent the complexities of other access regimes, this discourse has risked creating a false dichotomy of public versus closed. The seemingly clear goal of establishing a public register undoubtedly encouraged many countries to follow suit, but it may have sidelined other complementary options and discussions. The simplicity of the goal drove significant progress towards greater transparency. However, as more countries made progress with the implementation of their registers, questions around access have not been answered in a consistent way. In part, this lack of clarity contributed to the CJEU’s ruling.
The European Commission has sought to respond to the judgement through an improved system of access on the basis of legitimate interest in a new AML Directive – AMLD6, discussed in more detail later in this briefing – with deadlines in July 2026.
Footnotes
[2] Open Ownership, Usable beneficial ownership data (Open Ownership, 2025), https://www.openownership.org/en/publications/usable-beneficial-ownership-data/.
[3] Public procurement: Ondrej Blažo, Daniel Zigo, and Alanna Markle, Measuring the impact of beneficial ownership transparency in public procurement: Starter guide, (Open Ownership, 2026), https://www.openownership.org/en/publications/measuring-the-impact-of-beneficial-ownership-transparency-in-public-procurement/; Irene Tello Arista, Mihály Fazekas, and Antonina Volkotrub, Using beneficial ownership data for large-scale risk assessment in public procurement. The example of 6 European countries (Government Transparency Institute, 2024), https://www.govtransparency.eu/wp-content/uploads/2024/07/Arista-Fazekas-Volkotrub_BO-CRI_GTI_WP_2024.pdf; Alanna Markle and Tymon Kiepe, Who benefits? How company ownership data is used to detect and prevent corruption (Open Ownership and EITI, 2022), https://www.openownership.org/en/publications/who-benefits-how-company-ownership-data-is-used-to-detect-and-prevent-corruption/. Money laundering: UK government, Department for Business and Trade and Companies House, “The value of corporate transparency in tackling crime”, 16 October 2024, https://www.gov.uk/government/publications/the-value-of-corporate-transparency-in-tackling-crime; Jackie Harvey, Tracking Beneficial Ownership and the proceeds of corruption: Evidence from Nigeria (Northumbria University and Global Integrity Anti-Corruption Evidence Programme, 2021), Integrity Anti-Corruption Evidence Programme, 2021), https://giace.org/wp-content/uploads/2021/12/Executive_Summary_121721-1.pdf; Andres Knobel, Uses and purposes of beneficial ownership data (Tax Justice Network, 2023), https://taxjustice.net/wp-content/uploads/2024/01/Uses-and-purposes-of-BO-Data-briefing-14-Oct-2.pdf. Tax abuse: Tymon Kiepe, Leveraging information about ownership networks to improve taxation (Open Ownership, 2025), https://www.openownership.org/en/publications/leveraging-information-about-ownership-networks-to-improve-taxation/use-cases-for-tax-authorities/; Jérémie Baruch, Maxime Ferrer, Maxime Vaudano, and Anne Michel, “OpenLux : the secrets of Luxembourg, a tax haven at the heart of Europe”, Le Monde, 9 February 2021, https://www.lemonde.fr/les-decodeurs/article/2021/02/08/openlux-the-secrets-of-luxembourg-a-tax-haven-at-the-heart-of-europe_6069140_4355770.html. Corporate accountability: Julie Rialet, Use and impact of public beneficial ownership registers: Denmark (Open Ownership, 2023), https://www.openownership.org/en/publications/use-and-impact-of-public-beneficial-ownership-registers-denmark/case-studies/.
[4] Julie Rialet, Understanding beneficial ownership data use (Open Ownership, 2025), https://www.openownership.org/en/publications/understanding-beneficial-ownership-data-use/.
[5] UNODC, “Good practices and challenges with respect to beneficial ownership transparency and how it can foster and enhance the effective recovery and return of proceeds of crime”, CAC/COSP/2023/16, 13 October 2023,https://www.unodc.org/documents/treaties/UNCAC/COSP/session10/CAC-COSP-2023-16/2319911E.pdf.
