Privacy Issues of Tax Regulations Introducing e-Invoices and
Online Cash Registers
Adv LLM thesis
submitted by
Perizat Nurlankyzy
in fulfilment of the requirements of the
'Advanced Master of Laws in International Tax Law'
degree at the University of Amsterdam
supervised by
Raffaele Russo / Prof. Dr. Dennis Weber
co-supervised by
PERSONAL STATEMENT
Regarding the Adv LLM Thesis submitted to satisfy the requirements of the 'Advanced Master of Laws in International Tax Law' degree:
1. I hereby certify (a) that this is an original work that has been entirely prepared and written by myself without any assistance, (b) that this thesis does not contain any materials from other sources unless these sources have been clearly identified in footnotes, and (c) that all quotations and paraphrases have been properly marked as such while full attribution has been made to the authors thereof. I accept that any violation of this certification will result in my expulsion from the Adv LLM Program or in a revocation of my Adv LLM degree. I also accept that in case of such a violation, professional organizations in my home country and in countries where I may work as a tax professional, are informed of this violation.
2. I hereby authorize the University of Amsterdam and IBFD to place my thesis, of which I retain the copyright, in its library or other repository for the use of visitors to and/or staff of said library or other repository. Access shall include, but not be limited to, the hard copy of the thesis and its digital format. 3. In articles that I may publish on the basis of my Adv LLM Thesis, I will include the following statement in a footnote to the article’s title or to the author’s name:
“This article is based on the Adv LLM thesis the author submitted in fulfilment of the requirements of the 'Advanced Master of Laws in International Tax Law' degree at the University of Amsterdam.”
4. I hereby certify that any material in this thesis which has been accepted for a degree or diploma by any other university or institution is identified in the text. I accept that any violation of this certification will result in my expulsion from the Adv LLM Program or in a revocation of my Adv LLM degree.
signature:
name: Perizat Nurlankyzy
Table of Contents
Table of Contents ... III
List of Abbreviations used ... IV
Executive Summary ... V
Main Findings ... VI
1.
Introduction ... 1
2.
OCRs and e-Invoices: concept, purpose, main characteristics ... 3
2.1. Online Cash Registers ... 3
2.2. e-Invoices ... 4
3.
Protection of personal data collected through OCRs and e-invoices ... 6
3.1. Information obtained by tax administrations via OCRs in Italy and Russia ... 6
3.2. Information obtained by tax administrations via e-invoices in Italy and Russia ... 8
3.3. Existing legal instruments on protection of personal data in Italy and Russia ... 9
3.4. Coverage of B2B e-invoices by existing personal data protection rules ... 10
3.4.1. Coverage of B2B e-invoices by GDPR and the Italian Personal Data Protection Code10 3.4.2. Coverage of B2B e-invoices by the Law on Personal Data in Russia ... 11
4.
Balancing taxpayers’ rights to privacy and data protection and fight against
tax fraud and evasion ... 11
4.1. Limitation of privacy and personal data protection for public interest ... 11
4.1.1. Limitations in the EU and in Italy ... 11
4.1.2. Limitations in Russia ... 13
4.2. Balance between taxpayers’ rights to data protection and fight against tax fraud and evasion ... 14
4.2.1. OCRs and e-invoices in Russia ... 14
4.2.2. E-invoices in Italy ... 15
4.3. Safeguards to achieve the right balance between taxpayers’ right to privacy and data protection and the fight against tax fraud and evasion ... 17
5.
Conclusions ... 18
Appendix I. Existing legal instruments on protection of personal data ... 21
International instruments ... 21
Development of personal data protection instruments in European Union and Italy ... 22
Pre-GDPR ... 22
The emergence of the GDPR ... 23
Italy’s Domestic Instruments ... 24
Personal data protection instruments in Russia ... 24
List of Abbreviations used
AEOI Automatic Exchange of Information
B2B Business-to-business
B2C Business-to-consumer
DPD Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
e-invoices Electronic invoices
ECHR European Convention on Human Rights ECJ Court of Justice of the European Union (CJEU) ECtHR European Court of Human Rights
EPD Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and Electronic Communications)
EU European Union
FTA Forum on Tax Administration
FTS Federal Tax Service of Russian Federation
GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
ICCPR International Covenant on Civil and Political Rights ITA Italian Tax Administration / Revenue Agency OCR(s) Online cash register(s)
QR-code ‘Quick Response’ code
TEU Treaty on European Union
TFEU Treaty on Functioning of the European Union UDHR Universal Declaration of Human Rights
Executive Summary
The practice from all over the world shows the efficiency of the OCRs and e-invoicing systems. OCRs are intended to fight sales suppression in retail sectors. Although there are differences in implementing those OCRs, they have become the most effective tool in this field, because the data from these OCRs are directly sent to tax administrations and copied in their systems with no option for alteration.
E-invoicing systems become the most effective tool in fighting VAT fraud and decreasing the VAT gaps. One of the recent showcases is the Russian experience, where VAT gap was decreased from 8% in 2016 to less than 0.6% in 2019, which as of now, is one of the least VAT gaps in the world.
There are many other benefits of OCRs and e-invoicing systems, such as providing by tax administrations of pre-filled tax returns, the saving of costs for exchanging paper invoices, easing the tax audits and VAT return procedures.
However, there are some concerns about privacy and protection of personal data of individuals and taxpayers. The key finding of this paper was that the receipts issued by OCRs and e-invoices may incur personal data. These personal data may belong to consumers, persons who make the settlements with consumers (cashiers, waiters, etc.), individuals registered for VAT purposes although not acting as a business. The personal data in conjunction with the other data indicated in the receipts and e-invoices (the goods, services provided, the amounts of payment) can give a chunk of information about the individual – concerning private life, social and economic circumstances, health concerns, behaviour, habits.
The main instruments in the data protection field in the EU and Italy are the GDPR, the Personal Data Protection Code, the Charter of Fundamental Rights, and the ECHR. While in Russia, the main personal data protection instruments are the Personal Data Law and the ECHR. Although the Personal Data Law is not far behind of the GDPR, in my opinion, the main issue is that, comparatively to the GDPR, the level of the liability for violation of its provisions is extremely low.
It was established in the data protection instruments and case laws of the ECJ and the ECtHR that collecting and processing of personal data is qualified as interference with privacy and as limitation of the rights to privacy and protection of personal data. However, given that there are two different interests in the balance – financial and economic interests of the states and fundamental rights to privacy and protection of personal data – the rights of individuals can be limited.
It was concluded that in Italy, the prerequisites for the limitations of fundamental rights envisaged in Article 52(1) of the Charter of Fundamental Rights are observed. In Russia, the mere collection and processing of personal data is not considered as limitation. In its turn, the limitation shall (i) be provided by Federal laws and (ii) be necessary for the purposes of national security. And these prerequisites are observed.
