Civil society organisations, businesses and governments across the world are increasingly recognising the need for greater transparency about the ownership of companies as a useful means to stem illicit financial flows and even up markets. While there is important momentum toward legal frameworks requiring more ownership transparency, the move towards collection and publication of beneficial ownership information—particularly its availability in public registers—has its critics.
One stumbling block which has emerged is the issue of privacy. Because beneficial ownership data includes data about people, the concern is that the publishing of beneficial ownership information interfere with or threaten individuals’ rights to privacy and the protection of their personal data. This raises strict legal considerations. Do beneficial ownership registers contravene or conflict with data protection and privacy laws? But it also raises broader questions about whether making beneficial ownership information public is necessary to meet policy goals.
There is nothing inherent to the task of owning a company that would require information about that ownership to be kept private; indeed, there are many proud business owners across the world. Furthermore, because owning a company comes with considerable benefits including limited liability, it is reasonable for authorities to ask for ownership transparency as a quid pro quo. The type of personal information published under beneficial ownership disclosure regimes, however, should be a limited set of data that allows the identification of a company’s ultimate beneficial owners.
Privacy concerns need to be examined thoroughly to enable responsible policymaking on this issue. In an accompanying research report, we consider the legal implications of public beneficial ownership data to the public, evaluated from both the perspective of the companies holding that information and the authorities requiring it to be disclosed publicly. Applying a legal analysis derived from human rights law, we conclude that public disclosure of beneficial ownership data is compatible with data protection regimes. Further, public company ownership data is necessary to achieve a legitimate aim, and its disclosure can be managed so as to be proportionate to any potential harms.
What do we mean by “privacy”?
To set the stage, it is useful to preview the key concepts of privacy and personal data protection from a legal perspective.
The right to privacy is enshrined in a number of international human rights instruments, including the Universal Declaration of Human Rights, as well as in the constitutions of more than 100 countries worldwide. The right to privacy requires that all individuals should be free from arbitrary or unlawful interference with their privacy, home, correspondence and family and from attacks upon their reputation.
Privacy is closely related to concepts of autonomy and human dignity. It empowers individuals to make decisions free from the influence or interference of public or private actors. Protecting privacy is not necessarily about secrecy or anonymity, but rather about giving individuals control over their lives and decisions.
The right to privacy protects:
- the confidentiality of letters, phone calls, emails, text messages and internet browsing
- the sanctity of the home
- the ability of individuals to make decisions about their lives, including about their sexual and reproductive choices
- individuals’ control of their personal data
Privacy is not an absolute right: it can be limited or restricted under certain circumstances. The basic idea in human rights law is that a law or policy that interferes with a fundamental human right must be justified. To be justified, it must be in accordance with the law, necessary to achieve a legitimate aim, and proportionate to that aim.
To balance all of these considerations, a field of regulation has emerged, known as data protection law.
What are the principles of data protection law?
In the digital age, where considerable personal information is gathered, processed and held externally by new technology, there is a growing consensus about the need for enhanced data protection of individuals. Data protection laws give effect to the government’s obligation to respect the privacy rights of individuals, ensuring that there are proper restrictions on how personal data is used and secured. Data protection laws exist in a large majority of countries around the world and are becoming progressively more comprehensive every year.
Generally speaking, these laws seek to balance two things:
- the interests of individuals in controlling access to, and use of, their personal data (identity details, information on financial and online behavior, etc.); and
- legitimate interests in the use of that data to fulfil various functions, such as customer service, research, marketing or regulatory compliance—especially where the individual in question provides consent or legal obligations require data recording.
Data protection legislation will typically apply to all public and private entities that process data. Processing data can include any act of collecting, using, analysing, storing and—importantly—publishing an individual’s personal data. It is government’s work to protect the privacy rights of individuals, but both governments and businesses that collect, hold and pass on data on beneficial ownership need to follow data protection laws.
Putting beneficial ownership transparency to the test
Because legal considerations derive ultimately from individuals’ human rights to privacy, we subject beneficial ownership transparency to the most stringent possible test—one that considers not just compliance with data protection laws, but also the role of governments in protecting individuals’ fundamental right to privacy.
Data protection laws invariably only allow the processing of data where the party processing that data has a proper legal basis for doing so. Three legal bases, present in all the major data protection regimes, are potentially relevant to the collection and disclosure of beneficial ownership information, namely: the consent of the person concerned, necessity for the performance of a contract and lawful authority.
Various models worldwide demonstrate that the disclosure of beneficial ownership can readily be accommodated alongside data protection and other relevant obligations:
- When a country has both data protection laws and legislation requiring the public disclosure of beneficial ownership information, the data can be published by the company, government or any other data processor under the “lawful authority” exemption.
- When a country has data protection laws but no legislation requiring the public disclosure of beneficial ownership information, the data can be published with the consent of the beneficial owner.
