Data haven
A data haven is a physical or virtual jurisdiction engineered to host digital data beyond the reach of extraterritorial laws, offering robust protections against censorship, seizure, or compelled disclosure by foreign governments through minimal local regulation and assertions of sovereignty.[1][2] The concept emerged in the 1990s amid rising concerns over state surveillance and content controls, drawing from libertarian and cypherpunk ideologies that prioritize individual data autonomy via technological and jurisdictional arbitrage, akin to tax havens but for information flows.[3][4] Pioneering efforts, such as HavenCo's 2000 launch on the micronation of Sealand—a World War II sea fort off England's coast—aimed to operationalize this by providing colocation services that ignored external intellectual property, gambling, or encryption bans while prohibiting only child exploitation material and spam, attracting interest from privacy advocates but collapsing by 2008 due to technical unreliability, internal conflicts, and Sealand's precarious legal status.[5][2] Despite such failures, data havens highlight tensions between digital borderlessness and national enforcement, influencing later decentralized alternatives like blockchain storage protocols that seek similar immunity through distributed networks rather than singular territorial claims.[1][2]Definition and Principles
Core Definition
A data haven is a refuge for digital data, providing legal, physical, or technical safeguards against governmental censorship, surveillance, or compelled disclosure, analogous to a tax haven's protections for financial assets. Such havens operate in jurisdictions with minimal regulatory oversight, enabling the storage and dissemination of sensitive or unregulated information without interference from the data's origin country or external authorities.[6][7] This setup typically involves encrypted backups or hosting in extraterritorial locations, prioritizing data persistence and privacy over compliance with international norms.[7] Core to the concept is content neutrality and resistance to adversarial control, where data is distributed across networks to ensure availability despite targeted attacks or node failures. Systems like the Free Haven Project exemplify this by employing information dispersal algorithms—such as Rabin's method, which fragments data into n shares reconstructible from any k subset—and mix networks for anonymous communication, quantifying anonymity through probabilistic models of adversary influence (e.g., fraction of controlled servers).[8] These mechanisms support immutable, long-term storage for publishers, with expiration defined by content creators rather than external mandates, distinguishing havens from ephemeral or popularity-driven platforms.[8] Unlike mere data backups or cloud services bound by national laws, data havens emphasize sovereignty from regulation, often in micronations or decentralized architectures that evade single points of failure. They facilitate anonymous publication for dissidents or whistleblowers by integrating layered encryption, random reordering, and trust-based server dynamics, ensuring computational unlinkability between data shares and origins.[8][6] Empirical designs, such as those avoiding digital cash dependencies or central proxies, underscore a commitment to robustness against powerful opponents, though real-world implementations have varied in achieving full autonomy.[8]Essential Characteristics
A data haven is characterized by a jurisdiction offering robust legal safeguards against compelled disclosure of stored data to foreign governments, typically through non-recognition of extraterritorial subpoenas or warrants.[2][9] This feature stems from the haven's sovereign or semi-sovereign status, enabling it to prioritize data custodians' rights over international cooperation agreements, as exemplified by HavenCo's operations on Sealand, where servers were hosted beyond the reach of UK or EU data access laws.[10][5] Another core trait is minimal content regulation, allowing storage of data irrespective of its legality under external laws, provided it adheres to narrow internal prohibitions such as prohibitions on child exploitation material or spam.[2][11] HavenCo, for instance, pledged to host any non-prohibited content without censorship, positioning itself as a refuge for information facing regulatory threats elsewhere. This laissez-faire approach contrasts with jurisdictions enforcing strict data protection mandates, emphasizing instead the haven's role in preserving data integrity against seizures or deletions ordered by foreign authorities.[7] Data havens typically incorporate physical infrastructure for secure, redundant storage, often in isolated or defensible locations to mitigate risks of physical raids or infrastructure disruptions.[12] Sealand's platform, a World War II-era sea fort, was selected for HavenCo precisely for its geographic separation from mainland enforcement, housing servers in a controlled environment resistant to unauthorized access.[10][2] Support for encryption and anonymity services forms a foundational element, enabling users to maintain control over data access without intermediary vulnerabilities.[11] These havens often facilitate anonymous hosting and encrypted backups, serving as "information equivalents to tax havens" by shielding digital assets from jurisdictional overreach.[6] Empirical implementations, like HavenCo's 2000 launch, demonstrated demand for such features amid rising concerns over state surveillance post-9/11, though sustainability hinged on credible enforcement of these protections.[2][5]Distinction from Related Concepts