However, to reach the right balance between taxpayers’ fundamental rights to privacy and personal data protection and fight against tax fraud and evasion with the means of e-invoices, certain safeguards shall be provided. In this paper, the following safeguards are proposed.
First, to establish in the legislations the fact of collecting the personal data through OCRs and e-invoices. Second, to identify the purposes of obtaining the personal data and to clarify whether these personal data can be used in the other fields of the governmental functions. To strictly prohibit fishing expeditions with regard to these personal data, as they may provide certain amount of information about the private life of consumers and taxpayers. To prohibit the use of these personal data for profiling of the consumers, and to allow, if necessary, only with regards the taxpayers.
Depending on the purposes of collection and storage of the personal data, it is necessary to establish the period of storage and set forth the obligation of erasure upon expiry of such period. This period may be limited by the length of statutory limitation, however, the shorter period may also be established.
Last, but not least, from the technical perspective, the level of protection of those personal data shall be not lower than the level of protection of any other important information of the tax administrations.
Main Findings
The aim of the research was to address the privacy implications of collecting, processing, and using personal data from e-invoices and OCRs based on the examples of Italy and Russia. The research considers: first, what are the features of OCRs and e-invoicing systems in Italy and Russia; second, are personal data of individuals provided to tax administrations through OCRs and e-invoicing systems; third, which legal instruments regulate the data protection matters; fourth, is there a right balance between the personal data protection and curbing tax evasion and tax fraud; fifth, how the right balance can be achieved and what measures are necessary to safeguard the individuals’ fundamental rights.
First, there are different types of OCRs, and the data from OCRs may be sent immediately after the settlement (e.g. in Russia), or the data can be sent periodically, once a day or rarer (e.g. in Italy, once a day at the closure of the day). The e-invoicing systems make B2B and B2C invoices issued in the system in electronic format available to tax administrations. The e-invoices usually have a single standard within a jurisdiction. E-invoices help to reduce the office expenditure. And, when mandatory e-invoicing is introduced, tax administrations make available these systems online or by other available means.
Second, the personal data are provided to tax administrations through OCRs and e-invoices. These personal data may belong to consumers (email and/or phone number), persons who make the settlements with consumers (cashiers, waiters, etc.) (position and last name), individuals registered for VAT purposes although not acting as a business (name and surname, residence or domicile, the tax representative, VAT number, address), employees of taxpayers acting as representatives of taxpayers (full name, position in the company, the basis for signing the e-invoice, etc.). The personal data in conjunction with the other data indicated in the receipts and e-invoices (the goods, services provided, the amounts of payment) can give a chunk of information about the individual – concerning private life, social and economic circumstances, health concerns, behaviour, habits.
Third, in Italy, the main personal data protection instruments are the GDPR, Italian Personal Data Protection Code and the Charter of Fundamental Rights, and the ECHR. In Russia, natural persons can rely on the Personal Data Law and on the ECHR. The main difference is that the GDPR provides heavy administrative liability for the violation, while in Russia, the administrative liability amount is extremely low. Fourth, given that there are two different interests in the balance – financial and economic interests of the states and fundamental rights to privacy and protection of personal data – the rights of individuals can be limited. Such limitations shall be subject to certain prerequisites, such as being legitimate, respecting the essence of the fundamental right, being strictly necessary, being proportionate and meeting objectives of general interest. In Italy, implementation of e-invoicing systems is compatible with these prerequisites and there is a balance between individuals’ fundamental rights to privacy and personal data protection and fight against tax evasion and tax fraud with the means of e-invoices. In Russia, the mere collection and processing of personal data is not considered as limitation. In its turn, the limitation shall (i) be provided by Federal laws and (ii) be necessary for the purposes of national security. Considering these requirements, the balance between individuals’ rights and the need to fight against tax fraud is observed.
Fifth, in order to achieve the right balance and retain it, the individuals shall also be provided certain safeguards, which are as follows. (1) To establish in legislation the fact of collecting personal data through OCRs and e-invoices. (2) To identify the purposes of obtaining the personal data. (3) To strictly prohibit fishing expeditions and the use of these personal data for profiling of the consumers and employees. (4) Depending on the purposes of collection and storage of the personal data, to establish the period of storage and shorten the storage period when affordable. (5) From the technical perspective, to establish the level of protection of those personal data not lower than the level of protection of any other important information of the tax administrations.
1. Introduction
Governments all over the world are losing billions of their revenue each year from “under-reporting of income through electronic sales suppression and over-reporting of deductions through false invoicing”.1 The tools for tackling these types of tax evasion do already exist and are being
successfully implemented by number of tax administrations around the world. Sales suppression by retailers and consecutive under-reporting can be tackled by online cash registers (’OCRs’) or telematic recorders, which automatically send the data on sales to the respective tax authorities. The false invoicing and over-reporting of deductions can be tackled by e-invoicing systems. In such systems, tax evasion through false invoicing is almost impossible, because both parties of the B2B transaction (seller and customer) are registered in the system and the e-invoices issued in the system are available to the tax authorities to check.
Such cash receipts issued by retailers by means of OCRs and e-invoices issued in e-invoicing systems, depending on the country and the purpose of their implementation, may contain personal data. E.g. electronic cash receipts issued by means of OCRs may contain name, phone number or e-mail of the consumer, or the e-invoice may contain the name and contact details of persons involved in those transactions. Given that the tax administrations have access to those cash receipts and e-invoices, it is clear that the tax administrations will also have access to those personal data.
However, in this situation the privacy and personal data protection laws shall be applicable. Tax administrations do not collect the personal data directly, but the personal data of individual are being collected and transmitted to them by the taxpayers – suppliers of goods and services. Therefore, the question that arises is whether – and under what conditions - tax administrations should process2
personal data obtained via e-invoices and OCRs.
First of all, what is “personal data”? “Personal data means any information relating to an identified or identifiable natural person (‘data subject’); (…) such as a name, an identification number, location data, an online identifier (…)”.3 This itself is not an issue, because tax administrations already have
information about individuals, as we all are taxpayers. However, the issue that arises now is that with implementing e-invoices and OCRs, tax administrations can see what goods and services we acquire as individuals. Through this, the data subject can be portrayed – the preferences of the person, his/her habits, behaviour, religion, political views, sexual orientation, physiological, mental conditions, economic situation, social position. It was warned by the EDPS in his opinion on the implementation of e-invoicing systems at public procurement in EU, that although the information in e-invoices are treated as “innocuous and non-personal”4, when they are linked to persons for further use, they
become personal. Thus, here the question arises – where should the line between the right of individuals for privacy and the fulfilment of task on curbing tax evasion and tax fraud by tax administrations be? How to achieve the right balance between these two interests?
