
Taxing digital activities - III. Non-fiscal law requirements

Author: Paul Verhaeghe

  1. Tax distortion that is triggered or facilitated through digital activities had better be addressed through new definitions (free services, users, data and the worldwide profit derived through them, Virtual Permanent Establishments) in the Union tax law and OECD.

But, as pointed out, negotiating and voting addendums to the existing tax treaties to insert these new tax law definitions, might take up a very long period of time. A unilateral taxation may, on the other hand, be questioned in court as long as these addendums do not take effect.  Tax revenue may have to be reimbursed if such a claim prevails.

Hence the scope of this article: to seek a way around this temporary obstacle through non-tax law requirements of presence that may in turn give cause to apply existing Permanent Establishment criteria.

  1. A historical interpretation of Article 5 shows that its general intention is to enable taxing the profit created on the territory of a State through a permanent form of activity in the territory. Hence the criteria of presence that were historically defined.

Data collected from users and users themselves form substantial sources of profit that are created in a permanent way through all the digital interfaces located in the State that feeds that activity.

The provider offers services on these digital interfaces of the residents in the territory of the Member State.  The presence of cookies left on the various digital interfaces of users in the Member State could be taken into account to qualify such material digital interfaces as tools to enhance the detection and extraction of the user’s data.

It is not relevant for Article 5 that such a material digital interface does not belong to the company. It suffices that the presence of tools on all these material digital interfaces leads to a constant digital activity, forming an activity of a permanent nature as historically intended.

Such an argument may be useful when discussing the good faith of a contracting party in taxing profit that is generated in a permanent way, in its territory, through cookie-activity, in countless material digital interfaces of users.

  1. A branch is not defined by OECD, nor is business.

A permanent presence of material digital interfaces in the territory of the contracting party that allows data detection and extraction could therefore be interpreted under Article 5, § 2, (b) OECD MC.

However, if presented alone, this criterion is open to various interpretations and could lead to contradictions in rulings from national tax judges both in Member States and between Member States.  Such uncertainty ought to be avoided.

  1. An ‘office’ under article 5, § 2 (c) OECD MC is a more tangible criterion.

It would lead to a more predictable outcome of tax litigation, whether or not combined with article 5, § 2, (b) OECD MC and the historical interpretation.

The presence of such an office can be obtained through requirements of non-fiscal law.

  1. From the aforementioned analysis of the different business models of relevant digital activities, the following requirements can be considered to give a valid cause to impose a physical presence in the territory of the Member State that may in turn lead to Permanent Establishments for tax purposes.

– data protection, criminal investigation, fake news containment, official warnings of an imminent and imperative nature (users)
– regulations that secure electronic payments in general (electronic (digital) payment service)
– regulations on providers of services when not offered by the collector of the price

  1. Member States could consider the issue of fake news on social media by demanding that companies that take the commercial risk of offering a digital forum in the territory are liable when the spreading of false information is not contained and / or erased within a certain time limit.

In order to detect and contain the source of fake news, which would typically be a short-term event, it could be required to temporarily store the exchanged content on a server located in the national territory.  This stored data is deleted after a given period of time (for instance 14 days).  At the very least the presence could be required of an office with a terminal that gives access in the national language to the servers outside the territory.

That would allow the national authorities to detect and contain fake news that has given an unlawful cause of harm to citizens or authorities.  Given the short time frame to stop the spreading and to root out fake news, a direct liaison office should be available to immediately reply and give access to the national authorities or inhabitants in their official language and in their national territory in order to assist or direct the required interventions of protection and prevention.

  1. In the author’s view one should consider a digital forum in the Latin meaning of that word : it is a public square. Concepts of intimacy and privacy are misleading ; all that is written and shared remains in the public memory of those who were present on that square.  It is therefore paramount to contain, as soon as possible, the spreading of harmful data from the originator/subject to the receiver/subject (minors’ parents requesting immediate removal).

A direct liaison in the country of residence who offers direct contact in the national languages and the means to immediately intervene in the spreading is a necessary tool for that purpose.

  1. Such a direct liaison could also serve, in a general way, criminal investigations and security or consumer protection by issuing official warnings on the digital forum used by the digital interfaces located in the territory of the Member State.

For instance, in case of a nuclear incident or spreading fires and floods, authorities could consider sending messages to the public in the affected area through digital forums as the most efficient way to warn the users who are located in or near that area.

