By Karl Canby

 

On the second day of August 2022, President Joseph R. Biden ordered the killing of Ayman al-Zawahiri in the Afghani capital city of Kabul.[1] Zawahiri, an Egyptian National, had sat atop of the Federal Bureau of Investigation’s list of most wanted terrorist for his role in the murder of almost 3,000 people in New York City on September 11, 2001.[2] He had been Osama bin Laden’s deputy and eventual successor as the leader of the al-Qaida terrorist organization.[3] However, unlike his predecessor, Zawahiri’s death was not the result of a night insertion by United States Special Forces personnel.[4] Instead, Zawahiri was eliminated with surgical precision by two AGM-114 Hellfire missiles fired from a General Atomics MQ-9 Reaper drone.[5] His death culminated not only 20 years of US Military Operations against global terror but signified the result of two decades of policy change intended to revolutionize the future of warfare carried out by Unmanned Aerial Vehicles (“UAV”).

Increased military drone strikes have fundamentally challenged the international rule of law.[6] Their ambiguous legal nature has increasingly damaged the lines of what violence is acceptable from a state-to-state legal perspective.[7] Nations keen on riding this new wave of global confusion have subtly shifted their domestic policy to reflect their desire to utilize this gap in the commonly understood rules of war.[8] Where a Head of State may have had no choice but to react to violence in the past, they now have the option to qualify or challenge the legality of a drone strike on the global stage.

Look no further than the assassination of Iranian Major General Qassem Soleimani in Baghdad, Iraq, on January 2, 2020.[9] In a move heavily questioned by the international community, US President Donald J. Trump ordered Soleimani’s death through the use of a drone strike.[10] What makes this act so complex from an international legal perspective is the number of entities that it affected. Soleimani was an Iranian General visiting the sovereign nation of Iraq and was killed by a drone strike from a country that was not at war with either. Before the advent of the UAV, the physical nature required to commit such assassination would have clearly violated international rule of law. Both Iran and Iraq would have had a strong legal foundation to retaliate against the United States.[11] Instead, the legal ambiguity of the drone strike gave the United States a way to circumvent accountability while simultaneously preventing Iran and Iraq from seeking legal recourse.[12]

Most recently, the Russian invasion of Ukraine has once again called into question the legal trajectory of the use of drones in combat.[13] Heavy usage by both sides has highlighted the effects that unmanned vehicles have on the battlefield.[14] A particularly alarming issue is the modification and deployment of commercial drones in Ukraine.[15] These products are easily purchased through traditional vendors, which calls into question how insurgents and terrorist groups could use them in the future. As this conflict continues, nations across the globe must ask themselves the difficult question of how they will prepare for the inevitable increase in UAV use in conflicts moving forward. The complicated and intricate international legal system will need to prepare for this increasingly dangerous threat to world peace.

 

 

 

[1] Jim Garamone, U.S. Drone Strike Kills al-Qaida Leader in Kabul, U.S. Department of Defense (Aug. 2, 2022), https://www.defense.gov/News/News-Stories/Article/Article/3114362/us-drone-strike-kills-al-qaida-leader-in-kabul/

[2] Id.

[3] Id.

[4] See generally Kris Osborn & Ho Lin, The Operation that Took Out Osama Bin Laden, Military.com (2022), https://www.military.com/history/osama-bin-laden-operation-neptune-spear (an in-depth explanation of the military operation that resulted in the death of Osama Bin Laden).

[5] Garamone, supra note 1.

[6] Rosa Brooks, Drones and the International Rule of Law, 28 Ethics & Int’l Aff. 83 (2014).

[7] Id.

[8] See Generally American Security Drone Act of 2021, S.73, 117th Cong. (1st Sess. 2021) (An example of United States legislation moving in favor of UAVs).

[9] Michael Crowley et al., U.S. Strike in Iraq Kills Qassim Suleimani, Commander of Iranian Forces, The New York Times (Jan. 2, 2020), https://www.nytimes.com/2020/01/02/world/middleeast/qassem-soleimani-iraq-iran-attack.html.

[10] Id.

[11] See Generally Michael N. Schmitt, Assassination in the Law of War, Liber Institute (Oct. 15, 2021) https://lieber.westpoint.edu/assassination-law-of-war/ (An overview of the legality of assassinations carried out by the military).

[12] Id.

[13] Elias Yousif, Drone Warfare in Ukraine: Understanding the Landscape, Stimson (June 30, 2022) https://www.stimson.org/2022/drone-warfare-in-ukraine-understanding-the-landscape/.

[14] Id.

[15] Ukraine Conflict: How are drones being used? BBC (Aug. 2022) https://www.bbc.com/news/world-62225830.

 

 

Image Source: https://www.goodfreephotos.com/weapons/aircraft/heron-1-drone-UAV.jpg.php

By Michael Alley

 

On May 14, 2018, the gambling world changed forever. On this date, the United States Supreme Court decided the landmark case Murphy v. National Collegiate Athletic Association.[1] This decision limited the federal government’s ability to regulate gambling that occurs in the states.[2]  In this case, New Jersey, along with Governor Phil Murphy, successfully challenged the constitutionality of the Professional and Amateur Sports Protection Act (PASPA), which prohibited states from allowing sports gambling.[3] The court found that PASPA violated the anti-commandeering doctrine because the federal government is explicitly directing states on the laws they may or may not pass.[4] Furthermore, it violates state sovereignty, and Congress must allow the states to regulate gambling as an intrastate activity.[5]

The impact of this decision has been felt immediately. Currently, roughly 30 states have some online gambling, with nearly 20 states allowing an online option.[6] Some states restrict it to tribal grounds while others allow it statewide.  In some states, such as Florida, battles rage between lawmakers and Native American tribal leaders on the effect of online gambling, where the Tribe will undoubtedly lose tourism and gambling dollars if more competition is introduced.[7]

The competition is fierce, with New York set to bring in the most revenue.[8]  New York has a tax rate of 51% and is set to collect just shy of $250 million in revenue for 2022.[9] However, online gambling is a unique issue.  Due to evolving technological advances, people have attempted to gamble through Virtual Private Networks (VPNs).[10] VPNs will hide a user’s IP Address and location, tricking a gambling platform into thinking the person is in a permitted geographical area to gamble when they are not.[11]  It can allow a person in a state where sports gambling is illegal to place a bet as if they are in another state where sports gambling is permitted.[12] Although gambling platforms have done a good job at blocking the popular VPN networks,[13] as the technology advances, there is no guarantee that the success will continue.

Furthermore, people are more interconnected with people in other areas of the country. Although the Fifth Circuit Court of Appeals held that the WIRE Act applied to sports gambling,[14] people in states where sports gambling is outlawed can gamble through proxies in states where sports gambling is legal.[15]  This blurs the line of whether online gambling can be limited to just intrastate commerce. It raises the question of if congress could try to act again in the future to curb sports gambling. States where gambling is illegal still have a populace that engages in the practice yet are not gaining any benefits such as an increase in tax revenue or jobs.