1 OECD, Technology Tools to Tackle Tax Evasion and Tax Fraud (OECD 2017)
https://www.oecd.org/tax/crime/technology-tools-to-tackle-tax-evasion-and-tax-fraud.pdf accessed 25 April 2020.
2 European Parliament, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the Protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation): GDPR
(2016). Article 4(2): “processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
3 Ibid. Article 4(1)
4 European Data Protection Supervisor, ‘Opinion of the European Data Protection Supervisor on the
Commission Proposal for a Directive of the European Parliament and the Council on electronic invoicing in
public procurement’ (2013)
The aim of the thesis paper is to find the right balance between the rights for privacy5 and protection of
personal data6, which are fundamental rights of a person, and the need to curb tax fraud and evasion
by using OCRs and e-invoices, so privacy and data protection do not become obstacles in administering and collecting taxes.
In this research I will consider these issues based on the examples of two countries: Italy and Russia. I have chosen those specific countries because Italy is a Member of the EU and is covered by the General Data Protection Regulation (‘GDPR’) and other EU Directives on personal data protection. The EU became the trend setter in the matters of personal data protection and many countries all over the world are amending their personal data protection laws based on the model of the GDPR. Moreover, recently Italy introduced the mandatory use of e-invoices, as well as the use of telematic recorders with daily transmittal of data to the Italian Tax Administration (‘ITA’). In its turn, Russia has implemented mandatory issuance of e-invoices and use of OCRs by taxpayers in 2015. However, Russia’s data protection regulations are not as robust nor comprehensive as the GDPR. It is thus necessary to analyse whether taxpayers’ personal data is effectively protected in these cases. Both Russia and Italy are the members of the Forum on Tax Administration (‘FTA’), where Russia leads the “project to study and accumulate the global experience in designing, implementing and operating online cash register (‘OCR’) systems”.7
The research addresses the privacy implications of collecting, processing, and using personal data from e-invoices and OCRs in Italy and Russia. More specifically, it considers the application of personal data protection laws to personal data obtained by tax administrations via e-invoices and OCRs; whether and how tax administrations can comply with the personal data protection laws so to find the right balance between the rights to privacy and protection of personal data and the need to curb tax fraud and evasion.
This research does not consider privacy issues and protection of personal data provided through banks at using bank accounts. The paper does not deal with personal data provided via Standard Audit File for Tax (SAF-T). As in the EU, the regulations on administering taxes are adopted by Member States, the research paper does not consider processing of personal data by European Union institutions.
The methodologies that are used to answer the research questions are, inter alia, the following: - Doctrinal analysis: primary and secondary sources of law are used to analyse e-invoices and
OCR regimes applied in Italy and Russia.
- Comparative method is used to compare the personal data protection laws and the amount and type of personal data obtained via e-invoices and OCRs by tax administrations of Italy and Russia.
- Theoretical method is used to explore the rationale behind tax administrations’ powers for collecting, processing and using personal data from e-invoices and OCRs and to evaluate if the tax administrations of Italy and Russia comply with the personal data protection regulations.
The thesis paper contains five chapters. Chapter 1 provides a brief introduction, which describes the reasons for researching, the research question and the research plan. It also sets the methodology used in course of the research. Chapter 2 provides the general information on what are OCRs and e-invoices, their purpose, main characteristics, and worldwide use. Chapter 3 analyses whether personal data are obtained via OCRs and invoices in Italy and Russia and whether the B2B e-invoices are covered by personal data protection instruments. Chapter 3 also contains the brief
5 Publications Office, Charter of Fundamental Rights of the European Union: Charter of Fundamental Rights
(2012). Article 7
6 Ibid. Article 8(1)
7 OECD Forum on Tax Administration (ed), ‘Online Cash Register Project, Budapest Workshop Summary’
(2018)
https://www.nalog.ru/html/sites/www.new.nalog.ru/docs/international/oecd/Budapest%20Workshop%20Summ ary%20.pdf accessed 18 April 2020. p.1
section on the existing legal instruments on the protection of personal data applicable, however, the detailed descriptions of those legal instruments are provided in Appendix I. Chapter 4 provides the analysis of the balance of taxpayers’ right to data protection and privacy and fight against tax evasion and tax fraud. Chapter 5 contains the conclusions made in the result of the aforementioned analysis.
2. OCRs and e-Invoices: concept, purpose, main characteristics
2.1. Online Cash RegistersFirst of all, what is an online cash register? An online cash register (‘OCR’) is an electronic cash register “where the information is transmitted directly or through an approved intermediary to the tax administration”.8 The information is sent in encrypted form and can be received by the tax
administration in real-time or close to real-time.9 It means that while a person makes any payment to a
supplier with an OCR, all payment details go to tax administrations and are stored as external files. This ensures security from alteration of sales data records by the supplier. A question may arise how the data from electronic cash registers can be altered taking into account that they are sealed by tax authorities. The issue with such electronic cash registers without (real-time or close to real-time) transmission of sales data to tax administrations is that the data can be altered by the means of special devices (“Phantomware”10 or “Zappers”11) that are sometimes even sold with the electronic
cash registers. For instance, “in 2008 the Canadian Revenue Agency criminally charged the owners of four restaurants with tax evasion involving the “zapping” of nearly 200,000 cash transactions, totalling EUR 3.1 million”.12
The governments around the globe have certified the models of electronic cash registers with digital signatures and which data cannot be altered. However, the OCRs have been introduced in few countries, including Russia, Hungary, South Korea, Kazakhstan. The other countries made the transmission of billing data periodical, e.g. Italy, Canada.13
In general, OCRs are designed to fight tax evasion in retail sectors and prevent the altering of relevant data recorded in previous models of electronic cash registers that did not transmit data to the tax authorities in real time. With the real-time (e.g. in Russia) or close to real-time (e.g. in Italy - daily)
8 OECD Forum on Tax Administration, Implementing Online Cash Registers: Benefits, Considerations and
Guidance (Paris 2019) http://www.oecd.org/tax/forum-on-tax-administration/publications-and-products/implementing-online-cash-registers-benefits-considerations-and-guidance.pdf accessed 18 April 2020. p.12
9 Ibid.
10 Noah Gaoua, OECD releases study on electronic sales suppression (2013)
https://research.ibfd.org/#/doc?url=/document/tns_2013-02-19_o2_1 accessed 01 June 2020. “Phantomware is a software program already installed or embedded in the accounting application software of the electronic cash registers (ECR) or computerised POS system. It is concealed from the unsuspecting user and may be accessed by clicking on an invisible button on the screen or a specific command sequence or key combination. This brings up menu of options for selectively deleting sales transactions and/or for printing sales reports with missing lines”.
