European Union Law update
 |
EU VAT Mini-One-Stop-Shop
The new EU VAT Mini-One-Stop-Shop (“MOSS”) regime came into effect in Ireland on 1 January 2015. The MOSS scheme applies to EU businesses in particular that supply telecommunications, broadcasting and electronic services to consumers in Europe.
As a result of Council Implementing Regulations 1042/2013 (which give direct effect to Council Directive 2008/8/EC regarding the place of supply of services within the Member States), VAT will now be due in each jurisdiction where a business makes a supply of such services to consumers. Rather than registering for VAT in each jurisdiction, MOSS allows such businesses to submit returns and pay the relevant VAT due to various Member States to the tax authorities of one Member State. A similar regime already applies to non-EU based businesses making such supplies to consumers in Europe.
To ease the transition to the new system, the Irish Revenue Commissioners have issued detailed guidance on MOSS and indicated their willingness to engage with any businesses who wish to discuss the scheme and its application. MOSS is a significant development and one which is likely to have a material impact on the large number of Irish-based providers of electronic services.
Update on the Network & Information Security Directive
The latest update from the trilogue discussions from late 2014 suggested compromise on the outstanding issues regarding the scope of the Network and Information Security Directive (the “NISD”) is imminent. If these optimistic projections are to be believed, we should see an agreed scope for the NISD early in 2015.
In March 2014, the European Parliament (the “Parliament”) approved the provisional text of the NISD, the aim of which is to ensure “a high common level of network and information security across the Union”. The text voted on by the Parliament was the version as amended based on the report by the Internal Market and Consumer Protection Committee (“IMCP”).
The primary goals of the NISD are to (i) establish a set of cyber-security standards to apply across Member States, and (ii) encourage cooperation between Member States in combatting cyber-security threats across borders. The NISD envisages the establishment of a central competent authority in each Member State to act as a focal point for security activity and to investigate incidents of non-compliance.
The application of the NISD is a matter of ongoing debate, with the Council and the Parliament holding differing views. The Council are of the view that Member States should (based on a number of criteria) be able to decide which sectors of the economy would be subject to the security requirements contained in the NISD. The Parliament however wish to see all sectors included within the scope of the NISD (eg, including ISPs and online industries), but require different standards of evidence to demonstrate compliance depending on the sector involved.
Digital Single Market plans unveiled
On 16 December 2014 the European Commission (the “Commission”) announced its work programme for 2015. The 2015 programme consists of the Commission’s ten primary objectives for the coming year – central among which is the furtherance of plans for the Digital Single Market (the “DSM”).
The strategy for advancing plans for the DSM consists of six strands:- building trust and confidence;
- removing restrictions;
- ensuring access and connectivity;
- building the digital economy;
- promoting e-society; and
- investing in world-class ICT research and innovation.
An update on one central plank of the strategy – the proposed new Data Protection Regulation – is included below. As 2015 progresses we will profile further elements of the strategy as the Commission adds more detail to the legislative framework. Beyond the field of data protection, it is envisaged that modernising updates to copyright law and the rules governing online consumer purchases will be high on the agenda as the strategy moves forward.
If the projections of the Commission prove accurate, the DSM could see the GDP of the EU increase by as much as €200-€300 million per annum.
Further details on the overall Digital Agenda for Europe can be found here.
Data Protection Regulation update
The introduction of the proposed General Data Protection Regulation (the “Regulation”) is progressing with the Council of the European Union (the “Council”) releasing the latest version of the draft Regulation on 19 December 2014.
Divergence continues to exist between the Council and the European Commission (the “Commission”) and between Member States on a number of issues. An important example of this is in the area of data minimisation. The Commission’s proposed text would require personal data to be “adequate, relevant and limited to the minimum necessary in relation to the purposes for which they are processed”. In this regard the Council has proposed an amendment to the Regulation that deletes “limited to the minimum necessary” and replaces it with “not excessive”, which would appear to offer organisations a considerably more pragmatic approach to their obligations should it survive.
Further, in the Commission’s proposals, all public bodies, businesses with more than 250 permanent staff, and organisations with “core activities” that “consist of processing operations which … require regular and systematic monitoring of data subjects” would be required to appoint a Data Protection Officer (“DPO”). Under the Council’s plans, no organisation would be under an obligation to appoint a DPO unless required to do so under other EU legislation or the national laws of individual EU Member States but rather organisations “may” appoint a DPO subject to certain conditions.
In total the current draft Regulation shows over 30 reservations have been entered by the Commission and over 500 reservations from Member States and this underlines the difficulty in providing a reliable time frame for reaching political consensus on the Regulation at this point.
|
|
