As the government is aggressively promoting digital transactions the use of digital space has enhanced exponentially. E-commerce, e-wallets, e-governance, etc, has become the need of the hour. But privacy of the digital platform has always remained a cause of concern in India.
Recognising the need to ensure safety and security of payment system data, the Reserve Bank of India (RBI) in April 2018 had issued directions to the payment system operators, requiring them to store all the payment related data in India within a period of 6 months. The directions were issued in order to gain unencumbered access to all payment data for supervisory purposes, better monitoring and surveillance of the same and to reduce the risk of data breaches.
RBI directed these system providers along with their service providers, intermediaries and third party vendors to ensure that entire data related to payment systems operated by them should be stored on a server in India. This data should include the full end-to-end transaction details/information collected/carried/ processed as part of the message/payment instruction. For the foreign leg of the transaction, if any, the data can also be stored in the foreign country, if required. The companies were required to ensure compliance and report the same to RBI, which shall be subject to audit by the authorities.
Data protection bill
The RBI guidelines were in addition to the personal data protection bill 2018 proposed in July this year. It is expected to address the heftier issue of storage, processing and utilisation of customer data by tech-driven companies and online service providers. The bill has been drafted with the aim to tighten controls on the data that companies collect from its customers and to enhance individual rights with respect to their personal data. Every data fiduciary is required to store at least one copy of personal data on a server or data centre that is located in India. This may entail huge operational costs for the fiduciaries and may even upsurge compliance burden on companies.
Tax & new rules
Apart from the above implications, another angle of the proposed bill, which is also the cause of unrest among companies, is that data localisation may bring more foreign companies under the tax net. Until now foreign companies exploited local market data without paying taxes as they didn’t have physical presence. As per the international tax laws in this regard, an entity can be taxed on its business income in India only if it has a ‘permanent establishment’ (PE) in India. Modern technology has made it possible for many companies to do business in several countries without constituting a PE. As a result, it has been established in various judgments that hosting of local servers in India would make it possible to assert the existence of a ‘fixed place of business in India’, thereby attracting the taxation provisions by virtue of becoming a PE. For instance, in the famous case of MasterCard, the authority for advance rulings (AAR) held that MasterCard Asia Pacific constituted a fixed place PE in India as its interface processors, required to carry out significant transactions, were located in India, and were at the disposal of foreign entity.
Entities may take the services of cloud computing networks instead of maintaining their own infrastructure for the purposes of storing data, to avoid creation of a PE, however, they can’t escape from falling into the tax net, owing to the introduction of the new concept of ‘significant economic presence’ having tax consequences.
‘Significant economic presence’ is a concept that was introduced by the Finance Act 2018 making use of option proposed by OECD on BEPS. The existence of a significant presence entails tax liability. Whether the non-resident has place of business in India or not, has now become irrelevant. A non-resident will constitute a significant economic presence in India if the non-resident receives revenue exceeding a prescribed amount, for transactions carried on within India, or if the non-resident systematically and continuously solicits business in India through digital means or if the non-resident engages in interaction with users in India through digital means. Thought the thresholds have not yet been prescribed, data localisation shall surely help in tracking volume of activities of these non-residents in India.
The road ahead
Data localisation would make it easier for the income tax authorities to keep track of the volume, frequency & regularity of trade in India, thereby making it simpler for authorities to determine whether the business of an entity crosses the threshold for establishing significant economic presence in India.
It’s thus clear that data localisation may have significant impacts, not only with respect to data protection, but also in the area of taxation. A multitude of foreign headquartered entities may now have to pay taxes if they store their data on servers in India. While it may be a welcome relief for local firms, the new entrants will now have to retrace their business strategies and arrangements around the new laws of the land. Further, the surfeit of data that shall be available to the government, if the proposed bill is enacted, might be used to the advantage of the income tax authorities to check tax evasion, track financial activities and identify the magnitude of activities conducted in India.
The personal data protection bill 2018 and the RBI directions were surely aimed at maintaining a healthy, robust and digitised economy by ensuring the safety and security of data and its continuous scrutiny. But who could have thought that a simple data protection law could have tax implications as well. It may be too early to contemplate the exact tax angle, since the nature, extent and type of control is still under consideration but the possibility can’t be ruled out that this may lead to a wider tax base.
(The writer, a qualified chartered accountant, is partner of Nangia Advisors)