11 Richard T Ainsworth, ‘Sales Suppression: The International Dimension’ [2016] 65 American Law University
Review https://ssrn.com/abstract=2848973 accessed 31 May 2020. p. 1244. “POS system called Profitek manufactured in Vancouver by InfoSpec can be purchased with a dedicted sales suppression device—the Profitek Zapper. A high quality zapper responds to suppression requests by entering the ECR/POS database and deleting selective sales, as well as recalculating individual receipts and the taxes due. It will re-order all sales slips and adjust the internal ledger, which informs the operator how much extra cash is in the till to withdraw so that bank deposits will match the adjusted sales totals. An application that effectively manipulates the digital records of a specific POS system for which it was designed. Therefore, zappers initially developed on short notice for use in one jurisdiction can quickly become a concern for a neighbouring tax authority”.
12 OECD (n 1) p. 12
13 KPMG, COVID-19: 'Relaunch Decree': Urgent measures to support healthcare, employment and the
economy, and social policies. Tax & Legal Alert (Italy 2020) https://kdocs.kpmg.it/Marketing_Studio/270520_COVID-19_Relaunch_Decree_Tax.pdf accessed 01 June 2020. para. 3.4 In Italy, the mandatory daily transmission of sales data “for retailers whose turnover does not exceed EUR 400 000” was supposed to start on 1 July 2020; however, due to the Covid-19 outbreak, it was postponed to 1 January 2021.
automatic transmission of data from electronic cash registers to tax administrations, it is no further possible to alter such data, because it is copied in tax administrations’ servers. It is proved that OCRs help to reduce both the VAT gap and the shadow economy. Indeed, Russia reported “38% increase in VAT collection” in 2017 compared to 2016.14 In Quebec, Canada, by 31 March 2016, CAD 1.2 billion
(EUR 822 million) in taxes was recovered following the introduction of sales recording modules into the restaurant industry”.15
In addition to such automatic transmission of sales data to tax administrations, some countries (e.g. Russia, Slovakia) also provide options for verification of those sales data in the websites of their tax administrations. As it was discussed in the 2019 Report on “Implementing Online Cash Registers: Benefits, Considerations and Guidance” by the FTA, “while some verification systems may involve the registration of customers, the use of this information will be subject to data protection laws and is optional for customers”. As was defined by the Federal Tax Service of Russian Federation (‘FTS’), the purpose of implementing such verification option is to protect consumers’ rights, i.e. to ensure that the goods are not counterfeit and ease the process of returning the goods.
However, it cannot be assumed that the FTS has access to sales data containing personal data only when consumers use the verification option and give their consent for processing their personal data on the website. In case of online sales, the electronic receipts issued still contain personal data, such as email address, phone number and name. Subsequently, the information on the goods and services purchased, read in conjunction with the personal data, also become personal. Therefore, it is presumed that tax administrations introducing OCRs have access to huge amount of personal data of consumers.
Every jurisdiction introducing such systems define the objectives and features of such systems in a different way. Therefore, the amount of data transmitted varies from country to country depending on the specific objectives pursued. For instance, in Italy, the data from electronic cash registers with telematic recorders are also used for the preparation of pre-filled tax returns. In Russia, along with the protection of consumers’ rights, the FTS seeks to provide neutrality with regard to businesses and protect the fair competition by “reducing the possibilities for fraud”,16 ease the compliance burden and
“decreas[e] the number of inspections”.17
Thus, while the ITA’s aims are set forth only towards the taxpayers (curbing tax evasion by taxpayers, preparing pre-filled tax returns for taxpayers to ease tax compliance), the FTS aims at protecting consumers’ rights too. This is the core difference between the approaches of the ITA and the FTS in implementing cash registers and obtaining data through cash registers.
2.2. e-Invoices
An e-invoice is a type of invoice “that records an entity’s commercial transactions in electronic form, fulfilling the principles of authenticity, integrity, and legibility in all applicable situations and for all the actors in the process, in the commercial, civil, financial, logistical and, undoubtedly, tax spheres”.18 In
jurisdictions where e-invoicing is introduced and is either mandatory or voluntary, e-invoices have the same value as paper invoices and are reliable supporting documents.
The main purpose of e-invoicing is to combat “false invoicing” that is made to deduct or refund the VAT amounts which were not actually incurred. However, they are also the source of information for the corporate income tax and personal income tax purposes, because “collecting data from supplier (…) allows a more complete picture to be drawn about the activity and income of the taxpayer”.19
14 OECD Forum on Tax Administration (n 8). p.42 15 OECD (n 1). p.12
16 OECD Forum on Tax Administration (n 8). p.38 17 Ibid.
18 Alberto Barreix and Raul Zambrano, Electronic Invoicing in Latin America. English Summary of the Spanish
Document (2018). p.6
19 OECD Forum on Tax Administration, Tax Administration 2019: Comparative Information on OECD and Other
The e-invoicing systems around the world have different functions and characteristics, however, the following features are common. First, e-invoices facilitate tax authorities’ oversight and control duties since “the simple accumulation of debits for a taxpayer in the invoices issued and credits in the invoices received – contrasted with the periodic tax returns covering the corresponding tax – creates a returns-related control capacity that is much greater than any of the mass control practices used previously”.20 Second, the adoption of a single standard format21 of e-invoices for all taxpayers within
one jurisdiction ensures the acceptability of the e-invoices by all taxpayers within that jurisdiction (i.e. the taxpayers cannot require additional details in invoices) and their compatibility with other e-invoicing systems (in cases when there are several e-invoicing systems, e.g. in Russia). Third, e-invoices effectively reduce the amount of office expenditure for printing and saves money, as well as time for delivering the printed invoices. To make it affordable to small and medium taxpayers too, often tax administrations provide low cost alternatives, such as “online system on [the tax administration’s] website, as in Chile and Argentina; or (…) free applications (…), as in Brazil and Ecuador; or by ensuring that third parties authorised to certify documents offer free options to taxpayers, as in Mexico”.22 Sometimes, countries offer several options for taxpayers to choose, e.g. Italy offers
free-of-charge Online Services and the mobile application “FatturAE”.23 Fourth, the logging in to e-invoicing
systems and signing the e-invoices usually is made with digital signatures (certificates), which also “allow the content of the documents to be enciphered during its online transmission to the [tax administration]”.24 Last but not least, “international experience shows that these systems are only
consolidated when they are made mandatory”,25 since in order to use all its functions and prevent tax
fraud both parties to transactions have to use an e-invoicing system.
