Click here to listen to the audio.
In this Ropes & Gray podcast, Ellen Gilley, an associate in the tax controversy group, is joined by Kat Gregor, a partner in the tax group and co-founder of the tax controversy group, and Rohan Massey, a partner and co-leader of our data, privacy & cybersecurity group, to discuss the French Digital Services Tax and other developments in the taxation of digital services, with a focus on implications for tech companies serving users in the European Union.
Ellen Gilley: Hello, and thank you for joining us today on this Ropes & Gray tax controversy case of the quarter podcast. I’m Ellen Gilley, an associate in the tax controversy group. Joining me today are Kat Gregor, a tax partner and tax controversy group co-founder based in our Boston office, and Rohan Massey, a partner and co-leader of our data, privacy & cybersecurity group, who is based in our London office. In today’s podcast, we are taking a different approach—rather than discussing a judicial decision, we’re looking at the curious case of the French Digital Services Tax and other developments in the taxation of digital services, with a focus on implications for tech companies serving users in the European Union.
With the consistently growing presence of online businesses and platforms, the digital economy has become increasingly intertwined with the traditional economy. However, current tax regimes were designed to tax companies based on their physical or geographic connection to a country, and these principles don’t translate into effective taxation of the digital economy. In particular, there can be a mismatch between where digital services are being consumed and where (if at all) these services are being taxed. In response, different regimes for taxing the digital economy have emerged at both the national and international level. During this podcast, we will be examining two of these regimes. The national example we will explore is France’s Digital Services Tax, which was enacted in July 2019. On the international level, the Organization for Economic Cooperation and Development (known as the OECD) issued a proposal in October 2019 for a single, international approach to taxing digital services, and we will address its status and features. This proposal is commonly referred to as “Pillar One.” As we will discuss, there are common elements to France’s Digital Services Tax and the OECD’s Pillar One. For example, both target large tech companies that provide digital services to consumers. Both also establish the right to tax based on the user’s location, not the company’s location.
There has been substantial commentary on the taxation of digital services, particularly in the wake of the French Digital Services Tax. But less has been discussed about how digital taxation initiatives interact—and, potentially, conflict—with the European Union’s strict data protection rules. This podcast will focus on how these various digital taxes interact with the EU data protection regulations, and the challenges tech companies face in complying with both sets of laws. Kat, can you start by giving us an overview of how the French Digital Services Tax will work?
Kat Gregor: Sure. In July 2019, France passed a Digital Services Tax (or DST) that imposed a three percent tax on a company’s “digital services.” The tax applies retroactively to January 2019, and the first payment was due in November 2019.
As you mentioned, the companies targeted by the tax are large tech companies. Specifically, to be subject to the tax, a company must generate annual taxable revenue from digital services in excess of EUR 750 million worldwide and EUR 25 million for services generated in France. Due to these high thresholds, there are a limited number of companies—predominantly American companies—that will be subject to the tax. These companies include Google, Apple, Microsoft and Facebook, to name a few.
Ellen Gilley: These appear to be all American companies. Is this going to cause a problem?
Kat Gregor: There certainly have been a lot of discussions. In response, the Trump Administration launched an investigation into the French DST and recently concluded that the tax discriminates against U.S. companies and is unusually burdensome for the affected U.S. companies. As a result, President Trump is proposing retaliatory tariffs as high as 100 percent on high-end French exports, from Gruyere cheese to handbags to champagne.
Ellen Gilley: And you mention that the tax applies to these companies “digital services.” What are digital services?
Kat Gregor: Yes, digital services subject to the tax fall into two broad categories. One is interfacing services— these are technologies that enable users to interact with each other in order to deliver goods and services. These include online marketplaces, like eBay and Amazon.
The other category subject to the tax is advertising services, which are services that allow advertisers to purchase digital ad space and target specific French users based on data they have provided through, for example, keywords used in search engines. It’s important to note that there is a list of excluded services that are not subject to the French DST. These include the mere provision of digital content, communication services and payment services.
Ellen Gilley: Thank you. Ok, so that’s digital services. Another component of this tax though is that these services must be provided to “users in France.” What does this mean?
