On 3 March 2023, the European Data Protection Supervisor (hereafter, the “EDPS”) responded to the EU Commission’s consultation dated 10 January 2023 on the legislative proposal on VAT reporting obligations, assessing the potential impact on the right to personal data protection, within the package “VAT in the Digital Age”. For instance, among the specific provisions of the proposal, taxable persons within the scope are required to report new data elements in relation to the content of the invoice and the recapitulative statement, such as the identifier of the bank account in which the payment for the invoice will be credited. These new elements may qualify as “personal data” under the applicable data protection law whenever they relate to an identified or identifiable individual.

The “VAT in the Digital Age” package is part of the Commission’s 2020 Action Plan for fair and simple taxation. Its aim is to facilitate VAT registration and reporting obligations for businesses while increasing the resilience of the system against fraud. The reform introduces three main changes in the current VAT legislative landscape of the EU: (1) a modernised reporting system; (2) updated VAT rules for the platform economy; and (3) a single VAT registration system for businesses that sell products or offer services across the EU. However, the date of implementation is uncertain. The European Parliament[1] recently issued four reports containing amendments aimed at, among other things, ensuring that the data from the VAT Information Exchange System is accessible in a secure and confidential manner.

This article focuses on the first of these changes: the modernised VAT reporting system. In particular, this article explores the impact that this new digitalised and centralised system can have on data protection rights in light of the opinion issued by the EDPS.

I. Main points of the reform and impact on the right to data protection

Reforming the VAT reporting system was necessary to adjust it to the realities of the digital economy of the EU. In 2022, it was reported that Member States lost €93 billion in VAT revenues[2]. Some estimates suggest that one-quarter of the missing revenues can be attributed directly to VAT fraud linked to intra-EU trade[3]. Hence, the European Commission’s “VAT in the Digital Age” package (composed of a Proposal Directive and a Proposal Regulation) aims to tackle this issue while facilitating the reporting of VAT-related information for all businesses, whether big or small.

These new reporting obligations are structured around two main axes: (a) a harmonized set of Digital Reporting Requirements for taxable persons, and (b) a centralised information system aimed at improving the intra-community exchange of information in view of better detecting potential VAT fraud. This section will present both axes and explain their impact on data protection rights.

a. The New Digital Reporting Requirements: towards an increase in data reporting?

The Digital Reporting Requirements, as spelled out in the VAT in the Digital Age package, establish a ‘real time’ reporting system based on e-invoicing for cross-border transactions. In other words, any transaction between entities or persons located in different Member States of the EU will require the seller or service provider to issue its invoice in electronic form. E-invoicing would thus become mandatory rather than optional for the purposes of cross-border transactions involving the payment of VAT. The use of paper invoices will only be possible in situations where Member States authorise them[4]. Down the line, if the tax authorities investigate a specific cross-border case, this should simplify the automated checking and cross-matching of information on the basis of these e-invoices, and thus allow the detection and fighting of fraud in a more efficient manner.

Beyond this e-invoicing requirement, the Digital Reporting Requirements also specify the form and content of the information to be reported by taxable persons to the national tax authorities. As far as the form is concerned, the information must be provided electronically (i.e., there is no possibility of submitting the information on paper anymore) and on a transaction-by-transaction basis (rather than in an aggregated form). As far as the content is concerned, Article 264 of the Proposal for a Council Directive provides for an exhaustive list of information to be transmitted by the taxable person to the tax authorities, which is to a large extent identical to the information that needs to be reported today in the recapitulative statements, but on a transaction-by-transaction basis (instead of aggregated by the customer). Yet, Article 264 also adds a few additional fields to improve the detection of fraud, i.e., (i) the reference to the previous invoice in the case of a rectification of invoices, (ii) the identification of the bank account into which the payment for the invoice will be credited and (iii) the dates agreed for the payment of the amount of the transaction.

From the perspective of EU data protection law, the processing of more data usually means an increased level of risk for the rights and freedoms of the individuals to whom this data relates (i.e., the data subjects). Aggregated data from various invoices may, for example, indirectly reveal information about a natural person, such as information concerning “purchased goods (including intimate products), travel arrangements or legal services”[5]. However, the additional information that taxable persons need to report to tax authorities under the new system is limited to administrative data (i.e., (i) previous invoice numbers; (ii) bank account details; and (iii) the date of payment). No sensitive data is concerned[6]. Hence, the reform does not significantly increase the level of risk for the right to privacy or personal data protection of the individuals concerned, compared to the current reporting requirements. Therefore, the EDPS did not criticize the reporting requirement on these additional fields, considering that they were indeed necessary for fighting VAT fraud, and thus respected the principle of data minimisation. In particular, the EDPS welcomed the fact that the information to be reported is limited to an extract of the information from the (e-)invoice, rather than the full (e-)invoice.

b. The central electronic system: the EU Member States as controllers.

As far as respect for the right to data protection and privacy is concerned, a more problematic issue is the one posed by the centralisation of all the reported information in an EU-central electronic system. The central electronic system would be developed, maintained, hosted and technically managed by the European Commission[7]. The advantage of this centralisation is obvious when it comes to the fight against VAT fraud; the cross-matching of information is indeed essential to detect discrepancies or inconsistencies. However, some of this data qualifies as personal data. As already pointed out above, information on transactions made by individuals may reveal a person’s wealth, habits, professional status, location, etc., i.e., personal data.

