Data havens: how to tackle the new digital race to the bottom

Britain’s Times Newspaper is carrying a story entitled Errors in The Crown may prompt tighter rules for streaming services. The issue at hand, apparently, is that the Netflix series The Crown isn’t sticking closely enough to historical facts, and showing the Royal Family in a poor light. 

Quelle horreur!

But what’s of interest to us here at the Tax Justice Network is that this is the latest sign of a race to the bottom among jurisdictions when it comes to investigation and enforcement of abuses. As the article states:

“Streaming platforms such as Netflix and Amazon Prime Video are covered by a weaker EU-wide regime, known as the audio visual media services directive. Netflix is registered with the Commissariaat voor de Media, a little-known Dutch regulator, which as of last year had not investigated a single complaint from a British viewer about the streaming service.”

We don’t care much whether or not The Crown, a drama, sticks to historical facts. But we do care that complaints get taken seriously. 

The Netherlands is at No. 4 in our Corporate Tax Haven Index — meaning, in effect, that it is the world’s fourth most damaging tax haven. And as we shall see, it is no coincidence that a damaging tax haven should also be super-lax on regulating audio-visual services like Netflix. A privacy expert told TJN, via an email on this subject:

“Being a tax or data haven is wanting to profit from allowing others to behave questionably and promising to turn a blind eye.”

Internet services are another case in point. Giant monopolising platforms like Facebook or Google fall under Europe’s General Data Protection Regulation (GDPR). Lax regulation of data sharing has contributed to all manner of abuses, from climate crimes to fake news to genocide. 

We noted this privacy-related race to the bottom between European countries last year, in a major post on the links between tax havens and monopolies. 

The specific problem here involves what is called, in EU jargon, the “Lead Supervisory Authority” for the internet giants, which is the jurisdiction where the Facebooks of this world decide to put their European HQs for tax and regulatory purposes — this will be the country that co-ordinates investigations into abuses across Europe. Obviously — obviously — this approach of letting large global platforms go jurisdiction-shopping to find the friendliest data supervisor and enforcer is likely to lead to a race to the bottom, as jurisdictions try to outdo each other in laxity, to capture the giants’ business. 

A report from Access Now, a group that protects people’s digital rights, provides new evidence on lax supervision of online content — and highlights jurisdictions whose identities will surprise nobody who is familiar with corporate tax havens. 

“Ireland and Luxembourg, which are the main authorities dealing with the cases involving Amazon, Facebook, WhatsApp, Twitter, PayPal, Instagram, Microsoft, Google, and others, have issued zero fines against the tech giants to date. In the meantime, in 2018 and 2019, the Irish authoritiy received a total of 11,328 complaints.”

In fact, Ireland has now just imposed a fine (against Twitter) for failing to notify regulators after a data breach. This may sound like progress — but it isn’t. Under the GDPR Ireland could have fined Twitter two percent of its $3.5bn global annual revenue, or around US$70 million (nearly €60m) according to our calculations. In the event, the Irish regulator took two years to levy the fine and came up with . . . $450,000. Ian Brown, an authority on internet regulation, described the fine as “an embarrassment… the Irish data protection commissioner is notoriously lax.” And, as one article on the fine put it:

“The Irish regulator originally wanted to fine Twitter even less than this, but through the dispute-resolution process, it was told to increase the amount.”

Brown told TJN that the Irish data regulator:

“just do not remotely have the resources they need to employ enough staff — including highly expert staff who understand the technology — or the political will to really make use of their enforcement powers.”

Ireland is, alongside its data haven role, another of the world’s largest — and sleaziest — corporate income tax havens, bowing down to rootless global capital by offering tax loopholes such as those that allowed Apple to set up companies that existed, in effect, nowhere. This game has undercut other countries’s tax systems and has not even benefited the broad population of Ireland. Luxembourg, at number 6 on the CTHI, also engages heavily in the data haven game, particularly through its hosting of Amazon.

Access Now summarises the problem:

Large tech companies have nearly endless financial resources in comparison to the restrictive budget allocated to Data Protection Authorities. In the case of Ireland, the revenue of some of these companies is even higher than the Gross Domestic Product of the country.

There is more bad news — alongside some potentially good news.

On the worrying side, Britain, which hitherto has successfully levied some meaningful fines against large companies for GDPR abuses, now faces Brexit, its departure from the European Union. A recent article by Carissa Veliz in The Guardian quotes the UK’s digital secretary as saying that:

“Data and data use are seen as opportunities to be embraced, rather than threats against which to be guarded.”

That is indeed worrying. And the article continues:

“The UK could develop into a data haven, in the way some countries are tax havens. A data haven would be a country involved in “data washing”, being willing to host data acquired in unlawful ways (eg without proper consent or safeguards) that is then recycled into apparently respectable products.

(Data washing) would involve the UK allowing companies and governments the world over to do their dirty data work under its protection in exchange for money. [This] could turn into a privacy catastrophe.”

This is a realistic fear: there are powerful interests in the UK pushing for the UK, once out of the EU, to engage in tax-cutting and deregulation to attract capital, and data havenry.  (That’s another can of worms.)

But now, for some potentially very good news.

There is a straightforward solution to this, at least to the race-to-the-bottom element of it. And that is to do away with the “lead supervisory authority” system that allows giant companies to shop for the friendliest supervisor. Instead, supervision and enforcement should be centralised at a European level. 

The European Commission has just published its proposals for a Digital Markets Act (and Digital Services Act,) a broad, sweeping set of proposed legislation to deal with the digital economy in there.  And we find, in the DMA proposals, this:

The Commission examined different policy options . . . All options envisaged implementation, supervision and enforcement at the EU level by the Commission as the competent regulatory body. Given the pan-European reach of the targeted companies, a decentralised enforcement model does not seem to be a conceivable alternative, including in light of the risk of regulatory fragmentation
. . . 
the functioning of the internal market will be improved through clear behavioural rules that give all stakeholders legal clarity and through an EU-wide intervention framework allowing to address effectively harmful practices in a timely and effective manner. [our emphasis]

This, potentially, is huge — and worthy of support: these are still just proposals, which need to pass through the EU sausage machine before they harden into law, perhaps a year or two hence. 

The tax justice movement must now join forces with digital rights groups and others, to protect this crucial aspect of regulation in the digital age. This is the kind of cross-silo movement-building of “fusion coalitions” which, history suggests, can be the most effective of all.