Kat Gregor: So this means that the user (or consumer) of the taxable service must be in France when the service is being used or consumed. This is not based on the user’s residency (and, thus, is not something that companies can identify through static documentation). Rather, this test is satisfied in one of two ways, and requires gathering data on a user’s physical location at one of two times. First, revenue is sourced to France for transaction-based services (i.e., participation in an online marketplace) if the user visits an online interface and undertakes the transaction through a terminal located in France. Second, in the case of digital services that are not transaction-based (in other words, if the user is accessing an ad or undertaking an activity other than purchasing goods or services), revenue is sourced to France if the user has an account that has been opened in France to access the services. The introduction of this marketplace-based sourcing rule is a significant change, as income is generally sourced based on the location of the company’s activities and not the consumer.
Rohan Massey: And, If I may jump in here for a moment, Kat raises an interesting preview of what we will discuss later in the podcast, which is that we are seeing a variety of laws and regulations, not just related to tax, that are reacting to the digital marketplace, and especially to the fact that data is free flowing irrespective of geographic or jurisdictional boundaries. For example, there is a growing shift from using fixed geographic locations or national boundaries to determine the limitations on regulatory powers. Notably, the EU’s new data protection regime looks to protect individuals in Europe no matter where in the world their data is processed. This shift raises significant implications for compliance.
Ellen Gilley: Thank you, Rohan. That’s a great segue into discussing the international tax context. Kat, do we have an idea of what the OECD plan will look like?
Kat Gregor: We do. The OECD has been studying the challenges of taxing digital economy at an international level since 2015. By way of background, tax laws require some connection, known as nexus, between the income being taxed and the jurisdiction imposing the tax. Like Rohan mentioned, typically or historically the nexus rules have been based on a company’s geographic or physical connection to a jurisdiction. Countries that are considered “market jurisdictions”—in other words, those countries with large consumer populations—argue that these historic tests do not accurately allocate taxable income to the value generated by providing services digitally to a country’s consumer base.
In October of this year, the OECD distributed a proposal for a single, unified approach to tax the digital economy. This document, which is called the “Unified Approach under Pillar One,” is part of the OECD’s larger initiative to prevent companies from shifting profits to low-tax jurisdictions and employing other techniques to minimize taxes. Pillar Two, which was released one month later, proposes considerations for ensuring multinational companies’ profits do not escape taxation and are subject to a global minimum tax. We are focusing on Pillar One—the Unified Approach—in this podcast.
Ellen Gilley: Why would the OECD propose a single international framework for a digital services tax?
Kat Gregor: The alternative to an international framework is to have countries develop their own digital services tax, which would vary country to country. This is referred to as “unilateral action” and could create an international tax system where companies are struggling to apply a myriad of different rules. Having different rules and tests could materially increase the likelihood of double taxation. The simplest example of this problem is that of the French DST. This is a tax on revenues (also known as a “turnover tax”), and is not expected to be eligible for a tax credit for foreign taxes paid in the United States (or other jurisdictions offering foreign tax credits), and it is likely to apply to revenues that other countries’ laws source to their jurisdictions, and the tax, as a turnover tax, is unlikely to be covered by tax treaties that would provide means for companies to resolve any double taxation issues. In essence, anything that France is taxing under this new DST is very likely also being taxed somewhere else.
France faced a lot of criticism, primarily by the United States, as we mentioned earlier, when enacting this provision. In response, France agreed to replace its DST with whatever provision the OECD ultimately proposes, and to reimburse taxpayers the excess of the DST over whatever French tax would have accrued applying the final OECD approach. But, the OECD approach is just being developed now, so that is years in the future.
Ellen Gilley: Years in the future, so how developed is the OECD’s proposal?
Kat Gregor: The proposal is not yet complete, and no countries have signed onto it. Pillar One is really in its nascent stage and outlines a framework for implementing a digital services tax across multiple countries. The OECD continues to receive comments and hold public hearings on the proposals, and a number of issues are explicitly left unaddressed and will be subject to further comment. The OECD intends to work with its member countries through 2020 to arrive at a consensus.
Ellen Gilley: Is it surprising that the proposal is not more developed, given that the OECD has been researching this issue since 2015?
Kat Gregor: I am certainly not surprised that the proposal is still being developed—taxing the digital economy in a manner that does not create double taxation requires a new set of rules and concepts that can also coexist with current principles. We have seen many jurisdictions, including the U.S., struggle to apply existing laws and concepts to the digital economy—this issue is further exacerbated by the complexity of the international system where OECD member states have a variety of domestic tax systems and policies. Again, as Rohan mentioned, this is a challenge that is playing out in other areas of law and policy.