Gambling companies such as DraftKings and FanDuel have achieved massive success and must focus on this issue. If they don’t limit gambling across state lines, it opens these companies to the mercy of federal government regulation. Congress may renew an argument that online gambling in its current form must be interstate commerce and can be regulated federally, either by the WIRE Act or other means.

 

 

[1] Murphy v. National Collegiate Athletic Ass’n., 138 S.Ct. 1461 (Westlaw 2018).

[2] Id. at 1485.

[3] Id.

[4] Id. at 1481.

[5] Murphy v. National Collegiate Athletic Ass’n., 138 S.Ct. 1461, 1478.

[6] Sam McQuillan, Where is Sports Betting Legal? Projections for all 50 states, Action Network (Sept. 14, 2022, 9:08 AM), https://www.actionnetwork.com/news/legal-sports-betting-united-states-projections.

[7] See Daniel Wallach, Feds, Seminole Tribe Invoke IGRA ‘Jurisdiction—Shifting’ In Bid To Revive Online Sports Betting in Florida, Forbes (Sept. 29, 2022, 4:16 PM), https://www.forbes.com/sites/danielwallach/2022/09/29/feds-seminole-tribe-invoke-igra-jurisdiction-shifting-in-bid-to-revive-online-sports-betting-in-florida/?sh=4090c002c2a6

[8] Justin Byers, New York’s Sports Betting Tax Revenue Hits Record High, Front Office Sports, (July 11, 2022, 5:14 AM), https://frontofficesports.com/new-yorks-sports-betting-tax-revenue-hits-record-high/.

[9] Id.

[10] See Robert A, Cronkleton, How many Missourians tried to gamble in Kansas on first day of legal sports betting?, The Kansas City Star, (Sept. 2, 2022, 12:49 PM), https://www.kansascity.com/news/local/article265242136.html (explaining how Kansas blocked 16,000 attempts by gamblers who were illegally trying to gamble from Missouri).

[11] Dalvin Brown, When to Use a VPN–and When IT Won’t Protect Your Data, The Wall Street Journal, (Sept. 6, 2022, 10:00 AM), https://www.wsj.com/articles/vpn-data-protection-privacy-tips-11662155750 (explaining how VPNs can mask location).

[12] See id.

[13] See Cronkleton, supra note 10.

[14] Aalok Sharma, The First Circuit Rules that the Wire Act Applies to Sports Betting Only, JDSUPRA (May 6, 2021), https://www.jdsupra.com/legalnews/the-first-circuit-rules-that-the-wire-9621258/ (explaining how the First Circuit Court of Appeals found that the WIRE Act prohibited interstate sports gambling).

[15] See id.

Image Source: https://depositphotos.com/stock-photos/online-sports-betting.html

By Yanrong Zeng

 

In 2020, Congress passed the Holding Foreign Corporation Accountability Act (“HFCAA”) and required foreign governments to provide U.S. regulators with full access to the audit working papers to examine the financial integrity of foreign companies listed in the U.S. stock exchanges.[1] Otherwise, the HFCAA will delist these companies after three years. Audit working papers are broadly defined as first-hand information that provides all the factual basis for a company’s financial statements. [2] When the U.S. regulator expanded its extraterritorial oversight over foreign audit firms and companies,[3] the ambiguous definition of audit working papers opened the door to foreign governments’ concerns about information confidentiality, such as the position taken by Japan in 2003.[4]

The international framework requires overseas regulators to comply with the domestic laws before directly investigating or requesting auditing material.[5] The European Union chooses the principle of “full trust” to identify the audit supervision system of 10 countries (including China) as equivalent to the E.U.’s audit supervision system and fully trust the audit supervision results of foreign regulators.[6] In contrast, the United States is the first one to break through the traditional regulatory jurisdiction based on national borders and expand its regulatory capabilities in accordance with the principle of “long-arm jurisdiction.”[7]

China allows accounting firms to provide audit working papers to foreign regulators after redacting sensitive information during the cybersecurity screening and using appropriate regulatory cooperation channels.[8] Both methods are in line with common international practices.[9] On the other hand, U.S. regulators protect the interests of U.S. investors by requiring direct inspection and full disclosure of audit working papers. The U.S. regulator is concerned that Chinese auditing firms would remove harmful information in the original audit working papers.[10] Against the backdrop of the U.S.-China trade war and economic decoupling, some market watchers[11] and academics[12] in both the U.S. and China view the HFCAA as an ultimatum to the decade-long bilateral negotiation. An American scholar pointed out that the HFCAA “weaponized access to the U.S. capital market to punish the Chinese firms.”[13]

However, the fundamental disagreement over redaction is caused by the two countries’ different definitions of “national security information.” The Director of International Affairs at the U.S. Securities and Exchange Commission (“SEC”) recently stated, “Sensitive information pertaining to national security—and by that, I mean the ability for the state to cater to the protection and defense of its citizenry—should not be in the auditor’s files.”[14] In comparison, the Chinese definition includes a wide range of sensitive information relating to cybersecurity, data security, and protection of personal information.[15] Chinese regulators attach great importance to commercially sensitive information because most Chinese companies listed in the United States are pan-Internet companies focusing on online games and searches, education and chain operations, new energy, medicine, and high-end manufacturing.[16]

These pan-Internet companies have been adversely affected by Chinese law requiring cybersecurity review. “Security-related information” include personal privacy information from (1) online platform with more than 1 million users,[17] and (2) “critical information infrastructure” in the areas of public communication and information services, energy, transportation, water conservancy, finance, public services, e-government, and defense technology.[18]

The new cybersecurity law was enacted in response to the July 2021 information breach caused by Chinese ride-hailing company Didi Global. Didi surged into the U.S. stock market with a nearly $70 billion pre-IPO valuation but chose not to hold any bell-ringing ceremony or official press release.[19] With 15 million active drivers and 156 million monthly active users globally, Didi is naturally closely regulated because of its scale.[20] Didi has demonstrated predictive capabilities based on big data and artificial intelligence. In 2015, Chinese government and Didi jointly released a statistical report that counted the workload of each governmental agency over a certain period and the addresses of everyone working in that department.[21]

 

 

[1]  See Holding Foreign Companies Accountable Act, Pub. L. No. 116-222, 134 Stat. 1063.

[2]  AU Section 339: a Working Papers, Pub. Co. Acct. Oversight Bd., https://pcaobus.org/oversight/standards/archived-standards/details/AU339A.

[3]  International, Pub. Co. Acct. Oversight Bd., https://pcaobus.org/oversight/international.