Data havens differ from tax havens primarily in their focus: while tax havens offer jurisdictions with low or zero taxation on financial assets and income to facilitate capital mobility and avoidance of high-tax regimes, data havens emphasize legal protections against government seizure, censorship, surveillance, or compelled disclosure of digital information, irrespective of tax incentives.[13][6] For instance, HavenCo's model on Sealand in 2000 prioritized non-compliance with foreign content regulations and subpoenas for hosted data, excluding only categories like child exploitation material, rather than providing fiscal advantages.[5] Unlike special economic zones (SEZs) or free ports, which incentivize physical trade, manufacturing, or logistics through reduced tariffs, customs duties, and corporate taxes to boost economic activity in delimited areas, data havens target intangible digital assets and operate under frameworks that minimize extraterritorial legal enforcement on data processing and storage.[14] SEZs, such as those in China or Dubai, historically facilitate goods movement and investment but do not inherently shield against data-specific interventions like national security requests or intellectual property disputes originating outside the zone.[15] Data havens also contrast with general privacy-enhancing technologies or offshore cloud services, which rely on encryption or contractual terms within existing national laws rather than jurisdictional sovereignty to evade regulation; the former seeks refuge in minimally governed territories to render external laws unenforceable on hosted data.[16] This distinction underscores data havens' reliance on physical or quasi-sovereign locations, as exemplified by micronations like Sealand, to achieve de facto immunity, unlike purely technical solutions vulnerable to host-country compliance.[2]Historical Origins
Conceptual Foundations in Cypherpunk Ideology
The cypherpunk movement coalesced in 1992 with the launch of an e-mail listserv by Eric Hughes, John Gilmore, and Timothy C. May, among others, to promote cryptography as a tool for preserving privacy against state overreach.[17] This ideology posited that robust public-key encryption systems could enable anonymous digital interactions, rendering coercive government interventions—such as compelled disclosure of communications—technically infeasible.[18] Cypherpunks viewed cryptography not merely as a technical innovation but as a socio-political instrument to foster individual sovereignty in an increasingly digitized world dominated by surveillance-capable authorities. Timothy C. May's "The Crypto Anarchist Manifesto," initially drafted in 1988 and circulated widely by 1992, articulated the core vision of "crypto-anarchy," where strong cryptography facilitates borderless, untraceable exchanges of information and value, effectively nullifying many forms of legal enforcement.[19] May explicitly invoked "data havens" as emerging structures for storing sensitive or legally contested data, predicting their role alongside crypto tax evasion schemes in empowering ordinary users to evade regulatory controls.[20] In this conception, data havens would operate as insulated nodes in a global information network, protecting encrypted payloads from decryption demands by leveraging operators' inability or unwillingness to access plaintext contents. Eric Hughes reinforced these principles in "A Cypherpunk's Manifesto" published on March 9, 1993, asserting that privacy requires proactive construction of anonymous systems, including remailer networks and digital cash protocols, to safeguard against pervasive monitoring.[21] While not naming data havens directly, Hughes' call for "writing code" to build privacy infrastructure aligned with the notion of dedicated repositories that prioritize non-cooperation with authorities, ensuring data integrity through cryptographic guarantees rather than trust in institutions.[22] May elaborated further in subsequent writings, such as his 1994 Cyphernomicon compilation and 1996 essay "True Nyms and Crypto Anarchy," defining a data haven as a physical or virtual locale for data storage and retrieval, often harboring materials deemed illegal elsewhere, with operators contractually bound against disclosure or key escrow.[23][24] This framework emphasized causal mechanisms: encryption's mathematical resistance to brute-force attacks combined with jurisdictional non-extradition policies would deter raids or subpoenas, enabling markets for proprietary, censored, or subversive information flows. Cypherpunk thought thus framed data havens as empirical countermeasures to observed trends in state expansion, such as export controls on cryptography under U.S. munitions laws from the 1990s, prioritizing verifiable technological efficacy over regulatory compliance.[18]The HavenCo Experiment on Sealand (2000–2008)
