Italy and the Italian Data Protection Authority (“Garante”) got recently the media attention given that the Garante – as the first Authority in the world – temporarily blocked ChatGTP for violations of the GDPR legislation[1].
The case has been rather striking and only recently it has come to a positive conclusion. Indeed, the Garante has now lifted its block against ChatGPT after the latter has implemented several new features to protect the privacy of the users[2] of its system.
The intervention of the Italian watchdog has certainly had an immediate impact on ChatGTP. Not less importantly, the Garante has also set an important precedent (related to the GDPR implementation) which shall be taken into consideration, from now onwards, by the companies developing artificial intelligence systems.
This is not the first time though that Italy is a pioneer on the international scene in addressing particularly complex digital issues.
In this regard, the press has recently leaked an investigation which would have started by the Milan Public Prosecutor’s Office against META, the American tech giant led by Mark Zuckerberg. META allegedly failed to file VAT returns for years 2015 up to 2021 and to pay VAT. Tax inspectors deemed that the agreements between META (which provides social platforms services in turn of users’ personal data) and users (who allow META exploiting their personal data for profiling and selling advertisements on META platforms) underlay in-scope VAT operations.
It is certainly worth sharing some thoughts on such case which could have major impacts for the tech companies offering similar services, given the increasing importance of the data in Today’s digital age.
The importance of personal data in the “data economy“
Counting on millions of registered users, Facebook, Instagram and WhatsApp are the most widely used social platforms in the world. They all belong to the META group, which is considered one of the major players in the industry.
Much of the fortunes of the big tech companies like META have been built on their ability to use the users’ personal data for the purpose of implementing massive online advertising campaigns[3].
The users’ personal data, such as age, gender, geographical location and purchase preferences, are indeed valuable elements for companies which, through the social media, seek to reach a specific target audience with the online advertising.
More in particular, big tech companies (such as META) collect the data to “profile” their users. They also make huge profits from the sales of the data thus processed to advertisers operating within their network[4].
Such business models have often been heavily criticized as they would ground their high profitability on the users’ lack of awareness regarding the use made by the platforms of their personal data.
For example, in the Facebook terms of service (which shall mandatorily be accepted to get access to the services offered by the company) it is, inter alia, specified the following (in a clause “scattered” among dozens of other contractual provisions):
“… Instead of paying to use Facebook and the other products and services we offer, by using the Meta Products … you acknowledge that we can show you personalized ads and other commercial and sponsored content that business and organizations pay us to promote on and off the Meta Company Products. We use your personal data, such as information about your activity and interests, to show you personalized ads and sponsored content that may be more relevant to you.
… We don’t sell your personal data. We allow advertisers to tell us things like their business goal, and the kind of audience they want to see their ads (for example, people between the age of 18-35 who like cycling). We then show their ad to people who we think might be interested …”[5].
It is debated whether clauses such these one could be valid[6].
Nevertheless, it is still possible to make two points which could be useful in our analysis.
In the first place, it is noted that, for companies like META, the data of the users have characteristics similar to an intangible asset with an economic value.
Moreover, it is also undisputed that for its services META does not charge a monetary consideration but gets in return the possibility of processing the personal data of its users.
The tax investigation
META file was lodged by the European Public Prosecutor’s Office with respect to the Italian subsidiary of the group. Due to jurisdictional competence, the case was allocated to Italian authorities.
According to leaked information, META has been charged with omitted VAT payments in Italy, amounting to a record-breaking approx. €220 million (approx. €870 million in the EU) over the years 2015-2021.
In the absence of official information, it is reasonable to assume that inspectors challenged META’s accountability for violating Italian VAT rules regarding barter transactions[7], allegedly hidden in service agreements between users and META[8].
According to domestic VAT rules, barter transactions are subject to VAT if the parties involved have mutual obligations, and the goods and/or services exchanged can be considered as a form of consideration (in-kind). The taxable base is determined by the value of the goods and/or services given in return for the goods and/or services received[9].
The Italian Revenue Agency and Supreme Court Case-law have held that barter transactions incorporate in-kind considerations, which value can be expressed in monetary terms[10]. These positions are seemingly based on EU VAT Directive[11] and certain EU case-law[12].
It is likely that inspectors observed the fulfillment of the above conditions in this case, as:
- under the service agreement, users allow META to utilize their personal data, and META, in turn provides social platform services to users;
- the users’ data constitutes the consideration actually given in exchange for services provided by META. Therefore, the taxable base amounts to the value of users’ personal data.
