The abuse of anonymous companies to facilitate corruption, tax evasion and other sorts of criminal activity has prompted reformers to call for corporations and other legal entities to provide governments with accurate information on the true (or “beneficial”) human owners of these companies. A wide range of stakeholders from civil society and business have argued that governments should not only compile such beneficial ownership registries, but should make them public.
Public beneficial ownership registries, according to their proponents, would increase the efficiency of financial investigations, ease the due diligence burden on companies investigating supply chains and corporate counterparties and enable media and civil society to scrutinize more effectively who owns and controls what—especially among the global elite.
Opponents have advanced multiple objections to creating public beneficial ownership registries, including questions about their accuracy and effectiveness, as well as concerns about the effect on individual privacy and the associated risks that such public registries could facilitate “identity theft, cybercrime, and blackmail.”
How seriously should we take the “personal privacy” objection to public beneficial ownership registries?
In a new report, OpenOwnership, The Engine Room, and The B Team propose a framework to evaluate this issue, borrowing from the structured analysis of international human rights law. Crucially, under international human rights law not every interference with personal privacy qualifies as a violation of an individual’s privacy rights. A violation only arises if the interference with privacy lacks a legitimate justification. Determining whether an interference with privacy is justified, in turn, entails addressing three questions:
(1) Is the interference lawful (that is, consistent with generally-accepted standards governing personal information)? (2) Is the interference necessary to advance some legitimate aim? (3) Is the degree of interference proportionate to the legitimate end sought?
Application of these three criteria suggests that an appropriately-designed public beneficial ownership registry would not violate individual privacy rights.
With respect to whether the collection and provision of beneficial ownership information is lawful, a survey of jurisdictions worldwide indicates that public disclosure of beneficial ownership information is generally consistent with data protection legislation. There is considerable convergence among various data protection regimes internationally, with many jurisdictions’ rules ultimately deriving from the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980.
The EU’s General Data Protection Regulation (GDPR), which came into force in May 2018, is a good example. The GDPR sets out mandatory requirements for lawful processing (that is, collection, storage, and transmission) of personal data within the EU, and clarifies that processing of data is lawful if one or more of three conditions applies:
(1) the subject of the data has consented;
(2) the processing is necessary for the performance of a contract to which the subject is a party;
(3) the processing is necessary for compliance with a legal obligation.
The relevant condition in the case of public beneficial ownership registries is the third one. By definition, if a country adopts a law requiring legal entities to provide beneficial ownership information as a condition of incorporation or registration, then they’ve satisfied this third condition. This situation already exists in the UK, which has created a public beneficial ownership registry. Once the 5th EU Anti-Money Laundering Directive is fully enacted in 2020, all EU countries will be in the same legal position. The disclosure of beneficial ownership information is consistent with GDPR and equivalent data protection law under the statutory authority exception.
The fact that an interference with privacy is legally authorized does not end the inquiry. International human rights law considers even a statutorily authorized interference with privacy to be a violation of privacy rights if the interference is not necessary to further some legitimate interest. Despite the connotations of “necessity,” the burden is not on the government to prove with certainty that the legitimate end cannot be achieved without interfering with privacy. Rather, the idea is that the interference must be plausibly justified by its connection to a legitimate public policy goal.
This part of the inquiry addresses the efficacy of public (as opposed to government-only) beneficial ownership registries. Sufficiently compelling arguments exist to demonstrate that public registries have substantial advantages toward satisfying legitimate interest.
A public register allows for greater oversight by civil society and the public, leveraging local knowledge and more sets of eyes to identify errors and red flags. Public registers also make it easier for companies to conduct due diligence on their commercial counterparts. Furthermore, public registers may have advantages for government enforcement authorities beyond those that registries to which government authorities alone had access allow. For example, public registers allow authorities to check information from other jurisdictions efficiently, without needing to make formal requests of regulators, which assists cross-border investigations of global illicit activity.
Given the infancy of public beneficial ownership registers, there is not yet a great deal of direct evidence of their benefits, but there’s some suggestive evidence that they are effective. For example, following the introduction of a public registry in the UK, the incorporation of Scottish limited partnerships—a notoriously-abused legal form—dropped precipitously. While only time will tell how effective public registers may be, the variety of potential benefits suggests that they may be an effective tool to achieve their legitimate aims.
Even if public registers would be lawful and effective, the interference with privacy still needs to be proportionate to the legitimate public policy end. Proportionality can be achieved by ensuring the use of various safeguards, limitations and exceptions. All reasonable public register regimes must limit the information collected and disclosed to that which is necessary to identify the true beneficial owners—rather than additional information (such as residential addresses), which potentially identifies family members or threatens security. Public registers may also ensure proportionality by including class exemptions for certain types of companies (such as small family businesses) or mechanisms for individuals with legitimate concerns regarding safety to petition for anonymity (a mechanism that already exists in the UK register). If legitimate risks are mitigated with appropriate systems, there should be no legal barrier to providing public ownership information.
Not only does the application of a human rights-based framework provide a useful and stringent method for evaluating the privacy objections to public beneficial ownership registers, but it also suggests that, in the main, such objections are unfounded.
This short report summarises the arguments.