On December 2, the Supreme Court of the United States declined to grant writ of certiorari filed by two online retail giants, Amazon.com LLC and Overstock.com, Inc.    The broad issue at hand, is whether online retailers must charge, collect and remit state sales tax in states where their customers are located, but where the online retailer has no physical presence.  The issue, although not new, could have quite an impact on online retailers worldwide.

In 1992, the Supreme Court held that a physical presence, in the state where the customer is located, is necessary to establish a nexus between a company and the state for the purposes of sales tax.  The State of New York, concluded, more recently, that sellers who sign up for the Amazon affiliate program create that nexus.  This is a tenuous conclusion since the sellers are, in fact, simply another Amazon.com customer; the product purchased is access to Amazon retail customers through a link on a website.  Amazon.com has no control over the website, does not employ the seller or have any trappings of a typical office in that state.  The Supreme Court’s refusal to hear the appeal could be taken as a broad expansion of the state’s power to tax.  This could have a ripple effect for online retailers located in other countries.  The cost of having to charge, collect and remit sales tax to each of the 52 states will create a significant hardship for small to medium sized companies.

The physical presence/nexus concept is not different from the treaty concept of permanent establishment.  U.S. online retailers selling into other countries have not had the burden of charging, collecting and remitting VAT or other tax on sales, if they had no permanent establishment in that country.  The question will now be whether the physical presence of a sales affiliate program similar to the Amazon.com will trigger a permanent establishment, not simply for the purposes of VAT, but also income tax.

On November 27, 2013, the South African government signed into law, the Protection of Personal Information Bill.  This comprehensive Bill regulates how personal information may be collected, processed, and used, and aligns with international standards that prescribe the minimum threshold requirements for the collection, processing and use of personal information.

One significant change from previous law, will give individuals the right control over the collection, processing and subsequent use of their personal information.  Companies must obtain express consent from individuals to collect, process and use their personal information.  The previous practice allowed companies to collect, store and use personal information provided the individual did not object.  As was often the case, the objection, or opt out choice was not readily apparent.   Companies will be required to notify individuals and obtain consent before any communication takes place.  Consent may be revoked by the individual at any time after its been given.

In addition, the Protection of Personal Information Bill establishes a regulatory agency, sets stricter limits on processing of personal information of children and information regarding the individual’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behavior.  The Bill requires companies who collect and/or process personal information to implement security measures, to notify individuals of breaches, to set restrictions on processing of personal information for the purpose of direct marketing and limits transfers of personal information to other countries unless that country has data privacy laws at least as strict.

Companies will have one year to demonstrate compliance with the new law, although this transition period may be extended for up to 3 years.

Since South African data privacy laws will now be in line with international norms, the Act could increase multijurisdictional trade and provide a boost to the economy.  To be compliant, companies will have to limit outsourced data storage and processing to vendors in countries that have adopted similar data protection laws.

Similar to other jurisdictions, larger companies will have to appoint data protection officers to ensure compliance with the Act.  Failure to comply can result in significant penalties and/or imprisonment.

The Cayman Islands Financial Services Minister, Wayne Panton signed an agreement with the United States which will allow Cayman Island financial institutions to provide full disclosure of US assets held in the Cayman Islands by US persons and US entities.  The agreement, based on a Model 1 intergovernmental agreement, allows for the exchange of information between the governments ensuring transparency and exchange of information for tax purposes.

The Agreement signed, Friday November 29, 2013, puts the Cayman Islands on track with the U.S. Foreign Account Tax Compliance Act (FATCA), which became law in the U.S. in 2010, and will be fully effective in 2014.  While a mutual legal assistance treaty had been in place since 2001, local law made full disclosure by local financial institutions difficult.

Aimed at non-compliance by U.S. taxpayers with foreign accounts, FATCA requires foreign financial institutions to report about financial account held by U.S. taxpayers, or foreign entities in which U.S. taxpayers hold a substantial ownership interest.  FATCA imposed a 30% withholding tax on certain payments, interest or dividends paid by a U.S. corporation or the proceeds from the sale of shares, made to foreign financial institutions that refused to identify U.S. account holders.

FULL TEXT: US – Cayman Islands Agreement to Improve International Tax Compliance and to Implement FATCA [pdf]

In Spring 2012, Google completed its new privacy policy and implemented it throughout its product and services offerings worldwide.  The new privacy policy allows Google to collect, combine and share personal information obtained from its different products and services.  A court in Berlin, only last week, found Google’s privacy policy together with its terms of service, to be in violation of Germany’s data protection laws.  The German court raised a number of issues with Google’s privacy policy and terms of service, underlying each of the issues is the apparent lack of control users have over personal data collected by Google.

Now, the Dutch data protection authority is focused on Google’s practice of combining personal data collected from all sources.  The Dutch data protection authority claims that when Google changed its privacy policy it did not inform or obtain consent from users.  Google users must click acceptance to a general privacy policy and terms of service.  These general terms allow Google to make changes to the privacy policy and terms of service without obtaining further consent from its users.  This practice breaches Dutch data privacy law.  In addition, Google does not provide information to its users on what is being done with the personal data collected, including combining personal information obtained from multiple sources for undisclosed uses.

The Dutch data protection authority has not yet indicated what enforcement measures will be imposed.

Google’s data privacy troubles are not isolated to breaches of German and Dutch privacy laws.  Spain and France also have investigations and are calling for enforcement actions.  Google will have to change its privacy policy and terms of service to avoid further enforcement actions and penalties.  The US Safe Harbor is being carefully scrutinized to determine whether, following implementation of data privacy rules in 2014, self-certification under the program will be satisfactory.  Prior to implementation of the US Safe Harbor agreement, US data privacy laws, which differ from state to state, did not adequate data protection to satisfy the EU Data Protection Directive.  As EU data protection laws get tougher the US Safe Harbor will likely not offer the protection against enforcement actions, it once did.