- When a country has no data protection legislation and no beneficial ownership legislation, companies can disclose data about their beneficial owners if it doesn’t violate other relevant legal principles (such as breach of confidence).
Rules of international law provide that companies disclosing information regarding beneficial owners residing overseas are not likely to face legal liabilities under the law of those overseas states and will only be required to comply with their domestic legal standards. The fact of global reach ought not to prevent companies from providing beneficial ownership disclosure either under a domestic legal obligation or, if the circumstances allow, on a voluntary basis.
Is public beneficial ownership transparency necessary to achieve a legitimate aim?
The aims of public registers are clearly legitimate. More must be done to investigate and hold to account those responsible for illicit financial activity, and there are commercial benefits to greater transparency and openness. The key question is whether, in order to achieve these aims, the company ownership register must be made public.
There are convincing arguments as to why an open ownership register is not only justifiable, but uniquely effective. An open register allows for greater oversight and scrutiny from non-governmental stakeholders, including civil society and business, which could improve the overall quality and accuracy of the data. An open register would also help companies and authorities eliminate some barriers and inefficiencies involved in obtaining timely access to important beneficial ownership data.
Concerns about the accuracy of public registers are valid. False information may be deliberately submitted to registries, and the absence of stringent verification systems makes the publication of errors and misleading information more likely. However, these problems are not unique to a public register. The scale of corporate activity means that any register or repository faces the challenge of verification.
While there may currently be disagreement about the effectiveness of public registers of beneficial ownership to stem illicit flows, reduce risk and enhance competitive markets, the perceived advantages of introducing such registers are reasonable and rational. Public authorities have thus far had limited success in stemming the tide of illicit financial flows, even in those jurisdictions that tout the effectiveness of their (closed) company registers. Additional scrutiny of company ownership information could therefore prove invaluable.
Can the potential harms posed by beneficial ownership transparency be mitigated?
As of writing, there are no documented examples of harms that have arisen from the publication of beneficial ownership data in open registers.
One concern has been that publishing beneficial ownership data increases the risk of identity theft. LexisNexis research suggests that company directors are disproportionately likely to be victims of ID fraud, making up roughly 9 percent of the population but 19 percent of impersonation victims. However, the same research also highlights that this risk is most serious when information about them has already been published online, such as on social media. In the context of public procurement disclosure, research by Open Contracting Partnership found ‘little evidence of harm’ directly resulting from the public disclosure of contracts.
Even with no instances of harm to date, any risk to individuals must be taken seriously and proactively minimised because the ‘consequences are disproportionately far-reaching.’
Conducting a thorough privacy impact assessment can help to identify potential harms and aid decision-making. What is disclosed to the public at large can be a subset of the data that is collected by authorities, provided that enough information is made publicly available to allow for meaningful oversight. In addition, a carefully designed and narrowly defined exemption process is important to allow individuals with legitimate security or privacy concerns to request that their details are not published on the open register.
Transparency can be achieved without endangering the privacy and safety of individuals, but the risks must be openly discussed, recognised and mitigated.
Going for good, going for public
By applying a legal analysis used in human rights law to beneficial ownership transparency, we find:
- Disclosure of beneficial ownership can readily be accommodated alongside data protection and other relevant obligations.
- While the body of evidence supporting the effectiveness of public registers over non-public data sources is still emerging, the aims of the public disclosure of beneficial ownership data are without doubt legitimate. It is reasonable and rational for policymakers to act on the understanding that a public register will contribute to stopping illicit financial flows and serve other public interest needs.
- While there is no existing evidence of harm caused by public registers, governments should conduct privacy impact assessments and create appropriate exemption regimes designed to protect the vulnerable.
 See, for example, the Universal Declaration on Human Rights, Art. 12; the International Covenant on Civil and Political Rights, Art. 17; the European Convention for the Protection of Human Rights and Fundamental Freedoms, Art. 8; and the American Convention on Human Rights, Art. 11.
 See, for example, the data protection law recently adopted by Brazil, which echoes the European Union’s General Data Protection Regulation, the most rigorous privacy law ever enacted.
 See the definition of ‘processing’ in GDPR, Article 4(2).
 LexisNexis Risk Solutions, 2016. Who are the victims of identity fraud? Available at: https://risk.lexisnexis.co.uk/insights-resources/White-Paper/who-are-the-victims-of-identity-fraud-wp-uk [Accessed August 13, 2018].
 Open Contracting Partnership, 2018. Mythbusting Confidentiality in Public Contracting. Available at: http://mythbusting.open-contracting.org/ [Accessed August 9, 2018].
 PwC, 2015. Finding a balance between transparency and privacy, Available at: https://www.pwc.nl/en/publicaties/finding-a-balance-between-transparency-and-privacy.html [Accessed August 9, 2018].