HavenCo Limited was established in 2000 by American entrepreneurs Sean Hastings and Ryan Lackey as a data hosting service intended to operate from the Principality of Sealand, a self-declared micronation on a World War II-era sea platform located seven miles off the coast of Suffolk, England.[2][5] The venture drew inspiration from cypherpunk ideals of evading state regulation through extraterritorial sovereignty, with negotiations between HavenCo principals and Sealand's rulers, the Bates family, beginning in 1999.[5] Upon launch, HavenCo garnered significant media attention, including a June 2000 Wired magazine cover story, positioning itself as a "data haven" for content unrestricted by national laws, such as online gambling and adult material, while prohibiting child exploitation imagery, spamming, hacking, and money laundering from illegal drugs.[5][25] Operations commenced with ambitious infrastructure plans, including nitrogen-flooded server rooms for fire suppression, armed guards, triple-redundant power generators, and multiple internet connections via satellite and planned fiber optics, though initial bandwidth was limited to 128 Kbps satellite links following the dot-com bust's impact on funding.[2][25] HavenCo offered colocation services at rates starting around $750 per month, targeting clients seeking regulatory arbitrage outside jurisdictions like the United States or United Kingdom.[5] By 2002, it hosted approximately 10 to 12 customers, primarily online casinos, with one reported client being the Tibetan government-in-exile for website hosting, though the platform's physical vulnerabilities—such as exposure to rough seas and denial-of-service attacks—hindered reliability.[2][5] The business model projected $65 million in revenue by its third year, but high operational costs, estimated at 10 times those of land-based facilities, and Sealand's lack of international recognition undermined scalability.[5] Internal conflicts emerged early, with Hastings departing shortly after launch in 2000, leaving Lackey to manage day-to-day affairs amid tensions with Sealand advisors over operational control and public image.[2][25] A pivotal dispute in May 2002 involved allegations of HavenCo hosting unauthorized DVD rebroadcasts, prompting Sealand's rulers to "nationalize" the company, lock out Lackey, and restructure under a new agreement that repaid him approximately $220,000 but excluded him from future involvement.[2][25] Post-nationalization, HavenCo adopted stricter content policies, partly in response to post-9/11 regulatory pressures, and relocated primary hosting to a London data center by 2006 after a generator fire damaged Sealand's facilities.[2][5] These shifts, combined with the absence of true extraterritorial enforcement—Sealand's sovereignty claims held no weight against UK or international law—eroded the haven's appeal.[5][16] By 2008, HavenCo's website went offline, marking the effective end of operations, as the venture succumbed to chronic undercapitalization, technical inadequacies, and the realization that physical isolation did not confer immunity from global legal and cyber threats.[2][16] The experiment demonstrated the practical limits of micronational sovereignty for data protection, with costs exceeding benefits and customer demand failing to materialize beyond niche applications, ultimately validating critiques that regulatory evasion requires robust institutional backing rather than mere geographic separation.[5][25]Motivations and Rationales
Safeguarding Against State Surveillance and Censorship
Data havens address vulnerabilities exposed by state surveillance apparatuses that compel private entities to disclose user data, as exemplified by the U.S. National Security Agency's PRISM program, which granted access to servers of companies including Google and Apple for bulk collection of communications metadata and content, as revealed by Edward Snowden on June 6, 2013.[26] Such programs, authorized under Section 702 of the Foreign Intelligence Surveillance Act and renewed periodically, underscore the risks of jurisdictional cooperation, where hosting providers face legal mandates to surrender data without user consent, often extending to non-citizens via mutual legal assistance treaties.[26] Proponents posit that relocating servers to non-cooperative or sovereign micro-jurisdictions prevents such compelled access, preserving data integrity against warrantless searches or gag orders. The HavenCo initiative on Sealand, operational from 2000 to 2008, embodied this strategy by leveraging the platform's claimed independence to host data "safely beyond the reach of any other country’s courts," explicitly targeting protection from governmental censors, surveillance, and prudish regulations.