[4]  The Japanese Inst. of Certified Pub. Acct., Re: Public Company Accounting Oversight Board; Notice of Filing of Proposed Rules Relating to Registration System (File No. PCAOB-2003-03) (June 27, 2003), https://www.sec.gov/rules/pcaob/pcaob200303/jicpa062703.htm (“It is commonly understood that the Japanese law does not directly extend to include the laws and judicial proceedings of foreign countries, and accordingly, compliance of a foreign country’s law such as the Sarbanes-Oxley Act or the PCAOB requirements, would not constitute a ‘justifiable reason’”).

[5]  Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information, IOSCO (May 2012), § 7(c) (“Assistance will not be denied based on the fact that the type of conduct under investigation would not be a violation of the Laws and Regulations of the Requested Authority”).

[6]  Commission Decision of 19 January 2011 on the Equivalence of Certain Third Country Public Oversight, Quality Assurance, Investigation and Penalty Systems for Auditors and Audit Entities and a Transitional Period for Audit Activities of Certain Third Country Auditors and Audit Entities in the European Union. Official Journal of the European Union.

[7] Since the PCAOB was established in the same year as Multilateral Memorandum of Understanding Concerning Consultation and Cooperation and the Exchange of Information.

[8] See Zhonghua Renmin Gongheguo Zhengquan Fa [Securities Law of the People’s Republic of China] § 177 (rev’d Dec. 28, 2019, effective Mar. 1, 2020), http://www.gov.cn/xinwen/2019-12/29/content_5464866.htm, (“Without the consent of the securities regulatory authority of the State Council and the relevant competent departments of the State Council, no entity or individual may provide documents and materials related to securities business activities to overseas countries without authorization”).

[9] Id.

[10] See id.

[11]  See Gangku Kejigu Baodie Beihou Fasheng le Shenme? Honghao: Qingxuehua Paoshou, Meigu Shenzhi Keneng Yaozhan [What Happened Behind the Plunge in Hong Kong Technology Stocks? Hong Hao: U.S. Stocks May Even Halve after Emotional Selling], Phoenix News, Mar. 14, 2022, https://finance.ifeng.com/c/8ENa6F54mTo. Hereinafter Honghao.

[12]  See Connie Friesen, Re-Thinking US Policy on Engagement with Chinese Financial Institutions (May 2022) (M.A. dissertation, Harvard University), https://nrs.harvard.edu/URN-3:HUL.INSTREPOS:37371771.

[13]  Venkat Gundumella et. al, Great Power Competition and Chinese Assertiveness in the Covid World Order, SSRN, Apr. 9, 2021, at 10, https://ssrn.com/abstract=3822102 or http://dx.doi.org/10.2139/ssrn.3822102.

[14] YJ Fischer, Director, Office of Int’l Affs., Sec. and Exch. Comm’n, Resolving the Lack of Audit Transparency in China and Hong Kong: Remarks at the International Council of Securities Associations (ICSA) Annual General Meeting (May 24, 2022), https://www.sec.gov/news/speech/fischer-remarks-international-council-securities-associations-052422.

[15] Wangluo Anquan Shencha Banfa [Network Security Review Measures] § 7 (promulgated by Cyberspace Administration of China et. al, Dec. 28, 2021, effective Fed. 15, 2022], http://www.gov.cn/zhengce/zhengceku/2022-01/04/content_5666430.htm.

[16] Id.

[17] Wangluo Anquan Shencha Banfa [Network Security Review Measures, supra note 50.

[18] Guanjian Xinxi Jichu Sheshi Anquan Baohu Tiaoli [Critical Information Infrastructure Security Protection Regulations] § 2 (promulgated by St. Council, July 30, 2021, effective Sept. 1, 2021), http://www.gov.cn/zhengce/content/2021-08/17/content_5631671.htm.

[19] Xiao Wenjie & Wang Shanshan, Gongsi Yanbao: Didi de Zhen Wenti [Company Research Report: The Real Problem of Didi], YiMagazine, Oct. 13, 2021. https://www.yicai.com/news/101196927.html.

[20] Id.

[21] Dashuju Jiemi: Gaowentian Buwei Jiaban Dabiping [Big Data Revealed: Ministries and Commissions Work Overtime in High Temperature Days], Xinhua Net, July 18, 2015, http://www.xinhuanet.com/politics/2015-07/18/c_1115967447.htm.

Image Source: https://www.bloomberg.com/news/articles/2022-05-06/markets-are-weaker-than-u-s-economy-bridgewater-s-prince-says

By Jessica Otiono

 

Electronic Health Records (EHR) utilize modern technology that allows for electronic entry, storage, and maintenance of digital patient data.[1] This data includes patient records from doctors such as demographics, test results, medical history, history of present illness, and past and current medications.[2] In the past two decades, the utilization of information technology in the delivery and management of healthcare, which resulted in the adoption of EHRs, has provided an efficient way of sharing healthcare records between healthcare professionals and patients who enjoy easy access to their records.[3]

However, this ease of access is met with cybersecurity threats and data privacy challenges.[4]  The sensitive and patient-care-centeredness of EHRs make them susceptible to cyber-attacks.[5]  This is because they contain Personal Health Information (PHI), which cyber attackers sell for profit on the dark web.[6] Cyberattacks on EHRs occur in diverse ways. Some of these cyberattacks include:

 

1. 1. Phishing – Phishing attacks are the most rampant cybersecurity threats in healthcare. It is the practice of infecting a seemingly harmless email with malicious links.[7]  The usual form of phishing attack is email phishing.[8]
   2. Malware/Ransomware – This type of malware disables access to computer systems and files until a ransom has been paid.[9]  Ransomware may infect a computer system through a phishing email containing a malicious link.[10]
   3. Distributed Denial of Service (DDOS) – DDOS floods a website or computer network with internet traffic to overwhelm it and impair its performance and availability.[11] Cybercriminals employ bots to submit an excessive number of requests.[12] DDOs used together with Ransomware are one of the most destructive cybersecurity attack combinations.[13]

In dealing with cybersecurity threats to EHRs, Federal compliance laws such as the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (Act) were enacted to protect the privacy and data security of Personal Health Information (PHI) which are stored electronically.[14] In addition, the HIPAA privacy rule establishes “national standards to protect individuals’ medical records and other individually identifiable health information….”[15]

The HIPAA Security Rule also establishes appropriate safeguards to ensure the confidentiality, integrity, and security of electronically protected health information.[16] The Security Rule provides administrative, physical, and technical safeguards for managing healthcare data privacy.[17]  Some of these safeguards include: i.) establishing a security management process in which the covered entity must implement policies and procedures to prevent, detect, contain, and correct security violations;[18] ii.) appointing a designated security official who is responsible for the development and implementation of policies and procedures mandated by the Security Rule;[19] iii.) implementing policies and procedures to address security incidents when they occur;[20] iv.) creating policies and procedures for responding to an emergency that damages computer systems containing EHRs;[21] v.) establishing safeguards for workstation security;[22] vi.) implementing audit controls for information systems;[23] and vii.) implementing measures to protect against unauthorized access to electronic personal health information transmitted over an electronic communications network.[24]

In addition, the HITECH Act establishes the Breach Notification Rule. This rule requires Health care providers as well as other covered entities under HIPAA to promptly notify (within 60 calendar days from the day the breach is discovered) individuals of a data breach, as well as the Secretary of the U.S. Department of Health and Human Services (HHS) and the media in cases where the breach affects more than 500 individuals.[25] Breaches of fewer than 500 individuals must be reported to the Secretary of the HHS on an annual basis, no later than 60 calendar days from the end of the year.[26] As healthcare delivery technology continues to evolve, cyber-attacks on EHRs continue to happen. It is therefore imperative that healthcare providers and other key players implement policies that align cybersecurity and patient safety initiatives. These measures will protect patient safety and privacy while ensuring continuity in the delivery of high-quality healthcare by mitigating disruptions.