Various services which are digitally split could be considered as one service from a consumer protection perspective, and the whole of the information on the executed operation could be made available to the consumer in his national language and in his country.

The consumer’s interests are also better and more effectively served if he can legally call the organiser of the service before his national courts.  Having an office that can be validly notified would greatly reduce the legal costs for consumers who consider that their rights have been violated by a service contracted through their digital interface in their usual place of residence, even if some part of that service took place outside the territory.

  1. This concern of protection of the interests of users can also be effectively addressed under two, more specific, non-tax law notions that have to be implemented no later than early 2018 in the national law of the Member States.

For free services, there is the implementation of data protection.  For paying services, there is both the implementation of data protection and electronic payment protection.

This implementation offers a unique opportunity to swiftly address some tax distortion through digital activities.

  1. For data protection requirements, the Directive (EU) 2016/680 of 27 April 2016 on personal data protection[1] may prove relevant for Member States for digital tax definition purposes. Member States have to implement these rules by 6 May 2018.

The following considerations of the Directive would allow the Member States to require a direct liaison on their territory :

“(3) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows personal data to be processed on an unprecedented scale in order to pursue activities such as the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.”

“(65) Where personal data are transferred from a Member State to third countries or international organisations, such a transfer should, in principle, take place only after the Member State from which the data were obtained has given its authorisation to the transfer.”

“(89) Penalties should be imposed on any natural or legal person, whether governed by private or public law, who infringes this Directive. Member States should ensure that the penalties are effective, proportionate and dissuasive and should take all measures to implement the penalties.”

  1. The following tools must be implemented (Article 3) :

– All automated processing of personal data is prohibited unless authorised under Member State law (Article 11).
– All processing activities of this personal data must be recorded by the controllers (Article 24).
– Logs must be kept for controlling purposes of data collection, alteration, consultation and disclosure including transfers, combination and erasure (Article 25).

This is also the case outside the European Union :

“Article 24 (2) c where applicable, transfers of personal data to a third country or an international organisation where explicitly instructed to do so by the controller, including the identification of that third country or international organisation;”

– Articles 35 (1) b and 39 prohibit transfer of personal data to third countries that do not have an authority for data protection as set out under Article 1 (1) of the Directive.

  1. These elements are also potentially useful tax tools next to giving cause for the presence of a Permanent Establishment :

– they make it possible to identify the companies that collect such personal data with an undisputed economic value,
– they make it possible to quantify the number of users on their national territory and the amount of data given by these users,
– they make it possible to check the tax reporting of the companies that qualify under digital tax measures on business models that exploit users and their data.

  1. Under CHAPTER V “Transfers of personal data to third countries or international organisations” of the Regulation (EU) 2016/679 of 27 April 2016 [2] the Commission checks whether third countries provide similar adequate protection as the Regulation organises between Member States.

The personal data defined under this Regulation is relevant since it directly relates to the difficulties expressed by the participants under the OECD’s public enquiry on how to grasp the economic value of worldwide data mining activities of data collected from a State’s territory.

– considerations (23 and 24) :

“..the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment..(..) factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union..

(24) The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”

All data collected from “data subjects who are in the Union”, with or without payment from these “data subjects”, must be traceable in and outside the Union.  This is indispensable for both the supervision of how and by whom the collected data are ‘processed’ and the enforcement of the data subject’s rights granted under the Regulation.

The tracing back of the collected data to the user can be done most effectively if this collecting was recorded on a server in that user’s Member State.  It would ensure the most immediate and timely access and supervision.

– considerations (73, 80 and 82) :

“(74) The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

(80) Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a representative (..)

(82) In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.”

The Commission thus potentially controls very effective tools in identifying and qualifying digital activity in each Member State.  Major parts of the digital economy become transparent and traceable for taxing purposes of digital activities.

Through the requirement of an office (direct liaison with legal notification purpose) a Permanent Establishment under existing tax treaties is created while awaiting the addendums to implement the definitions of Virtual Permanent Establishments.

This is a highly relevant competence of the Commission that may qualify under Article 292 TFEU and may in turn significantly improve the Member States’ tools for introducing into their national tax law equal tax burdens on all national, European or third country competitors alike.  This Regulation becomes effective on 25 May 2018.

  1. Under consideration (23) of this Regulation, the processing of personal data should take place even when no payment is involved. A large portion of digital activities does not relate to persons but to business.

Business related data does not fall under the scope of these data protection rules.