[5] Founders, influenced by cypherpunk advocacy for cryptographic tools to thwart state monitoring, enforced an acceptable use policy that barred only spam, child exploitation material, hacking facilitation, and certain financial crimes while permitting otherwise restricted content like anonymous payment systems, corporate records immune to subpoenas, adult pornography, and online gambling sites.[5] This policy reflected a first-principles commitment to minimal intervention, asserting that "free communication can never be a crime," thereby resisting extraterritorial enforcement from entities like the UK or U.S. governments, which viewed Sealand as non-sovereign.[5] Technical safeguards in data havens complement jurisdictional evasion, incorporating end-to-end encryption and physical isolation to deter interception; HavenCo planned redundant hardware and cryptographic protocols, though execution faltered due to internal disputes rather than external coercion.[5] Broader empirical demand arises from documented censorship regimes, such as China's Great Firewall, which as of 2025 blocks over 10,000 domains including major social platforms, or Russia's sovereign internet laws enacted in 2019 requiring data localization for easier state access and shutdowns.[27] In democratic contexts, increasing surveillance—evident in 27 of 47 countries rated as high-risk for privacy erosion in 2022 assessments—fuels similar rationales, with dissidents and firms seeking havens to host unredacted archives or whistleblower materials without fear of retroactive takedowns.[28] Cypherpunk-derived resistance techniques, including anonymized hosting, further enable circumvention of deep packet inspection and keyword filtering prevalent in 67% of global internet users' countries.[29][22] Despite operational challenges, the persistence of these motivations is validated by post-Snowden shifts, where revelations of upstream collection affecting global traffic prompted tech firms to enhance offshore storage in privacy-oriented locales like Switzerland or Iceland, though true data havens prioritize non-extradition and non-disclosure policies over mere localization.[30] Critics from state-aligned perspectives dismiss such efforts as enabling illicit activity, yet empirical data on surveillance overreach—such as the NSA's incidental collection of millions of domestic records—supports the causal necessity of decoupled jurisdictions to maintain informational autonomy against expanding legal instruments like the EU's e-evidence proposals.[26][5]Promoting Innovation and Economic Liberty
Data havens are designed to foster innovation by establishing jurisdictions or systems where data storage and processing occur beyond the reach of restrictive national regulations, thereby reducing barriers to experimentation in data-driven technologies. This environment enables developers and firms to host services such as anonymous financial systems, unrestricted content platforms, and privacy-focused applications without the threat of content-based shutdowns or compliance mandates that stifle creativity in onshore locations. For example, proponents envisioned data havens accelerating advancements in cryptography and secure communications by protecting proprietary datasets from seizure, allowing iterative development free from surveillance risks.[18] In terms of economic liberty, data havens promote voluntary exchange in information markets by minimizing coercive state interventions, such as data localization laws or taxation on digital transactions, which can impose disproportionate costs on startups. By offering competitive hosting at lower prices—due to avoided regulatory overhead—such havens attract capital to underserved sectors like online gambling and adult content distribution, where legal hurdles elsewhere limit market entry. HavenCo's 2000 initiative on Sealand exemplified this, planning to deliver nearly 1 Gbps bandwidth at rates below mainland equivalents, with preconfigured secure servers to support e-commerce and data-intensive operations unbound by traditional oversight.[11] Investors committed $1 million in seed funding, anticipating profitability from regulatory arbitrage that would draw clients seeking unhindered data mobility.[11] This model aligns with cypherpunk principles, where protected data flows underpin economic freedom by enabling trustless commerce and innovation in peer-to-peer networks, as encryption and jurisdictional insulation prevent monopolistic control by governments or incumbents. However, realizations like HavenCo underscore that while the intent was to catalyze liberty-driven growth—targeting "almost-anything-goes" hosting for free expression and novel services—sustained success requires robust enforcement beyond mere geographic isolation.[10][31] Empirical demand persists, evidenced by ongoing interest in offshore hosting for privacy-centric apps, though verifiable long-term innovation gains remain tied to technological rather than purely jurisdictional solutions.[10]Empirical Evidence of Demand