In addition, in some countries (e.g. Italy, Chile), the data from e-invoicing systems is used for “making proposals on pre-filled tax returns”.26
The e-invoicing “is one of Latin America’s contributions to international taxation in support of the fight against evasion, global efforts towards tax transparency, and the digitalization of tax administrations”.27 It was introduced and started to be implemented in the beginning of 2000s: Chile in
2003; Mexico in 2004; Argentina and Brazil-SP in 2006.28 As of 2018, out of 82 jurisdictions surveyed,
it was indicated that 57 jurisdictions have a regulation related to e-invoicing.29 While it is possible to
apply invoicing as an invoicing system for tax purposes in general, most of the countries apply e-invoicing systems for VAT purposes. One of the most successful examples is the practice of Russia. According to the website of the FTS, due to the digitalisation, including the implementing of e-invoicing system, the VAT gap30 decreased from 8% in 2016 to less than 0.6% in 2019, which as of now, is one
of the least VAT gaps in the world. This is the result of implementing a robust e-invoicing system and obtaining detailed e-invoices. While in Italy, where mandatory e-invoices were introduced comparatively recently (from 1 July 2018), according to reports, the VAT gap in 2017 constituted EUR 33.6 billion31 (or 24% of total potential VAT amount). This is one of the reasons of introducing
20 Barreix and Zambrano (n 18). p. 7 21 Ibid.
22 Ibid.
23 Ing. S Stanziale, eInvoicing in Italy: Pioneering in mandate B2B eInvoicing (Brussels 2018). pp. 12-13. 24 Barreix and Zambrano (n 18). p. 8
25 Ibid. 26 Ibid. p.7 27 Ibid. p. 4 28 Ibid. p. 20
29 EY, Worldwide electronic invoicing survey 2018 (2018)
https://www.ey.com/Publication/vwLUAssets/ey-Worldwide-electronic-invoicing-survey-2018/$File/ey-Worldwide-electronic-invoicing-survey-2018.pdf accessed 01 June 2020., p. 5
30 OECD Publishing, Tax Administration 2017: Comparative Information on OECD and Other Advanced and
Emerging Economies (Paris 2017) http://dx.doi.org/10.1787/tax_admin-2017-en accessed 08 May 2020.: “The
tax gap is the difference between tax due and tax collected”
31 CASE and IHS, Study and Reports on the VAT Gap in the EU-28 Member States: 2019 Final Report (Warsaw
2019) https://ec.europa.eu/taxation_customs/sites/taxation/files/vat-gap-full-report-2019_en.pdf accessed 10 May 2020. p.33
mandatory e-invoicing in Italy. In the ITA’s estimations, the reduction of VAT gap will be EUR 2 billion.32 Additionally, fighting “carousel fraud”, increasing the “competitiveness of business” and
“actively facilitating tax compliance” through proposing “pre-compiled VAT returns and payment forms”33 are also the reason for implementing mandatory e-invoicing in Italy.
3. Protection of personal data collected through OCRs and e-invoices
3.1. Information obtained by tax administrations via OCRs in Italy and RussiaAs it was discussed above in Section 2.1, the features of OCRs depend on the purposes of their implementation. While in Russia, there are online cash registers, i.e. they transmit retail sales’ data to the FTS immediately after the transactions, in Italy, they are called telematic recorders and they “electronically store and transmit the data relating to the daily considerations electronically to the [ITA]”34 only once a day.
In Russia, the rules for using a cash register when making payments are defined by Law N54-ФЗ of RF On Cash Registers. The Russian Law does not define the buyer (customer) for the purposes of issuing the cash receipt, and it shall be issued in all retail sales, notwithstanding whether the client is an individual or an organisation (e.g. when an organisation pays for a business lunch in a restaurant). “The user of OCR must issue a receipt and (or) in case the buyer (customer) provides phone number or email before the settlement, to send the receipt in electronic form to the buyer (customer) to the provided phone number or email”.35 Electronic receipt can also be issued in a form of a QR-code,
which can be sent by a supplier to a buyer (customer) in electronic format or can be printed on a paper receipt – this depends on the capacities of the supplier. After the receipt of the QR-code, the buyer (customer) can obtain the full electronic receipt by himself through information service of the competent body or official software of the competent body for mobile phones, smartphones, or other devices, via scanning the QR-code. In practice, suppliers place the QR-code on the bottom of cash receipts, so the buyer (customer) could obtain the electronic format by itself or to ease the process of verification of the receipt. The data structure of the QR-code contains “(…) the date and time of the settlement, reference number of the fiscal document, settlement characteristics, settlement amount, serial number of fiscal memory device, fiscal characteristics of the document (…)”.36 In case of online
purchases with cashless payment (e.g. when ordering some goods on the website of the store with delivery), issuance of electronic receipt is mandatory.37
In all cases, receipt must contain the following details38:
- Document title; - Reference number;
- Date, time and place (detailed address or website in case of online purchase) of settlement; - Name of the seller (supplier);
- Tax identification number of the seller (supplier); - Taxation system;
- Settlement characteristics (payment, refund);
32 Stanziale (n 23). p. 8 33 Ibid.
34 Decreto legislativo del 05 Agosto 2015 n. 127 (2015). Article 2(1)
35 Федеральный закон от 22.05.2003 N 54-ФЗ "О применении контрольно-кассовой техники при
осуществлении расчетов в Российской Федерации" 22 May 2003, Law N54-ФЗ of RF On Cash Registers (Государственная дума) Article 1.2(2)
36 Федеральный закон от 22.05.2003 N 54-ФЗ "О применении контрольно-кассовой техники при
осуществлении расчетов в Российской Федерации": Law N54-ФЗ of RF On Cash Registers (2003).
Article 1.2(3.1)
37 Ibid. Article 1.2(5.3) 38 Ibid. Article 4.7(1)
- Title of the goods, works, services, payment, quantity, price (in RUB) per unit including discounts and mark-ups, cost including discounts and mark-ups, with VAT rate (if applicable); - Settlement amount with indication of VAT rate and VAT amount;
- Settlement means (by cash or cashless), as well as amount paid;
- Position and last name of the person making the settlement with the buyer (customer) and providing the receipt to the buyer (customer) (except for the cases when the settlement is automatic, including online purchases);
- Registration number of the OCR;
- Serial number of the fiscal memory device model; - Fiscal characteristics of the document;
- Website of the competent body where the settlement and fiscal characteristics can be verified; - Phone number or email of the buyer (customer) in case of sending electronic receipt or other characteristics for verification of the receipt and information about the electronic source where the receipt can be obtained;
- Email of the sender of electronic receipt; - Reference number of the fiscal document; - Number of shift;
- Fiscal characteristics of the message; - QR-code.
