EU beneficial owner registry map from Transparency International, 2021. Read more. CC BY-NC-ND 3.0 |
I'm not a hard skeptic on the personal privacy prerogative of the EU General Data Protection Regulation. To the contrary, I've written that there's a lot to like about the emerging global privacy norms embodied in the GDPR, and, contrary to conventional wisdom, American social expectations, if not yet federal law, are converging with Europe's.
That said, the EU Court of Justice yesterday announced a profoundly problematic decision at the junction of public access and personal privacy. The blanket disclosure requirements of a key anti-money-laundering law can't stand, the court held, because they don't calibrate the public need for access with the privacy of natural-person business owners with sufficient precision, that is, as a function of necessity and proportionality.
Troublingly, the court characterized transparency norms, which are grounded in treaty and law more firmly in the EU than in the United States, as specially relevant to the public sector and not fully implicated in the private sector, in the context of business regulation.
The potential implication of this proposition is that access to information is limited to a requester learning "what the government is up to," to the exclusion of government oversight of the private sector. That's a cramped and problematic construction of access law that has dogged journalists and NGOs using the U.S. Freedom of Information Act (FOIA) for decades. Read more in Martin Halstuk and Charles Davis's classic 2002 treatment. As I have written in my comparative research on access to information, access to and accountability of the private sector is a problem of our times. We must solve it if we're to save ourselves from the maw of corporatocracy.
In my opinion, the CJEU decision fundamentally misunderstands and overstates the legitimate scope of data protection regulation with the effect of enervating transparency as a vital oversight tool. The impact is ironic, considering that data protection regulation came about as a bulwark to protect the public from private power. The court turned that logic on its head by using personal privacy to shield commercial actors from public scrutiny.
Unfortunately (for this purpose), I have my hands full in Europe (coincidentally) right now, and I lack time to write more. Fortunately, Helen Darbishire and the team at Access Info Europe already have written a superb summary. Their lede:
In a ruling that has sent shockwaves through Europe’s anti-corruption and transparency community, the Court found that the Fifth Anti-Money Laundering Directive (AMLD5, 2018) is too loosely framed and provides for overly-wide public access to the [ownership] registers without a proper justification of the necessity and proportionality of the interference with the rights to privacy and personal data protection of the beneficial owners.
A saving grace, Access Info observed, is that the court did not rule out transparency per se; rather, requesters will have to fight for access case by case on the facts, upon a properly narrowed regulation. In U.S. constitutional terms, it's like saying the one-size-fits-all law was struck for vagueness, but the regulatory objective still can be achieved under a narrower rule that works as applied. All the same, journalists and non-profit watchdogs are not famously well financed to fight for access on a case-by-case basis.
The case is No. C‑37/20 & No. C‑601/20 in the Grand Chamber of the CJEU.
No comments:
Post a Comment