Following the 2013 revelations by Edward Snowden regarding National Security Agency surveillance practices, U.S.-based cloud computing adoption slowed significantly in several markets due to heightened privacy concerns, with German cloud usage growing only 3% in 2013 compared to 9% the prior year.[32] This shift prompted businesses and governments to explore offshore alternatives, as evidenced by a reported "race to create offshore havens for data" to evade U.S. jurisdiction over stored information.[33] Such migrations reflect causal demand driven by fears of compelled data disclosure under laws like the U.S. PATRIOT Act, with surveys indicating 49% of Americans perceived their personal data as less secure post-revelations.[34] Empirical indicators include rapid expansion of data infrastructure in jurisdictions with robust privacy protections, such as Iceland and Switzerland. Iceland's data center industry achieved a compound annual growth rate exceeding 100% from 2015 to 2018, fueled by its renewable energy, natural cooling, and stringent data privacy laws modeled after European standards, positioning it as a potential "Switzerland of data."[35][36] Switzerland similarly saw accelerated development of secure hosting facilities, supported by constitutional privacy guarantees and non-cooperation with extraterritorial data requests absent mutual legal assistance treaties.[37] These trends correlate with global offshore hosting market projections estimating a 10.6% CAGR from 2025 to 2032, driven by demands for jurisdictional autonomy.[38] Proxy measures further underscore demand, as increased adoption of circumvention tools signals broader aversion to state-accessible data repositories. VPN usage, often employed to route traffic through privacy-friendly jurisdictions, surged 301% in regions facing censorship spikes, with global VPN app revenue reaching $5.9 billion in 2024 amid surveillance fears.[39][40] In the U.S., 53% of individuals reported using privacy tools like VPNs in response to foreign surveillance disclosures, while the VPN market is forecasted to triple by 2030 due to cybersecurity and privacy anxieties.[41] These patterns, observed across empirical datasets, demonstrate sustained demand for data havens as bulwarks against compelled access, rather than mere compliance exercises.Prominent Implementations
Physical Jurisdictions and Micronations
Iceland has emerged as a prominent physical jurisdiction for data hosting due to its robust privacy protections, renewable energy resources, and commitment to freedom of expression, attracting operators seeking refuge from surveillance-heavy regimes. The country's Data Protection Act aligns with EU standards while emphasizing individual rights, including no mandatory data retention for webmail services and legal safeguards for anonymity and whistleblowers.[36][42] In 2011, advocates proposed Iceland as a "data haven" akin to Switzerland's banking secrecy, with initiatives like the Internet Archive considering storage there to leverage proposed media protections following the 2008-2010 Icelandic Modern Media Initiative, which aimed to enhance source protection and limit data seizures.[43] Data centers in Iceland benefit from cold climate cooling and geothermal power, hosting services for global clients prioritizing privacy, though recent registrations of anonymity services have raised concerns about misuse for illicit content.[44] Próspera, a semi-autonomous zone on Roatán island in Honduras established in 2017 as a Zone for Employment and Economic Development (ZEDE), represents an experimental physical jurisdiction tailored for technological innovation, including data and blockchain operations. Governed by private contracts rather than full national laws, it permits cryptocurrency as legal tender, minimal regulatory oversight, and opt-in civil codes that prioritize economic liberty, drawing crypto enthusiasts and firms evading traditional financial controls.[45][46] Promoters envision it as a haven for decentralized data services, with infrastructure supporting high-tech ventures, but it has encountered resistance, including a 2022 Honduran Supreme Court ruling challenging ZEDE autonomy and ongoing disputes over sovereignty that threaten its operational stability as of 2025.[47][48] Micronations have sporadically pursued data haven ambitions through claims of extraterritoriality and crypto integration, though lacking international recognition limits their viability. The Free Republic of Liberland, proclaimed in 2015 on a 7 km² disputed Danube River plot between Croatia and Serbia, embodies this approach by adopting libertarian principles, zero income taxes, and blockchain-based governance to attract digital assets and services.[49] It issues native tokens—the Liberland Dollar for transactions and Merit for voting—facilitating decentralized data and financial operations while aspiring to function as a "blockchain tax haven" extensible to privacy-focused hosting.[50][51] Access remains restricted due to border enforcement by neighbors, confining activities to virtual citizenship sales and symbolic infrastructure, with no verified large-scale data hosting as of 2025.[52] These efforts highlight persistent challenges in physical data havens, including jurisdictional disputes and enforcement gaps, underscoring a shift toward decentralized alternatives over territorial claims.Crypto-Friendly National Policies