 

[1] Electronic Medical Record in Healthcare, U.S. Dept. Health Hum. Serv. 1, 3 (2022), https://www.hhs.gov/sites/default/files/2022-02-17-1300-emr-in-healthcare-tlpwhite.pdf.

[2] Id.

[3] Liu Hua Yeo & James Banfield, Human Factors in Electronic Health Records Cybersecurity Breach: An Explanatory Analysis, Perspectives In Health Info. Mgmt. (Mar. 15, 2022), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9123525/.

[4] Id.

[5] Greg Kill, Top 5 Cybersecurity Threats to Electronic Health Records and Electronic Medical Records, Integracon (Apr. 28, 2018), https://integracon.com/top-5-cybersecurity-threats-to-electronic-health-records-and-electronic-medical-records/.

[6] U.S. Dept. Health Hum. Serv., supra note 1, at 6.

[7] Edward Kost, Biggest Cyber Threats in Healthcare, Upguard (Aug. 8, 2022), https://www.upguard.com/blog/biggest-cyber-threats-in-healthcare.

[8] Id.

[9] Cyber Attacks: In the Healthcare Sector, Ctr. Internet Sec., https://www.cisecurity.org/insights/blog/cyber-attacks-in-the-healthcare-sector (last visited Sept. 14, 2022).

[10] Id.

[11] Hardik Shah, Top 10 Cybersecurity Challenges in the Healthcare Industry, Global Sign (May 5, 2022), https://www.globalsign.com/en/blog/10-cybersecurity-challenges-healthcare.

[12] Id.

[13] Id.

[14]   Liu Hua Yeo & Banfield, supra note 3.

[15] See The HIPAA Privacy Rule, HHS.gov., https://www.hhs.gov/hipaa/for-professionals/privacy/index.html (last visited Sept. 14, 2022).

[16] The Security Rule, HHS.gov.,  https://www.hhs.gov/hipaa/for-professionals/privacy/index.html (last visited Sept. 14, 2022).

[17] Ryan L. Garner, Evaluating Solutions to Cyber Attack Breaches of Health Data: How Enacting A Private Right of Action For Breach Victims Would Lower Costs, 14 Ind. Health L. Rev. 127, 139  (2017).

[18] Id.; 45 C.F.R. § 164.308 (a)(3)(i) (2017).

[19] Id. § 164.308(a)(2).

[20] Id. § 164.308(a)(6)(i).

[21] Id. § 164.308(a)(6)(i).

[22] 45 C.F.R. § 164.308(a)(6)(i) (2017).

[23] Id. § 164.312(b).

[24] Id. § 164.312(e)(1).

[25] 45 C.F.R. §§ 164. 400-414 (2009).

[26] Id.

Image Source: https://www.aranca.com/knowledge-library/special-reports/valuation/healthtech-decoded

By Paige Skinner

 

The COVID-19 pandemic came along with several unprecedented changes, including a large-scale transition towards employees working from home. Employees being in the office was no longer viable for many employers, so they moved to a remote work format.[1] With this move came the question of how productive employees could be without the built-in supervision of working from the office. Due to this concern, many employers looked for ways to track employee productivity.[2] They found an answer in software that could be downloaded onto employee devices, such as InterGuard and ActivTrak.[3] InterGuard allows employers to track employee activity through their location, how much time they spend idly on their devices, their perceived level of productivity, and can also secure employer data if the employee is terminated.[4] ActivTrak is similar in that it can provide information on employee behavior, determine how efficient an employee is being, and can help employees set goals and configure their workload balance.[5] These are just two of the numerous programs that employers can use to track their employees while they work from home. Employers can use the information they collect from software programs such as InterGuard and ActivTrak in several ways, including to secure the company’s data and assist them in making personnel decisions.[6]

Many employees may not even be aware that their employers have installed productivity tracking software on their work computers, phones, or tablets.[7] However, those who are aware have expressed concern over their employers tracking them this way.[8] Many argue that installing this technology feels like an invasion of their privacy.[9] These concerns, naturally, raise a question of the legality of software programs like InterGuard and ActivTrak. Concerned employees may be happy to learn that there is legislation that aims to protect them in these situations. The main statute that governs how employers may track their employees at home is the Electronic Communications Privacy Act (ECPA) of 1986.[10] The ECPA allows employers to “monitor employees in the workplace, including both written and verbal communications, for any legitimate business purpose” and can utilize other methods of monitoring if they receive employee consent.[11] A legitimate business purpose means anything that is in furtherance of the employer’s business or mission.[12] This purpose can look like an employer obtaining video footage, monitoring calls made through company phones, or tracking internet usage to ensure productivity.[13] A logical inference can be made that ensuring employee productivity is in direct correlation with a legitimate business purpose, as a business cannot be successful without productive employees. Because employers can easily link tracking employee productivity to furthering their business interests, it appears as though many of the lengths they go to track employees from their homes are, in fact, legal.[14] While this may seem like an invasion of privacy from an employee’s perspective, it is seen as a necessary tool for employers.[15] One employer went as far as claiming they believed “economic ruin” was in store for his company if his employees turned to remote work, and therefore tracking employee productivity was essential to prevent failure.[16]

As technology advances and remote work continues to become the norm post mandatory COVID-19 pandemic restrictions, productivity tracking software will likely continue to soar in popularity.[17] As the technology becomes more refined, employers should make it their priority to be in compliance with the ECPA and maintain transparency with their employees to ensure not only employee productivity but also employee morale.

 

 

[1] Tatum Hunter, Here are all the ways your boss can legally monitor you, The Washington Post (Sep. 24, 2021, 7:01 AM), https://www.washingtonpost.com/technology/2021/08/20/work-from-home-computer-monitoring/.

[2] Id.

[3] Skye Schooley, 5 Tools for Tracking Your Remote Staff’s Productivity, Business.com (Sep. 20, 2022), https://www.business.com/articles/11-tools-for-tracking-your-remote-staffs-productivity/.

[4] Id.

[5] Id.

[6] See id.

