Data protection and privacy in beneficial ownership disclosure

  • Publication date: 20 May 2019
  • Authors: The B Team, The Engine Room, Open Ownership

IV. How Can We Balance Beneficial Ownership and Privacy Concerns?

  • Privacy and data protection are important rights that may be balanced, in some circumstances, against legitimate public aims. Few rights are absolute and their limitation is not inherently unlawful or unethical. The difficulty lies in identifying the appropriate balance.
  • To increase transparency without endangering individuals’ privacy and security, risks and tensions must be openly discussed and recognized. Even if documented instances of harm have so far proven rare, any risk to individuals must be taken seriously and proactively minimized.
  • Striking an appropriate balance will depend on the inclusion and effect of various safeguards, limitations and exceptions to publishing ownership data. In other words, the debate is not just about why the data is published, but also what is published, and how it is published.
  • It would be impossible to provide a one-size-fits-all answer to such a complex and nuanced balancing exercise, and the appropriate approach for different countries and companies will depend on a range of contextual factors. But there are a set of key underlying factors to be considered:
  • What is published
    • Governments and companies should not collect and disclose data beyond the minimum that is necessary to achieve their aim, or data that poses a significant risk of harm. The risk associated with different types of information will depend on the context of both the individual and the country where they reside. This highlights the need for carefully designed exceptions regimes tailored to risks in that context.
  • Whose data is published
    • Although there are strong arguments that disclosure should only apply to certain high-risk individuals, entities or sectors, it is impossible to predict which of the thousands of trusts and companies in existence may be of interest for investigators. Investigating and identifying financial crime is not as straightforward as monitoring high-risk sectors and persons – combing through the entire haystack may often be necessary.
  • How it is published
    • Limiting access to beneficial ownership data to those who can achieving proportionality. While it may be a difficult line to draw, it is fair and sensible to carve out a clearly defined exemption regime for those with legitimate safety concerns.
  • At a minimum, those considering disclosing beneficial ownership data should ensure that:
    • No more information should be published publicly than is necessary to achieve the aims of beneficial ownership transparency. Registers should share enough data with the public to allow them to participate in oversight such as red-flagging suspicious patterns that law enforcement officials can take forward), but no more.
    • A carefully designed and narrowly defined exemption process is created to allow individuals with legitimate security or privacy concerns to request that their details are not published on the open register.

Beyond understanding whether beneficial ownership disclosure is lawful and effective, policy-makers and companies must be convinced that it is proportionate. In other words, this requires that it strikes the right balance between reducing corruption and increasing transparency in the private sector, on the one hand, and protecting individuals’ right to privacy and data protection, on the other.

Balancing privacy rights and beneficial ownership

Few rights are absolute and limiting them is not inherently unlawful or unethical. This is true of privacy: it is an important right that may nonetheless be balanced against legitimate public aims.

For example, the majority of countries require political parties and candidates to publicly disclose their campaign finances, and require these reports to include personal details, such as the full name and address, of the donors who made contributions above a certain amount (for example $200 in the US and Canada). [98] Some governments make this information publicly searchable as an online database of donors. [99]

Numerous states also require politicians to declare their own financial interests publicly. In the UK, for example, MPs must declare any financial interest, such as jobs or gifts, ‘which others might reasonably consider to influence his or her actions or words as a Member of Parliament.’ [100]

Arguments that we are ‘all entitled to protection of private data unless we are doing something wrong’ [101] are therefore overly simplistic.

The difficulty, however, lies in identifying the appropriate balance, and it is on this point that the opinions on public registers diverge. While many commentators acknowledge the aims and potential benefits of registers, they believe the potential negative impacts of a public register – either to companies or individuals – are too high, and the reach too broad. In other words, critics consider it to be an approach that is ‘disproportionately intrusive.’ [102]

What are the potential negative impacts of beneficial ownership disclosure?

This section examines risks to individuals that may have a bearing on whether the obligation to disclosure beneficial ownership data (in a public register or otherwise) may be too onerous to be considered proportionate. It does not focus on legal obstacles to publishing ownership data (examined above), or concerns specific to companies, such as confidentiality, reputation, cost of compliance, and the complexity of navigating the differing laws across different countries.