Centralisation of personal data on a large scale tends to make individuals subject to an increased level of scrutiny, potential arbitrary discrimination or potentially harmful consequences in the event of a large-scale data breach. Hence, it was essential for the EDPS to issue an opinion in this respect with the aim of guiding the reform in a direction that allows it to fulfil its objective while ensuring the respect of the fundamental right to personal data protection. In particular, the establishment and use of this centralised database must be accompanied by appropriate safeguards to ensure the integrity and confidentiality of the data. The EDPS also pointed out the necessity of ensuring that the collection and storage of VAT-related information on a centralised database respects other important data processing principles under the GDPR, such as the principle of data minimisation (i.e., only data that is truly necessary for fighting VAT fraud may be collected and stored on that central system) or purpose limitation (i.e., the centralised data cannot be used for anything else than detecting, preventing and fighting VAT fraud). In this regard, the EDPS welcomes in its Opinion that the Proposal for a Council Directive excludes the name and address of the customer and the taxable person from the information to be transmitted and stored on the central electronic system.

The EDPS also welcomes the explicit qualification of Member States as “controllers”[8] of the centralised electronic system, and of the Commission as “processor”.[9] Indeed, as noted by the EDPS, “a clear designation of roles is in line with the EDPS Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725 which recommends identifying the controller of specific processing operation(s) already in the basic legislative act, in order to avoid any possible problem of interpretation in assessing that role.”[10] Yet, the EDPS deplores the fact that the Proposal Regulation does not yet define in detail the actual responsibilities of Member States as controllers and the Commission as the processor. The allocation of these responsibilities should be defined by means of implementing acts.[11] The EDPS notes in this respect that if the Commission is to act (only) as processor, operating under the (exclusive) control of the Member States, this should be duly reflected in those implementing acts.[12] In this respect, the EDPS also recommends that these implementing acts should enter into force and be applicable at the same time as the entry into force and applicability of the basic act.[13] The EDPS also recalls that it should be consulted in relation to the content of such implementing acts, which should further detail the format of the information and the responsibilities, conditions and safeguards for the processing of personal data in the context of this centralised electronic system.[14]

II. Takeaways of the EDPS’s opinion

The EDPS made three recommendations. This authority welcomed the objectives of the “VAT in the Digital Age” package but recalled that the processing of personal data must fully comply with the GDPR and the EU data protection rules. More precisely, the EDPS emphasizes that it should be clear in the proposal that the information collected by the tax authorities may only be processed for the purposes of fighting VAT fraud to ensure the principle of purpose limitation is observed. For those not familiar with this concept, it means that personal data should be collected for specified, explicit and legitimate purposes (in this case, mainly, facilitating VAT reporting obligations, and improving VAT fraud prevention and detection) and not further processed in a manner that is incompatible with those purposes. For instance, it would be inadmissible for the Commission and/or the national tax authorities to re-use the same data set for other purposes, such as blanket surveillance of EU citizens. The only purposes that would by default be deemed compatible with the initial explicit purposes of this legislative reform are the following: archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. To some extent, national authorities could thus also (re-)use this data to establish statistics about VAT fraud at the national level, but they could not use it for fighting terrorism or other unrelated purposes.

In addition, the EDPS stresses the importance of the principle of data minimisation. The principle of data minimisation, as enshrined in Article 5(1)(c) of the GDPR, entails that the data collected should be adequate, relevant and limited to what is strictly necessary in relation to the purposes for which it is processed. In this respect, the EDPS welcomed the fact that the tax authorities will only receive an extract of the invoice instead of the whole invoice. Therefore, natural persons should not be concerned about the disclosure of sensitive information since the name and address of the customer and the taxable person will not be shared with the tax authorities.

Furthermore, the EDPS has no objection regarding the designation of the roles of the Member States and Commission under EU data protection law. As explained above, the EDPS agrees with the Commission’s opinion that the Member States should be considered controllers of the personal data, i.e., the actors in charge of determining the means and purposes of the processing of this personal data, while the Commission should be regarded as a data processor, i.e., a mere delegate managing this data on a central electronic system on behalf of and under the instructions of the Member States. The recommendation of the EDPS focuses on the necessity of clearly allocating the respective responsibilities of the Member States as controllers and of the Commission as processor by means of implementing acts, which are yet to be adopted by the Commission and critically assessed by the EDPS.

[1] Committee on Economic and Monetary Affairs.
[2] European Commission, VAT Gap Report 2022, available at https://taxation-customs.ec.europa.eu/document/download/ba49e050-4003-44aa-954e-9323df1c737f_en.
[3] Ibid.
[4] The proposed wording of Article 218 provides that electronic invoicing will be the default system.
[5] EDPS Opinion 7/2023, p. 2.
[6] According to Articles 9 and 10 GDPR, sensitive data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, as well as data relating to criminal convictions and offences.
[7] New Article 24g(1) in the Proposal for a Council Regulation.
[8] That is, the persons in charge of determining the purposes and means of the processing.
[9] That is, a person acting on behalf of and under the instructions of the controller(s), without the possibility of determining or changing the purposes and means of the processing.
[10] Paragraph 23 of the EDPS Opinion 7/2023.
[11] Article 24m, letter (b) of the Proposal for a Regulation.
[12] Point 25 of the EDPS Opinion 7/2023.
[13] Point 27 of the EDPS Opinion 7/2023.
[14] Ibid.