[7] Lindsay Lowe, What is ‘tattleware’? How employers may be tracking you at home, Today (Feb. 23, 2022, 9:12 AM), https://www.today.com/news/news/can-companies-track-workers-from-home-what-to-know-rcna17316.

[8] Id.

[9] Id.

[10] David C. Wells, Legal Considerations When Monitoring Remote Employees, EmploymentLawFirms, https://www.employmentlawfirms.com/resources/remote-employee-monitoring-laws.html#:~:text=At%20the%20federal%20level%2C%20the,for%20any%20legitimate%20business%20purpose (last visited Sep. 23, 2022).

[11] Id.

[12] See Managing Workplace Monitoring and Surveillance, SHRM, https://www.shrm.org/resourcesandtools/tools-and-samples/toolkits/pages/workplaceprivacy.aspx (last visited Sep. 23, 2022).

[13] Id.

[14] Wells, supra note 10.

[15] See Hunter, supra note 1.

[16] Id.

[17] Lowe, supra note 7.

Image Source: https://neuroleadership.com/your-brain-at-work/stop-the-surveillance

By Shravya Devaraj and Rohit Gupta*

 

I. INTRODUCTION

In 2019, the German Bundeskartellamt (Federal Cartel Office, hereinafter “German FCO”)[1] rendered the first decision[2] linking data protection with competition law. The German FCO made two main observations that have driven competition authorities to reconsider the factors influencing anti-competitive behavior in digital markets. First, it held that voluntary consent for processing information from third parties could not be assumed merely because consent is a prerequisite to accessing the services of facebook.com. Second, combining data collected by Facebook (now, Meta) owned services like WhatsApp and Instagram with Facebook cannot be processed without the users’ voluntary consent. These observations form an uncanny resemblance with the recently announced Competition Commission of India (hereinafter “CCI”) investigation against WhatsApp.[3] The 2021 privacy update[4] by WhatsApp negates the “voluntary” consent requirement by predicating access to the services solely on the acceptance of its new privacy policy. Further, the update introduced combining data collected through WhatsApp with other Facebook companies for marketing and advertising.

Contrasting the two decisions, the German FCO was guided by Article 6(1)(f) of the General Data Protection Regulation (GDPR)[5], whereas WhatsApp’s conduct in unilaterally denying consumers the “opt-out” option constituting a potential abuse of dominance spearheads the CCI investigation. In this piece, I aim to analyze the contours of antitrust scrutiny within the realm of privacy policies, specifically analyzing the role of consent in the CCI investigation.

II. DEFINING THE RELATIONSHIP BETWEEN PRIVACY POLICIES AND COMPETITION LAW

Digital platforms collect and monetize data through a direct subscription model (e.g., Spotify), by using collected data to tailor products directly to users (e.g., Amazon), or by selling targeted advertisements[6] (e.g., Facebook and Google Search). Social media companies like WhatsApp and Instagram also monetize by selling advertisements. Since these products are free platforms, they are called zero-price platforms.[7] The companies use the data they collect when users access their services to generate inferences about consumer preferences and behavior.

In competitive markets, companies compete fiercely for data and use this data to improve the quality and efficiency of goods and services. Since access to zero-price platforms is predicated on the data collected by companies, a lack of data can prevent companies from offering goods and services at competitive levels. This makes these companies less likely to survive in data-driven markets, leading to decreased competition. Courts[8] have previously recognized the role of data privacy as a significant factor of quality, hence an important parameter in analyzing anticompetitive behavior.[9] The value of data collected by zero-price platforms is not limited to the ad-tech industry; it extends to the company’s potential to use the data to innovate and ability to increase barriers to entry for new companies entering the market.

Further, zero-price platforms have forced competition regulators to revisit whether the absence of “data” within the competition law framework definition should preclude the basis for such investigation. For instance, the Competition Law Review Committee in India found the inclusion of data within the definition of price to tackle digital markets was unnecessary since the current definition of price encompasses “every valuable consideration, whether direct or indirect,” is wide enough to encompass any kind of consideration that has a bearing on a service or product. [10]

The relationship between privacy policies and competition law is not mutually exclusive. In the digital market, data substitutes price where the value and contribution of user data to the market prowess of companies are undeniable. For instance, Japan adopted guidelines to include a collection of personal data without consent as a violation of the Japan Anti-Monopoly Act.[11]

III. PRIVACY AS A COMPONENT AFFECTING COMPETITION

A growing sense of reckoning for consumers’ privacy and data protection has influenced conscious privacy policy frameworks. Firms compete by increasing the level of privacy protection through data minimization, storing personal data for shorter time periods (storage limitation), providing clear, precise, and understandable privacy policies (transparency), deploying PETs (data security & privacy by design), and implementing protective privacy features by default.

For instance, Google introduced alternatives to third-party data collection by Tools AI and federated learning of cohorts (FLoC).[12] However, the Competition and Markets Authority (UK’s competition regulator, hereinafter “CMA”) launched an investigation on these privacy policy changes by Google, called the Google Sandbox investigation.[13] The CMA is primarily concerned about the changes resulting in anti-competitive practices where Google would retain the ability to track individual web users on Chrome despite preventing third parties to do the same by the effective implementation of the Privacy Sandbox Proposals. Close involvement and interventions by CMA to ensure Google’s proposals to implement the Sandbox Proposal on Android do not distort market competition is a digression from competition regulators resorting to ex-post regulatory actions.[14] Another example is Apple’s change in its privacy policy which has made it harder for third-party apps to collect data – by introducing an enhanced notice and consent mechanism[15] based on user opt-in but exempting its own apps from the requirement, leading to potential self-preferencing conduct, especially since third-party applications continue to pay Apple a 15-30% fee.[16] Hence, privacy policies have formed an essential component in influencing competition law determinations.

In India, the WhatsApp investigation has presented an opportunity for competition regulators to determine the influence of privacy in influencing anti-competitive behavior. The recent CCI Telecom Report[17] also presented abusive conduct illustrations, including a low privacy standard. This implies a lack of consumer behavior, lower standards of data protection, which could indicate exclusionary behavior, and leveraging a data advantage across various services.

IV. ROLE OF CONSENT THROUGH THE CCI INVESTIGATIONS

Unlike Europe, India does not have exhaustive data protection guidelines. The current Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter “SPDI Rules”)[18], and the Information Technology Act, 2000[19] (hereinafter “IT Act”) are insufficient to provide a legal basis for initiating anti-trust scrutiny through an exploitative privacy policy angle. It only provides broad compliance for the collection of sensitive personal data. Instead, the WhatsApp CCI investigation finds that data-sharing by WhatsApp with Facebook amounts to the degradation of non-price parameters of competition. This conduct prima facie amounts to the imposition of unfair terms and conditions upon the users of WhatsApp.