Publicly available records (such as beneficial ownership data) can facilitate re-identification when combined with de-identified or otherwise anonymized data from other sources. [103] The ability to identify an individual by combining data from a range of sources is known as the “mosaic effect,” [104] the likelihood of which grow as the amount of data online increases. Data brokers (which collect data about individuals and then sell it to other brokers, companies or individuals) can also play a key role in this process. [105]

This identification data could be used to target individuals in phishing attacks or identity fraud. A group of researchers demonstrated the mosaic effect by combining information available from an online list of persons hired by the Greek government with data from other government websites, such as the voter registration website, to eventually “create a complete profile” of identifying information. [106]

More common is combining the data with further information from social media, which may provide a person’s name and where they work; geo-tagged photos and posts can reveal their location to kidnappers and extortionists. [107]

Further risks may arise if data that appears neutral on its face may actually have identifying information embedded in it. For example, the US Social Security Number is nine seemingly random digits. However, the first three numbers are an area number that can potentially reveal the previous or current residence of the person. Furthermore, researchers have shown how Malaysian National Registration Identification Card numbers could be collected from certain Malaysian government websites and then used as an input to retrieve the person’s name, birth date, gender, voting district, and state. [108]

Reasons why beneficial owners may wish to keep their information private

Some value anonymity because it allows them to conduct their affairs without being watched and harassed. This is particularly true of celebrities, who may be looking to hide from the gaze of the media or overzealous fans. For others – especially public figures and the wealthy – their desire for privacy is a matter of safety: they are concerned that public access to their information may make them the target of crimes such as identity theft, kidnapping and blackmail.109 In fact, of the concerns expressed about beneficial ownership registers, it is the danger of identity theft, kidnapping, fraud and blackmail that has been raised most frequently. [110] Security is also a particular concern for family trusts, which may include children or vulnerable beneficiaries.

There are also commercial reasons for anonymity and discretion. Some examples cited by Alan Westin include ‘the protection of organisational autonomy, gathering of information and advice, preparations of positions, internal decision-making, inter-organisational negotiations, and timing of disclosure.’ [111] Requiring companies to reveal ownership information might discourage investment and damage legitimate businesses. [112] Some overseas territories such as Jersey and the British Virgin Islands argue that they will lose cross-border financial service business to rival jurisdictions such as the US, Hong Kong and Singapore if they chose to implement a public register. [113]

Are these harms only hypothetical?

This research has been unable to identify documented examples of harms that have arisen from the publication of beneficial ownership data in open registers.

There is some concern that publishing beneficial ownership data increases the risk of identity theft: LexisNexis research suggests that company directors are disproportionately likely to be victims of ID fraud, making up roughly 9% of the population but 19% of impersonation victims. [114] However, the same research also highlights that this risk is most serious when information about them has already been published online, such as in government datasets or on social media. In the UK, the government has been urged to prevent Companies House from publishing former names of transgender people in the PSC register due to concerns expressed by trans people that the requirement would effectively ‘out’ them. [115]

In the context of public procurement disclosure, research by Open Contracting Partnership ‘found remarkably little evidence of harm’ directly resulting from the public disclosure of contracts. Nevertheless, they provide examples of the kinds of threats that have arisen in related areas, including: the harassment of a New Orleans contractor hired to remove a confederate monument; the use of leaked tax returns for kidnapping in Colombia; and the defrauding of the NHS by fake contractors. [116]

The risks will differ depending on the country and context. There are relatively high rates of kidnapping in South and Central America, for example, and in some autocratic regimes even the knowledge that a person works on controversial issues could be problematic. [117] The strength of data protection – and therefore the risk of massive data theft or unauthorized access – also varies significantly between states.

No matter the context, and even if instances of harm have so far proven rare, any risk to individuals must be taken seriously and proactively minimized because the ‘consequences are disproportionately far-reaching.’ [118]

Conducting a thorough privacy impact assessment can help to identify potential harms and aid decision-making. What is disclosed to the public at large can be a subset of the data that is collected by authorities, provided that enough information is made publicly available to allow for meaningful oversight. In addition, a carefully designed and narrowly defined exemption process is important to allow individuals with legitimate security or privacy concerns to request that their details are not published on the open register.

Transparency can be achieved without endangering the privacy and safety of individuals, but the risks must be openly discussed, recognized and mitigated.

Are there other ways to achieve the same goals?

