Monthly Archives: December 2013

You don’t need to be Target to get sued over data privacy violations

Following the latest major security breach, this time aimed at Target Corp. in which data connected to approximately 40 million credit and debit card users was stolen, over a dozen lawsuits have been filed, including 3 class action lawsuits.  The claims range from negligence in failing to protect customer data, to invasion of privacy, to failure to notify of the breach.  And a number of states have breach notification laws requiring the attorney general be notified.  This could also that governmental action will be taken possibly resulting in fines and penalties.

Civil lawsuits are becoming more prevalent to enforce data privacy policies and data protection laws.  Thus far, the biggest hurdle to overcome by plaintiffs, is proving damages.  Courts have dismissed a number of these suits simply because the plaintiffs could not establish that the data breach caused the plaintiff injury.  Plaintiff’s schooled off previous cases are becoming more clever in carefully in establishing damages.

One of the early cases, Burrows v. Purchasing Power, LLC, 12-cv-22800-UU (S.D. Fla. Oct. 18, 2012), filed claims for identify theft, negligence, invasion of privacy, and a violation of Florida’s Deceptive and Unfair Trade Practices Act.  The Plaintiffs, employee’s of Winn-Dixie, alleged that Winn-Dixie failed to protect and secure their personal information from theft.  An employee of a Winn-Dixie service provider, Purchasing Power, had obtained the Plaintiff’s personal information and misused it.  The case was eventually settled, and the defendants were required to maintain rigorous security safeguards going forward.  In order to receive settlement proceeds the plaintiffs had to prove they were victims of fraud and the circumstances of any loss.

In another case, there was no data breach, rather the plaintiffs alleged that their personal information was collected and sold to media outlets without their consent.  The claims included violations of the Electronic Communications, the Computer Fraud and Abuse Act and the Stored Communications Act.  This Seventh Circuit upheld certification of the class action, giving little weight to the defendant’s argument that the plaintiffs would each have to establish damages.

A Massachusetts law, the Song-Beverly Credit Card Act, prohibited retailers from collecting ZIP code information, thus preventing retailers from using ZIP code to find other personal information.  The Massachusetts Supreme Judicial Court broadened the term “personal information” to include ZIP codes and allowed the plaintiffs to proceed without having to establish that their data was compromised.

The number of cases involving claims of breach of data privacy or unauthorized use of information will undoubtedly continue to grow.  Businesses must keep vigilante to ensure compliance data protection laws wherever customers are located. Take precautions to avoid inadvertent breaches and update data privacy policies at least bi-annually.

Contact us if you need assistance maintaining an up-to-date data privacy policy.

Google Tax? The Birth of an Indirect Tax on Internet Advertising Companies

The Italian Parliament just passed a new law requiring Italian companies to purchase web-based advertising solely from companies with a registered Italian VAT number.  This is clearly aimed at large web-advertising companies such as Google, or Apple, that sell web-advertising from subsidiaries based in other countries.  Google, for example, sells EU advertising from its subsidiary in Ireland, minimizing income subject to Italian income tax.  Corporate income tax in Ireland is 12.5% on trading profits, whereas Italy corporate income tax is a much higher 31.4%.

Generally speaking, VAT is taxed in buyer’s location or the place tangible goods are delivered; however, VAT on electronic goods and services are charged in the seller’s location.  This new law requires Italian companies to purchase web-advertising from local companies, thereby capturing VAT on the transaction.  To register for an Italian VAT number the company would have to maintain a local presence, thus increasing the income taxable in Italy.  If enforceable, this would be a win-win for Italy, by increasing its revenues twofold.

The new law, however, is highly criticized.  As drafted, the new law is contrary to EU fundamental freedoms and laws such as the EU Distance Selling Directive, and the principles of non-discrimination found in the double tax treaties in which Italy is a party.  Thus, its enforcement is doubtful as currently adopted.  But its introduction will be carefully watched since many other EU Member States are struggling to find new methods of capturing income within their borders in order to increase their tax base.  The Organization of Economic Cooperation and Development is scheduled to study the issue in 2014.

