The Russian ecommerce sector will continue to experience significant growth, whether serving the B2C or B2B markets.  And Russia has much to gain by supporting a robust ecommerce marketplace, for example, broadening the labour market for skilled workers and increasing the tax base,  Absent specific tax legislation, existing tax laws will be applied to ecommerce transactions.  Yet existing tax laws are often inadequate to address the new business and transaction models arising from ecommerce transactions.

The issues arising from the B2C market and the B2B market are clearly different, as are the type of taxes that may be imposed.  First, income tax imposed on profits arising from the ecommerce transactions, and second, in the case of B2C transactions, VAT.

The application of the existing framework for income taxation on transactions taking place between parties where both are located in Russia is identical to a transaction occurring without the benefit of the internet.  With increasing ease, companies can target consumers in any country, their reach is borderless.  In order fall subject to Russian profit tax, a foreign company must have a permanent establishment in Russia  A permanent establishment is deemed to arise where there is a remote place of business through which the foreign enterprise carries on business on a regular basis.  Although applied primarily where there is a building or other structure, or in the absence of a specific business location, where the business has employees.

In December 2010, the Moscow State Commercial Court held that a representative office of Bloomberg LP, through which employees gathered data which was entered into a database, access to which was subsequently sold through a UK office, constituted a permanent establishment.  Given this ruling, it is not unlikely that the same court would characterize a server located in Russia as a permanent establishment.  The permanency of a server, owned by a foreign company, that directs, stores, and filters customer traffic and through which transactions are completed will not be ignored by tax authorities.  Such characterization would follow similar rulings in other countries.

In terms of VAT, there are no specific tax rules that impose VAT on internet transactions.  Existing VAT legislation can be easily applied to an ecommerce transaction where both the buyer and seller are located within Russia.  VAT, an indirect tax, is generally imposed on goods at the place of consumption, but for services the imposition of VAT will depend on the place of supply.  This is perhaps an overly broad explanation, the Russian Tax Code does makes a distinction between certain types of services and the imposition of VAT on services is reliant on such distinction.  However characterized, foreign businesses are not required to collect and remit VAT.  Since the burden falls on Russian based businesses, then, a disparity arises.  Other countries, including the US have been grappling with this same issue.  Amazon.com is a prime example, it is not required to collect and remit sales tax in the state where the consumer is located if it has no physical presence in that state, providing an advantage over its competitors.  The question remains, in an ecommerce transaction where services are being supplied, such as, access to internet services, including, digital products, is the “place of supply” where the consumer is located or where the server or service provider is located.  This is an area of significant debate, one which will not end soon.  As ecommerce expands its reach, lawmakers will resolve some of the ambiguities present in application of outdated laws.  Until then, be aware of where the ambiguities create the biggest risk for your ecommerce business.

Once again President Vladimir Putin is putting pressure on Russian owned offshore companies to pay taxes.  In his state of the nation address, Putin announced Russia would be taxing offshore companies.  This continues the government’s crusade against offshore-declared income.  In 2012, the Federal Tax Service developed draft amendments to the Tax Code which would effectively terminate previously held deductions for costs paid to offshore companies, thereby reducing taxable income.  The amendments allowed for the recapture of the deductions if the taxpayer could prove that they had no control over the recipient of the payment.  There was significant push-back and watered-down versions were subsequently proposed to ease the burden on large companies and maintain an attractive market for foreign investors.

But Putin seems intent on pushing for further amendments that will result in retaining capital in Russia and minimize tax evasion.  Currently, gains and profits arising from assets held by offshore companies that are not repatriated to Russia are not taxed.  The use of offshore companies to hold assets has become more commonplace.  The use of a holding company in a country with a double tax treaty, Cyprus, for example, provides the benefits of minimal withholding rates.

The question remains, whether new tax laws imposing stricter control on Russian controlled offshore companies, if vigorously applied, will lead to a mass exodus of businesses from Russia and keep foreign investors away.

For a number of years, France, and others, (remember, the byte tax originally proposed by the Netherlands) have been raising the idea of a digital media tax.  We can all appreciate that the internet has revolutionized the way in which business is conducted and revenues are generated.  Gone at the static business models with very identifiable revenue streams.  Current tax laws are inadequate to capture the value digital activities being undertaken by multinational technology and digital media companies are creating.  To address this issue in a more formal way, France, in early 2013, commissioned a study on the taxation of the digital economy.  And more recently the European Commission has begun a study of its own by appointing a committee of experts to look at ways to tax internet companies.