A key question under human rights law in assessing proportionality is always whether the same goal could be achieved through less intrusive means. That is, could these legitimate aims be achieved through some other means that is less invasive of privacy and data protection, or that better minimizes the potential negative effects for individuals and companies, but is just as effective? This is precisely the argument made by certain jurisdictions such as Jersey and Guernsey.

What might be considered an ‘effective’ register is open to interpretation, but a useful starting point are Financial Action Task Force (FATF) recommendations 24 and 25: these require countries to ensure ‘adequate, accurate and timely information on the beneficial ownership of corporate vehicles’ (emphasis added). As is often pointed out, the FATF does not advocate public registers as the only means to achieve this standard.

There are generally two alternative models to a public central register: strict regulation of CSPs or a closed central register (or a combination of the two).

An alternative often referenced is the ‘Jersey Model’, which constitutes the following:

  • Jersey companies can only be incorporated with consent of the Jersey Financial Services Commission (JFSC) – this requires an application from a regulated TCSP or a Jersey resident.
  • During the incorporation process, BO information is collected and verified. This is held in a central register, but not made public.
  • TCSPs are also required to continually monitor BO and submit changes to the JFSC within 21 days of knowledge.
  • If the register proves insufficient for investigative purposes, further information can be obtained from the TCSP. [119]

This model has been lauded by Geoff Cook as ‘a system that prevents the misuse of companies, identifies and verifies owners, promotes quality data and yet minimizes concerns regarding privacy and personal safety.’ [120] The World Bank’s Puppet Masters report highlighted three elements of the Jersey Model that maximize the effectiveness of central registries: the active verification of beneficial owners’ identities at the time of registration; close coordination with CSPs to ensure information is up to date; and making registration subject to the registry staff being confident that they have correctly identified the beneficial owner. [121]

More generally, several reports have concluded that regulated CSPs are a more effective means of collecting and verifying beneficial ownership data. Compared to government registries, CSPs often have more capacity to carry out rigorous checks and, arguably, a greater incentive to do so due to the risk of large fines or deregistration. [122]

There are three main counter arguments to relying on CSP regulation:

  • first, there is no reason why public registers cannot sit alongside and be complementary to robust CSP regulation;
  • second, CSPs may have an incentive to promote the interests of the companies they are charged with monitoring and reporting on (i.e. their clients); and
  • third, there are certain advantages to public registers (as outlined above) that do not apply to CSP regulation, namely the additional oversight from civil society, better access for public authorities, and the commercial and market advantages of a more open and transparent market.

How could the interference occasioned by beneficial ownership be minimized?

Even if, having considered the alternatives, public registers are determined to be the only effective means to achieve the aims outlined above, there remains the vital question of how they can operate in a way that is proportionate. Striking an appropriate balance will depend on the inclusion and effect of various safeguards, limitations and exceptions to publishing ownership data. In other words, the debate is not just about why the data is published, but also what is published, and how it is published.

The European Data Protection Supervisor in 2017 criticized public registers for ‘a lack of proportionality, with significant and unnecessary risks for the individual rights to privacy and data protection.’ [123] The French Constitutional Court reached a similar view in 2016, finding that a public trust register disproportionately interfered with rights to privacy and ‘entrepreneurial freedom.’ [124] More recently, there have been legal challenges to the legality of beneficial ownership registers and the Common Reporting Standard (see text box below). [125]

Mischon de Reya’s challenge to the lawfulness of the CRS and beneficial ownership registers

On 1 August 2018, the law firm Mishcon de Reya announced that it was acting in legal proceedings to challenge the lawfulness of the Common Reporting Standard (‘CRS’) and beneficial ownership registers. [126] While the full details are not public, the proceedings appear to be in the form of a complaint brought on behalf of an EU citizen formerly resident in the UK, but now living in Italy, to the UK’s Information Commissioner’s Office (‘ICO’). Publicly-available information suggests that the substance of the complaint is that the CRS regime – an agreement between OECD countries for tax authorities, including HMRC, to share certain information to ensure that the right tax is being paid – violates individual rights under the GDPR. [127] It is not clear how the beneficial ownership register regime is connected to that challenge, although it is theoretically possible that the tax affairs of the individual complainant have only come to the notice of HMRC by virtue of his ownership being disclosed on the register.