The CCI has previously investigated WhatsApp in 2016[20] and 2020.[21] The 2016 investigation resembles the current investigation since it involved a change in WhatsApp’s privacy policy.[22] The change in its policy allowed data sharing between WhatsApp and Facebook, though it allowed users to opt-out of this data sharing within thirty days. In 2016, CCI decided against abuse of dominance since the ‘opt-out’ made data sharing optional, and there were legitimate purposes for sharing the data with Facebook-owned companies.[23] The legitimate purposes included using the data for improving user and product experience and overall cyber security. However, the German FCO held that these exact reasons for sharing data were incompatible[24] since it did not ultimately lead to Facebook’s interest in processing data according to its terms and conditions outweighing user interests.

Though some researchers argue that the 2016 and 2020 CCI investigations established an ‘implicit’ and ‘explicit’ user choice standard for determining  unfairness[25] where the implicit element constitutes the user’s ability to opt-out of data sharing without limiting their access to the service – the explicit standard implies taking away additional choices that would have otherwise been available to users resulting in an unfair imposition on users. The 2021 policy is in contravention to both these standards and thus provides a sufficient basis for the CCI to decide against WhatsApp. However, the consequences of establishing anti-competitive behavior only on the competition regulator’s user choice standard of consent limit the extent of the commission in analyzing the repercussion of exploitative privacy policies to consent-based findings. This restricts the far-reaching implications of drafting privacy policies that might impose unreasonable time limits for storing and collecting data for vague purposes to slip between the cracks, especially if they merely fulfill the voluntary consent requirement.

V. CONCLUSION

In India, the scope for including privacy considerations is limited in the competition law legislative framework. The need of the hour is implementing robust data protection principles that have been envisaged in the 2021 Data Protection Bill. Further, addressing the collection of data that contributes to the unequal bargaining power of big tech companies might require an explicit inclusion of such provisions. Hence, instead of data protection standards playing catch up with the competition regulator’s findings, a clear framework for handling data with guidelines on formulating privacy policies will address the lacunae in the existing privacy law framework. Besides directing companies towards adopting better privacy policies, it would also facilitate anti-competitive behavior analysis. Having recognized the intersection of privacy policies and competition law, this article offers insights into the current CCI investigation and the impact of framing privacy policies on anti-competitive behavior. There are significant international differences in approaches to data protection and competition policy, and competition authorities worldwide differ in their mandate and the scope of their competition laws. Thus, applying global best practices in framing privacy policies will harmonize the application of legislative provisions specific to jurisdictions.

 

* Shravya Devaraj and Rohit Gupta are final year law students at West Bengal National University of Juridical Sciences, Kolkata.

[1] The German FCO is Germany’s national competition regulatory agency.

[2] Bundeskartellamt v. Facebook, Case KVR 69/19 (June, 2020).

[3] Re: Updated Terms of Service and Privacy Policy for WhatsApp Users, Suo Moto Case No. 01 of 2021.

[4] We updated our Terms of Service and Privacy Policy on January 2021, (January 2021) https://faq.whatsapp.com/5623935707620435/?locale=en_US.

[5] Processing shall be lawful only if and to the extent that at least one of the following applies:

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

[6] Lina M. Khan, Amazon’s Antitrust Paradox, 126 YALE L. J. 564 (2017).

[7] Maurice Stucke, Allen Grunes, Big Data and Competition Policy, Oxford University Press (2016).

[8] Case No. AT.40684.

[9] CMA investigates Facebook’s use of ad data, (June 4, 2021), https://www.gov.uk/government/news/cma-investigates-facebook-s-use-of-ad-data.

[10] Ministry of Corporate Affairs, Report of Competition Law Review Committee, (July 2019), https://www.ies.gov.in/pdfs/Report-Competition-CLRC.pdf.

[11] Japan Fair Trade Commission, The Guidelines for Exclusionary Private Monopolization under the Antimonopoly Act, (2009).

[12] Federated Learning of Cohorts (“FLoC”), https://privacysandbox.com/intl/en_us/proposals/floc.

[13] Competition & Market Authority, Investigation into Google’s ‘Privacy Sandbox’ browser changes, (2021).

[14] Case Number 50972, Decision to accept commitments offered by Google in relation to its Privacy Sandbox Proposals.

[15] Legal Process Guidelines, Government of Law and Enforcement, https://www.apple.com/legal/privacy/law-enforcement-guidelines-us.pdf.

[16] Epic Games, Inc. v. Apple Inc., 559 F. Supp. 3d 898 (N.D. Cal. 2021).

[17] CCI Workshop on Competition Issues in the Telecom Sector in India (February 2021).

[18] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, (2011).

[19] The Information Technology Act, (2000).

[20] In Re: Shri Vinod Kumar Gupta and Whatsapp, Case No. 99, (2016).

[21] In Re: Harshita Chawla and Whatsapp Inc., Facebook Inc., Case No. 15, (2020).

[22] In Re: Shri Vinod Kumar Gupta and Whatsapp, Case No. 99, ¶14, (2016).

[23] In Re: Shri Vinod Kumar Gupta and Whatsapp ,Case No. 99,¶15, (2016).

[24] Bundeskartellamt v. Facebook, Case KVR 69/19, (June, 2020).

[25] Centre for Internet & Society, The Competition Law Case Against WhatsApp’s 2021 Privacy Policy Alteration (March 2021), https://cis-india.org/internet-governance/blog/the-competition-law-case-against-whatsapp2019s-2021-privacy-policy-alteration.

Image Source: http://www.nlujlawreview.in/integrating-data-protection-and-competition-law-the-why-the-how-and-the-way-forward/

By Taylor M. Sorrells

Since the recent U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, ending the federal constitutional protection of abortion rights,[1] there has been legal uncertainty surrounding how to protect personal data held by third-party apps and software.[2] Specifically, some commentators are concerned that prosecutors in states that have criminalized abortion will access electronic data such as healthcare records, geolocation data, phone call,  text message records, and financial statements to prosecute those suspected of obtaining abortions.[3]

The U.S. Constitution provides very limited protection for data privacy. While the Fourth Amendment offers general protections against unreasonable searches and seizures by government officials,[4] most seizures of data in the abortion context will not be barred by the Fourth Amendment, so long as the prosecutor seeking to access the data obtains a search warrant.[5] Further, the Supreme Court has recognized that, in some cases, law enforcement can subpoena data from third parties without triggering the requirements of the Fourth Amendment—thus requiring no warrant.[6]

While the constitutional protections for data privacy are rather weak, several federal privacy statutes may offer some protection for those seeking reproductive healthcare.[7] However, there is only limited potential for current federal privacy laws to protect the majority of individuals seeking abortions in states that have criminalized the procedure because most of these laws include law enforcement exceptions, which enable third parties to disclose data to law enforcement officials without consumer consent.[8]

