On 1 January 2015, new legislation comes into effect for the purposes of charging VAT on “digital services” received by consumers in one EU member state, where the digital service provider is based in a different EU state. The VAT place of supply rules for business to business supplies remains unaffected.
“Digital services” means broadcasting, telecommunications and e-services. “E-services” covers the supply of digitised products (including music, films and images) and services automatically generated from a computer in response to specific data input by the recipient.
Currently, VAT is charged in the supplier’s country of residence. So, if an e-service is provided by a UK based supplier to a consumer in France, the supply is treated as having taken place in the UK and VAT is charged at the UK VAT rate of 20%. From 1 January 2015 this will change so that the VAT will be charged in the country where the consumer is established, has their permanent address or usually resides.
As a result of this change, suppliers of digital services will need to be able to charge VAT in the EU states where their consumers are based. This can be done by obtaining a VAT registration in each member state but this is likely to be impractical. The MOSS (Mini One Stop Shop) Scheme has been introduced to streamline this issue. The MOSS Scheme is a voluntary system that allows suppliers of digital services to account for VAT in each member state via one single registration. A single electronic VAT return (showing the VAT payable in each member state) will be submitted quarterly and a single VAT payment will be made in each relevant state that a supplier has provided services to.
Non-EU suppliers of electronic services who currently make supplies into the EU through the VAT on E-Services Scheme will be moved to the MOSS Scheme from January 2015.
Applications for MOSS Scheme registration can be made from 1 October 2014.
ICO Big Data report
In August the Information Commissioners Office (ICO) released its ‘Big data and data protection’ report. The ICO defined big data as ‘high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making’.
The report found that not all big data used personal data. Where personal data is used, companies must comply with the UK Data Protection Act 1989 (Act) and should be upfront with customers as to how that personal data will be used. The report highlighted the issue of “repurposing data” (where data is used for a different purpose from that which it was first collected). Concerns have been raised that repurposing and big data are not adequately covered by the Act, but the ICO stated that big data was “not a game played be different rules”; the Act is equally applicable to big data.
The report also suggests customers should be given greater control over their personal data. Companies could consider anonymising data as this will, if done correctly, mean that the data is no longer considered personal and as such the Act will not apply. With the introduction of the EU General Data Protection Regulations, the ICO believes that levels of personal data protection will improve, but that companies should ensure their big data processing is sufficiently transparent, specifically, the extent to which it entails using personal data or repurposing data.
New Code for direct marketing
A new code of conduct came into effect on 18 August 2014 governing direct marketing in the UK. Direct marketing is regulated by the Direct Marketing Association and its Code, overseeing both online and offline direct marketing. The updated Code emphasises the need for businesses to demonstrate transparency in dealings with consumers. Under the “hero principal” of the Code, business are encouraged to clearly set out that a value exchange is taking place; information on services provided by the business in exchange for consumer information. The updated Code does not offer guidance on direct marketing via social media, but the Code does encourage businesses to go beyond legislative requirements in the interests of transparency.
Ofcom’s launches new communications checklist for SMEs
On 04 September 2014 Ofcom launched an initiative aimed at how small and medium enterprises (SMEs) access communication services in the UK. The initiative includes a checklist advising SMEs what to consider when signing up for new communications services. The checklist provides a useful tool for SMEs, covering items to consider before committing to a contract, as well as setting out what action to take should something go wrong. Ofcom intends to offer further support when it launches a web portal this autumn that will provide targeted advice and support for SMEs.
Safe Processor Rules
The Safe Processor Rules (BSPR) has recently been given the thumb’s up by EU data protection authorities so it is likely that this will soon be followed by some kind of legislative support. Data processing service providers (particularly Cloud service providers) would be best advised to take early steps to follow the BSPR so that they are ahead of the curve not only on what is likely to form the basis of future legislative requirements but also because this is likely to be what their customers demand. Here is a thumbnail summary of the BSPR:
- A set of internal, legally binding, codes of conduct regarding privacy and security applicable to entities transferring data in the EU.
- Used to guarantee that data transfers are adequately framed and protected.
- BSPRs will determine levels of compliance, audits, complaint handling, the duty of cooperation with the data controller, liability, rules on jurisdiction, and transparency.