It can be assumed however that the bulk of data generated by business results in electronic payments. Requirements for implementing electronic payment protection may offer a motivation to impose an office for business related data purposes while awaiting the implementation of the addendums to the tax treaties that relate to Virtual Permanent Establishments.

Also, whereas some services are available for free from business to business, the author recalls that the freedom of services in the Integrated Market is qualified by Article 57 TFEU as those services that are normally provided for remuneration.

Member States could argue that they can also install, under the scope of free business to business services, offices / direct liaison requirements for some of the same purposes as set out for personal data protection : criminal investigations (cyber-attacks), fake news containment (that could be considered even potentially more damaging in a business environment), industrial espionage (fake profiles, references etc.), and as a general warning tool when unexpected events occur.

  1. For electronic payment protection requirements, the Directive (EU) 2015/2366 of 25 November 2015 on payment services[3] may prove highly relevant for Member States for digital tax definition purposes.

Member States have to implement these rules by 13 January 2018.  This date does not exclude that these rules may be further implemented and fine-tuned after that date.

  1. This Directive imposes the following obligation on Member States :

(Article 101 (1 and 2) : Dispute resolution)

“Those procedures shall be applied in every Member State where the payment service provider offers the payment services and shall be available in an official language of the relevant Member State or in another language if agreed between the payment service provider and the payment service user.”

“Member States shall require that payment service providers make every possible effort to reply, on paper or, if agreed between payment service provider and payment service user, on another durable medium, to the payment service users’ complaints. Such a reply shall address all points raised, within an adequate timeframe and at the latest within 15 business days of receipt of the complaint.”

Member States can argue that these Dispute resolution requirements are most effectively met through the presence of an office in their territory.

  1. The Directive states that personal data obtained through payment systems must also comply with data protection requirements (Article 94). The Commission confirmed on 27 November 2017 that the personal Data protection requirements apply equally when they become effective on 25 May 2018[4].

This opens up a combined requirement of national offices for electronic payments that relate to consumers. Article 29 (4) states in that regard :

“4. Member States may require payment institutions operating on their territory through agents under the right of establishment, the head office of which is situated in another Member State, to appoint a central contact point in their territory to ensure adequate communication and information reporting on compliance with Titles III and IV (*), without prejudice to any provisions on anti-money laundering and countering terrorist financing provisions and to facilitate supervision by competent authorities of home Member State and host Member States, including by providing competent authorities with documents and information on request.”

(*) Articles 94 and 101 fall within Title IV of the Directive

The Directive further states that the electronic payment data must be stored for five years, without prejudice to Directive (EU) 2015/849 or other relevant Union law (Article 21).

  1. Consequently, Member States can require the presence of an office on their territory, even if the payment institution is incorporated in another Member State.

This provides a potentially decisive element in the discussion whether or not a Permanent Establishment could be made present under existing OECD criteria through electronic payment requirements.

  1. However, a word of caution is needed. The caution relates to the effectiveness of the use of the collected financial data for national tax purposes.

Under Article 26 of the Directive, the exchange of information between Member States is regulated.  Article 26 (2) states :

“2. Member States shall, in addition, allow exchange of information between their competent authorities and the following:

(..)

(c) other relevant authorities designated under this Directive, Directive (EU) 2015/849 and other Union law applicable to payment service providers, such as laws applicable to money laundering and terrorist financing;”

Could this phrasing include the exchange of information requested by national tax administrations with the purpose of determining the profit tax base of the recipients of electronic payments originated in that Member State ?

This seems questionable since the wording only specifically exonerates ‘other Union law (..) such as laws applicable to money laundering and terrorist financing’.  Using the stored electronic payments data for national tax law purposes seems impossible under Article 26 (2) of the Directive.

  1. When this Directive was adopted in November 2015, the ‘Swiss’ and ‘Lux’ leaks were already public, but general and political awareness was further heightened by the subsequent ‘Panama’ and ‘Bahama’ leaks and the ‘Paradise’ papers.

Several companies engaged in digital activities were named in these leaks in connection with extensive tax engineering, and this has since created political momentum in the European Union to effectively address these legal loopholes.

The on-going legislative efforts of the European Council and Commission in addressing tax-avoidance through digital activities may thus lift this restriction under Article 24 (2) c for national tax purposes or lead to other Union law which allows the monitoring of electronic payments data for tax purposes.