In an executive order dated July 8, 2022, the Biden administration, seeking to strengthen federal protections for abortions, ordered the Federal Trade Commission (FTC) chair to “consider actions, as appropriate and consistent with applicable law . . . to protect consumers’ privacy when seeking information about and provision of reproductive healthcare services.”[9] Under the FTC Act, the FTC has broad authority to address consumer privacy violations by diverse entities.[10] Similarly, President Biden instructed the Secretary of the Department of Health and Human Services (HHS) to strengthen existing privacy protections for individuals seeking reproductive healthcare.[11]

While the order signals the Biden administration’s interest in preserving data privacy rights within the reproductive healthcare context, for abortion advocates, it will not likely provide sufficient protection because of the law enforcement exceptions that are written into most of the statutes from which these executive agencies derive their authority.[12] Further, the Health Information Portability and Accountability Act (HIPAA), which HHS administers, has a privacy rule which specifically allows abortion providers to share information with law enforcement, and some state laws require sharing under certain circumstances.[13] Because of these weaknesses in current federal law, commentators believe that absent a change in law or a new rulemaking, patients’ sensitive data will remain at risk.[14]

Post-Dobbs, members of Congress have proposed several bills intended to preserve reproductive health data rights.[15] One of the strongest bills proposed so far is the My Body, My Data Act, which would require the FTC to enforce a national privacy standard for reproductive health data collected by third-party apps, cell phones, and search engines.[16] The bill has been introduced in both the House and Senate, but with the Senate deeply divided on the issue of abortion, its future remains uncertain.[17]

Without stronger federal privacy laws, in most cases, prosecutors in states that have criminalized the procedure will be able to use suspected abortion-seekers’ electronically stored data as evidence against them in criminal prosecutions. For many commentators, new federal laws governing data protection have been long overdue.[18] However, in the post-Dobbs era, abortion advocates’ calls for increased data privacy protection have taken on a new urgency.

Keep an eye on this evolving area of the law.

 

[1] 142 S. Ct. 2228 (2022) (overruling Roe v. Wade, 410 U.S. 113 (1973), and Planned Parenthood v. Casey, 505 U.S. 833 (1992)).

[2] Abby Vesoulis, How a Digital Abortion Footprint Could Lead to Criminal Charges—And What Congress can do About it, Time (May 10, 2022, 4:20 PM), https://time.com/6175194/digital-data-abortion-congress.

[3] Id.

[4] U.S. Const. amend. IV.

[5] Riley v. California, 573 U.S. 373, 377 (2014) (holding that police must obtain a warrant before searching a seized cell phone).

[6] United States v. Miller, 425 U.S. 435, 446 (1976) (upholding the warrantless subpoena of bank records); Smith v. Maryland, 442 U.S. 735, 745–46 (1979) (ruling that law enforcement did not need a warrant to access phone records).

[7] See, e.g., Health Information Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (imposing federal privacy requirements upon entities within the healthcare industry); Gramm-Leach-Bliley Act, Pub. L. No. 106-102, 113 Stat. 1338 (1999) (requiring entities within the banking industry to protect customer data); Stored Communications Act, 18 U.S.C. 121 §§ 2701–12 (1986) (addressing data privacy within electronic communications); Privacy Act of 1974, 5 U.S.C. § 552a (safeguarding data privacy within federal agencies).

[8] Chris D. Linebaugh, Cong. Rsch. Serv., LSB10786, Abortion, Data Privacy, and Law Enforcement Access: A Legal Overview, at 3 (2022).

[9] Exec. Order No. 14076, 87 FR 42053 (2022).

[10] See Federal Trade Commission Act of 1914, 15 U.S.C. §§ 41-58.

[11] Exec. Order No. 14076.

[12] Linebaugh, supra note 8.

[13] Allie Reed & Christopher Brown, Abortion Privacy Push Pits Biden Against Criminal Laws in States, Bloomberg Law (Aug. 3, 2022, 5:45 AM), https://www.bloomberglaw.com/bloomberglawnews/health-law-and-business/XEHPIBOK000000?bna_news_filter=health-law-and-business#jcite.

[14] Id.

[15] E.g., Stop Anti-Abortion Disinformation Act, S. 4469, 117th Cong. (2022) (directing the FTC to prescribe rules prohibiting disinformation in advertisements for abortion services); Health and Location Data Protection Act, S. 4408, 117th Cong. (2022) (prohibiting data brokers from selling and transferring certain sensitive data).

[16] H.R. 8111, 117th Cong. (2022).

[17] Nik Popli & Vera Bergengruen, Lawmakers Scramble to Reform Digital Privacy After Roe Reversal, Time (July 1, 2022, 12:44 PM), https://time.com/6193224/abortion-privacy-data-reform.

[18] See, e.g., Cameron F. Kerry, Why Protecting Privacy is a Losing Game Today—and how to Change the Game, Brookings (July 12, 2018), https://www.brookings.edu/research/why-protecting-privacy-is-a-losing-game-today-and-how-to-change-the-game.

 

Image Source: https://www.nbcnews.com/tech/security/abortion-clinics-providers-digital-privacy-roe-overturn-rcna30654

 

AI: Artificial or Artistic Intelligence?

By Austin Wade-Vicente

“We see this technology as an engine for the imagination,” emphatically stated David Holz, creator of the popular online AI art generation program Midjourney.[1] The same program table-top games creator James Allen used this past month to win first-place in digital art at the Colorado State Fair ahead of 20 other artists.[2] Allen’s above pictured “Théâtre D’opéra Spatial” is undoubtedly an appealing work of art, but, in the era of these AI-generated masterpieces, who can legally claim ownership of this blue-ribbon piece?

Read More

By Owen Giordano

 

In just over a decade, cryptocurrency has radically altered our society’s notion of currency.[1] With a growing number of United States (US) citizens holding onto cryptocurrency, many states are at an impasse as to how they should collect tax on the transactions made with the medium.[2] However, under Virginia’s sales tax statute, the state is allowed to levy a tax on transactions.[3] The scope of this tax is broad and allows taxation on transactions done with currency or through bartering (i.e., property for property).[4] As such, retail sales transactions involving cryptocurrency are likely taxable in the state of Virginia, and that retailer would be obligated to collect the tax on Virginia’s behalf.[5] This development would lead to multiple issues for retailers in Virginia.

Foundational knowledge of this topic is necessary before discussion. To start, cryptocurrency refers broadly to a decentralized, digital currency.[6] This medium lacks any sort of centralized oversight that traditional currencies have, with cryptocurrency transactions recorded on a digital register known as a blockchain.[7] A blockchain is best described as a “ledger” that records and tracks the transactions of all assets (tangible and intangible) done with a specific cryptocurrency. Further, a cash equivalent refers to any form of investment security that can be readily liquidated (turned into cash), such as checks.[9] Put bluntly, a cash equivalent is any medium that works like cash in a transactional setting. Finally, and importantly, this blog assumes that, because cryptocurrency is a medium that can be readily liquidated and is ultimately designed as a substitute for cash, Virginia designates cryptocurrency as a cash equivalent.[10]

Through both the relevant sales tax statute and the choice to label cryptocurrency as a cash equivalent, transactions conducted with cryptocurrency would assuredly be taxable, and retailers would be obligated to collect the associated sales tax.[11] While this creates various possibilities, the decision is not without issues.

