OUT-LAW ANALYSIS

Podcast: How conflict boosts sovereign cloud


A datacentre, image: Getty Images


How conflict means governments want to keep their data out of other governments’ hands; plus: the UK’s tax evasion bounty-sharing plans.


 

  • Transcript

    Hello and welcome back to the Pinsent Masons podcast, where we keep you up to date with the most important developments in business law around the world every second Tuesday. My name is Matthew Magee and I am a journalist here at Pinsent Masons. And this week we ask what is the sovereign cloud and why is it becoming more important as geopolitical turmoil increases. And we investigate what could be a profitable decision for whistleblowers by the UK’s tax authority. But first, here is some business law news.
    UAE Central Bank pursues single rule book for financial services
    AI compliance will be overseen by 10 Dutch regulators and
    Sports teams using AI to recruit need to be wary of data protection law

    Financial services firms in the UAE should welcome plans for the development of a single rule book governing a range of regulated financial services, an expert has said. Dubai-based Marie Chowdhry said the plan set out by the Central Bank of the UAE during a briefing to market participants last week should make it easier for firms to understand and comply with their regulatory obligations. The Central Bank confirmed it intends to consolidate nine existing activity-based regulations into one rule book, including rules governing retail payment systems and large value payment systems. It said it wanted to establish clear regulations that could evolve with business models and enable businesses to better self assess their regulatory position.

    Responsibility for overseeing Dutch companies’ compliance with the EU AI Act will be handed to 10 different regulators under new plans published this week. The EU AI Act is the world’s first AI law and entered into force in August 2024. Some of the strictest regulatory requirements concern high-risk AI systems and general-purpose AI models with systemic risk. EU countries need to legislate to allocate responsibility for enforcing the law, and the Dutch government has proposed a hybrid model involving 10 regulators. Amsterdam-based Nienke Kingma said that there will be new supervision tasks for the Dutch Data Protection Authority and the State Inspectorate of Digital Infrastructure, which will be the coordinating supervisory authorities for AI in the Netherlands.

    UK and European sports organisations must be careful not to break data protection rules as they adopt AI to help with player recruitment, experts have warned. American sports organisations are increasingly turning to automated decision-making and AI systems when it comes to recruitment, and the practice is spreading to other parts of the world and sports outside of American football and baseball. But teams in the UK and Europe making use of these systems have to make sure they are not breaching strict data rules. Data protection expert Dom White said that AI’s use in profiling, ranking and filtering players brings it squarely within the scope of UK and EU data protection law. He said player recruitment typically involves the processing of identifiable personal data and may also involve sensitive health or physiological information, particularly where performance analytics, injury history or predictive modelling are used. These risks are likely to be heightened where similar tools are extended to youth academies or age-grade pathways, particularly given the involvement of children’s data, longer-term profiling and the potential to limit future sporting opportunities, he said.


    Every aspect of our lives is touched by data, is governed by data and generates data. It is at once a principal resource for and principal output of our economic, social and personal lives. So what it is, where it is, and who has access to it has never been more important. And as globalism fractures and countries act increasingly in their own interests rather than in ways governed by multilateralism, the literal location of your data is more important than ever. So this could be the sovereign cloud’s moment. The cloud is the amorphous metaphor we use to describe the very real computers, cables and warehouses, where our information’s housed, bouncing around the world in ways we rarely think about. So the sovereign cloud is the same, but just restricted to a single country, as London-based technology expert Simon Colvin explains.

    Simon Colvin: Sovereign cloud, it’s a set of cloud environments that are entirely operated, located and governed within a country’s borders. It has principally been used by governments for their most sensitive data. Across the globe, there is a raft of legislation that enables nation states to access data offshore that is being processed or sitting on servers that are operated by entities that run out of their country. So if you have a US business that is providing cloud services into the UK, the US government has the ability to access that data.

    Matthew Magee: Some countries have always had laws that allow them to access foreign people’s and companies’ data if it was stored on their territory, but increasingly fractured geopolitics is focusing minds on what that might mean in practice, says Simon.

    Simon: There’s always been the sensitivity over who has access to data, and particularly when we’re looking at this from a global perspective. So this issue has been live for quite some time, but with the geopolitical state as it is, that has given rise to not only increased sensitivity, but just that general awareness that operating in a truly global manner can give rise to unknown consequences, particularly when we see the conflict between China and the US, the approach of the US more recently, and obviously the impact on the Middle East. And so the risks have jumped out loud and kicking from what we’ve seen from the geopolitical situation.

    Matthew: When the latest conflict erupted in the Middle East earlier this year with the US and Israel’s attacks on Iran, it quickly spread to the whole region, including cities where much multinational business is done. Some authorities recommended moving data out of the region so that any destruction of data facilities wouldn’t affect the information. So this brought home to lots of businesses a fundamental tension. In some circumstances, data is safer in one fixed place, but in other circumstances it’s only safe if it can move around freely and is backed up in several different locations.

    Simon: There was significant attack on data centres in the region, and so a number of operators actually advised at the time that the crisis started that they were advising their clients to move their data out of the Middle East and into Europe. So it shows the complexity, because sovereign cloud in a sense is driven by the desire to protect data within the national boundaries, but also it can create a significant risk and sensitivity in its own right if it can be penetrated in the sovereign environment by attack. The whole point of sovereign cloud is that not only is the data located and operated within the jurisdiction, but all accesses and controls are limited to within the boundaries of the country as well. So no extraterritorial access permitted of a true sovereign cloud environment.

    Matthew: Which of course means that if it’s in a sovereign cloud that is physically attacked, when the data’s gone, it’s gone. No backups on a server in California somewhere. So how are companies coping with this dichotomy? It’s not easy, says Simon. But taking a hybrid approach is a start. And the sovereign cloud’s use is spreading beyond governments and into companies operating critical national infrastructure.