The Mishcon de Reya press release refers to the rights of privacy and data protection, and states that the firm contends that the sharing of information under the CRS and the publication of beneficial ownership information are inconsistent with protection of those rights under the European Convention on Human Rights and the EU Charter of Fundamental Rights. According to Mishcon de Reya, information sharing and publication are not justified in service of a legitimate public interest. That suggests that Mishcon de Reya seeks to attack the statutory provisions implementing the CRS and the beneficial ownership registers. The ICO cannot strike down the provisions of primary legislation for inconsistency with the European Convention. But under the legal doctrine of supremacy, a provision of UK law which is inconsistent with EU law must be disapplied. [128]

The first difficulty for the argument being advanced by Mishcon de Reya is that the EU provides both for the protection of privacy and data protection and also recognizes, under the GDPR, exceptions where disclosure is lawful. Those exceptions include precisely the sort of limited public disclosure under specific statutory obligation (or voluntary efforts) which the UK legislation establishes. Further, with the passage of the 5th Anti Money-Laundering Directive, EU law itself now specifically provides for public disclosure of beneficial ownership information. The safeguards in the UK regime – including the exemptions where safety concerns are established – provide a further layer of protection, indicating that the regime is likely to be held by a Court to take a proportionate and targeted approach. As a result, it appears unlikely that the complaint made to the ICO will successfully disrupt the UK regime, or the regime being implemented across the EU under the 5th Anti Money-Laundering Directive.

Despite these challenges, several commentators and states have adopted the position that the careful collection and publishing of limited types of data, combined with clearly defined exemptions for particular individuals, strikes the right balance between transparency, accountability, safety and privacy.

The UK government conducted a Privacy Impact Assessment (PIA) of its decision to adopt a centralized, public BO register. The PIA identifies the risks that could arise, such as fraud and identity theft, and the measures taken to minimize them. It is a detailed examination of how the conflicting risks and benefits can be balanced, and ultimately concludes that the UK’s approach is both necessary and proportionate. [129]

As useful as the UK’s PIA is, it would be impossible to provide a one-size-fits-all answer to such a complex and nuanced balancing exercise, and the appropriate approach for different countries and companies will depend on a range of contextual factors. What follows is instead a set of relevant factors and examples that may inform the approach of both companies and countries planning to publish ownership data.

Distinguishing between different types of data

As a basic principle, no more information should be collected for beneficial ownership registers than is necessary to fulfil the aims outlined above. Necessary data would include the basic information needed to adequately identify the individual, such as their name and date of birth. Public authorities will also need sufficient information to contact or locate the person, such as a service address.

But a careful distinction must be made between data that is essential and data that, while helpful or interesting, is not strictly necessary. For example, data on beneficial ownership is best-suited for use in analysis when each individual is linked to a unique identifier. However, some jurisdictions have reportedly considered publicly linking beneficial ownership data registers to existing public identification systems to accomplish this; doing so could increase interference with privacy beyond the level necessary to fulfil the aims of beneficial ownership registers. Consideration should be given to whether seemingly neutral or harmless data could reveal more sensitive information, or be pieced together with other datasets, as outlined in the examples above.

It is also crucial to recognize that the risk associated with different types of information will depend on the context of both the individual and the country where they reside.

Governments and companies should therefore consider carefully whether they require the disclosure of information that, while low risk in one country, would be more sensitive in another.

Scope of the data collected and published

A separate issue is whether transparency and public access is more justifiable for specific subsets of corporate entities – for example, only requiring individuals such as Politically Exposed Persons (PEPs) and entities involved in activities such as public procurement and extractives to disclose data.

For some, the actions of a small number of criminals do not justify the publishing of all beneficial owners’ data: why should thousands of innocent company owners and directors have to reveal personal information in the hope of catching a small number of criminals? Proponents of this argument suggest that beneficial ownership disclosure targeting high-risk sectors and individuals would be more fair, effective and feasible than blanket disclosure requirements. [130]

Although there is an intuitive logic to linking disclosure with risk, it is impossible to predict which, among the thousands of trusts and companies, may be of interest in future investigations. Illicit financial activity has proven so difficult to combat in part because much of it involves complex webs of companies; some may be criminal entities, others may be perfectly legitimate. While one company or owner may themselves be seemingly innocuous, they may in reality be an important piece of a puzzle: research by the Natural Resource Governance Institute (NRGI) on corruption cases in the extractives sector highlights how illicit funds are often funneled through complex networks or chains of shell companies with unclear beneficiaries. [131] Investigating and identifying financial crime is therefore not as straightforward as monitoring high-risk sectors and persons – combing through the haystack is to some degree inevitable.