Thus, in Russia, the receipts issued by OCRs contain the position and the last name of the person making the settlement in representation of the seller (business). This person may be, for instance, a cashier in a market, waiter in a restaurant. In case of sending the receipts in electronic form, indication of the buyer’s (customer’s) email or phone number is mandatory. And in case of providing receipt via QR-code, the buyer (customer) may be identified in the system via electronic devices. These personal data also make personal the data on the goods, works and services indicated in the receipt and the amounts paid by the consumer.
Tax administrations supervise the application of OCRs and have access to all fiscal data contained in the OCRs, including the receipts.39 Moreover, “tax administrations, within the interdepartmental
information exchange, are entitled to transmit data on settlements, which list is set by competent bodies, considering the Law N152-ФЗ of RF On Personal Data”.40
Thus, in Russia, when issuing a receipt with OCRs, the personal data (position and last name) of the persons making settlements in representation of the seller (business) shall be indicated. If the receipt is sent in electronic form, the contacts (email and/or phone number) of the consumer shall be indicated, which also personalise the data on the purchased goods, works, services and the payment amounts.
As is the case in Russia, in Italy, the cash receipts are mandatory to issue in retail trade and related activities41 notwithstanding whether the client is an individual or a business. As distinct from Russia, in
the case of Italy, the cash registers are called Telematic Recorders (Registratore Telematico).42 They
retain the fiscal data and transmit it to the Revenue Agency only at the end of the business day. The types and amount of data to be stored and transmitted electronically is provided in the Attachment “Allegato - Tipi Dati per i Corrispettivi” (Attachment - Data Types For Considerations) to the Technical Specification.43 The type of data on considerations to be transmitted to the Revenue Agency contains 39 Ibid. Article 5(4)
40 Ibid. Article 7(6)
41 Italy - VAT Law 1972 (IVA 1972) - (Unofficial translation) (1972).
42 The new regulations regarding electronic cash registers were introduced by Article 2(1) of the Legislative
Decree N127/2015. Pursuant to this Decree, starting from 1 January 2020 (now postponed to 1 January 2021 due to Covid-19 outbreak), the subjects carrying out “retail trade and related activities” indicated in Article 22 of the VAT Law 1972, must “electronically store and transmit the data relating to the daily considerations electronically to the Revenue Agency”. “For retailers with annual turnover higher than EUR 400,000” the obligation entered into force starting from 1 July 2019.
only information regarding the device (i.e. cash register, vending machine, mobile device), the period for which the data is being transmitted, date and time of transmission of data, total amounts of considerations and total VAT amounts, etc. However, the data transmitted does not contain any information regarding the customer, including the customer’s contact details.
The Telematic Recorder, at the time of daily closing, generates an XML file, electronically seals it, and transmits it electronically to the information system of the Revenue Agency.44
The Technical Specification provides the requirements also for the electronic receipts, which does not provide any data regarding the customer. Thus, as opposed to Russian electronic receipts, electronic receipts in Italy do not contain any personal data of customers and, consequently, these data are not gathered or accessible by the ITA. Thus, the ITA does not collect and process personal data of customers indirectly through Telematic Recorders.
As discussed in Section 2.1 above, the differences in implementation of online cash registers in Russia and Italy depend on the objectives of implementation of those tools.
3.2. Information obtained by tax administrations via e-invoices in Italy and Russia
In Italy and Russia, e-invoices are issued only for purposes of VAT transactions and, therefore, issued at supplies of goods and services between persons subject to VAT. Personal data is incurred in e-invoices when the issuer is an individual entrepreneur or individual registered for VAT purposes. In addition, it might be personal data of employees (e.g. a cashier, a merchant, a manager) of a business.
In Russia, the forms of e-invoices require quite detailed information.45 Although not mandatory,
e-invoices may indicate the person who accepted the delivered goods or provided services. Namely, the person’s full name (first name, last name, and patronymic), position of the person and basis for accepting the delivered goods or provided services. However, these data do not constitute special categories of personal data, the indication of these data is not mandatory, though has a legal basis for transmission, and the transmission of these data shall be regulated by labour laws of Russia, as this is the matter of obtainment of an employee’s consent for the transmission of the personal data by an employer to tax administrations.
Regarding individuals issuing or receiving e-invoices, there must be indicated name, address, and taxpayer’s identification number, which also make personal the other data indicated in the e-invoice. Such other data include names of goods and services supplied, their amount and cost, date of supply. In Italy, e-invoices were introduced46 by the Legislative Decree N127/2015, which in Article 1(1) sets
forth that “the Revenue Agency will make available to taxpayers, free of charge, a service for generation, transmission and storage of e-invoices”.47 In fact, “the use of electronic invoicing is subject
Corrispettivi Giornalieri Di Cui All'Art. 2, Comma 1, Del Decreto Legislativo 5 Agosto 2015, N. 127: Specifiche Tecniche (2016).
44 Provvedimento N0182017 - Definizione delle informazioni da trasmettere, delle regole tecniche, degli
strumenti tecnologici e dei termini per la memorizzazione elettronica e la trasmissione telematica dei dati dei corrispettivi giornalieri da parte dei soggetti di cui all’articolo 2, comma 1, del decreto legislativo del 5 agosto 2015 n. 127, nonché delle modalità di esercizio della relativa opzione: Provvedimento N0182017 (2016).
45 "Формат счета-фактуры, формат представления документа об отгрузке товаров (выполнении
работ), передаче имущественных прав (документа об оказании услуг), включающего в себя счет-фактуру, и формат представления документа об отгрузке товаров (выполнении работ), передаче имущественных прав (документа об оказании услуг) в электронной форме" утвержденный приказом ФНС России от 19 декабря 2018 г. №ММВ-7-15.820@: RF Form of e-Invoices (2018).
46 In order to introduce mandatory e-invoicing in Italy, Italian authorities had to obtain authorisation of the Council
of the European Union “to derogate from Articles 218 and 232 of the VAT Directive [2006/112/EC]”. The authorisation was given by the Council Implementing Decision (EU) 2018/593 of 16 April 2018. Under this Council Implementing Decision (EU) 2018/593, e-invoicing is mandatory only for “taxable persons established in the Italian territory other than those taxable persons who benefit from the exemption for small enterprises referred to in Article 282 of Directive 2006/112/EC”. This authorisation for derogation is provided only for the trial period “from 1 July 2018 until 31 December 2021” with the right to consider prolongation after assessing the effectiveness of these measures.
to acceptance by the recipient”48, i.e. in order to issue and deliver an e-invoice, the recipient shall have
a system to accept that e-invoice.
Pursuant to the Italian Decree, the invoices must contain details regarding the seller/supplier and buyer/customer, in particular, their companies’ names or corporate names, names and surnames (in case if individuals), residence or domicile, the tax representatives, VAT numbers, address, the reference number of the transaction, nature, quality and quantity of goods sold, or services provided, consideration and taxable amount.49
More detailed information on content of e-invoices is provided in the Technical Specification.50 This
instrument provides that, in ordinary invoices of Article 21 of the Italian VAT Law 1972, it is possible to indicate identification data of the customer, but not of the employee or representative of the customer. Thus, when the customer is an individual, registered for VAT purposes or requesting issuance of B2C e-invoice, the e-invoice will contain the identification data of such individual.