    Simon: What we’re seeing is a lot of businesses are taking a sort of hybrid approach. So they may be locating their more sensitive data in a sovereign cloud environment, and then they’re able to place a lot of the rest of their data in a standard cloud environment. And so they can triage between the two types of environments according to the sensitivity of the data that’s being held. Historically, it’s been for governments, but we’re now starting to see it moving very much into regulated sectors. And obviously we’ve got general operators of critical national infrastructure. So you know you’re talking financial services, you’re talking critical national infrastructure in terms of energy. We can really see that this is going to proliferate into those areas where the data that’s being held is really of significance from a national security perspective.

    Matthew: The business world once saw data as this free flowing, ubiquitous resource that could be everywhere at once, interacting with other data to bring unimaginable benefits. But now this flight to sovereign cloud in light of global political instability is understandable, but it does undermine some of the past promises of data visionaries, says Simon.

    Simon: It’s obviously introducing friction back into processes where the global approach was designed to reduce down the friction. And obviously it comes at a cost, as we know, because there is an increased level of infrastructure that’s required to create this cloud approach. But I guess those complexities, the price, they are there because there’s a very significant demand for this type of protection now.


    UK tax authority, HMRC, has made a pretty major change to how it seeks to gather intelligence on large-scale corporate tax evasion. It’s now offering whistleblowers almost a third of multi-million-pound recovered tax. That’s a pretty big payday for an eagle-eyed employee keen to spill the beans. So how will it work and why is HMRC making this change? London-based forensic accountant Hinesh Shah told me first exactly what it is that’s changing.

    Hinesh Shah: From the 6th of April, there’s been a fairly significant change in how HMRC, so the UK tax authority, approaches whistleblower rewards. And before April the 6th, HMRC did have legal powers to pay rewards to whistleblowers. But this was, I guess, three points to note here. Largely discretionary, not linked to a percentage of tax recovered, and it tended to be low value and not publicised. So the new scheme demonstrates a shift to a much clearer, more structured scheme. Individuals who provide information about serious tax avoidance or evasion are now able to receive a financial reward that is directly linked to the outcome. So if HMRC ends up recovering at least £1.5 million sterling as a result of the information provided by the whistleblower, the new scheme allows for the whistleblower to receive between 15% and 30% of the tax collected. So even at the de minimis level, that is a financial reward of between £225,000 and £450,000.
    So the potential monetary reward now available to whistleblowers and the transparency of the scheme is really the key change here.

    Matthew: This might sound like quite a broad brush measure, but actually corporate tax evasion of this scale is quite rare and is structured in ways that are very difficult to detect. So in fact it’s quite a targeted measure. But to succeed, it needs to tempt whistleblowers who are worried about their future.

    Hinesh: A lot of HMRC’s important activity probably tends to be at the lower end, and the reason for that is to recover £1.5 million in tax. That is some of the most serious non compliance tax issues that take place, and that tends to take place inside complex corporate groups or sophisticated group structures that are difficult to identify through HMRC’s routine inquiries or supervisory powers, or their own data and analytics. Now if you think about this scheme, employees and third parties such as advisers are the ones who are likely to have early visibility of these issues that regulators simply do not see from the outside. So the key policy aim here is to encourage these individuals to come forward when they become aware of significant non tax compliance, particularly where they might previously have been scared or deterred to do so by the concerns that of the impact their whistleblowing may have had on their careers and livelihood in the absence of significant financial reward.
    This fits with a wider shift across UK enforcement. So the SFO made some comments last year and publicly acknowledged that many UK whistleblowers choose to report to non UK authorities and that is because of the financial incentives available in other jurisdictions. And key to this, he labelled this as an intelligent strain from the UK.

    Matthew: Hinesh says that lots of regulators and enforcement authorities are putting in place these kinds of schemes as a cost effective way to pursue wrongdoers, but also to act as a deterrent.

    Hinesh: HMRC are probably hoping for a couple of things here. They're likely hoping that actually the number of good quality whistleblowing reports coming forward that identify issues relating to significant non tax compliance increases. They are also going to hope that this new scheme does not lead to a large volume of over opportunistic or less relevant tip offs. But I think more importantly this scheme is another tool to their armoury such that it will act as a deterrent for companies to engage in non tax compliance because the chances of any misconduct now getting flagged to HMRC are higher than they might otherwise have been before.

    Matthew: So aside from refraining from large scale corporate tax fraud, what should companies do to prepare now that this new right to a share of recovered tax has been introduced in the UK?

    Hinesh: Companies that believe they are doing the right thing already probably don't need to do too much, but they should make sure that their, I guess their internal whistleblowing programs are accessible to employees that they are working. So if a company's got a whistleblowing policy or program and they've had no reports in the last 10 years, it's probably something I'm missing. It probably needs to be re-reviewed. But companies where they might have had tax issues in the past or where they have concerns that actually their tax compliance is not up to scratch, they probably need to be reviewing their tax compliance programs at the same time as considering whether their whistleblowing processes are genuinely trusted and whether individuals genuinely feel like they can speak up and that they are protected when they do speak up. The key issue here is if a whistleblower does go externally to HMRC, that the corporate loses all control over timing, scope and then the investigation process. So this scheme is much more about doing the right thing. It’s about governance and good tax compliance. So I think all companies should be reviewing, assessing and looking at their tax compliance programs to make sure they are happy with the way it's operating and that it is operating effectively.


    Well, thank you for your time, for your attention. Thanks for sticking with us. If this is your first time listening, please do review or rate it on your podcast platform. And please do share it with anyone you think it might be helpful to. Until next time, Goodbye.

    The Pinsent Masons Podcast was produced and presented by Matthew Magee for international law firm Pinsent Masons