Need assistance? Find our contact details on the Contact page.


Extracting Hidden Value from Your Business.

Do you think that a service based business doesn’t create intellectual property?  Think again, you may be ignoring a valuable asset.  Intellectual property can be found in business processes and data collected.  Business processes created and used by the business can be copyrighted, and licensed to others.  The brand can be trademarked and licensed, or franchised.  Don’t overlook the revenue that can be derived from the exploitation of the business intellectual property.

Every business collects data covering a wide range of information.  Information about their products, competitors, customers, market and industry, and more.  Some of this data is publicly available, some of it has been collected from consumers, customers or service providers , and although protected by data privacy laws, with consent, can be integrated with other data to create a useful tool for your business.  This aggregated data also has value not simply for direct use for the business, but can be useful to other businesses.  Thus, it can be sold to create a distinct revenue stream.  The value will be determined by its collection and usefulness and the method employed to exploit it.

Specific data can be licensed through data-specific license agreements.  The business database can be licensed by using a subscription license model, a license for access to specific content and through a distribution or reseller network.

License agreements should be well drafted, clearly set out ownership, use, collection, resale, fee and termination provisions.  Business intellectual property, whether or not patentable, can find protection as a trade secret, copyright, or perhaps patent.  To ensure your business intellectual property is preserved and protected, retain copies of how, for example, data is collected and stored, or in the case of processes, how the processes were generated.

To find out how we can assist you in identifying, protecting and exploiting your business intellectual property contact us now.


2014: Data Privacy and a Big Boon for EU Companies

In 2014, the impending and almost certain to be enacted EU Data Privacy Directive, the strictest and the most comprehensive to date, may create an artificial boon for EU companies.  This year, with news that the NSA readily accesses data collected and stored by U.S. cloud companies, such as Google, consumers and companies alike are looking for an option that provides greater security and greater anonymity.  EU companies, and any company collecting information from an individual located in the EU will have to abide by the rigourous articles set out in the Directive.  This just might provide a competitive advantage to EU companies.  Consumers may be more likely to seek out companies that comply with the Directive to purchase goods or services.

One of the primary tenants of the EU Data Privacy Directive is control over personal information.  Every individual will have control over the collection, storage and use of his or her personal data.  Explicit consent from the individual will be required.  And that control will not end with a one-time simple expression of consent.  Individuals, will retain the right to access his or her personal information, make changes, and if so desired, the right to have personal information deleted completely.  Companies that do not comply will face significant penalties.  U.S. companies that currently maintain personal information on EU citizens will have to comply or suffer the risk of steep fines.

There is no comprehensive federal U.S. law governing data privacy, nor is there likely to be one soon.  A number of states are enacting data privacy laws, but the focus has been on protecting information primarily related to health and children.  Implementing a U.S. federal law as comprehensive as the EU Data Privacy Directive seems not just unlikely, but impossible.  Data collection is a huge industry and revenues generated and potential jobs created could assist in the current economic recovery.  Following enactment of the Directive, however, U.S. companies may have to step in line or risk alienating their customers.

Taxation of Ecommerce Transactions: Spotlight on Russia

The Russian ecommerce sector will continue to experience significant growth, whether serving the B2C or B2B markets.  And Russia has much to gain by supporting a robust ecommerce marketplace, for example, broadening the labour market for skilled workers and increasing the tax base,  Absent specific tax legislation, existing tax laws will be applied to ecommerce transactions.  Yet existing tax laws are often inadequate to address the new business and transaction models arising from ecommerce transactions.

The issues arising from the B2C market and the B2B market are clearly different, as are the type of taxes that may be imposed.  First, income tax imposed on profits arising from the ecommerce transactions, and second, in the case of B2C transactions, VAT.