The perceived, and currently untaxed, value created by internet companies is the difference between what is taxable without the presence of a permanent establishment (very little, if anything) and the revenues or value arising from user generated data and information.  Under the permanent establishment concept, present in most double tax treaties, a company that has no physical presence in a particular country is not subject to income tax on income arising from customers or users located in that country.  Internet companies are free to locate primary revenue generating activities in low or no tax jurisdictions, and use double tax treaties and other optimization methods to reduce worldwide income tax.

One justification for taxing the internet, was set out in the French commissioned report “L’Age de la Multitude” which pointed out that in order to reach its users, collect and market the data, companies like Google, Apple and Samsung, for example, rely on the infrastructure built by local public investment.  These internet companies, use the infrastructure and local technology networks without participating in its costs, by creating jobs or otherwise contributing to the local economy.

The question being raised, is whether companies profiting from the user data collected should pay tax on that value created, where it is created.  India may be have taken the first step to creating a system to tax the internet, by imposing a duty to pay income tax on companies that have an economic nexus rather than a physical one.  Applying this concept, a company who has collected, combined and monitored users’ personal data would pay a tax on the value of that information.  Could this conundrum be resolved by requiring internet companies to register in each country in which they collect personal information from its users?  It must abide by local data protection laws anyway, registration could be imposed by minor amendments to data protection laws; or perhaps redefine the double tax treaty concept of permanent establishment to trigger a permanent establishment each time a user’s data is collected by the internet company.

There will be many more studies, reports, discussions and negotiations around how to tax the internet.  Although I would not expect imminent across the board acceptance of a tax on digital media, I do expect that a few countries will push to amend local tax laws to capture some of this value within its borders. Watch for the results of the EC study, expected to be out mid-2014, and further steps to be taken by France who may be the front runner in imposing a tax on internet companies.

As cloud computing becomes more popular and experiences widespread adoption, the cost of using a cloud provider, as opposed to maintaining your own data servers, could give your business a competitive advantage.  But when your business stores personal data on someone else’s servers a degree of control over this sensitive data is lost.  Beware, data privacy laws do not permit the cloud user to shift the risk of violation solely to the cloud provider.  Staying compliant with data protection laws around the world will require you to ensure that any cloud provider also abides by the same regulatory and legal requirements.  Transfer of personal data outside of, the EU, for example must comply with EU data protection law and any other local data protection laws.

Although Cloud providers may not provide an easy path to negotiate changes to their standard terms and conditions, your business may nevertheless be responsible for violations of the law.  Examining the cloud provider’s privacy policy, security, redundancy practices and disclosure policy will allow you to make an informed decision.  Push for changes to terms and conditions that would impose risk of noncompliance with data protection laws.

Know where your cloud provider is located, the legal environment with regard to data protection varies significantly from country to country.  Data protection laws in Asia, have not caught up with other regions in introducing laws regulating data sovereignty, cross border data flow and data security.  Yet the cost of a cloud provider located in China, for example, could be much lower than one located in the EU.  The cost, however, of a violation of data protection laws could bring the overall costs much higher than using that budget cloud provider located in a country that does not sufficiently protect the personal data collected by your business.

As your business expands globally you want to create the most efficient and competitive structure possible.  A holding company is an important part of that structure and requires examination of local tax laws, including any reductions in local tax for holding companies.  And should allow for maximization of profits earned by the business.  Holding companies can be located anywhere in the world, regardless of where your business operations or your target markets are located.  Determining your business needs first is essential.  For example, will any business operations take place in the same jurisdiction?  Will there be a pool of talented or skilled workers?  Identify the country where the largest market for your products or services is located, then determine whether there is a Double Tax Treaty between that country and the one you are considering as a possible holding company location.  A strong treaty network often results greater efficiencies.

Ireland had a number of boom years followed by a decline in the number of new companies locating there.  Ireland is now making changes to lure companies back with tax incentives and development programs, making it,  a very attractive location for a holding company.  Apple and other high technologies companies included Ireland in their global structures, Apple has actually had an Irish presence for the last 30 years and keeps a significant amount of its profits in an Irish subsidiary.