It is also wrong to suggest that combating crime is the sole purpose of making all BO data public. As outlined above, there are broader benefits to be had from a more open, transparent market in which businesses know who they are dealing with, and in which both investors and the general public can have greater confidence.

How wide the net is cast will also depend to a large extent on how beneficial owners are defined – in particular the thresholds used to define ‘ultimate’ control or ownership of a company – which is itself a controversial matter. [132]

The scope and conditions of access

A key plank of the French Court’s decision regarding the public register of trust beneficiaries was that the register created a disproportionate interference with the right to privacy because it allowed unlimited access by the public. And the Court of Justice of the European Union (CJEU) has previously held [133] that general access to electronic communication content without any limits or exceptions was a violation of privacy and data protection. [134]

The solution adopted by many EU states (the 4th Anti Money-Laundering Directive) was to limit access by requiring that members of the public must demonstrate a ‘legitimate interest’ in the company information they request. However, this approach has flaws that could limit the effectiveness of beneficial ownership registers. First, states may define ‘legitimate interest’ so narrowly as to exclude many activists, journalists and researchers, removing the potential benefit of additional scrutiny outlined above. On the other hand, it could be defined so broadly as to effectively allow unlimited access, just with added bureaucracy.

An alternative approach is to allow public access but disclose to the public only a subset of the data that is collected and available to public authorities. In this way, a balance can be sought between providing enough information to the public to allow for meaningful additional oversight, while not disclosing those details that significantly increase the risks to privacy (but which are still justifiably available to public authorities). This approach is taken by, for example, the UK and Denmark.

Here, there is a balance to be struck; protecting individuals’ privacy while retaining its usefulness for tackling tax evasion and organized crime. For example, if a register only publishes a beneficial owner’s name and their month and year of birth (as the UK PSC register does), then people with common names may still be difficult to track down.

UK’s exemption regime

The UK’s People with Significant Control (PSC) register is public and free to search online. However, certain exemptions are allowed. These exemptions are specifically designed to mitigate some of the risks of public disclosure, as noted in the UK government’s Privacy Impact Assessment. [135]

First, residential addresses and the day of the date of birth are not made publicly available. The precise size of the person’s shareholdings is also not published.

Second, directors or PSCs can apply to Companies House (the UK’s registrar of companies) to prevent their information being disclosed on the public register or shared with credit reference agencies (it will still be available to certain public authorities). The applicant must provide evidence to show that their association with a company poses a ‘serious risk of violence or intimidation’ to them or someone they live with. [136]

Some examples provided by Companies House include those working in the animal testing or defense industry, or a member of a particular religion whose association with a company conflicts with the principles of that religion. However, there is no definitive list or criteria – each application will depend on the individual circumstances.

It is important to note that the risk must come from the activities of the company or the person’s association with it. An individual cannot make an application on the grounds that they generally face risks due to their status or personal circumstances.

When an application is made, Companies House will not disclose the information publicly until the application has been determined. If the application is denied, the person has a right to apply to court for permission to appeal.

Exemptions

One way to guard against the risks to individuals is to create narrowly-defined exemptions that allow those who can demonstrate a serious risk of harm to be exempted from the disclosure requirements.

The EU’s 5th Anti Money-Laundering Directive, for example, allows for exemptions to be granted in cases where access to the data would expose the beneficial owner to risks such as fraud or kidnapping. The UK exempts from company ownership data individuals who can demonstrate a ‘serious risk of violence or intimidation.’ That exemption is tightly controlled: according to a Freedom of Information request by Global Witness in 2017, of more than one million companies that provided beneficial ownership information in the six months following the UK PSC register’s initiation, only 270 individuals applied to have their information withheld on the basis that it would put them at risk, and of these only five were granted. [137] The definition and operation of these exceptions may prove to be the crucial element to achieving proportionality. But it is, again, a difficult line to draw. Some beneficial owners face a constant low-level threat to their safety due to their wealth or power. To define the exception too broadly could exclude a large number of beneficial owners and exempt precisely those who would be of greatest interest to investigators. On the other hand, a definition that is inflexible and defined too narrowly may fail to capture the different types of unforeseeable harms that could arise in novel situations.