We also must remember that the OECD represents all its member states, including “market,”“IP-rich” and “resource-rich” jurisdictions. A country, like France, might be most concerned with ensuring it receives increased right to tax value generated by its marketplace, whereas another country (say, for example, an IP-rich country with a relatively small population) might instead be focused on retaining historic rules that would source revenues to the location of intellectual property. To seek consensus across such differently-situated member states will be difficult.
Ellen Gilley: Given there is so much uncertainty, what can you describe about the OECD’s Pillar One?
Kat Gregor: The OECD has provided guidance on defining which countries have the right to tax, which companies are the target of the tax, and which will trigger the tax.
Turning first to defining the right to tax, the OECD has proposed new nexus rules so that taxing rights can be reallocated to the country where the users or consumers are located. These are known as “market jurisdictions.” This approach is the same concept as the French Digital Services Tax, which imposes taxes on digital services provided to users in France.
Second, OECD has identified that the targets of the digital services tax are “large consumer-facing businesses.” However, we don’t know what “consumer-facing businesses” really are. The OECD seeks comments and suggestions to clarify this definition, but as with the French Digital Services Tax, we do know that the tax is directed at companies interfacing digitally with consumers to supply consumer products or digital services. However, at a basic level, this also means that companies that supply digital products, not to consumers, but instead to other companies and businesses (taking, for example, the Amazon Web Services business), would not be pulled in under the current proposal.
And third, the Pillar One report proposes that revenue thresholds determine when a market jurisdiction may tax the income from a digital company. This is similar to the French Digital Services Tax, which requires that a company generate a minimum global revenue from providing digital services and also generate a minimum amount of revenue from providing digital services to users in France. The OECD, however, has not specified any thresholds.
Ellen Gilley: To summarize, based on what you’ve described, a country could tax a “large consumer-facing business” if that company has generated a certain amount of revenue from providing digital services to users located in that country or that market jurisdiction. Leaving aside that we don’t know what “consumer-facing businesses” mean, or the applicable revenue threshold, can you tell us how the OECD has proposed to determine the amount of revenue that would be subject to the tax?
Kat Gregor: Sure. Determining how to allocate a multinational company’s profits across jurisdictions is perhaps the most complicated aspect of designing a uniform digital services tax. As a broad summary, the new nexus rules would entitle a market jurisdiction to tax a specific portion of a multinational company’s net operating income, known as the “deemed residual profit.” This amount would likely be calculated as a percentage of the company’s global net income, but this has not yet been determined. It is another outstanding issue that the OECD intends to resolve over the next year.
In addition to this amount, the OECD proposes applying transfer pricing principles, with some variation, to tax two other categories of income if (and only if) the company has an actual physical presence in the jurisdiction rather than just a digital presence.
Ellen Gilley: What else needs to be added to this proposal for it to be final and comprehensive?
Kat Gregor: This proposal clearly leaves many important questions unanswered. In addition to the ones we’ve already identified (the definition of a digital business, revenue thresholds for market jurisdictions, and precise methods for determining profit allocations), there are also issues of treatment of losses and interaction with existing double tax treaties. Additionally, there is the practical issue of determining the location of the user.
Rohan Massey: That’s right, Kat. And as we mentioned, focusing on the location of the user, which may change, is a new concept and challenges law and policy makers to rethink and rework current regulations. But, as you mentioned, the challenge of compliance is also present, and we see that in data protection as well as in tax.
Ellen Gilley: Starting first with tax, what kind of practical challenges do evolving digital tax regimes present to the companies subject to it?
Kat Gregor: One of the main practical challenges of complying with both the OECD’s proposal and France’s Digital Services Tax is determining when a service has been provided or consumed in a specific jurisdiction. Currently, some digital companies do not collect sufficient data on the location of the consumer, instead perhaps collecting only advertiser location to comply with other non-tax regulations. As a result, companies might need to build a new infrastructure to track consumer location. This problem is exacerbated by the retroactivity of the French Digital Services Tax, since companies that are required to calculate tax liabilities did not know they needed to keep records of such data before this July.