The more personal data collected, the higher the risk of violation of rights for privacy and protection of personal data. If according to the practice of the ECtHR, collection of information and interference with those rights constitute limitation of those rights (this is further discussed in Section 4.1.1), in Russia, these actions of FTS are not considered as limitation of those rights (Section 4.1.2). According to the FTS, there is not any confirmed case of violation of human rights with regards to taxation.51 Some
countries (e.g. China, Serbia until 2014, Brazil) employ the “naming and shaming” tactics and publish taxpayers’ list with the amounts of tax debts.52 In Italy, since 2015, the annual tax returns of politicians
composing the Italian government are published and accessible to everyone (except for sensible data, such as address, tax code, etc.).53 In addition, there is a risk of breach of confidentiality. In Italy, there
are several recorded cases of unauthorised access to the ITA’s database. In 2011, in Casani case (n. 4694 of 27 September 2011), the Italian Supreme Court ruled that no matter for what purposes, the entering of subject having a password to the information or electronic system did not constitute a criminal offence. Such cases of interference with public information technology systems were considered by the Supreme Court in 2013 (Carnevale case n. 22024 of 22 May 2013), in 2017 (Case n. 41210 of 8 September 2017) and in 2018 (Case n. 1021 of 12 January 2018). However, in these cases the Italian Supreme Court considered the access for purposes “ontologically different from those for which the access is allowed” as misuse of powers and constituting a criminal offence under Italian Criminal Code.54
3.3. Existing legal instruments on protection of personal data in Italy and Russia
Italy is an EU Member State, and, therefore, the main instrument for protection of personal data is the GDPR. Comparatively to the Data Privacy Directive, which was in force in the EU before the GDPR, there are several main advantages. They are: (1) changing the legal form to Regulation, which does not need interpretation by national laws; (2) global territorial scope; (3) detailed provisions; (4) significant administrative fines, which also raised the status of data protection to the levels of competition, anti-corruption and anti-money laundering regulations.
Italy has its national Personal Data Protection Code55 adopted on 30 June 2003. After introducing the 48 (n 41). Art. 21(1)
49 Ibid. Article 21(2)
50 Agenzia delle Entrate, Specifiche Tecniche Dati Fattura . Attached to the Provision N182070 dated 28 October
2016
51 Olga Ageeva, ‘ФНС узнает о счетах россиян в швейцарских банках’ (2019)
https://www.rbc.ru/economics/04/09/2019/5d68e7f29a7947360b91d1d5 accessed 07 July 2020.
52 Carlos E Weffe and Betty Andrade, Observatory on the Protection of Taxpayers' Rights: 2015-2017 General
Report on the Protection of Taxpayers' Rights (2018). p. 34
53 Ibid. p. 33
54 BLB Studio Legale, ‘Unauthorized Access to an IT System: The Italian Supreme Court Changes its
Orientation’ http://www.blblex.it/newsletter.php?id=716&lang=en accessed 04 June 2020.
55 Personal Data Protection Code - Containing provisions to adapt the national legislation to Regulation (EU)
2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive
GDPR, Personal Data Protection Code was amended by the Legislative Decree No 101 of 10 August 2018, and it seeks the purpose “to adapt the national legislation to the provisions of”56 the GDPR and
repeal the DPD. Thus, in Italy, “personal data shall be processed in accordance with the provisions of [the GDPR] and with [the] Code”.57
In Russia, the main legal document on processing and protection of personal data is the Federal Law on Personal Data of 27 July 2006. According to Article 6(1)(4) of the Federal Law on Personal Data, processing of personal data is allowed inter alia for fulfilment of tasks of federal and other governmental executive authorities. Thus, FTS of Russia is included into the Register of operators processing personal data on 13 January 2010.58 In addition, Russia is the signatory of the ECHR, i.e.
the data subjects in Russia are entitled to privacy under Article 8 of the ECHR.
The detailed analysis of the data protection instruments in Italy and Russia, including the development of international data protection instruments, is provided in Appendix I.
3.4. Coverage of B2B e-invoices by existing personal data protection rules
In Section 3.2 above, it was indicated that both in Italy and in Russia, e-invoices may contain personal data. The purpose of this Section is to identify if personal data provided in B2B invoices are covered by legal instruments of personal data protection.
It is necessary to divide the personal data incurred in B2B e-invoices into two categories – first, personal data of individual entrepreneurs and individuals acting as parties to VAT transactions, and second, personal data of employees of parties indicated in B2B e-invoices.
3.4.1. Coverage of B2B e-invoices by GDPR and the Italian Personal Data Protection Code
As it was identified in Section 3.3 above, in Italy, the main instruments are the GDPR and the Personal Data Protection Code.
First, it is necessary to identify which kind of personal data are incurred in such e-invoices and are there any personal data of special categories59. In Italy, when the supplier or customer is an individual
registered for VAT purposes, the e-invoice will contain the identification data of such individual. Such identification data includes, in particular, names and surnames, residence or domicile, the tax representatives, VAT numbers, addresses. As it was mentioned earlier in this paper, when there are personal data in an e-invoice, these personal data make also personal the data about the goods sold, services supplied, their nature, quality and quantity, consideration, and taxable amounts. There is no doubt that the data of the individuals indicated in the e-invoices constitute personal data. It was admitted by the EDPS, that in e-invoices, “[w]here the contracting entities are natural persons, their data will be considered personal data”.60 As a result, “personal data will require appropriate protection”
and national laws on personal data protection become applicable.
It was found out in Section 3.2 above that in Italy, the B2B e-invoices do not contain personal data of employees. Therefore, this category of personal data shall not be considered here.
Second, it is necessary to define the scope of the GDPR and Personal Data Protection Code. The GDPR “applies to the processing of personal data wholly or partly by automated means (…)”. The e-invoicing systems are automated systems. Therefore, the GDPR shall be applicable to the personal
95/46/EC (2003).
56 Ibid. Section 2 57 Ibid. Section 1
58 Federal Service for Supervision of Communications, Information Technology, and Mass Media -
Roskomnadzor, ‘Роскомнадзор - Реестр операторов, осуществляющих обработку персональных данных - Registry of operators processing personal data’ (2020) https://rkn.gov.ru/personal-data/register/?id=10-0083835 accessed 06 March 2020.