There are additional practical considerations about the operation of exceptions. If the process for applying to be exempted is long and bureaucratic, should individuals be presumed to fall within the exception during the decision period (as is the approach of the UK)? If they are, then repeated applications for exemption could be used by beneficial owners to hide their data; if not, then individuals facing serious risk of harm have their details in the public domain while waiting for a decision.

Notwithstanding these difficulties, it is fair and sensible to carve out some form of a clearly-defined exemption regime for those with legitimate safety concerns.

Denmark’s exemption regime

Danish companies must collect information on their beneficial owners and register the information with the Danish Business Authority (Erhvervsstyrelsen). This data is made public and freely searchable on the Central Business Register (CVR).

The information about BOs that must be collected by companies are the name, address and identification number (either a Danish CPR number or foreign equivalent, such as a passport). However, the personal identification number is not made public. [138]

In exceptional cases, the Danish Business Authority can exclude information from publication in the CVR. To have their information exempted from publication, a person must provide evidence to show that there are special protection considerations. This is a broad test that could be satisfied if, for example, the person provides a statement from the police that the person would be at risk if their name and address was published.

However, the Danish Business Authority explicitly states that special protection considerations do not include a person concerned about inquiries from unsatisfied customers or creditors. People cannot have their information exempt based solely on their employment in certain industries or areas of work. [139]

Data Protection and Privacy in Beneficial Ownership Disclosure – image 3 (city)

Going for good, going for public

By applying a legal analysis used in human rights law to beneficial ownership transparency, we find:

  • Disclosure of beneficial ownership can readily be accommodated alongside data protection and other relevant obligations.
  • While the body of evidence supporting the effectiveness of public registers over non-public data sources is still emerging, the aims of the public disclosure of beneficial ownership data are without doubt legitimate. It is reasonable and rational for policymakers to act on the understanding that a public register will contribute to stopping illicit financial flows and serve other public interest needs.
  • While there is no existing evidence of harm caused by public registers, governments should conduct privacy impact assessments and create appropriate exemption regimes designed to protect the vulnerable.

This research report, commissioned by OpenOwnership and The B Team, was conducted by The Engine Room from July to December 2018. The content of this report does not reflect the official opinion of OpenOwnership. Responsibility for the information and views expressed in the report lies entirely with The Engine Room.

Authors: Adriana Edmeades-Jones, Tom Parker, and Tom Walker

Report Design: Convincible Media

Fact Checking: Roderigo Sara

The Engine Room requests due acknowledgement and quotes from this publication to be referenced as: The Engine Room, OpenOwnership and The B Team (2019). Data Protection and Privacy in Beneficial Ownership Disclosure.

Data Protection and Privacy in Beneficial Ownership Disclosure – image 4 (final page)
Footnotes

[98] International IDEA has created a database of the various political finance laws and requirements in each country: https://www.idea.int/data-tools/data/political-finance-database.

[99] See, for example, https://www.fec.gov/data/.

[100] UK Parliament Register of Members’ Financial Interests: https://www.parliament.uk/mps-lords-and-offices/standards-and-financial-interests/parliamentary-commissioner-for-standards/registers-of-interests/register-of-members-financial-interests/.

[101] Kenney, M., 2018. Open company UBO registers are not the panacea to financial crime, The FCPA Blog.

[102] Cook, G., 2018. Just Because UBO Data Isn’t Available for Everyone to See, It Doesn’t Make It Secret. GAB Blog. Available at: https://globalanticorruptionblog.com/2018/05/24/guest-post-just-because-ubo-data-isnt-available-for-everyone-to-see-it-doesnt-make-it-secret/ [Accessed August 10, 2018]; Forstater, M. 2018. Beneficial Openness: Is More Transparency Always Better? Center For Global Development.

[103] Center for Democracy & Technology, 2009. Data.gov and DeIdentification Considerations for the Open Government Directive. Available at: https://cdt.org/press/report-examines-privacy-implications-of-data-gov/ [Accessed September 21, 2018].

[104] Breeden, J., 2014. Worried about security? Beware the mosaic effect. GCN. Available at: https://gcn.com/articles/2014/05/14/fose-mosaic-effect.aspx[Accessed September 21, 2018].

