CJEU Shareholder Data Ruling: What Obliged Entities Need to Know
On 18 December 2025, the Advocate General of the Court of Justice of the European Union (CJEU) published an opinion on C-798/24 that could reshape access to shareholder data across Europe.
At first glance, the case concerns minority shareholders in Latvia. In practice, it raises a much larger question: how much corporate ownership data must be public to support effective anti-money laundering (AML), counter-terrorist financing (CTF), and sanctions enforcement?
Stephen Abbott-Pugh, a long-time expert on beneficial ownership and company registers, sees the opinion as a warning shot.
“This could set a precedent across the whole of the European Union,” he says.
From Beneficial Ownership to Shareholders: A Familiar Legal Path
The roots of the case lie in the CJEU’s 2022 ruling on beneficial ownership registers. That judgment held that fully public access to beneficial ownership data infringed individuals’ fundamental rights to privacy.
The impact was immediate and severe. Registers closed. Access fractured. Legitimate interest tests replaced open access, but as Transparency International discovered, this was often in theory more than in practice. According to research by Kyckr, only a third of public registers were accessible to the public.
“European registers are only now, at the end of 2025, recovering,” Abbott-Pugh explains, “and introducing what’s called legitimate interest access.”
Now, the Advocate General has issued an Opinion – advice to the court – on C-798/24 that argues publicly available shareholder data also contravenes the individual right to privacy.
The Latvian case was brought by 17 minority shareholders. They argued that, unlike beneficial owners, they do not control companies and should not have their personal data fully exposed through public registers.
The Advocate General agreed.
The Core Finding: Public Access Is Not ‘Necessary’
At the heart of the opinion is GDPR’s principle of data minimisation. Personal data should not be published unless it is strictly necessary.
The Advocate General concluded that this test is not met for shareholder data.
“The Advocate General,” says Abbot-Pugh, “said that there’s only a limited extent to which unfettered public access to shareholder information contributes to combating money laundering, terrorism, and sanctions evasion.”
The opinion does not argue for secrecy. Law enforcement, journalists, civil society, and AML actors would still retain access. But the public would not.
Once data is fully public, Abbott-Pugh notes, control is lost.
“Once something’s fully public, anyone can do anything with that personal data. You have no control. You have no idea what people are doing with it.”
A Fragile Balancing Act
The opinion frames the issue as a balance between individual privacy and transparency in the business environment. The Advocate General comes down firmly on the side of privacy.
The language is blunt. Making shareholder data fully public is described as “inappropriate and unnecessary” for achieving a transparent business climate.
“The Advocate General thinks that you can achieve all of this without having it fully public,” Abbott-Pugh says.
For financial crime professionals, this is where concern sets in. Transparency works because it scales. More eyes catch more discrepancies. Public access enables independent scrutiny, investigative journalism, and third-party verification.
“In a bunch of jurisdictions, having the data public was the main way discrepancies were reported,” Abbott-Pugh says. “More eyeballs means more accuracy.”
The Risk of Further Fragmentation
The opinion isn’t legally binding. But if the opinion becomes a final ruling, the EU risks repeating the mistakes of 2022.
After the beneficial ownership judgment, Member States diverged sharply. Some remained public. Some shut registers entirely. Some introduced workable legitimate interest access (LIA) regimes.
But the situation was far from clear. As Kyckr CEO Steve Lamb wrote in an article for The Paypers, legal access is not the same as access in practice: “While these countries provide LIA on paper, often such requests are virtually impossible in practice.”
“Czechia only closed its beneficial ownership register on December 17, 2025,” Abbott-Pugh notes. “That’s more than three years after the ruling.”
Shareholder data could follow the same path.
“People have built entire systems to understand who controls companies using shareholder information,” he says. “If that now sits behind tests and gates, people will understand less about who is behind companies.”
The transition would not be quick. Legal changes, technical rebuilds, and access frameworks take years. In the meantime, visibility drops.
“If the same thing happens with shareholder data,” Abbott-Pugh warns, “there could be a real damaging impact on the ability to do checks across Europe.”
Minority Shareholders, Major Blind Spots
The opinion focuses on minority shareholders, arguing they are not controllers. But corporate structures are rarely that simple.
“You can have someone with 24% of a company,” Abbott-Pugh says. “They’re not a beneficial owner. They’re not in the UBO register. But they can still exert huge influence.”
Nominees, dispersed holdings, and cross-border structures thrive in these gaps. Removing shareholder visibility does not remove risk. It conceals it.
“As soon as you have fewer eyes on it,” Abbott-Pugh adds, “everything gets less transparent.”
Harmonisation Promised, Access Still Broken
The EU’s AML package, passed in 2024, promises improvement. By 2026, beneficial ownership access should be more harmonised. A form of “access passport” is envisaged, allowing approved users to access registers across Member States.
“There should be common methods,” Abbott-Pugh says. “You pass the test once, and you can go to any EU register.”
But today, access remains inconsistent.
“Every country is different,” he says. “Some will only allow you to apply if you’re based in that country. Some don’t allow all the categories of users set out in the directives.”
Even when access is granted, data quality is uneven. Formats differ. Fields vary. APIs are rare.
“If you’re jumping through a million hoops to access bad quality information,” Abbott-Pugh says, “you’re just making life harder for everyone.”
Effectiveness, Not Formal Compliance
The Financial Action Task Force has been clear: collecting data is not enough. Countries must use it, verify it, and connect it to other sources.
“You can be compliant,” Abbott-Pugh says, “collecting lots of information and then not using it. That’s not winning the fight.”
Restricting shareholder data without fixing access and quality elsewhere risks undermining the entire effectiveness agenda.
“The more difficult you make it,” he says, “the less effective these reforms will be.”
What Happens Next
For now, this is only an opinion. A final CJEU ruling will follow. But the direction of travel is clear.
If shareholder data is pushed behind legitimate interest barriers, the EU must avoid repeating the errors of the past. This could happen, but only if the Member States behave differently.
Abbott-Pugh’s advice is simple.
“If this ruling goes this way, people should make every effort to make the data easy to access and easy to use for the people who should have it.”
Access and quality. One of them must improve.
“If you solve neither,” he says, “you don’t get privacy or transparency. You just get blindness.”
The Implications for Obliged Entities
For compliance teams, the message is clear: access to company and ownership data can no longer be assumed to be uniform, public, or predictable across Europe.
The rules of the game are changing. Data delivery alone will only take KYB teams so far. What matters now is knowing what data is available, where it can be accessed, under what legal conditions, and with what limitations.
In that environment, value no longer lies in aggregating whatever happens to be open, but in providing lawful, authoritative access, and in making constraints explicit rather than invisible.
This is the problem Kyckr was built to solve, offering a single access point to more than 300 company registries worldwide, through the Kyckr Portal or API.