Other nuances will further complicate this problem. For example, it would be difficult for a company to track a user’s location when using a VPN, which often masks a user’s location. It is also unclear what the default test will be when the user’s location really cannot be determined. Would it be the residency of the users or their nationalities? Would companies allocate sales based on global populations? It’s unclear. In a similar context in the IRS’s taxation of cloud computing services in the US, industry groups are advocating that companies be permitted to determine the location of the user based on billing information.
Not only is compliance going to be an issue for companies, but enforcement of a national digital services tax will also be challenging, as governments will need to develop the capacity to demand and analyze full user data sets and then audit them.
Ellen Gilley: Thank you, Kat. Turning to the EU’s data protection rules, Rohan, could you please explain what these are and why they’re relevant to the French Digital Services Tax?
Rohan Massey: Sure. For listeners who aren’t familiar with this area, there are three main points to note. Firstly, the General Data Protection Regulation (known as the “GDPR”) took effect in May 2018 and imposes a wide range of obligations on organizations that collect, use, store or transfer personal data. The GDPR also gives individuals new and enhanced rights over their personal data. And in a significant break from the previous regime, organizations are now exposed to potentially eye-watering fines for non-compliance—up to the greater of EUR 20 million or 4% of their annual worldwide turnover.
Secondly, continuing with the example of France, the French data protection regulator, the CNIL, is one of the most well-resourced, knowledgeable and aggressive in the EU. As a case in point, earlier this year the CNIL fined a U.S. tech company EUR 50 million for a lack of transparency and valid consent in relation to its online advertising business. That fine remains the most significant enforcement under GDPR to date—and, to put it in context, the penalty only amounted to 0.04% of the company’s annual turnover. So, there is certainly scope for much higher fines coming in the future.
And thirdly, given its broad definitions of “personal data” and “processing,” the requirements of the French Digital Services Tax (and likely other national digital taxation regimes) will bring the GDPR into scope for many of the tech companies that offer interfacing and advertising services. On top of this, the ePrivacy Directive—which governs the privacy of electronic communications in the EU—will also apply to companies’ processing of location data. Taken together, these rules create a number of challenges for tech companies which are subject to a digital services tax within the EU.
Ellen Gilley: Thanks, Rohan. You mentioned previously that there are some of these challenges with compliance, could you tell us more about those?
Rohan Massey: Taking the GDPR first, companies that act as data controllers—that is, where they determine the means and purposes of processing of personal data—must have a legal basis for processing the user’s personal data. For tech companies covered by a national digital services tax, this will include the categories of data you might expect, such as users’ names and login details, but also their IP addresses and device IDs. Companies will likely legitimize their processing on the basis that they require it to comply with law—and, notwithstanding their GDPR obligations relating to transparency, accountability, security and international data transfers, this reliance on legal compliance should not be problematic.
Things are more complicated with the ePrivacy Directive. That is because the Directive allows location data to be used only if the data are anonymized, or if the user has given consent for a third-party to use them for a value-added service. In the event that a digital services tax requires location data to be non-anonymized in order for the reporting to be effective, companies could find themselves in a situation where their users refuse to give consent or revoke their consent at a later date, which could have adverse implications. In both cases, it is unclear how a company could effectively honor the user’s request whilst also complying with the tax. To complicate things further, the EU institutions are currently debating an ePrivacy Regulation to replace the Directive, and it’s unclear how, if at all, the Regulation will interact with the digital services tax that requires user location.
Ellen Gilley: So, you see the use of the user location in digital services tax as a key challenge for compliance?
Rohan Massey: Yes. In addition to anonymized data, there is also the challenge Kat mentioned of needing to track users rather than advertisers, which many of the tech companies affected by a digital services tax have done historically. In practice, this will require companies to establish links with end users in a way that users, and advertisers and companies themselves have not previously contemplated. Indeed, this potentially represents a fundamental shift in how online advertising is structured. The difficulties of obtaining valid consent in this scenario could be doubly challenging, given the current scrutiny of the AdTech industry in the EU, which is focused in large part on the sufficiency of its consent practices. It should not come as a shock to listeners to learn that this scrutiny is being spearheaded by the CNIL.
Ellen Gilley: I know none of us has a crystal ball, but how, if at all, do you see these tensions being resolved?
Rohan Massey: I’m afraid that, as things stand, there’s no easy answer to that question. We are unaware of the CNIL making any public pronouncements on the DST or how it will interact with the GDPR or the ePrivacy Directive, so currently companies are stuck between a rock and a hard place. The result is that, if this guidance does not materialize, companies which can’t meet their competing tax and data protection obligations may have to decide which they choose to prioritize.