[105] Grauer, Y., 2018. What Are “Data Brokers,” and Why Are They Scooping Up Information About You? Motherboard. Available at: https:// motherboard.vice.com/en_us/article/bjpx3w/what-are-data-brokers-and-how-to-stop-my-private-data-collection [Accessed September 21, 2018].

[106] Tzermias, Z. et al., 2017. Privacy Risks from Public Data Sources. arXiv [cs.CY]. Available at: http://arxiv.org/abs/1711.09260.

[107] Woody, C., 2018. Drug cartels have turned social-media sites like Facebook into one of their most potent weapons, (Business Insider 2016) available at: http://uk.businessinsider.com/drug-cartels-using-social-media-sites-for-crime-extortion-2016-4; see also Campden FB, 2016. Market Insight – Critical Risk. Available at: http://www.campdenfb.com/article/market-insight-critical-risk-extortion-blackmail-and-kidnap-ransom.

[108] Tzermias, Z. et al., 2017. Privacy Risks from Public Data Sources. arXiv [cs.CY]. Available at: http://arxiv.org/abs/1711.09260.

[109] Saul, H., 2016. Emma Watson named in Panama Papers database. The Independent. Available at: http://www.independent.co.uk/news/people/emma-watson-named-in-panama-papers-database-a7023126.html [Accessed August 15, 2018].

[110] Interview (permission to name pending).

[111] Westin, A. 1967. Privacy and Freedom, Scribner.

[112] Guider, I., 2018. Privacy issues and public registers of beneficial ownership. ACCA. Available at: https://www.accaglobal.com/us/en/member/ member/accounting-business/2018/06/in-focus/privacy-issues.html [Accessed August 9, 2018].

[113] Sharman, J., 2016. Solving the Beneficial Ownership Conundrum: Central Registries and Licenced Intermediaries, Jersey Finance. Available at: https://www.jerseyfinance.je/news/solving-the-beneficial-ownership-conundrum-central-registries-and-licenced-intermediaries-academic-paper-published#.W3FkZJMzaHq.

[114] LexisNexis Risk Solutions, 2016. Who are the victims of identity fraud? Available at: https://risk.lexisnexis.co.uk/insights-resources/White-Paper/who-are-the-victims-of-identity-fraud-wp-uk [Accessed August 13, 2018].

[115] Companies House and Transgender Persons, HC Deb 15 November 2017, vol 631, c827. Available at https://hansard.parliament.uk/Commons/2017-11-20/debates/45F8123F-2D20-4B15-9EEC-322D320C866F/CompaniesHouseAndTransgenderPersons. Duffy, N., 2017. Government urged to change law that “outs” transgender business people. Pink News. Available at: https://www.pinknews.co.uk/2017/11/21/government-urged-to-change-law-that-outs-transgender-business-people/.

[116] Open Contracting Partnership, 2018. Mythbusting Confidentiality in Public Contracting. Available at: http://mythbusting.open-contracting.org/ [Accessed August 9, 2018].

[117] Whitehead, H., 2016. Beneficial ownership: A new era of openness? International Compliance Association. Available at: https://www.int-comp.org/insight/2016/september/27/beneficial-ownership-a-new-era-of-openness-united-arab-emirates/ [Accessed September 10, 2018].

[118] PwC, 2015. Finding a balance between transparency and privacy, Available at: https://www.pwc.nl/en/publicaties/finding-a-balance-between-transparency-and-privacy.html [Accessed August 9, 2018].

[119] Jersey Finance Limited, 2017. Public Registers of Beneficial Ownership, Available at: https://www.jerseyfinance.je/media/PDF-Reports/Report%20on%20Beneficial%20Ownership%20-%20Jersey%20Finance%20Limited.pdf.

[120] Cook, G., 2018. Just Because UBO Data Isn’t Available for Everyone to See, It Doesn’t Make It Secret. GAB Blog. Available at: https://globalanticorruptionblog.com/2018/05/24/guest-post-just-because-ubo-data-isnt-available-for-everyone-to-see-it-doesnt-make-it-secret [Accessed August 10, 2018].

[121] Sharman, J., 2016. Solving the Beneficial Ownership Conundrum: Central Registries and Licenced Intermediaries. Available at: https://www.jerseyfinance.je/news/solving-the-beneficial-ownership-conundrum-central-registries-and-licenced-intermediaries-academic-paper-published#.W6Eq_HXwa3S [Accessed September 18, 2018].

[122] Interview.