The above suggests that META presumably did not treat these transactions as barter but rather as services without consideration, and therefore outside of the scope of VAT (based on domestic VAT rules and a position of the EU VAT Committee)[13].
In light of this, inspectors would have deemed that services provided by META only appeared to be without consideration and instead constituted barter transactions.
One interesting point to address is how inspectors identified the taxable base (i.e., market value of users’ personal data). This would have been particularly challenging, as users’ personal data is not inherently valuable (in terms of quality and quantity), especially at the time users submit the agreement with META. Investigators likely relied on economic elements that were not immediately available and external to the user/META agreement. It appears that they determined this amount by referring to the revenue realized by META from sales of advertisements (which accounts for almost 99% of META’s turnover).
Essentially, they mirrored the amount third parties in the market are willing to pay to acquire that data, which META “cashed in” at a later stage (not at the time users submit agreement with META).
Conclusions
It is certainly necessary to wait for further elements which may arise in the context of the investigation started by the Italian Authorities against META.
This will indeed be beneficial to better understand the position of the parties in the case.
Nevertheless, the impression is that this could be just a first chapter of the saga related to the consequences (also under a tax perspective) arising from the attribution of an economic value to the personal data.
As preliminary conclusions on the captioned matter addressed in this article it can be observed the following:
- from a “privacy” point of view, the companies active in the digital market shall closely monitor the debate related to the data monetization. Platforms which are availing of the users’ personal data for profiling purposes could indeed be forced to change their business models. This process is already under way. For example, in several European countries (including Italy), the major online newspapers have adopted the so-called pay walls requesting for explicit consent for the use of cookies for profiling purposes. If such consent is not provided, it is requested to the “potential reader” the payment of a subscription for getting access to the contents offered on the web by the newspapers[14];
- from a tax perspective, the allegations against META regarding barter transactions for VAT purposes may be replicated and could impact several business model similar to META. However, there are a number of counterarguments that cast doubt on these allegations.
Based on the above preliminary considerations, it appears highly recommendable, for companies which process users’ personal data for profiling purposes, to carry out an assessment of their business model. That could indeed be very beneficial to evaluate the current and potential risks (especially under a tax point of view) in light of the new trend which attributes an economic value to the personal data. The potential liabilities (as shown by the META’s case discussed in this article) could indeed be massive.
[1] The Garante banned indeed ChatGTP over privacy concerns and, in particular, on the ground that personal data were collected unlawfully and no age verification system was in place for children (see https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9870847).
[2] See https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9881490).
[3] www.wired.com/insights/2014/07/data-new-oil-digital-economy/
[4] For example, female users who have specific sport preferences and who are located in Italy.
[5] See point no. 2 of the Facebook Terms of Service at the following link: https://www.facebook.com/legal/terms
[6] It is noted that recently the Irish Data Protection Authority has imposed a maxi-fine of 390 million to META on the basis that it would have used the legal basis of the performance of the contract to conduct its targeted advertising. The Irish watchdog has instead taken the position that the personalization of the ads on social networks could only take place after specific consent is given by the user (see https://www.dataprotection.ie/en/news-media/data-protection-commission-announces-conclusion-two-inquiries-meta-ireland).
[7] See Article 11 of Presidential Decree 633/72.
[8] Barter transactions alleged to META should be made of two isolated transactions i) users provides their data to META in turn of META social platform services; and ii) META provides social platform services to users in turn of their data. However, only ii) would be subject to VAT since i) does not met VAT subjective requirement.
[9] See Article 13, paragraph 2, letter d) of the Presidential Decree 633/72.
[10] See Ruling no. 31/2023 and Italian Supreme Court n. 7947/2019 (which stated, among other, that the consideration may even correspond to the commitment to perform a supply of goods or a provision of services).
[11] See Art. 2 of the Directive no. 2006/112/CE.
[12] See among others, CJEU Case C-380/99, Case C283/12, Serebryannay vek EOOD, and Case C11/15, Cesky Rozhlas.
[13] See art. 3 c. 3 of Italian VAT law no. 633/72, and Working paper 30.10.2018 n. 958 of the VAT Committee.
[14] An investigation by the Italian Data Protection Authority is currently pending to assess the compliance of these initiatives with the GDPR (see https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9815415).