One of the most attractive aspects of choosing Ireland for your holding company is that it is an onshore EU jurisdiction with an extensive Double Tax Treaty network.  The following is a brief summary of what Ireland offers:

A Corporate Income Tax rate of 12.5% on trading profits, compared to 30% in other EU jurisdictions and 25% on passive income.  Dividends received from foreign subsidiaries, located in the EU or a country with which Ireland has a Double Tax Treaty, are taxed at 12.5%.  Ireland does not have a “participation exemption,” but does grant foreign tax credits that can reduce or eliminate tax on dividends; minimum 5% shareholding is required to receive any foreign tax credits.  The Foreign tax credits granted are quite flexible and can be applied to different dividend streams.  Any unused tax credits can be carried forward indefinitely.  Gains from the sale or other disposal of shares, and potentially other assets in a subsidiary are exempt from capital gains tax, provided the parent holding company holds owns at least a 5% equity interest in the subsidiary.  This equity interest can be held directly or indirectly and must be held for at least a twelve month period before qualifying for the tax exemption.

Withholding taxes are levied at 20%, but the existence of a Double Tax Treaty will reduce the withholding rate to between zero and 15%.  Ireland has a general anti-avoidance provision which can result in the re-characterization of transactions that have no de facto commercial purpose.

There are other factors that make Ireland a good choice for your holding company.  It has a talented, well-educated pool of workers, it is one of the few English speaking countries in the EU, a holding company can be formed in just a few days and it has a well-established financial infrastructure.

When personal information is collected, often from multiple internet based sources, then combined and shared or sold to marketing companies,  should those who personal information is the subject of the sale be paid.  This question was raised by a group of plaintiffs in Northern California, looking for compensation from Google for the use and reuse of their personal information for profit.  U.S. Magistrate Judge Paul Grewal, dismissed the claims that Google’s privacy policy, allowing personal information from more than one source be combined, caused injury to the plaintiffs.

In his dismissal, Judge Grewal stated “Plaintiffs’ allegations certainly plead that Google made money using information about them for which they were provided no compensation beyond free access to Google’s services. But an allegation that Google profited is not enough equivalent to an allegation that such profiteering deprived plaintiffs of economic value from that same information.”

The practice of combining personal information from multiple sources, added to Google’s Privacy Policy and terms and conditions, implemented in March 2012, has come under heavy fire recently. Courts in Germany and the Netherlands have both cited this as a violation of data protection laws and Google is subject to significant fines and penalties. In this class action lawsuit, Google’s users, in addition to claiming Google’s policy of combining personal information obtained through various sources violated their privacy rights, also claimed misappropriation of likeness, violations of the Wiretap Act, the Stored Communications Act and California’s Unfair Competition Law.

Although this case was dismissed, it raises an important question about whether marketing companies will need to offer compensation in addition to free use of a particular service in order to collect, combine and use personal information of their users. Google, for example, provides a number of services that are “free” to the user, provided the user agrees to their privacy policy and terms and conditions, which include the user’s consent to combine and share personal information across many platforms. Yet, without collecting revenue from its users, Google still makes substantial profits in part because it is able to sell advertisements that can be more carefully targeted on the users based on their personal information.

Marketing companies using panelists who are surveyed for opinions ranging from new products, use of existing products and various services, pay the panelists for completing surveys. Albeit the compensation is minimal, but the model might prove important in the future to avoid similar legal claims. Marketing companies might want to consider compensation ranging from free services to coupons or tokens for future purchases, to entice consumers to provide unrestricted use of personal information. This dismissal will not stop future litigants from raising the same issues, since it is possible that  future litigants will have more success.

On December 2, the Supreme Court of the United States declined to grant writ of certiorari filed by two online retail giants, Amazon.com LLC and Overstock.com, Inc.    The broad issue at hand, is whether online retailers must charge, collect and remit state sales tax in states where their customers are located, but where the online retailer has no physical presence.  The issue, although not new, could have quite an impact on online retailers worldwide.

In 1992, the Supreme Court held that a physical presence, in the state where the customer is located, is necessary to establish a nexus between a company and the state for the purposes of sales tax.  The State of New York, concluded, more recently, that sellers who sign up for the Amazon affiliate program create that nexus.  This is a tenuous conclusion since the sellers are, in fact, simply another Amazon.com customer; the product purchased is access to Amazon retail customers through a link on a website.  Amazon.com has no control over the website, does not employ the seller or have any trappings of a typical office in that state.  The Supreme Court’s refusal to hear the appeal could be taken as a broad expansion of the state’s power to tax.  This could have a ripple effect for online retailers located in other countries.  The cost of having to charge, collect and remit sales tax to each of the 52 states will create a significant hardship for small to medium sized companies.

The physical presence/nexus concept is not different from the treaty concept of permanent establishment.  U.S. online retailers selling into other countries have not had the burden of charging, collecting and remitting VAT or other tax on sales, if they had no permanent establishment in that country.  The question will now be whether the physical presence of a sales affiliate program similar to the Amazon.com will trigger a permanent establishment, not simply for the purposes of VAT, but also income tax.

