Limits of Data Privacy Laws Create Tax Audit Compliance Tension

June 6, 2024, 8:30 AM UTC

State efforts to obtain customer identifying information as part of digital goods audits have put a spotlight on data privacy concerns. State tax authorities often request customer names, addresses, telephone numbers, and even Social Security numbers and tax IDs—claiming this sensitive information is vital to determine how to source digital transactions.

The Streamlined Sales Tax Governing Board, which administers a 24-state pact to simplify sales tax codes, took the first step last month to amend its sales and use tax agreement. That effort would resolve a years-long discussion over how to assign a local sales-or-use-tax rate to a transaction when the seller doesn’t collect the complete street address from the purchaser.

Under the proposed amendments, transactions would be assigned within nine-digit and five-digit ZIP codes. However, collecting this type of customer information, and disclosing it in an audit, may run afoul of data privacy laws or other legal restrictions on use of customer data.

US companies may be unfamiliar with the breadth and scope of data privacy laws because the US is a global outlier in this area. It’s one of the few countries with no national data privacy law, and only a handful of states, such as California, have robust data privacy laws. While the California Consumer Privacy Act restricts companies from collecting and maintaining certain customer information, it generally doesn’t restrict a business’s ability to comply with federal, state, or local laws, such as tax laws.

Most state privacy laws include a similar exemption. But is a state tax authority’s administration of its tax law included in the exemption for compliance? What about the information requested in an audit?

US telecommunications companies have been subject to “compliance with the law” type provisions in the Telecommunications Act of 1996 for decades and frequently request that tax authorities issue an administrative summons before providing customer identifying information.

California’s Consumer Privacy Act was modeled after the EU’s General Data Protection Regulation. Generally, GDPR prohibits companies from transferring EU citizens’ personal data outside of member states unless an exception applies.

GDPR not only governs all data within the European Economic Area, but it also has extraterritorial reach. The regulation applies to companies established outside the EU if the company either provides goods or services to individuals located in the EEA or monitors the behavior of individuals in the EEA.

GDPR in Audits

Notwithstanding GDPR, the US has successfully argued that its interest in tax compliance outweighs any countervailing privacy concerns. In United States of America v. Eaton Corp., the IRS issued a summons requesting employee performance evaluations from certain domestic and foreign employees in a transfer pricing audit. The district court judge ruled for the IRS, holding that GDPR didn’t prohibit the transfer and disclosure of the requested information.

In Eaton, the court held that GDPR didn’t prohibit Eaton from transferring the data from Ireland to the US and disclosing the data to the IRS because the transfer was necessary for important reasons of public interest. The public interest exception only applies when there is an important public interest for transferring the data, including “in the spirit of reciprocity for international cooperation.”

The judge reasoned that because there was a tax convention between Ireland and the US, and an objective of the convention was to prevent evasion of taxes, the exception was met. The judge also held that comity weighed in favor of enforcing the IRS summons because the US has a “paramount interest in collecting taxes,” and Ireland has little interest in blocking the US from tax investigations despite Ireland’s interest in protecting its citizens’ private information.

The analysis in Eaton may not directly apply to state and local tax compliance because state and local jurisdictions generally aren’t parties to US treaties or conventions with foreign jurisdictions.

However, other exceptions in GDPR, which may allow for disclosure of data to comply with a law or government regulation, may be relevant in a tax audit. The analyses under GDPR are stringent, and companies should carefully document the reason for their disclosure and that the disclosure is necessary.

Protective Measures

There are other ways companies can protect themselves and ensure compliance with data privacy laws, such as:

  • Providing customer account numbers and a ZIP code instead of names and addresses, which should protect customers’ personally identifying information
  • Removing numbers that identify a specific device or its location if IP addresses are requested
  • Requesting that all audit-related document and information requests be in writing
  • Requesting an administrative summons if personally identifying information is required

Companies should consider other federal and state laws that may apply to their industry. Under Section 222 of the Telecommunications Act, telecommunications carriers (including interconnected voice over internet protocol providers) that obtain customer information generally are barred from disclosing customer billing information unless required by law. Requesting an administrative summons may be a good practice in this context.

Companies also should consider additional precautions when working with third-party auditors, such as the Multistate Tax Commission and for-profit companies that local jurisdictions hire.

Tax departments are increasingly using third-party auditors. Companies should request a copy of the agreement between the tax jurisdiction and the third-party auditor, which should identify the taxes the third-party auditor is authorized to investigate. Requesting a nondisclosure agreement is also a good practice when working with a third-party auditor.

The gray area between tax compliance and data privacy laws is continuously changing. However, companies can protect themselves by regularly reviewing their audit practices and implementing internal processes.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Eric S. Tresh is a partner in Eversheds Sutherland’s state and local tax practice and a member of the firm’s global board of directors.

Chelsea E. Marmor is counsel at Eversheds Sutherland and advises clients in the communications, technology, and public utilities sectors.

To contact the editors responsible for this story: Rebecca Baker at rbaker@bloombergindustry.com; Daniel Xu at dxu@bloombergindustry.com
