EU Eyes New Digital Tax, Implementation of Data Privacy Rules

22 March 2018

The digital economy in the European Union is gearing up for a series of potentially landmark changes, as officials move forward with the Digital Single Market strategy and debate a proposed digital tax.

The latter tax is expected to have significant implications for large technology firms, and is part of Brussels’ attempts to establish a more level playing field in taxation systems among the EU members. The taxation proposal was released on Wednesday 21 March, and has been described by Commission officials as a complement to the bloc’s Digital Single Market strategy.

In addition, a major overhaul of data flow and privacy rules will take effect in the European Union this coming May, as the bloc marks the third anniversary of its Digital Single Market strategy. The General Data Protection Rules (GDPR) aim to offer EU citizens more control over how their data is used, while providing for free movement of data and enacting more stringent rules on companies.

A separate EU legislative proposal, aiming at abolishing localisation requirements for non-personal data, is also under discussion within the bloc’s institutions.

Digital tax

The European Commission’s proposal for a digital tax, which experts say could have significant implications for firms such as Google, Facebook, and Apple, could potentially generate an additional €50 billion annual contribution to the European bloc’s budget.

The EU executive has put forward a two-pronged approach. A first proposal focuses on allowing EU members the chance to levy taxes on profits from digital platforms with “a taxable digital presence,” subject to certain conditions. A second proposal involves an “interim tax” covering advertising revenue generated by digital companies, the fees raised from users and subscribers, and the income made from selling personal data to third parties.

EU officials argue that digitalisation brought about unfair discrepancies in tax treatment of digital companies compared to traditional businesses. Digital companies benefit from public services and infrastructure, such as high-speed internet connection, but they do not pay “their fair share of taxes” in the countries where they operate. According to the Commission, the effective tax burden for traditional companies is 23 percent, while for digital companies this number is just 10 percent. 

Last fall, the EU’s largest continental economies – Germany, France, Spain and Italy – came out in favour of equalising the tax treatment, arguing that corporate tax frameworks have been unable to match the rapidly digitalising environment. They also suggested that technology companies pay too little tax in the bloc by routing some of their profits through Luxembourg and Ireland, which impose lesser taxes. 

Under current rules, a company can only be taxed on the profits it makes in a country if it has a physical presence, such as offices or factories, but not if it only does its business in that country digitally. One of the Commission proposals issued on Wednesday would change that, taxing instead if the company surpasses certain revenue thresholds in individual EU member states, or exceeds other thresholds like number of users or business contracts for digital services.

“Our pre-Internet rules do not allow our member states to tax digital companies operating in Europe when they have little or no physical presence here. ... Our aim is not to burden foreign or European tech giants but to make sure that digital income is brought into line with the real economy,” EU Commissioner for Economic and Financial Affairs, Taxation, and Customs Pierre Moscovici said in previewing the package of proposals, according to comments reported by the Financial Times.

On the other side of the Atlantic, the US has voiced serious concerns about the European proposal. Steven Mnuchin, the US Treasury Secretary, told the New York Times “having gross taxes on internet companies is not fair.”

“To the extent that there are issues with change in taxation systems regarding physical presence, that needs to be addressed. It should not be a two-tiered system where internet companies are taxed under a different standard,” Mnuchin added.

The news comes as EU antitrust authorities have been investigating and, in some cases, pressing charges against business practices of certain American tech giants, such as Google, citing antitrust concerns. (See Bridges Weekly, 29 June 2017)

In order to become law, the digital tax proposal must go through the legislative approval procedures of the European institutions, which include negotiation and sign-off with the EU Council and Parliament. Reports suggest that EU member states remain split on the proposal.

Personal data protection and cross-border flows

The General Data Protection Rules (GDPR) were formally adopted in 2016. After a two-year transition period, the GDPR is now set to become effective and enforceable from 25 May and will introduce stricter rules for businesses on obtaining customer consent on personal data usage.

Under the new regulation, firms will have to “demonstrate that the data subject has consented to processing of his or her personal data.” Going beyond usual terms and conditions forms, online businesses need to formulate user agreement in an “intelligible and easily accessible form,” and also use “clear and plain language.”

In the provision commonly referred to as “the right to be forgotten,” EU citizens can ask businesses to communicate and delete personal information. The new regime also requires firms to report data breaches within three days. Companies that deal with “systematic monitoring of data subjects on a large scale” must have a data protection officer in their organisation. The regulation also significantly increases the fines for non-compliance, up to four percent of global annual turnover or €20 million, whichever is higher.

The scope of the GDPR is international, applying to any business offering services in the EU, regardless of where its head office is located. Some estimates suggest that larger companies could face costs in the billions of euros.

Consulting firm PwC found that businesses have “mixed reactions” about GDPR. In a survey, around half of the respondents from business viewed the new rules positively. Pat Moran, PwC’s Cyber leader, said that it is “worrying that one in two respondents still see no real benefits of GDPR.” While the transition might be painful, there are still tangible benefits, Moran said.

“Not only will your organisation have a cleaner data set, being GDPR compliant will ensure personal data is protected and secure and will reduce the risk of a data breach and consequent possible reputational damage,” said Moran.

