publications full of ideas
The Future of Trans-Atlantic Data Transfers
What Apple’s 14 billion Tax Bill Could Portend For Privacy Shield And GPDR

9.21.2016

Ireland was recently stunned with the news that Apple owed it 13 billion euros it did not want. The underlying tax arrangement was relatively straightforward: Corporations that do businesses in different jurisdictions often configure their internal operations to reduce their tax obligations. The process ensures they are compliant with the tax law of every country they operate in, while still limiting their taxes.

This procedure is neither novel nor illegal. It is common enough to have a descriptor: “tax arbitrage.” The objective is recognized in Anglo-American jurisprudence. In 1929, the House of Lords held that “[n]o man in this country is under the smallest obligation, moral or other, so to arrange his legal relations to his business or to his property as to enable the Inland Revenue to put the largest possible shovel into his stores.” Five years later, Judge Learned Hand wrote “Any one may so arrange his affairs that his taxes shall be as low as possible; he is not bound to choose that pattern which will best pay the Treasury; there is not even a patriotic duty to increase one’s taxes.”

This principle has enabled Ireland to attract business on the basis of an attractive tax system. The Celtic Tiger campaign has been successful, recruiting major companies, including technology giants such as Amazon and Apple. Against this backdrop, European Union’s unsolicited tax bill came as a bolt from the blue.

Greatly simplified, the EU premise was this: EU members are free to set their own tax structures. Ireland and Apple were on safe ground there. But the EU went on to hold that the Irish tax structure constituted a de facto subsidy. Such a subsidy would be impermissible under EU law. Therefore, Apple’s payments to Ireland were improper.

In effect, the EU decision grafted principles from one legal area – trade subsidies – to another – tax policy. One view would dismisses this as routine jurisprudence: for instance the Affordable Care Act was famously upheld as a tax. But another views it more cynically. Brussels, this view holds, has used the subsidy principle as an expedient to strong-arm members on tax matters that would otherwise be outside its remit. Other members including Luxembourg and Belgium are next in line on the basis of their treatment of other multinationals such as Facebook, Google, Microsoft and Amazon.

So how does this cynical view potentially impact the U.S.-E.U. data framework? Readers will recollect that that framework – Privacy Shield – has been rolled out in the wake of the Schrems decision which struck down the previous framework. There are questions about whether Privacy Shield can survive, particularly when critics view the EU regulatory climate as hostile to American technology giants. This view holds that protectionism, not differences on principles, drives EU enforcement.

The EU has tried to rebut this view. Nevertheless, the road ahead contains two potential potholes. One, Privacy Shield could struck down in a subsequent legal challenge. In that case, corporations who had adhered to it in good faith would still face potential penalties. Two, even if Privacy Shield is affirmed, a new regulatory regime, the EU General Data Protection Regulation (GPDR) is imminent. Under the cynical view, GPDR would join an array of other regulatory disputes bogging down American businesses in Europe.

So what does the prudent data holding or processing entity do? It has three option. First, many companies relied on model contractual clauses or binding corporate rules post-Schrems. They may want to do so as an additional safety measure despite Privacy Shield: a belt-and-suspenders approach to ensure compliance. Two, since GPDR is expected in two years, it is time to prepare. Three, companies should incorporate “privacy by design” concerns into developing processes and procedures. Processes and procedures that incorporate privacy considerations at every stage from inception to launch would go a long way to heading off even the most zealous privacy regulator at the pass.

Physical Address: 301 Fayetteville Street, Suite 1900, Raleigh, NC 27601

related information


follow us on twitter