On November 27, 2013, the South African government signed into law, the Protection of Personal Information Bill.  This comprehensive Bill regulates how personal information may be collected, processed, and used, and aligns with international standards that prescribe the minimum threshold requirements for the collection, processing and use of personal information.

One significant change from previous law, will give individuals the right control over the collection, processing and subsequent use of their personal information.  Companies must obtain express consent from individuals to collect, process and use their personal information.  The previous practice allowed companies to collect, store and use personal information provided the individual did not object.  As was often the case, the objection, or opt out choice was not readily apparent.   Companies will be required to notify individuals and obtain consent before any communication takes place.  Consent may be revoked by the individual at any time after its been given.

In addition, the Protection of Personal Information Bill establishes a regulatory agency, sets stricter limits on processing of personal information of children and information regarding the individual’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behavior.  The Bill requires companies who collect and/or process personal information to implement security measures, to notify individuals of breaches, to set restrictions on processing of personal information for the purpose of direct marketing and limits transfers of personal information to other countries unless that country has data privacy laws at least as strict.

Companies will have one year to demonstrate compliance with the new law, although this transition period may be extended for up to 3 years.

Since South African data privacy laws will now be in line with international norms, the Act could increase multijurisdictional trade and provide a boost to the economy.  To be compliant, companies will have to limit outsourced data storage and processing to vendors in countries that have adopted similar data protection laws.

Similar to other jurisdictions, larger companies will have to appoint data protection officers to ensure compliance with the Act.  Failure to comply can result in significant penalties and/or imprisonment.

The Cayman Islands Financial Services Minister, Wayne Panton signed an agreement with the United States which will allow Cayman Island financial institutions to provide full disclosure of US assets held in the Cayman Islands by US persons and US entities.  The agreement, based on a Model 1 intergovernmental agreement, allows for the exchange of information between the governments ensuring transparency and exchange of information for tax purposes.

The Agreement signed, Friday November 29, 2013, puts the Cayman Islands on track with the U.S. Foreign Account Tax Compliance Act (FATCA), which became law in the U.S. in 2010, and will be fully effective in 2014.  While a mutual legal assistance treaty had been in place since 2001, local law made full disclosure by local financial institutions difficult.

Aimed at non-compliance by U.S. taxpayers with foreign accounts, FATCA requires foreign financial institutions to report about financial account held by U.S. taxpayers, or foreign entities in which U.S. taxpayers hold a substantial ownership interest.  FATCA imposed a 30% withholding tax on certain payments, interest or dividends paid by a U.S. corporation or the proceeds from the sale of shares, made to foreign financial institutions that refused to identify U.S. account holders.

FULL TEXT: US – Cayman Islands Agreement to Improve International Tax Compliance and to Implement FATCA [pdf]

In Spring 2012, Google completed its new privacy policy and implemented it throughout its product and services offerings worldwide.  The new privacy policy allows Google to collect, combine and share personal information obtained from its different products and services.  A court in Berlin, only last week, found Google’s privacy policy together with its terms of service, to be in violation of Germany’s data protection laws.  The German court raised a number of issues with Google’s privacy policy and terms of service, underlying each of the issues is the apparent lack of control users have over personal data collected by Google.

Now, the Dutch data protection authority is focused on Google’s practice of combining personal data collected from all sources.  The Dutch data protection authority claims that when Google changed its privacy policy it did not inform or obtain consent from users.  Google users must click acceptance to a general privacy policy and terms of service.  These general terms allow Google to make changes to the privacy policy and terms of service without obtaining further consent from its users.  This practice breaches Dutch data privacy law.  In addition, Google does not provide information to its users on what is being done with the personal data collected, including combining personal information obtained from multiple sources for undisclosed uses.

The Dutch data protection authority has not yet indicated what enforcement measures will be imposed.

Google’s data privacy troubles are not isolated to breaches of German and Dutch privacy laws.  Spain and France also have investigations and are calling for enforcement actions.  Google will have to change its privacy policy and terms of service to avoid further enforcement actions and penalties.  The US Safe Harbor is being carefully scrutinized to determine whether, following implementation of data privacy rules in 2014, self-certification under the program will be satisfactory.  Prior to implementation of the US Safe Harbor agreement, US data privacy laws, which differ from state to state, did not adequate data protection to satisfy the EU Data Protection Directive.  As EU data protection laws get tougher the US Safe Harbor will likely not offer the protection against enforcement actions, it once did.