As described by recent ICTSD research, while the GDPR offers clear guidelines for EU countries on how to collect and use personal data, in the US there is no federal law covering such matters. Rather, different US states have addressed the issue in their own regulations, and industries have also taken their own approaches on the subject. (Editor’s note: ICTSD is the publisher of Bridges)

Since 2016, the EU and US have had in place an updated “Privacy Shield” agreement, replacing the previous “Safe Harbour Framework” and imposing stricter obligations on US companies to protect personal data of EU citizens. (See Bridges Weekly, 14 July 2016)

With limited time remaining before its application, in January the European Commission released guidance for business and authorities to prepare for the new law. Věra Jourová, EU Commissioner for Justice, Consumers and Gender Equality, called on all affected actors to be prepared.

“We need modern rules to respond to new risks, so we call on EU governments, authorities, and businesses to use the remaining time efficiently and fulfil their roles in the preparations for the big day,” Jourová said at the time.

While covering protection and privacy rules, the GDPR also provides for cross-border flows and portability of personal data within the European Union. It does not cover non-personal data, such as financial systems or weather. A separate EU initiative seeks to establish the same free movement for non-personal data as the GDPR does for personal data.

Non-personal data flows

The regulation proposal on “Free Flow of non-personal data” was announced in September by European Commission Vice President Andrus Ansip as a complement to the GDPR.

“Our proposal, together with EU personal data protection rules will enable the free movement of all types of data in the single market,” Ansip said in a statement, adding that it primarily affects business. Estimates published by the EU executive suggest that it could yield a notable GDP increase as a result.

“The free flow of data will make it easier for [small and medium-sized enterprises] and startups to develop new innovative services and to enter new markets.” Under the proposal, which aims to do away with data localisation requirements, EU countries can no longer force businesses to store data within their borders, except for “reasons of public security.”

Mariya Gabriel, EU Commissioner for the Digital Economy and Society, welcomed the initiative to “ensure Europe’s success in the new era of the digital economy.”

“Removing obstacles to cross-border data flows is essential for a competitive European data economy,” she added.

Various industry players in the European business community have said that they support the proposed legislation “to remove and prevent unjustified restrictions to the free flow of data.”

“The EU should introduce a legal instrument that removes existing national data localisation requirements and prevents the creation of new ones,” says a Business Europe position paper. 

The business community has also highlighted the need for an “appropriate setting to share data based on contractual terms, allowing for innovation.”

“As regards data ownership, access and liability, we believe that these issues are – for the time being – adequately addressed by existing legislation,” the Business Europe paper continues.

While easing data localisation requirements, the proposal gives public authorities continued access to data even if it is stored or processed in another EU country. Other provisions include the creation of EU “codes of conduct” to ease switching between cloud storage providers and transferring and adapting data to users’ respective systems.

The proposal text has since moved to the European Parliament, where last February its Economic and Social Committee failed to endorse it for its “lack of ambition and political will and determination,” while welcoming the effort to develop such legislation. The Parliament has asked the Commission to revise the proposal further.

Background: Digital Single Market

Both the GDPR and the free flow of data initiative represent the latest attempts by the EU executive arm to update its rules to keep up with technological evolution. Data flows are also reportedly a hot topic in recent EU-level discussions over how to craft related provisions in foreign trade agreements.

The flagship Digital Single Market strategy, adopted in May 2015, included key actions aimed at easing cross-border digital trade and integrating the bloc into the wider digital economy. (See Bridges Weekly, 26 October 2017)

Initiatives range from cybersecurity to e-commerce, parcel delivery, telecoms and copyright rules, and cross-border digital trade. If completed, advocates say that the digital single market would facilitate intra-EU trade and cut costs for smaller companies.

Published last October, the Commission’s 2018 Work Programme called for boosting efforts to implement the bloc’s digital discussions, flagging slow progress in the strategy. Only six of the 24 related legislative proposals tabled by the EU’s executive arm over the past two years had been endorsed by all EU institutions, the programme said.

ICTSD reporting; “EU calls on firms, governments to speed up privacy law preparation,” REUTERS, 24 January 2018; “Should we forget about the ‘right to be forgotten’?” THE GUARDIAN, 5 March 2018; “The General Data Protection Regulation: What it says, what it means,” POLITICO, 13 February 2018; “Companies face high cost to meet new EU data protection rules,” FINANCIAL TIMES, 19 November 2017; “GDPR: Crackdowns and conflict on personal privacy,” FINANCIAL TIMES, 16 November 2017; “EU moves to remove barriers to data flows in trade deals,” REUTERS, 9 February 2018; “EU scrapes a pass on Digital Single Market,” POLITICO, 10 May 2017; “Bitter divisions undermine Europe’s digital tax plans,” POLITICO, 27 September 2017; “EU to unveil plan to tax turnover of big U.S. tech firms,” REUTERS, 21 March 2018; “Google, Facebook and Apple face ‘digital tax’ on EU turnover,” FINANCIAL TIMES, 15 March 2018; “Europe’s Planned Digital Tax Heightens Tensions With U.S.,” THE NEW YORK TIMES, 19 March 2018.