Several nations have adopted policies that foster cryptocurrency adoption and blockchain infrastructure, creating environments conducive to data havens by minimizing regulatory barriers to hosting encrypted data, smart contracts, and decentralized networks. These policies often include legal recognition of digital assets, tax incentives, and clear licensing frameworks for virtual asset service providers (VASPs), which reduce risks of asset seizure or data disclosure under international pressure. Such measures attract firms offering privacy-focused services, as they prioritize innovation over stringent surveillance mandates.[53] El Salvador pioneered national-level cryptocurrency integration by enacting the Bitcoin Law on June 9, 2021, designating Bitcoin as legal tender alongside the U.S. dollar and mandating its acceptance for goods, services, taxes, and debts. This policy aimed to enhance financial inclusion for the unbanked population—estimated at 70% of adults—and promote remittances, which constitute over 20% of GDP, by leveraging Bitcoin's borderless transfer capabilities. Despite initial volatility and low domestic adoption rates (under 20% usage by 2023), the government invested in Bitcoin mining using geothermal energy from volcanoes, establishing a state-backed wallet (Chivo) with $30 signup incentives. In March 2025, amid IMF negotiations, the Legislative Assembly modified the law to remove "currency" from Bitcoin's designation while retaining its legal tender status, allowing continued promotion without full reversal. These steps positioned El Salvador as a testing ground for crypto-enabled data sovereignty, though empirical data shows limited impact on GDP growth or remittance costs reduction.[54][55][56] Switzerland's Canton of Zug, dubbed "Crypto Valley," exemplifies decentralized yet supportive policies through favorable taxation and regulatory clarity under the Swiss Federal Act on the Adaptation of Federal Law to Blockchain Developments (DLT Act), effective August 1, 2021. The canton imposes low corporate tax rates (around 12-14%) and has accepted Bitcoin and Ethereum for tax payments since 2021 via partnerships like Bitcoin Suisse, hosting over 1,100 blockchain firms and generating an ecosystem valued at billions in assets under management. Federal guidelines classify tokens as assets, not securities by default, enabling innovation in decentralized data storage without mandatory KYC for non-custodial protocols. This framework has drawn data-intensive crypto projects, supported by crypto-friendly banks and proximity to research institutions like ETH Zurich, though critics note potential risks from unharmonized EU-Swiss data-sharing agreements.[57][58][59] The United Arab Emirates (UAE), particularly Dubai, has aggressively pursued crypto hub status via the Virtual Assets Regulatory Authority (VARA), established in 2022, which issues licenses for VASPs including exchanges, custodians, and advisory services under a comprehensive rulebook emphasizing AML compliance and investor protection. No capital gains tax applies to crypto trading for individuals, and free zones like Dubai International Financial Centre (DIFC) offer 0% corporate tax on qualifying income until 2026, attracting over 500 crypto firms by 2025. Abu Dhabi’s ADGM similarly regulates via the FSRA, permitting tokenized assets and DeFi pilots. These policies facilitate data haven operations by shielding blockchain data from extraterritorial claims, bolstered by the UAE's non-extradition stance on certain financial offenses, though federal oversight mandates reporting for suspicious activities exceeding AED 55,000 (about $15,000).[60][61][62] Singapore maintains a progressive stance through the Monetary Authority of Singapore (MAS), which under the Payment Services Act (2019, amended 2023) licenses digital payment token (DPT) services with exemptions for non-custodial wallets, imposing no capital gains tax on crypto for individual investors while taxing business income at 17%. This clarity has hosted major exchanges and blockchain R&D, with policies like Project Guardian (launched 2022) testing asset tokenization. Portugal, post-2023 reforms, exempts long-term crypto gains (over 365 days) from tax while levying 28% on short-term trades and professional activities, positioning it as a European entry point for crypto data services amid EU MiCA harmonization. Both nations prioritize economic incentives over prohibition, evidenced by inflows of crypto capital exceeding $10 billion annually in Singapore alone.[63][64][65]| Country | Key Policy Features | Implementation Date | Tax Treatment |
|---|---|---|---|
| El Salvador | Bitcoin legal tender; mandatory acceptance; state mining | June 2021 (modified March 2025) | No capital gains tax on Bitcoin |
| Switzerland (Zug) | Token classification; crypto tax payments; low corp tax | DLT Act: Aug 2021 | Asset taxation; ~12% corp rate |
| UAE (Dubai) | VARA licensing for VASPs; free zone incentives | VARA: 2022 | 0% cap gains; 0-9% corp in zones |
| Singapore | DPT licensing; no cap gains for individuals | PSA: 2019 | 0% cap gains; 17% business income |
| Portugal | Long-term gains exemption; short-term 28% | Reforms: 2023 | 0% >365 days; 28% <365 days |