In this note we cover three legal developments of importance to TMT companies and legal advisers.
1. Microsoft Email Case - Can US authorities demand access to data in Microsoft's data centres in Ireland?
In 2014, Ireland found itself at the centre of a battle between the US authorities and Microsoft in relation to data access. In late 2013, Microsoft was ordered by a US federal court, pursuant to a search warrant issued under the US Stored Communications Act (SCA), to produce user and content (including private e-mail) data as part of an on-going US Department of Justice (DoJ) investigation into narcotics trafficking. The relevant data is stored outside the US, on Microsoft servers located in Ireland, and operated by an Irish subsidiary of Microsoft Corp.
Microsoft argues that the data held on Irish servers is not subject to US jurisdiction and complying with the warrant by handing over the data may breach Irish and EU law. For example, it would likely breach the provisions of the Irish Data Protection Acts 1988 and 2003 which require Microsoft to process the data fairly, keep the data secure and restrict non-EEA transfers of the data. It also argues that the US should follow the process set out in a Mutual Legal Assistance Treaty (MLAT), such as that in place between the US and Ireland since 2001, which is the conventional route for seeking case evidence located in a foreign country. On the other hand, the US authorities claim that they have global jurisdiction in relation to all transactions involving a US company. Microsoft therefore finds itself in a "catch-22" situation between the US authorities on the one hand, and the Irish and European data protection regime and sovereignty on the other.
In September 2014 Microsoft declined to comply with the court's ruling and voluntarily entered into contempt. Microsoft will now proceed to the Second Circuit Court of Appeals to continue the case. In December 2014, the Irish Government filed an amicus curiae brief in the New York federal appeals court in which it noted that it did not acquiesce in the approach being adopted by the US DOJ, and reiterated the existing process for mutual legal assistance in criminal matters.
The case continues, but the ruling handed down by the US court poses significant concerns for US multi-national technology companies that have data centers located anywhere in the European Union, not just in Ireland. The court's decision effectively means that even if data is stored outside US borders, US courts may interpret US law as requiring the disclosure of such data, even if it would cause the recipient of the warrant to act inconsistently with the laws of another state or interfere with the sovereignty of that state. In the context of the digital economy, the case also creates significant legal uncertainty for cloud providers and their customers regarding the protection and security of digital data and information, wherever it is hosted.
2. Media Mergers – so good we will check them twice
A revised merger regime came into effect in Ireland on October 31 2014 with the introduction of the Competition and Consumer Protection Act 2014 (the Act). As a result, the Competition Authority and the National Consumer Agency have merged, creating a unified regulator called the Competition and Consumer Protection Commission (the Commission).
The Act significantly alters the Irish competition and merger control landscape. Most notable changes are those to the general merger control thresholds and a complete overhaul of the media merger regime. Media mergers continue to be subject to mandatory notification irrespective of turnover of the undertakings.
For a media merger to be notifiable, at least one of the merging parties must carry on 'a media business in Ireland', which is now defined as:
- having a physical presence in the State (that is to say, the Republic of Ireland), including a registered office, subsidiary, branch, representative office or agency and making sales to customers located in the State; or
- having made sales in the State of at least €2 million in the most recent financial year.
Further, the Act also extends the definition of 'media business' to include online media businesses.
Under the new rules, parties to a media merger are now required to make two separate notifications; one notification to the Commission (or to the European Commission where appropriate) and a second notification (dealing with 'media plurality' issues) to the Minister for Communications, Energy and Natural Resources (the Minister). Importantly, a media merger can only be notified to the Minister after the Commission has rendered its determination – the applicable time periods, accordingly, cannot run in parallel.
A consultation on draft media merger guidelines is currently under way, and a final version is expected to be published this year. Given the significantly enhanced regulation in the area, this will be an important document. The extended application of the Act to online media businesses means that it is now important for those companies to be aware how the Act applies to them.
3. VAT Rules on the Supply of Telecommunications, Broadcasting and Electronic (TBE) services change from January 1 2015.
On January 1 2015, new EU VAT rules came into effect changing the place of supply in respect of all supplies of telecommunications, broadcasting and e-services to consumers from the place where the supplier is located, to the place where the consumer is established, has his permanent address or usually resides.
An electronically supplied service or 'e-service' as it is also known, is a service that is delivered over the internet (or an electronic network which is reliant on the internet or similar network for its provision) and is heavily dependent on information technology for its supply – that is to say, the service is essentially automated, involves minimal human intervention and in the absence of information technology does not have viability. Note that the use of the internet to convey information (for example, placing an order by e-mail) in the course of a business transaction does not change the nature of the transaction and transform it into a supply of an e-service.
From January 1, EU and non-EU business are required to register and account for VAT in every Member State in which they supply such TBE services to consumers. For these purposes a consumer is a person who is not registered for VAT, also known as a non-taxable person. Suppliers must now take account of the rules and rates of the Member State of consumption to ensure the correct VAT treatment.
For suppliers of TBE services, it is extremely important that they identify the taxable or non-taxable status of the customer as this will determine whether it is the supplier or the customer that is liable for the VAT on the supply.
Mini One Stop Shop
To simplify the obligations of suppliers of TBE services, an optional new scheme known as the Mini One Stop Shop (MOSS) has been introduced. MOSS will allow business to submit returns and pay the relevant VAT due to Member States through the web portal of one Member State. Any eligible business wishing to register for MOSS should do so in January 2015 to avoid having to register for VAT in multiple Member States.
Further, non-EU established suppliers of TBE services to non-taxable persons (consumers) in the EU will have the option of declaring and paying the VAT due for all Member States using the Mini One Stop Shop in any one Member State of their choosing.