To begin, cryptocurrency on paper seems more portable than tangible currency due to the medium’s digital (and thus intangible) nature.[12] The closest analogy would be making a purchase via check or card payment for an expensive transaction, in that those mediums save consumers from the hassle of carrying thousands and thousands of coins or dollars. However, the ability to “carry” cryptocurrency has higher barriers to access than carrying cryptocurrency. As a digital currency, the use of cryptocurrency requires some sort of digital device with internet access to engage in a transaction.[13] Conversely, access to such devices and services is not needed for all-cash transactions because of cash’s tangible nature. While over ninety percent of US adults have access to the internet, adding such hurdles makes cryptocurrency a less efficient medium than tangible currencies.[14] One could argue that this issue applies to check or card payments as well. Yes, but the tangible nature of check payments does not require the additional requirements of constant access to digital devices or the internet. Simply put, the current business infrastructure in Virginia (and the country at large) remains lacking for transactions involving cryptocurrency. Therefore, to fully benefit from the use of cryptocurrency, investment in blockchain technology, as well as the ability to access said platforms more readily and freely, is needed.

Secondly, there is the question of cryptocurrency’s acceptability as a form of payment. Cryptocurrency is notable for its oscillating value.[15] This is partly due to the medium’s decentralized, where there is no regulatory body helping to stabilize the medium.[16] The unstable value contributes to businesses’ apprehension towards accepting cryptocurrency, as a profit could turn into a loss within the span of a day.[17] In the realm of sales tax collection obligations, the oscillating values raise concerns as to when the tax should be collected and what a retailer should do about their tax collection obligation when there is swift and dramatic change in the value of a cryptocurrency.[18] As such, Virginia would need to develop policy to address this key issue.

To conclude, cryptocurrency offers potential as a cash equivalent. Its promise of decentralization and minimal regulatory interference offers many valid reasons for its adoption and use in transactions. However, due to the medium’s novel nature, there is still much planning and development needed to support its use. As such, should cryptocurrency qualify as a cash equivalent, investment in the appropriate technological infrastructure would be necessary for Virginia to reap the benefits this medium offers.

 

[1] “Cryptocurrency” is used this blog post to the broad concept of cryptocurrency, rather than a particular type of cryptocurrency.

[2] Eswar S. Prasad, Are Cryptocurrencies the Future of Money?, EconoFact (Oct. 19, 2021), https://econofact.org/are-cryptocurrencies-the-future-of-money#:~:text=Cryptocurrencies%20have%20captured%20the%20public,end%20from%20a%20societal%20perspective; Cryptocurrency Sales and Use Tax by State, The Bureau of National Affairs, Inc. https://pro.bloombergtax.com/brief/cryptocurrency-tax-laws-by-state/  (last updated: Nov. 22, 2021).

[3] For the purposes of this paper, a “transaction” concerns the retail sale of a taxable good or service. Other types of transactions, such as exchanges for cash equivalents or non-tangible goods, exist, with different states adopting different views on the taxability of such transactions. See Casey W. Baker et al., U.S. State Taxation of Cryptocurrency-Involved Transactions: Trends & Considerations for Policy Makers, 75 Tax Law. 601, 625-26 (2022); Va. Code §§ 58.1-603 (authorizing sales tax)

[4] Va. Code §§ 58.1-602, 58.1-603 (definitions, authorization of a sales tax for both transactions using currency or property).

[5] Va. Code § 58.1-612.

[6] Kate Ashford, What Is Cryptocurrency?, Forbes, https://www.forbes.com/advisor/investing/cryptocurrency/what-is-cryptocurrency/ (Jun. 6, 2022).

[7] Id.

[8] What is Blockchain Technology?, International Business Management, https://www.ibm.com/topics/what-is-blockchain#:~:text=Blockchain%20for%20Dummies%22-,Blockchain%20overview,patents%2C%20copyrights%2C%20branding (last visited: Aug. 18, 2022).

[9] James Chen et al., Cash Equivalents¸ Dotdash Meredith, https://www.investopedia.com/terms/c/cashequivalents.asp#:~:text=Cash%20equivalents%20are%20the%20total,are%20the%20most%20liquid%20assets (last updated: Nov. 27, 2020).

[10] See Eswar S. Prasad, Are Cryptocurrencies the Future of Money?, EconoFact (Oct. 19, 2021), https://econofact.org/are-cryptocurrencies-the-future-of-money#:~:text=Cryptocurrencies%20have%20captured%20the%20public,end%20from%20a%20societal%20perspective (contemplating the effects of using cryptocurrency in a transaction setting, in a manner similar to most cash equivalents); Paulina Likos & Coryanne Hicks, The History of Bitcoin, the First Cryptocurrency, U.S. News & Report, L.P. (Feb. 4, 2022), https://money.usnews.com/investing/articles/the-history-of-bitcoin (mentioning Bitcoin’s, a cryptocurrency, use in transactional settings in a manner similar to cash equivalents); Nathaniel Popper, Bitcoin Has Lost Steam. But Criminals Still Love It, N.Y. Times (Jan. 28, 2020), https://www.nytimes.com/2020/01/28/technology/bitcoin-black-market.html (criminals using cryptocurrencies in transactional settings, further comparison of the medium to cash equivalents).

[11] Va. Code §§ 58.1-602, 58.1-603, 58.1-612.

[12] Kate Ashford, What Is Cryptocurrency?, Forbes, https://www.forbes.com/advisor/investing/cryptocurrency/what-is-cryptocurrency/ (Jun. 6, 2022).

[13] The Basics about Cryptocurrency, State University of New York at Oswego, https://www.oswego.edu/cts/basics-about-cryptocurrency (last visited: Aug. 28, 2022).

[14] https://www.pewresearch.org/internet/fact-sheet/internet-broadband/

[15] Eswar S. Prasad, Are Cryptocurrencies the Future of Money?, EconoFact (Oct. 19, 2021), https://econofact.org/are-cryptocurrencies-the-future-of-money#:~:text=Cryptocurrencies%20have%20captured%20the%20public,end%20from%20a%20societal%20perspective

[16] Id.

[17] Ryan Haar, You Can Buy More Things Than Ever With Crypto. Here’s Why You Shouldn’t, NextAdvisor, LLC, (May 3, 2022) https://time.com/nextadvisor/investing/cryptocurrency/should-you-use-crypto-like-cash/ (citing only 20% of people will use cryptocurrency as a cash substitute).

[18] Va. Code § 58.1-612.

 

Image source: https://time.com/nextadvisor/investing/cryptocurrency/should-you-use-crypto-like-cash/