[6] UNODC, “Reference document on good practices, challenges and lessons learned with respect to beneficial ownership transparency”, CAC/COSP/WG.2/2024/2, 3 April 2024, https://track.unodc.org/uploads/documents/UNCAC/WorkingGroups/workinggroup2/2024-June-10-14/CAC-COSP-WG.2-2024-2/2406076E.pdf; UNODC, “Outcome of the Intergovernmental Meeting on Enhancing the Use of Beneficial Ownership Information to Strengthen Asset Recovery”, CAC/COSP/WG.4/2025/CRP.2, 13 June 2025, https://track.unodc.org/uploads/documents/UNCAC/WorkingGroups/workinggroup4/2025-June-17-20/CRP.2/CAC-COSP-WG.4-2025-CRP.2_E.pdf.
[7] Carol Seregni, “Who are you Doing Business with? Beneficial Ownership Disclosure and Public Procurement”, The Wharton School Research Paper (2024), http://dx.doi.org/10.2139/ssrn.4826537.
[8] Guillermo Burr and Rodrigo Félix Montalvo, Beneficial ownership in Chile’s public procurement reform (Open Ownership, 2025), https://www.openownership.org/en/publications/beneficial-ownership-in-chiles-public-procurement-reform/.
[9] Information Commissioner’s Office, “What is personal information: a guide”, n.d., https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-information-a-guide/.
[10] In the Charter of Fundamental rights of the EU, respect for private and family life is covered by Article 7 and the protection of personal data is covered by Article 8. Data protection is connected to the right to privacy, but it is not exclusively a subset of this right. There are gaps in the global protection of data protection as a human right (e.g. in the United States of America). A number of international legal instruments, including the EU Charter of Fundamental Rights and the Council of Europe’s Convention 108, as well as many countries – for example, many of those that have ratified the American Convention of Human Rights – explicitly articulate data protection as a unique right. For more information see: Mistale Taylor, Transatlantic Jurisdictional Conflicts in Data Protection Law (Cambridge University Press, 2023).
[11] See, for example: Republic of Kenya, National Council for Law Reporting, The Constitution of Kenya, 2010, Article 227, https://www.parliament.go.ke/sites/default/files/2017-05/The_Constitution_of_Kenya_2010.pdf.
[12] Universal Declaration of Human Rights (UDHR), Article 29, https://www.un.org/sites/un2.un.org/files/2021/03/udhr.pdf.
[13] For example, Argentina, Brazil, Chile, Japan, Kenya, Mauritius, South Africa, Republic of Korea, and Turkey have all modelled their data protection legislation on EU GDPR.
[14] CJEU, “Judgment of the Court”, 22 November 2022, Paragraph 88,https://infocuria.curia.europa.eu/tabs/document?source=document&text=&docid=268059&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=1113423.
[15] Transparency International, “Legitimate interest 2.0: Enabling journalists and activists to follow the money in the European Union”, 23 August 2023, https://www.transparency.org/en/news/access-beneficial-ownership-after-cjeu-legitimate-interest-6th-amld.
[16] In response to being asked whether the Commission had “considered proposing a uniform definition of ‘legitimate interest’, in order to offset the risk that the obligation for any person or organisation to demonstrate such an interest, as initially provided for by [AMLD4], might lead to excessive limitations on access to information on beneficial ownership, owing to differences in the definition of ‘legitimate interest’ in the Member States”, the Commission responded that it “observed that the criterion of ‘legitimate interest’ was a concept which did not lend itself easily to a legal definition and that, while it had considered the possibility of proposing a uniform definition of that criterion, it had ultimately decided not to do so on the ground that the criterion, even if defined, remained difficult to apply and that its application could give rise to arbitrary decisions”. This was not considered a sufficient reason to provide indiscriminate public access by the CJEU. See: CJEU, “Judgment of the Court”, Paragraphs 70-72.
[17] CJEU, “Judgment of the Court”, Paragraph 40.
[18] CJEU, “Judgment of the Court”, Paragraph 39.
[19] CJEU, “Judgment of the Court”, Paragraphs 42-43.
[20] CJEU, “Judgment of the Court”, Paragraph 75.
[21] CJEU, “Review of the judgment in joined cases C-37/20 and C-601/20”, LinkedIn post, 2023, https://www.linkedin.com/posts/european-court-of-justice_review-of-the-judgment-in-joined-cases-c-activity-7005505340528033792-1Pnt/.
[22] Transparency International, “Access denied? Availability and accessibility of beneficial ownership data in the European Union”, 26 May 2021, https://www.transparency.org/en/publications/access-denied-availability-accessibility-beneficial-ownership-registers-data-european-union.