59 GDPR Art. 9(1): “Processing of personal data revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited”.
data indicated in the e-invoices. And where the GDPR applies, the Personal Data Protection Code “provisions [adapting] the national legislation to the provisions of”61 the GDPR shall also be applicable.
Thus, the GDPR and Personal Data Protection Code of Italy cover the personal data indicated in B2B e-invoices.
3.4.2. Coverage of B2B e-invoices by the Law on Personal Data in Russia
In Russia, e-invoices issued in a B2B transaction may contain personal data of two categories of data subjects: (i) taxpayers that are individual entrepreneurs; (ii) the person who accepted the delivered goods, provided works and services, being employed by organisations and the person entitled to sign the e-invoice (e.g. director and (or) chief accountant of a legal entity).
Regarding the first category of data subjects, when the taxpayer is an individual entrepreneur, the personal details (such as name, surname, taxpayer’s identification number, address, contacts) also need to be indicated. These personal data shall be covered by the Law on Personal Data in Russia, and they are included into the categories of data subjects in the Register of operators processing personal data.
Regarding the second category of personal data, the personal data of employees or other representatives (such as full name, position in the company, the basis for accepting the delivered goods, provided services, name of the persons signing invoices, etc.) may be indicated in B2B e-invoices. These data are covered by Labour Code of Russia62, as it is the matter of obtaining consent
of employees for processing and fulfilment of obligations prescribed in laws by employers.
The Law on Personal Data shall be applicable to the first category of personal data, i.e. to personal data of taxpayers that are individual entrepreneurs. The FTS conducts the Unified State Register of Taxpayers, which already include these personal data and has them collected at the registration of a person as an individual entrepreneur. This tax database has a special status and is protected by the Law on Personal Data along with other regulations on information security.63 Therefore, the Law on
Personal data shall be applicable to this category of personal data provided in e-invoices and transmitted to FTS as well.
4.
Balancing taxpayers’ rights to privacy and data protection and fight against
tax fraud and evasion
4.1. Limitation of privacy and personal data protection for public interest 4.1.1. Limitations in the EU and in Italy
It is important to note that the right for privacy and “the right to the protection of personal data” are two separate rights. Although the Charter of Fundamental Rights does stipulate the right to personal data protection as a fundamental right, in other instruments of protection of human rights (such as UDHR, ICCPR, ECHR) this is regarded as an element of the right for privacy and not stipulated separately. Both the right for privacy and the right for personal data protection are not absolute. They can be restricted when the laws provide so.
There are number of cases considered by the ECtHR related to interference with taxpayers’ personal data and privacy. These cases are helpful in defining the level of intrusion of tax administrations with personal data and privacy of individuals.
It was stated in case Digital Rights Ireland, and in other case law of the ECJ, that “to establish the existence of an interference with the fundamental right to privacy, it does not matter whether the
61 (n 55). Section 2
62 Трудовой кодекс Российской Федерации от 30.12.2001 N 197-ФЗ: Labour Code (2001). Article 86(1) 63 Приказ Федеральной налоговой службы от 13 января 2012 г. № ММВ-7-4/6@ “Об утверждении
Концепции информационной безопасности Федеральной налоговой службы” (Order of the FTS On Approval of the Concept of Information Security of the FTS): Concept of FTS Information Security (2012).
information on the private lives concerned is sensitive or whether the person concerned have been inconvenienced in any way”.64 “Furthermore, the access of the competent national authorities to the
data constitutes a further interference with that fundamental right”.65 Thus, notwithstanding the level of
interference (i.e. the categories or amount of personal data, scale of use of those personal data), the fact of interference with personal data means the limitation of the fundamental right to privacy and personal data protection. Therefore, it is necessary to analyse whether the limitation is lawful.
Article 52(1) of the Charter provides the conditions for limiting the right for protection of personal data. The limitation must (1) be provided by law, (2) respect the essence of those rights, (3) be necessary, (4) be proportionate, and (5) meet objectives of general interest.66
One of the recent important cases on limitation of rights to privacy and to protection of personal data provided in the Charter is the case Passenger Name Record, where the elements of limitation were analysed by the ECJ. In this case, the ECJ issued its opinion on compatibility of the envisaged agreement between Canada and the EU on the transfer and processing of Passenger Name Record data with the provisions of the TFEU and the Charter as regards the right of individuals to the protection of personal data.67 The envisaged agreement and request to European airlines to transfer
the passengers’ personal data was proposed by Canada in fight against terrorism and other serious transnational crimes. Since the EU laws do not allow the European carriers operating flights from the EU to transfer the passengers’ data, the legal basis for such disclosure was necessary. In addition, Court sought the balance between fight against crime, “respect of individuals’ rights to the protection of personal data as well as their physical security”.68 The Court’s decision was that the transfer of
personal data is incompatible with provisions of the TFEU and the Charter as long as they concern (transfer, use and retain) sensitive data from the EU to Canada.69
Regarding “being provided by law”, the Court states that “(…) the requirement that any limitation on the exercise of fundamental rights must be provided for by law implies that the legal basis which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned”.70
For the purposes of this paper, we need to consider, whether OCRs and e-invoicing systems of Italy and Russia respect the rights to privacy and protection of personal data. Article 23(1)(e) of the GDPR provides the possibility of limitation for the purposes of safeguarding general interest, such as taxation matters in Member States. However, the prerequisites for such limitation are “respecting the essence of the fundamental rights and freedoms and [being] a necessary and proportionate measure in a democratic society”.71 Thus, the GDPR “defines the scope of the limitation” on the right to protection of
personal data.
The second element and the prerequisite established by the GDPR is “respecting the essence of the fundamental rights and freedoms”. The limitation must respect the essence of the right for protection of personal data. According to the interpretation by the EU Agency for Fundamental Rights and the Council of Europe, “[t]his means that limitations that are so extensive and intrusive so as to devoid a fundamental right of its basic content cannot be justified”.72 The fact of the interference with the
essence of fundamental rights “should be determined on a case by case basis”.73
64 Digital Rights Ireland Ltd (Joined Cases 293/12 and 594/12) [2014] (ECJ) para. 33. See also cases
C-465/00, C-138/01 and C-139/01.
65 Ibid. para. 35
66 Office (n 5). Article 52(1)
67 Passenger Name Record [2017] CURIA (Grand Chamber). p. 4 68 Ibid. p. 9
69 Ibid. p. 53
70 Ibid. para. 139. (see, to that effect, judgment of 17 December 2015, WebMindLicenses, C-419/14,
EU:C:2015:832, paragraph 81)
71 European Parliament (n 2) Art. 1
72 European Union Agency for Fundamental Rights and Council of Europe (eds), Handbook on European data
protection law (Handbook / FRA, European Union Agency for Fundamental Rights, 2018 edition Publications
Office of the European Union, Luxembourg 2018). p.44
