[Varun is a student at Gujarat National Law University.]
The increase in the use of cloud computing has raised several privacy concerns and hindrances to cross-border law enforcement, particularly because multinational corporations do not maintain IT infrastructure in every country. Instead, they use servers situated at one location for their operations across the globe or rent the servers from a third party. To remedy this, the Personal Data Protection Bill 2019 (Bill) was introduced in Parliament. The Bill seeks to regulate the way in which personal data is collected, processed and stored by corporations and the government. It proposes data localisation to achieve the same.
The Bill categorises personal data into ‘sensitive personal data’ and ‘critical personal data’. ‘Sensitive personal data’ includes data that reveals or is related to or constitutes one’s health, sex, finances, identity, etc. What constitutes ‘critical personal data’ is yet to be notified by the government. The reason for this distinction is that ‘sensitive personal data’ may be transferred outside India for processing only if exclusively consented to by the individual, but it has to be stored in India. In contrast, critical personal data shall be processed and stored only in India. The underlying principle here suggests maintenance of personal data of Indian users within India. The distinguishing feature of cloud computing is that the transactions occur entirely in the virtual world. There is little, if any, connection between the revenue-generating activity and a particular geographical location. However, existing international tax concepts do focus on physical presence in allocating taxing authority among different jurisdictions. After the Bill receives legislative assent, multinational data companies, especially data giants like Facebook, Amazon, Apple, Netflix, Google etc. will have to maintain their servers in India, creating a physical presence in the country. This presence may create a permanent establishment (PE) subjecting the attributable profits to Indian tax jurisdiction.
As per various Double Taxation Avoidance Agreements (DTAA) entered into by India, the existence of a PE is a prerequisite to tax a non-resident company’s Indian income. A PE represents the existence of a substantial element of an enduring or permanent nature of a foreign enterprise in another country. It should be of such a nature that it would amount to a virtual projection of the foreign enterprise of one country onto the soil of another country. PE is defined as a 'fixed place of business through which business of an enterprise is wholly or partly carried on', thereby laying down two conditions for the creation of a PE: a) fixed place of business and b) carrying on of business .
Fixed place of business
According to various DTAAs and the OECD Commentary, equipment and, therefore, IT-based servers, may constitute a 'place of business' in the context of cloud computing transactions. It does not matter whether the cloud service providers own or lease the server from a third party, because as long as the non-resident business has the power of disposition over the facility, it is sufficient to constitute a specific place of business. In addition to that, if the servers are located at a particular geographical area for an adequate amount of time, it most likely is a place of business that is fixed.
However, if a non-resident cloud service provider’s only interaction with India is providing cloud computing services to its Indian customers while all of its infrastructure, servers and employees are located outside India, then the non-resident business has no 'fixed place of business' in India. Although, post-legislative assent to the Bill, foreign companies will be required to maintain their servers for processing and/or storing personal data in India. This requirement will constitute a 'fixed place of business', thus meeting the first precondition for a PE.
Carrying on of business
The more testing question is whether the non-resident company is wholly or partly 'carrying on business' at the place where the server is at its disposal. The various DTAAs and the OECD Commentary treats businesses as conducted at the location of the enterprise’s equipment, even if the enterprise conducts its operations mainly through automatic equipment that requires minimal human intervention. In other words, for an enterprise to be treated as conducting its business at the location of the servers, personnel are not required to operate the servers or other equipment at their location.
Accordingly, once data localisation norms are in place, Indian revenue authorities may treat a company as conducting its business through its Indian servers irrespective of whether it has any personnel located in India to manage the servers, thereby constituting carrying on of the business, fulfilling the second condition for the creation of a PE.
Preparatory or auxiliary activities exception
Despite the foregoing, not all companies’ servers would create a PE. Most DTAAs signed by India and the OECD Model Treaty exclude from the definition of a PE, 'business activities that are preparatory or auxiliary in nature.' Therefore, the functions performed by the non-resident business through its servers should exceed the threshold of the auxiliary or preparatory activities to constitute a PE. An analysis of the nature of functions performed is required to determine whether the transactions performed by the non-resident company over the server are auxiliary or preparatory in nature. Existing Indian tax laws provide that for a business to form a PE, the functions performed should form an integral, essential, vital, indispensable, real, substantial part of the activity of the whole enterprise.
Preparatory or auxiliary activities include using facilities solely for the purpose of storage, display, or delivery of goods, providing a communications link between suppliers and customers, advertising goods, or services, relaying information through a mirror server for security and efficiency purposes, gathering market data for the enterprise, or supplying information etc. However, if the non-resident company by maintaining servers in India, hosts software and customer database, then he is arguably doing more than a preparatory or auxiliary activity. In particular, if the servers contain data that the customer provides, and not just displays and contains the data the non-resident business provides, then it crosses the preparatory or auxiliary activity threshold. Therefore, if the activities represent valuable services that the non-resident company provides through the use of its servers, which are integral to the realisation of its profit and thereby appear to form an essential and significant part of its business as a whole then under existing law, locating a server in India may give rise to a PE.
Profits attributable to a permanent establishment
A PE in India gives the tax authorities jurisdiction over profits of the business to the extent; such profits are attributable to the PE. The amount of profit attributed to a PE must reflect the amount the entity would have earned if it were a distinct and separate enterprise. As a result, if a server-based in India creates a permanent establishment for a non-resident company, the Indian revenue authorities would tax its business profits that are attributable to, any Indian servers that the company owns or leases. On the other hand, if the Indian servers only perform storage or other routine functions and servers located elsewhere provide valuable intangible assets and services, then a substantial share of the profit associated with the cloud computing business would not be attributed to the Indian servers. Such an arrangement would significantly minimise Indian tax liability.
Cloud computing continues to grow and replace traditional businesses. The tax implications, once data protection measures are implemented, become exceedingly complicated. For the sake of illustration, Facebook Inc., through its subsidiary in Ireland, undertakes business throughout Asia, Africa, Europe, South Africa and Australia with their servers located only at 16 data centres. This arrangement hampers the creation of PE in most jurisdictions, subjecting Facebook to minimal or no taxes in countries like India. However, once data protection laws are in place, data giants like Facebook will have to maintain their servers in India, thus creating a PE. These regulations will subject them to Indian tax jurisdiction along with the countries in which they are already taxed.
Despite the uncertainty concerning taxability in such scenarios, the companies as well as the governments will rely on concepts based on physical presence and territorial jurisdiction until the traditional concepts evolve to tax the ‘virtual world’ comprehensively. These uncertainties will create compliance burdens, liability risks and a possible loss of revenue for the tax. The governments will end up taxing a similar stream of income, resulting in double taxation or non-taxation of server related transactions.
Therefore, policy-makers should clarify as to how specific transactions over the cloud are to be taxed. International Tax concepts could be evolved to tax the source of transactions and not rely on the taxable presence or location of the server. These improvements would help reduce uncertainties and economic disturbances created by applying traditional tax concepts to a novel technology.