The application of the existing framework for income taxation on transactions taking place between parties where both are located in Russia is identical to a transaction occurring without the benefit of the internet.  With increasing ease, companies can target consumers in any country, their reach is borderless.  In order fall subject to Russian profit tax, a foreign company must have a permanent establishment in Russia  A permanent establishment is deemed to arise where there is a remote place of business through which the foreign enterprise carries on business on a regular basis.  Although applied primarily where there is a building or other structure, or in the absence of a specific business location, where the business has employees.

In December 2010, the Moscow State Commercial Court held that a representative office of Bloomberg LP, through which employees gathered data which was entered into a database, access to which was subsequently sold through a UK office, constituted a permanent establishment.  Given this ruling, it is not unlikely that the same court would characterize a server located in Russia as a permanent establishment.  The permanency of a server, owned by a foreign company, that directs, stores, and filters customer traffic and through which transactions are completed will not be ignored by tax authorities.  Such characterization would follow similar rulings in other countries.

In terms of VAT, there are no specific tax rules that impose VAT on internet transactions.  Existing VAT legislation can be easily applied to an ecommerce transaction where both the buyer and seller are located within Russia.  VAT, an indirect tax, is generally imposed on goods at the place of consumption, but for services the imposition of VAT will depend on the place of supply.  This is perhaps an overly broad explanation, the Russian Tax Code does makes a distinction between certain types of services and the imposition of VAT on services is reliant on such distinction.  However characterized, foreign businesses are not required to collect and remit VAT.  Since the burden falls on Russian based businesses, then, a disparity arises.  Other countries, including the US have been grappling with this same issue. is a prime example, it is not required to collect and remit sales tax in the state where the consumer is located if it has no physical presence in that state, providing an advantage over its competitors.  The question remains, in an ecommerce transaction where services are being supplied, such as, access to internet services, including, digital products, is the “place of supply” where the consumer is located or where the server or service provider is located.  This is an area of significant debate, one which will not end soon.  As ecommerce expands its reach, lawmakers will resolve some of the ambiguities present in application of outdated laws.  Until then, be aware of where the ambiguities create the biggest risk for your ecommerce business.

Russia To Tax Offshore Companies

Once again President Vladimir Putin is putting pressure on Russian owned offshore companies to pay taxes.  In his state of the nation address, Putin announced Russia would be taxing offshore companies.  This continues the government’s crusade against offshore-declared income.  In 2012, the Federal Tax Service developed draft amendments to the Tax Code which would effectively terminate previously held deductions for costs paid to offshore companies, thereby reducing taxable income.  The amendments allowed for the recapture of the deductions if the taxpayer could prove that they had no control over the recipient of the payment.  There was significant push-back and watered-down versions were subsequently proposed to ease the burden on large companies and maintain an attractive market for foreign investors.

But Putin seems intent on pushing for further amendments that will result in retaining capital in Russia and minimize tax evasion.  Currently, gains and profits arising from assets held by offshore companies that are not repatriated to Russia are not taxed.  The use of offshore companies to hold assets has become more commonplace.  The use of a holding company in a country with a double tax treaty, Cyprus, for example, provides the benefits of minimal withholding rates.

The question remains, whether new tax laws imposing stricter control on Russian controlled offshore companies, if vigorously applied, will lead to a mass exodus of businesses from Russia and keep foreign investors away.

Taxing the Internet: The Rise of a Digital Media Tax

For a number of years, France, and others, (remember, the byte tax originally proposed by the Netherlands) have been raising the idea of a digital media tax.  We can all appreciate that the internet has revolutionized the way in which business is conducted and revenues are generated.  Gone at the static business models with very identifiable revenue streams.  Current tax laws are inadequate to capture the value digital activities being undertaken by multinational technology and digital media companies are creating.  To address this issue in a more formal way, France, in early 2013, commissioned a study on the taxation of the digital economy.  And more recently the European Commission has begun a study of its own by appointing a committee of experts to look at ways to tax internet companies.