Kat Gregor: And the same goes on the tax side. We are unaware of the French tax authorities taking any official stance on how the DST will interact with the GDPR or the ePrivacy Directive. Nor have any proposals coming out of the OECD addressed the interaction of the digital tax regimes and data protection laws more generally.
Ellen Gilley: Are there examples of businesses in the EU facing a similar choice?
Rohan Massey: Indeed there are. The most recent example we have is in the context of economic sanctions. Following the U.S. withdrawal from the Iran nuclear deal and its reintroduction of sanctions against Iran, in May 2018, businesses in the EU were left with a choice. On the one hand, failure to comply with the U.S. approach meant that those businesses could themselves be sanctioned. On the other, the EU Blocking Regulation, which was introduced in response to the U.S. withdrawal, makes it an offence for EU businesses to comply with U.S. sanctions. Given that companies cannot seemingly comply with both requirements, many are taking a risk-based and commercially driven approach to compliance—taking into account factors such as their exposure to Iran and the enforcement histories of the respective U.S. and EU regulators.
Ellen Gilley: Do you think that taking a risk-based and commercially driven approach to compliance is also how things will play out in the tax context—and, if not, how can companies resolve these conflicts?
Rohan Massey: Well I hope not, as the uncertainty in the application of the law is clearly is a bad thing for businesses, consumers and regulators. The timing of these developments is also tricky, given that a new ePrivacy Regulation is currently being negotiated to replace the ePrivacy Directive—and it is uncertain whether the rules on location data will change in the final text and how, if at all, they will interact with laws such as the digital services tax. Assuming they don’t, and in the absence of regulatory guidance on how to navigate these competing laws, it would not surprise me to see companies affected by a digital services tax—which have already spent considerable time and money addressing their obligations under EU data protection law—continuing to prioritize those obligations. In making this decision, companies subject to France’s Digital Services Tax, for instance, will weigh the threat of enforcement by CNIL versus the French tax administration’s anticipated approach on enforcing its rule. And, once the regulatory picture becomes clearer, companies can actively start to make structural changes needed to comply with the digital services taxation laws. But until then, we’re in something of a holding pattern.
Kat Gregor: And to add to what Rohan describes, the French Tax Administration has become increasingly aggressive in recent years, regularly threatening criminal sanctions where companies took aggressive tax positions historically. Companies considering a pure risk-based approach where they ultimately choose not to comply with the DST would do so in the face of possible threats of criminal sanction by the FTA. Additionally, to the extent that companies might ultimately be entitled to a refund of DST paid, to the extent that the OECD approach results in lower tax in France, they are likely only going to get those refunds if they complied with the tax in the first place and have adequate records supporting their reporting positions.
Ellen Gilley: So to take what you have both said at a very high-level, companies face substantial uncertainties and compliance costs?
Kat Gregor: Exactly. Also, more and more countries are looking at adopting their own digital services tax. This will add to the compliance costs and create the risk of double taxation—if the location of the user is the test used in other digital services tax regimes, there is the potential for double taxation for a single digital transaction, which we touched on briefly earlier. For example, Italy and the UK are contemplating a digital services tax themselves.
Rohan Massey: This is not the first time businesses have had to navigate vague or developing guidance in the tax or data protection space. But what we are looking at for now is the potential tension, and even conflict, between these two sets of laws and the risk that a lack of regulatory clarity creates more confusion for companies and users.
Kat Gregor: Precisely. As the OECD’s proposal for digital services taxation and various national-level digital services tax regimes develop, I expect there will be clearer guidelines for businesses, and in the meantime, as Rohan suggested, it appears that businesses will engage in a fact-intensive analysis.
Ellen Gilley: Thank you both, Kat and Rohan, for joining us today in discussing the interaction between the emerging digital services tax regimes and the EU data protection regulations. We’ll be back soon to discuss the next case of the quarter. Please visit the Tax Controversy Newsletter webpage at disputingtax.com, or, of course, ropesgray.com for additional news and commentary about other notable tax developments as they arise. If we can help you navigate this complex and rapidly developing area of the law, please do not hesitate to contact us. You can also subscribe and listen to this series wherever you regularly listen to podcasts, including on Apple, Google and Spotify. Thanks again for listening.