[123] European Data Protection Supervisor, 2017. EDPS Opinion on a Commission Proposal amending Directive (EU) 2015/849 and Directive 2009/101/EC. Available at: https://edps.europa.eu/data-protection/our-work/publications/opinions/anti-money-laundering_en [Accessed September 18, 2018].

[124] Appleby, 2016. Secrecy, Privacy and a French Legal Case. Appleby. Available at: https://www.applebyglobal.com/insights/insights-2016/secrecy–privacy-and-a-french-legal-case-september-2016.aspx [Accessed August 2, 2018].

[125] Mishcon de Reya, 2018. Legal challenge to Common Reporting Standard (CRS) and Beneficial Ownership (BO) registers. Available at: https://www.mishcon.com/news/firm_news/legal-challenge-to-common-reporting-standard-crs-and-beneficial-ownership-bo-registers [Accessed August 13, 2018].

[126] Ibid.

[127] Data IQ, 2018. Top law firm challenges ICO to probe HMRC data sharing. Available at: https://www.dataiq.co.uk/news/top-law-firm-challenges-ico-probe-hmrc-data-sharing [Accessed September 20, 2018].

[128] R v Secretary of State for Transport, ex parte Factortame Ltd and ors (No 2)[1991] 1 AC 603 (HL).

[129] Department for Business, Innovation and Skills, 2014. Transparency and Trust: Enhancing the Transparency of UK Company Ownership and Increasing Trust in UK Business, Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/324742/bis-14-884-transparency-and-trust-company-ownership-privacy-impact-assessments.pdf.

[130] Emmen, M.B., 2015. When Transparency Isn’t the Answer: Beneficial Ownership in High-End Real Estate. GAB | The Global Anticorruption Blog. Available at: https://globalanticorruptionblog.com/2015/03/23/when-transparency-isnt-the-answer-beneficial-ownership-in-high-end-real-estate [Accessed August 9, 2018].

[131] Sayne, A., Gillies, A. & Watkins, A., 2017. Twelve Red Flags: Corruption Risks in the Award of Extractive Sector Licenses and Contracts, NRGI. Available at: https://resourcegovernance.org/sites/default/files/documents/corruption-risks-in-the-award-of-extractive-sector-licenses-and-contracts.pdf.

[132] Sayne, A., Westenberg, E. & Shafaie, A., 2015. Owning Up: Options for Disclosing the Identities of Beneficial Owners of Extractive Companies, NRGI. Available at: https://resourcegovernance.org/analysis-tools/publications/owning-options-disclosing-identities-beneficial-owners-extractive; Dun & Bradstreet, 2016. Beneficial Ownership: Why the Devil Really is in the Detail, Available at: https://www.dnb.co.uk/content/dam/english/business-trends/db-4981-beneficial-ownership-whitepaper.pdf.

[133] Schrems vs Data Protection Commissioner, 6 Oct 2015, Available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=2393.

[134] Noseda, F., Common Reporting Standard and EU beneficial ownership registers: inadequate protection of privacy and data protection. Mishcon Academy. Available at: https://academy.mishcon.com/standard-and-eu-beneficial-ownership-registers-inadequate-protection-of-privacy-and-data-protection [Accessed August 9, 2018].

[135] Department for Business, Innovation and Skills, 2014. Transparency and Trust: Enhancing the Transparency of UK Company Ownership and Increasing Trust in UK Business, Available at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/324742/bis-14-884-transparency-and-trust-company-ownership-privacy-impact-assessments.pdf.

[136] Companies House Guidance, Restricting the disclosure of your information, updated 27 April 2018. Available at: https://www.gov.uk/government/publications/restricting-the-disclosure-of-your-psc-information/restricting-the-disclosure-of-your-information.

[137] Palstra, N., 2018. 10 lessons from the UK’s public register of the real owners of companies | Global Witness. Global Witness. Available at: https://www.globalwitness.org/en/blog/10-lessons-uks-public-register-real-owners-companies/ [Accessed August 13, 2018].

[138] Guidance on ownership registration, virk website: https://indberet.virk.dk/myndigheder/stat/ERST/Det_Offentlige_Ejerregister#tab2.

[139] Erhvervsstyrelsen, Questions and answers about real owners, available at: https://erhvervsstyrelsen.dk/hjaelp-til-registrering-af-ejere-2.