While awaiting such initiatives, a Member State could argue that the Council Directive (EU) 2016/116 of 12 July 2016, implementing rules against tax avoidance practices which directly affect the functioning of the internal market, and other new Union laws that will be adopted in 2018, form Union law that can qualify under the general requirement of Article 24 (2) c.

  1. Such a demand of a Member State to another Member State to share the collected payment data for tax purposes would then best be motivated by national tax law that was adopted in transposing Union tax law, and should clearly mention the transposed Union tax law in that national tax law and how the demand to share the collected payment data serves the purposes as set out by that Union tax law. It remains to be seen if tax subjects can successfully challenge the production of these collected payments data before national tax courts for taxation purposes.

This uncertain outcome of tax litigation could be lifted once Article 24 (2) c is modified.

  1. It is also important to remind the reader that the fields of criminal law, personal data protection and electronic payment protection (if qualified as financial services) fall outside the scope of Directive 2006/123 of 12 December 2006 on services in the internal market[5].

This Directive grants the following rights under the Internal Market of services :

– Member States cannot request a prior authorisation of a service activity on their territory unless some conditions are met (Article 9 (1)),
– Member States cannot enforce certain requirements (Article 14), such as (Article 14 (3)) :

“restrictions on the freedom of a provider to choose between a principal or a secondary establishment, in particular an obligation on the provider to have its principal establishment in their territory, or restrictions on the freedom to choose between establishment in the form of an agency, branch or subsidiary;”

– Member States can in general only enforce requirements on providers that are established in another Member State if some conditions are met (Article 16 (1)), however without (Article 16 (2)) :

“Member States may not restrict the freedom to provide services in the case of a provider established in another Member State by imposing any of the following requirements:

(a) an obligation on the provider to have an establishment in their territory;”

As said, the fields of criminal law, financial services and personal data protection are excluded.  Member States can enforce the forbidden or restricted requirements and authorisations in these fields.  They would however do well to observe in that matter the criteria of non-discrimination, proportionality and necessity that can be expected from legislation in general.

Also, Article 4 (1) qualifies a service under this Directive as an economic activity, normally provided for remuneration. Again, the digital activities that relate to free services and free users could be considered not to fall under the granted rights.

And, if in doubt over the presence in that legislation of an indirect goal that relates to tax purposes, Article 2 (3) excludes the field of taxation from its scope.

  1. The more specific Directive 2000/31 of 8 June 2000 on electronic commerce[6] also excludes the field of taxation from its scope (Article 1 (5)). This Directive grants the right to providers established in a Member State to provide ‘information society services’ without restrictions in all other Member States.

The protected services must be of a commercial nature.  Consideration 18 includes :

“extend to services which are not remunerated by those who receive them, such as those offering on-line information or commercial communications, or those providing tools allowing for search, access and retrieval of data;”

But excludes personal mail services and services that generally require the physical presence of the provider :

“the use of electronic mail or equivalent individual communications for instance by natural persons acting outside their trade, business or profession including their use for the conclusion of contracts between such persons is not an information society service (..) activities which by their very nature cannot be carried out at a distance and by electronic means, such as the statutory auditing of company accounts or medical advice requiring the physical examination of a patient are not information society services.”

  1. The granted rights can however be restricted by the Member States if they observe some conditions. If Uber was found to be an intermediary providing information society services and not a provider of transport services, the requirements laid on the Spanish company of Uber had to meet these conditions under Article 3 (4) (a) :

(i)  necessary for one of the following reasons:

–  public policy, in particular the prevention, investigation, detection and prosecution of criminal offences, including the protection of minors and the fight against any incitement to hatred on grounds of race, sex, religion or nationality, and violations of human dignity concerning individual persons,
–  the protection of public health,
–  public security, including the safeguarding of national security and defence,
–  the protection of consumers, including investors;

(ii) taken against a given information society service which prejudices the objectives referred to in point (i) or which presents a serious and grave risk of prejudice to those objectives;

(iii) proportionate to those objectives;

  1. When reading the considerations to this Directive, the general goals of various protections (fake news, criminal law, consumers, personal data protection, electronic payment protection, etc.) which were suggested in this article fall within the possible legitimate fields to impose restrictions on providers of information society services which are established in other Member States (considerations 11, 45, 52 and 57) :

“(11)  This Directive is without prejudice to the level of protection for, in particular, public health and consumer interests, as established by Community acts (..) those Directives also apply in their entirety to information society services;  which is fully consistent to information society services (..)

