18 December 2025

CJEU (AG) ¦ EU Advocate General Questions Blanket Shareholder Disclosure

Public Shareholders, Privacy, and Financial Crime Control: What Advocate General Norkus’s Opinion Means

On 18 December 2025, Advocate General Norkus delivered an important Opinion in Case C‑798/24, Jautiva (i), addressing a question that sits at the crossroads of company law, financial crime prevention, and data protection. The case arose from Latvia, but its implications extend across the European Union, especially for policymakers, compliance professionals, and anyone involved in corporate transparency initiatives. At the heart of the dispute is a simple but far‑reaching issue. Can Member States require the personal data of all shareholders in a public limited company to be made freely accessible to the general public, without any need to show a legitimate interest? And if they can, does EU law actually require them to do so?

Shareholders are not company controllers

The first major conclusion of the Opinion concerns the interpretation of Directive (EU) 2017/1132 on company law. Latvian law assumed that shareholders fall within the category of persons who “take part in the administration, supervision or control of the company” and that this justified full public disclosure of their personal data.

Advocate General Norkus rejected that reading. He stressed that the directive draws a clear line between shareholders and the bodies that manage or supervise a company. Shareholders, especially minority shareholders, are not appointed to office, are not responsible for day‑to‑day management, and do not exercise control simply by holding shares. Their rights flow from ownership, not from a mandate or function within the company.

As a result, EU company law does not oblige Member States to disclose information on every shareholder of a public limited company. Where the EU legislature has wanted shareholder identities to be disclosed, such as in the case of single‑member companies, it has said so explicitly. The absence of such language here is decisive.

A serious interference with privacy rights

The Opinion then turns to data protection. Making shareholder registers freely accessible online means publishing names, personal identification numbers, contact details, shareholdings, and voting rights. According to Advocate General Norkus, this is not a marginal interference with privacy but a serious one.

Public access to this information allows anyone to draw conclusions about an individual’s wealth, investment choices, and business relationships. Because the data can be accessed, copied, reused, and combined with other sources without restriction, the risk of misuse is real and ongoing. This directly affects the rights to private life and data protection under Articles 7 and 8 of the EU Charter.

Bastian Schwind-Wagner _Follow

"This Opinion sends a clear signal that transparency measures in company law and financial crime prevention have legal limits. Even strong public‑interest objectives such as fighting money laundering or enforcing sanctions cannot justify unrestricted access to sensitive personal data.

For policymakers and compliance professionals, the message is one of balance rather than retreat. Effective financial crime controls must focus on real risk and control while respecting data protection principles that remain central to EU law."

Legitimate aims do not remove the need for proportionality

Latvia argued that full public access serves several aims of public interest. These included creating a transparent business environment, protecting third parties, preventing money laundering and terrorist or proliferation financing, and enabling the enforcement of national and EU sanctions.

The Advocate General accepted that these aims are legitimate and recognised by EU law. Combating money laundering and enforcing sanctions, in particular, are objectives that can justify even serious interferences with fundamental rights. However, legitimacy alone is not enough. The measures must also be necessary and proportionate.

Here, the Opinion draws heavily on the Court’s reasoning in the Luxembourg Business Registers judgment. That case invalidated unrestricted public access to beneficial ownership information because it went beyond what was strictly necessary. Advocate General Norkus considered the Latvian rules even more intrusive, since they cover all shareholders, including those with no control or influence.

Why unrestricted public access is not necessary

A key part of the analysis concerns necessity. The Opinion emphasises that financial crime prevention is primarily the responsibility of public authorities and obliged entities, such as banks and financial institutions, which already have enhanced access to information. EU anti‑money laundering law also allows access for persons who can show a legitimate interest, striking a balance between transparency and privacy.

The Advocate General found no convincing evidence that allowing unrestricted access for everyone is essential to achieve these aims. Less intrusive alternatives exist, such as systems where access is granted on request, with a stated purpose and safeguards against misuse. These mechanisms may involve some delay, but they still allow effective checks while significantly reducing the impact on fundamental rights.

Sanctions enforcement does not justify blanket disclosure

The Opinion also addresses sanctions compliance, an area of growing importance for financial crime professionals. While everyone is required to respect EU sanctions, this does not mean that everyone must have constant access to personal data on every shareholder of every public limited company.

According to Advocate General Norkus, sanctions enforcement can function effectively through targeted access, regulatory oversight, and reporting duties. Requiring universal, continuous scrutiny of all shareholder changes by all economic actors would be excessive and unrealistic, particularly given how frequently shareholdings can change.

Implications for financial crime policy

The proposed conclusion is clear. The General Data Protection Regulation (GDPR) precludes national legislation that allows unrestricted public access to the personal data of all shareholders in a public limited company, even when justified by transparency, anti‑money laundering, or sanctions enforcement goals.

For financial crime policy, this Opinion reinforces an important message. Transparency remains essential, but it must be calibrated. Measures aimed at fighting illicit finance must be carefully designed to target risk, focus on those who exercise control or influence, and include safeguards that respect fundamental rights.

If the Court of Justice follows this Opinion, Member States will need to review shareholder disclosure regimes that go beyond EU requirements. For compliance teams and regulators, the ruling would underline the importance of balancing access to information with data minimisation, purpose limitation, and proportionality.

In the evolving landscape of financial crime control, the message is not that transparency should be rolled back, but that it must be smarter, more precise, and legally sound.

The information in this article is of a general nature and is provided for informational purposes only. If you need legal advice for your individual situation, you should seek the advice of a qualified lawyer.

Did you find any mistakes? Would you like to provide feedback? If so, please contact us!

Dive deeper

CJEU ¦ Case C‑798/24 ¦ Link
EUR-Lex ¦ Directive (EU) 2017/1132 ¦ Link
EUR-Lex ¦ Charter of Fundamental Rights of the European Union ¦ Link

« CJEU (AG) ¦ Beneficial Ownership, Trusts and “Similar Legal Arrangements”

Bastian Schwind-Wagner _Follow Bastian is a recognized expert in anti-money laundering (AML), countering the financing of terrorism (CFT), compliance, data protection, risk management, and whistleblowing. He has worked for fund management companies for more than 24 years, where he has held senior positions in these areas.