updated 2:11 PM CET, Oct 31, 2023

Mishcon's Noseda, as latest U.S. gov't data breach revealed: Beneficial ownership registers also vulnerable

 Court of Justice of the European Union Court of Justice of the European Union Court of Justice of the European Union Court of Justice of the European Union

 Luxembourg's courts are "understood" to have asked the Court of Justice of the European Union (CJEU) a number of questions relating to the validity of public registers of beneficial ownership, according to the latest statement on the subject of personal data security concerns issued by the London-based Mishcon de Reya law firm.

The statement came days before news broke, on Monday, of the latest major data breach of U.S. government agencies, this time by Russian government hackers, according to press reports published by such publications as the WashingtonPost , New York Times  and the  Financial Times.

The Luxembourg court in question was its District Court ('Tribunal d'Arrondissement' ), Mishcon de Reya said, adding that the issue had to do with the validity of Luxembourg's so-called registry of beneficial ownership (RBE) law, introduced last year in line with EU beneficial ownership regulations to provide for the establishment in Luxembourg of a public beneficial ownership register, and its compatibility with fundamental rights.

Pressure has been building recently on a number of countries, including the U.S. and many small jurisdictions some claim are tax havens, to introduce public registers of beneficial ownership as a means of eliminating one of the ways wealthy individuals are able to hide their assets from the tax authorities.

Critics, however, have long claimed that revealing such information can expose the individuals in question to such personal risks as kidnapping for ransom as well as the theft of their personal financial data by criminals.  Such critics typically argue that registers that provide beneficial ownership details to law enforcement officials and other "authorized" individuals are sufficient to prevent tax evasion, while ensuring individuals' data isn't at risk to thieves and would-be scammers.

Filippo Noseda EU PETA hearing 2019 Thierry ROGEOn Monday, Mishcon de Reya partner Filippo Noseda (pictured left), who has represented a number of individuals who have sought to challenge the way governments handle their personal financial information – including, as reported, a U.S.-born British citizen named Jenny, who launched a crowd-funded challenge last year about the way HM Revenue & Customs was providing her UK financial account data to the U.S. Internal Revenue Service, in compliance with FATCA – wrote the latest in an ongoing series of letters to European Data Protection Board chair Andrea Jelinek, in which he (again) called her attention to the problem of international data hacking and urged her, and the EDPB as a whole, to address the matter, "first raised over a year ago".

This letter, along with others he's written to Dr Jelinek as well as other correspondence dating back to 2016, may be found on Mishcon's website by clicking here. 

Separately, commenting on reports that the Luxembourg courts are reported to have "refer[red] the question of the compatibility of public registers of beneficial ownership with fundamental rights to the European Court of Justice", Noseda said, in a statement published on the Mishcon de Reya site as well: "This is welcome news in what is a very sensitive area. Indiscriminate access to personal information raises serious legal issues for company owners and their families.

"We filed several appeals against the Luxembourg Business Register and asked that the matter be referred to the European Court of Justice... 

"The request for a ruling has direct implications for all EU Member States, because the introduction of public registers is an EU requirement under the fifth anti-money laundering directive.

"It has also direct implications for the UK's Crown Dependencies and Overseas Territories (such as Bermuda, the BVI and the Cayman Islands), which have been pressured by the UK government to introduce fully public registers, as opposed to registers that are accessible to authorities and parties showing a legitimate interest."

Latest  hacking

The latest hacking incident involved what the Washington Post called "Russian government hackers" who it said had "breached the [U.S.] Treasury and Commerce departments, along with other U.S. government agencies, as part of a gobal espionage campaign" that stretched back "months."

The New York Times called it "one of the most sophisticated and perhaps largest hacks in more than five years."

It added: "The Trump administration acknowledged on Sunday that hackers acting on behalf of a foreign government – almost certainly a Russian intelligence agency, according to federal and private experts – broke into a range of key government networks, including in the Treasury and Commerce Departments, and had free access to their email systems.

"Officials said a hunt was on to determine if other parts of the government had been affected... 

"Several said national security-related agencies were also targeted, though it was not clear whether the systems contained highly classified material."

The New York Times report went on to note that "a measure of the sudden panic sweeping federal offices" after the hack was discovered could be seen in the fact that late on Sunday night, the U.S. Department of Homeland Security "ordered all agencies to shut down any use of a complex piece of network management software made by a company called SolarWinds, and installed on networks belonging to government agencies and American corporations.

"The order was so urgent that it gave a deadline of noon on Monday for 'a completion report' confirming that the software was no longer in use."