From the register to abduction? The courtroom of the EU Court of Justice witnessed an interesting battle. Beneficiaries of Luxembourg companies argued that unrestricted access to the register of beneficiaries not only violates the provisions on the protection of personal data, but above all may expose them to kidnapping, blackmail, extortion, violence or intimidation. The result? Revocation of regulations and rendering registers “classified”. 

On the basis of the proceedings pending before the Luxembourg District Court, the Court of Justice held, in a preliminary ruling, that the provisions on the prevention of money laundering and the financing of terrorism (AML), in so far as they allow the disclosure of the data of beneficial owners to any given person, are invalid. We will write about the consequences of this ruling for Poland (and other EU countries) below. 

The heart of the matter

In the verdict of 22 November 2022, the CJEU decreed the invalidity of the provision of the AML Directive providing that “Member States shall ensure that information on beneficial owners […] is made available in all cases to any person”.

This means that access should be restricted by individual countries.

The CJEU determined the economic fate of the public interest. Undoubtedly, a legitimate desire to prevent the use of the financial system for money laundering or financing terrorism is very much part of this interest, as well as of the individual interest which boils down to the necessity of protecting personal data. 

The results of the analysis by CJEU invalidate the provisions allowing unrestricted access to the beneficiaries’ data disclosed in national Beneficial Ownership Registers. According to the CJEU, such a broad access to the Registers, allowing for any instance of collection, possession and sharing of information, is a disproportionate protection measure and thus violates, among others, the provisions of the Regulation on the protection of natural persons with regard to the processing of personal data, commonly referred to as the “GDPR”.

Objective – transparency of the system 

The objective of the EU regulations on the prevention of the financial system from being used  for the purpose of money laundering or financing terrorism is to protect the public interest expressed in terms of the transparency of the EU financial system. The invalidated provisions regarding the unrestricted access to the beneficiaries’ data were intended to allow a greater control of information by civil society, the press and social organisations. In addition, they were also intended to increase confidence in the integrity of financial transactions as well as the financial system as a whole. According to the legislator, it is in the general public best  interest to create an environment in which  money laundering or financing terrorism is next to impossible. 

Misguided proportion in the restriction of rights

According to the CJEU, the cost of introducing regulations ensuring unlimited access to data in the national Registers of Beneficial Owners was not only a violation of the GDPR, as mentioned above, but above all a violation of civil rights. Amongst the infringed rights are the following:

  • the right to respect for private and family life 
  • the right to the protection of personal data 

According to the CJEU, such a large reduction in fundamental rights is disproportionate in comparison with the stated objective of the regulation on beneficiaries. The CJEU left no doubt that restrictions on the exercise of rights and freedoms may only take place (subject to the principle of proportionality) if they meet general interest objectives or are necessary to protect the rights and freedoms of other persons. 

Consequences of the CJEU verdict 

The essence of the CJEU ruling is to invalidate the provisions allowing for unrestricted access to the registers of beneficial owners and limiting them to a situation where an interested party demonstrates its interest in obtaining data from the register. 

This necessitates the introduction of systemic changes and developing a method of identifying/verifying the existence of such an interest by authorities. 

The legislators’ stance on this matter?

Malta and Cyprus are the leading countries with regard to “classifying” the register of beneficial owners. The Netherlands and Denmark have also laid the cornerstone in this matter and are preparing to introduce appropriate changes. However, the agitation, or rather confusion, is noticeable not only on the part of the Member States of the European Union, but also on the part of the EU authorities. To this day, said authorities have not taken a precise and firm position on the ground-breaking verdict – after all, the regulations at EU level have been overturned.

The Polish stance, that is “we shall look into the matter”

The Ministry of Finance emphasizes that the contents of the ruling of 22 November 2022 is subject to analysis on both the Polish and EU side. In turn, the Ministry points out that determining such rules should not be a consequence of the presentation of the CJEU’s position on a single case. 

The most complete position on the matter was taken by the President of the Office for Personal Data Protection, recommending the amendment of the provisions of the AML Act. This change would be based on guaranteeing access to CRBO solely for persons having a legal or factual interest. In addition, the President of the Personal Data Protection Office declared to the state authorities that he is ready to provide support in the scope of possible amendments to the AML Act. 

EU regulations vs national regulations – difficult legal dualism

The ruling of the CJEU (in principle) does not have a direct effect in Polish law, but the legal effect of this ruling must be the removal of the AML Act provisions from the legal framework in the scope of the unlimited disclosure of the register of beneficiaries. In Poland, public, free, and unlimited access to the information contained in the CRBO is still available

According to some commentators, the ruling of the CJEU may result in  a backdated removal of  the invalidated legal act from the legal framework, i.e. from the moment of its entry into force(!). This means that measures taken pursuant to the act declared null and void may cease to apply, which may also refer to the measures adopted by Member States to implement the directive whose provision has been invalidated[1]. However, although such situations cannot be ruled out, it is difficult to imagine that the legislator would not ensure a transitional period with the advent of these changes in order to avoid such situations.

Will there be compensation from the State Treasury?

In the public space, there increasingly appear voices contemplating the possibility of issuing a claim for compensation from the State Treasury in view of: 

  • CJEU deeming the unlimited transparency of the register as incompatible with fundamental rights 
  • failure to introduce changes “classifying” the register of beneficiaries at the national level

– the rights of the individual are undoubtedly violated. Therefore, the unanimously indicated provision of Art. 417 and Art. 417 with ind. 1 of the Polish Civil Code.

According to the latter provision, if the damage was caused by the issuance of a normative act, its redress may be demanded after it has been found in appropriate proceedings that the act is inconsistent with the Constitution, or a ratified international agreement or an act of law. Polish AML regulations are issued on the basis of the EU AML directive, and it is the provision of this very  directive that was declared invalid. Such a state of affairs may lead to interpretations indicating the State Treasury as being liable for damages. 

In addition, experts also point to the possibility of obtaining redress on the basis of the provisions of the GDPR, i.e. on the basis of Art. 82 para. 1 of GDPR. This provision envisages the liability of the personal data controller or the entity processing personal data. 

The Constitutional Tribunal will examine the provisions determining the liability of the State Treasury

Our attention should be drawn to the proceedings pending in the Constitutional Tribunal, namely the case bearing the number K 18/20. The case was initiated by the request of the Prime Minister on 28 August 2020. The Prime Minister requested that the compliance of Art. 417 ind. 1 § 1 of the Civil Code be examined to the extent to which it does not require the Constitutional Tribunal to determine the non-compliance of the regulation with the Constitution, a ratified international agreement or an act of law pursuant to Art. 2, Art. 188 point 3 and Art. 193 of the Polish Constitution; 

Although this request assumes examination of the case in relation to the regulations, a ruling which establishes the non-compliance of Art. 417 with ind. 1 § 1 of the Civil Code with the Polish Constitution could protect the State Treasury from any liability. 


The above analysis of the situation does no leave any shadow of a doubt that the decision in question came as a surprise, which resulted in the emergence of legal dualism in the field of keeping registers of beneficial owners. On the one hand, the verdict requires legislative changes, on the other hand, the legislative authorities postpone the introduction of appropriate regulations, and this delay may render state treasuries in many countries liable for damages. It should therefore be borne in mind that, despite the ruling, the provisions on the transparency of the Polish register of beneficial owners remain in force.

[1]See more: Rozstrzygnięcia sądowe w postępowaniu cywilnym, scientific ed. Maciej Rzewuski, Wolters Kluwer Poland, Warsaw, 2021, pp. 292-293.