(45) The limitations of the liability of intermediary service providers established in this Directive do not affect the possibility of injunctions of different kinds; such injunctions can in particular consist of orders by courts or administrative authorities requiring the termination or prevention of any infringement, including the removal of illegal information or the disabling of access to it (..)

(52) The effective exercise of the freedoms of the internal market makes it necessary to guarantee victims effective access to means of settling disputes (..)

(57) The Court of Justice has consistently held that a Member State retains the right to take measures against a service provider that is established in another Member State but directs all or most of his activity to the first Member State if the choice of establishment was made with a view to evading the legislation that would have applied to the provider had he been established on the territory of the first Member State.”

Restrictions, through the implementation of the Directives in the fields of personal data protection and electronic payment protection, would then not constitute violations under this directive (consideration 11).

Nor would the presence on the territory of the Member State of a direct liaison of the provider for criminal and fake news purposes be a violation as such (consideration 45).

Nor would the requirement of an office of the provider for victims / consumers to send notification to the provider in their national language and if needed call that provider before their national judges (consideration 52).

  1. The Commission has, under Article 3 (6) of the directive, the power to examine the legislation which restricts the granted right, and notify the Member State if the Commission finds that the conditions under Article 3 (4) were not met.

Again, the Commission could then consider, under Article 3 (6) of this Directive and Article 292 TFEU, establishing guidelines for Member States that wish to adopt legislation that imposes a form of physical presence on providers of information society services that have a sufficiently large and constant level of digital activity on the territory of that Member State.

  1. Another Directive that may come into play when adopting national legislation that relates to relevant digital activities is the Directive 1998/34 of 22 June 1998, with the obligation to communicate and postpone such legislation under its Articles 8 and 9.

This applies to legislation that adopts a ‘requirement of a general nature relating to the taking-up and pursuit of service activities (..), in particular provisions concerning the service provider, the services and the recipient of services’.

  1. Again, only services that are normally provided for remuneration at a distance by electronic means and at the individual request of a recipient would qualify under its scope (Article 1 (2)). Article 1 (5) explicitly excludes rules that do not relate to such services.  So legislation regarding free users and free service cannot qualify for this Directive.

Article 10 (1) states that the Articles 8 and 9 do not apply to legislation that complies with binding Community acts on such services.  The legislation adopted to implement the personal data protection and electronic payment protection Directives could fall under this exclusion.

Other legislation, which qualifies as a requirement of a general nature, may have to observe the obligations of communication and postpone the adoption of the rules for six months.  During that period, other Member States may submit comments on the announced legislation.  However, Article 8 (1) states :

“..the comments or detailed opinions of the Commission or Member States may concern only aspects which may hinder trade or, in respect of rules on services, the free movement of services or the freedom of establishment of service operators and not the fiscal or financial aspects of the measure..”

The effect of such legislation on taxation cannot be invoked to oppose this legislation.  But requirements for a direct liaison in the Member State fall under the free movement of services or the freedom of establishment of service operators.

These two freedoms are organised through the two other commented Directives[7].  If the requirement for a direct liaison falls within the scope of these two Directives and complies with them, there is no cause for further debate under this Directive. If the requirement does not fall in the scope of these two Directives, then there seems to be no ground of violation of the said freedoms by the projected legislation.

  1. In conclusion, these three Directives do not oppose adopting requirements by Member States that relate to digital activities for non-tax law purposes such as personal data protection, electronic payment protection, fake news, criminal investigations, consumer protection, etc.

The fact that these requirements may in turn lead to taxation of these digital activities is irrelevant under the scope of these three Directives.


[1] Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ, L 119, 4 May 2016, p. 89
[2] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ, L 119/1, 4 May 2016
[3] DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, OJ, L 337/35, 23 December 2015
[4] http://europa.eu/rapid/press-release_MEMO-17-4961_en.htm, section 4 ‘Protection of personal data’.
[5] DIRECTIVE 2006/123/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 December 2006 on services in the internal market, OJ, L 376, 27 December 2006, p. 36, Articles 1 (5),  2 (2) b and c, 17 (3) and considerations n° 18 and 20.
[6] DIRECTIVE 2000/31/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce), OJ, L 178, 17 July 2000, p. 1
[7] DIRECTIVE 2006/123/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 December 2006 on services in the internal market, OJ, L 376, 27 December 2006, p. 36, Articles 1 (5),  2 (2) b and c, 17 (3) and considerations n° 18 and 20 and DIRECTIVE 2000/31/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce), OJ, L 178, 17 July 2000, p. 1