The perceived, and currently untaxed, value created by internet companies is the difference between what is taxable without the presence of a permanent establishment (very little, if anything) and the revenues or value arising from user generated data and information.  Under the permanent establishment concept, present in most double tax treaties, a company that has no physical presence in a particular country is not subject to income tax on income arising from customers or users located in that country.  Internet companies are free to locate primary revenue generating activities in low or no tax jurisdictions, and use double tax treaties and other optimization methods to reduce worldwide income tax.

One justification for taxing the internet, was set out in the French commissioned report “L’Age de la Multitude” which pointed out that in order to reach its users, collect and market the data, companies like Google, Apple and Samsung, for example, rely on the infrastructure built by local public investment.  These internet companies, use the infrastructure and local technology networks without participating in its costs, by creating jobs or otherwise contributing to the local economy.

The question being raised, is whether companies profiting from the user data collected should pay tax on that value created, where it is created.  India may be have taken the first step to creating a system to tax the internet, by imposing a duty to pay income tax on companies that have an economic nexus rather than a physical one.  Applying this concept, a company who has collected, combined and monitored users’ personal data would pay a tax on the value of that information.  Could this conundrum be resolved by requiring internet companies to register in each country in which they collect personal information from its users?  It must abide by local data protection laws anyway, registration could be imposed by minor amendments to data protection laws; or perhaps redefine the double tax treaty concept of permanent establishment to trigger a permanent establishment each time a user’s data is collected by the internet company.

There will be many more studies, reports, discussions and negotiations around how to tax the internet.  Although I would not expect imminent across the board acceptance of a tax on digital media, I do expect that a few countries will push to amend local tax laws to capture some of this value within its borders. Watch for the results of the EC study, expected to be out mid-2014, and further steps to be taken by France who may be the front runner in imposing a tax on internet companies.

Data Privacy in the Cloud

As cloud computing becomes more popular and experiences widespread adoption, the cost of using a cloud provider, as opposed to maintaining your own data servers, could give your business a competitive advantage.  But when your business stores personal data on someone else’s servers a degree of control over this sensitive data is lost.  Beware, data privacy laws do not permit the cloud user to shift the risk of violation solely to the cloud provider.  Staying compliant with data protection laws around the world will require you to ensure that any cloud provider also abides by the same regulatory and legal requirements.  Transfer of personal data outside of, the EU, for example must comply with EU data protection law and any other local data protection laws.

Although Cloud providers may not provide an easy path to negotiate changes to their standard terms and conditions, your business may nevertheless be responsible for violations of the law.  Examining the cloud provider’s privacy policy, security, redundancy practices and disclosure policy will allow you to make an informed decision.  Push for changes to terms and conditions that would impose risk of noncompliance with data protection laws.

Know where your cloud provider is located, the legal environment with regard to data protection varies significantly from country to country.  Data protection laws in Asia, have not caught up with other regions in introducing laws regulating data sovereignty, cross border data flow and data security.  Yet the cost of a cloud provider located in China, for example, could be much lower than one located in the EU.  The cost, however, of a violation of data protection laws could bring the overall costs much higher than using that budget cloud provider located in a country that does not sufficiently protect the personal data collected by your business.

Holding Companies: Spotlight on Ireland

As your business expands globally you want to create the most efficient and competitive structure possible.  A holding company is an important part of that structure and requires examination of local tax laws, including any reductions in local tax for holding companies.  And should allow for maximization of profits earned by the business.  Holding companies can be located anywhere in the world, regardless of where your business operations or your target markets are located.  Determining your business needs first is essential.  For example, will any business operations take place in the same jurisdiction?  Will there be a pool of talented or skilled workers?  Identify the country where the largest market for your products or services is located, then determine whether there is a Double Tax Treaty between that country and the one you are considering as a possible holding company location.  A strong treaty network often results greater efficiencies.

Ireland had a number of boom years followed by a decline in the number of new companies locating there.  Ireland is now making changes to lure companies back with tax incentives and development programs, making it,  a very attractive location for a holding company.  Apple and other high technologies companies included Ireland in their global structures, Apple has actually had an Irish presence for the last 30 years and keeps a significant amount of its profits in an Irish subsidiary.

One of the most attractive aspects of choosing Ireland for your holding company is that it is an onshore EU jurisdiction with an extensive Double Tax Treaty network.  The following is a brief summary of what Ireland offers:

A Corporate Income Tax rate of 12.5% on trading profits, compared to 30% in other EU jurisdictions and 25% on passive income.  Dividends received from foreign subsidiaries, located in the EU or a country with which Ireland has a Double Tax Treaty, are taxed at 12.5%.  Ireland does not have a “participation exemption,” but does grant foreign tax credits that can reduce or eliminate tax on dividends; minimum 5% shareholding is required to receive any foreign tax credits.  The Foreign tax credits granted are quite flexible and can be applied to different dividend streams.  Any unused tax credits can be carried forward indefinitely.  Gains from the sale or other disposal of shares, and potentially other assets in a subsidiary are exempt from capital gains tax, provided the parent holding company holds owns at least a 5% equity interest in the subsidiary.  This equity interest can be held directly or indirectly and must be held for at least a twelve month period before qualifying for the tax exemption.

Withholding taxes are levied at 20%, but the existence of a Double Tax Treaty will reduce the withholding rate to between zero and 15%.  Ireland has a general anti-avoidance provision which can result in the re-characterization of transactions that have no de facto commercial purpose.

There are other factors that make Ireland a good choice for your holding company.  It has a talented, well-educated pool of workers, it is one of the few English speaking countries in the EU, a holding company can be formed in just a few days and it has a well-established financial infrastructure.

Should Marketing Companies Pay for the Right to Use Personal Information?

When personal information is collected, often from multiple internet based sources, then combined and shared or sold to marketing companies,  should those who personal information is the subject of the sale be paid.  This question was raised by a group of plaintiffs in Northern California, looking for compensation from Google for the use and reuse of their personal information for profit.  U.S. Magistrate Judge Paul Grewal, dismissed the claims that Google’s privacy policy, allowing personal information from more than one source be combined, caused injury to the plaintiffs.

In his dismissal, Judge Grewal stated “Plaintiffs’ allegations certainly plead that Google made money using information about them for which they were provided no compensation beyond free access to Google’s services. But an allegation that Google profited is not enough equivalent to an allegation that such profiteering deprived plaintiffs of economic value from that same information.”

The practice of combining personal information from multiple sources, added to Google’s Privacy Policy and terms and conditions, implemented in March 2012, has come under heavy fire recently. Courts in Germany and the Netherlands have both cited this as a violation of data protection laws and Google is subject to significant fines and penalties. In this class action lawsuit, Google’s users, in addition to claiming Google’s policy of combining personal information obtained through various sources violated their privacy rights, also claimed misappropriation of likeness, violations of the Wiretap Act, the Stored Communications Act and California’s Unfair Competition Law.

Although this case was dismissed, it raises an important question about whether marketing companies will need to offer compensation in addition to free use of a particular service in order to collect, combine and use personal information of their users. Google, for example, provides a number of services that are “free” to the user, provided the user agrees to their privacy policy and terms and conditions, which include the user’s consent to combine and share personal information across many platforms. Yet, without collecting revenue from its users, Google still makes substantial profits in part because it is able to sell advertisements that can be more carefully targeted on the users based on their personal information.

Marketing companies using panelists who are surveyed for opinions ranging from new products, use of existing products and various services, pay the panelists for completing surveys. Albeit the compensation is minimal, but the model might prove important in the future to avoid similar legal claims. Marketing companies might want to consider compensation ranging from free services to coupons or tokens for future purchases, to entice consumers to provide unrestricted use of personal information. This dismissal will not stop future litigants from raising the same issues, since it is possible that  future litigants will have more success.