UC Irvine Law Review

Tech companies have gradually and informally assumed the role of international lawmakers on global cybersecurity issues. But while it might seem as if the international community and Internet users are the direct beneficiaries of private tech industries’ involvement in making law, there are many questions about this endeavor that require a thorough examination. The end goal and risks associated with such ventures are largely obscure and unexplored.

This Article provides an analysis of how tech companies are effectively becoming regulators on global cybersecurity, based on states’ inability to overcome geopolitical divides on how cyberspace ought to be regulated globally. This Article looks primarily at three separate proposals representing the larger trend of the privatization of cybersecurity law: the Digital Geneva Convention, the Cyber Red Cross, and the Cybersecurity Tech Accord. These, as well as other initiatives, reflect the gradual and uncontested assimilation of private tech companies into the machinery of international lawmaking.

This Article argues that state governments, civil society organizations, Internet users, and other stakeholders need to step back and carefully evaluate the dangers of ceding too much lawmaking control and authority to the private tech sector. These private actors, while not yet on an equal footing to states, are increasingly displacing states as they seek to create their own privatized and unaccountable version of cybersecurity law.

Debates over inequality have largely ignored the largest body of people living in poverty. Although anti-poverty policymaking focuses overwhelmingly on the chronic poor, a far larger number of people suffer occasional acute bouts of poverty. The causes of the acute poor’s problems, and their needs, differ significantly from those of the chronic poor. Even short spells of poverty can cause serious, physical, psychological, and material harm as well as impairment in their ability to return to their former circumstances.

Demographically, the acute poor resemble the general population far more than the chronic poor, yet they receive little sympathy: politicians may praise them in the abstract, but all too often the acute poor become collateral damage in struggles over the treatment of the chronic poor. The standard model of public welfare law, which is built around avoiding moral hazard, ill-fits the acute poor. A combination of eligibility limits, arduous procedures, deliberate stigmatization, waiting lists, and conduct requirements reduces the chronic poor’s receipt of aid but often affects the acute poor even more powerfully. More recently, some politicians have begun to attack the acute poor directly. The acute poor pay for the safety net in good times but cannot access it in bad.

Replacing the standard model of public welfare law would allow limited public funds to better serve all low-income people, acute and chronic alike. Greater attention to the acute poor would reduce their hardship and could lead to reexamination of some overly simplistic ideas about the chronic poor as well.

The decision to issue a preliminary injunction is enormously consequential; it has been likened to “judgment and execution before trial.” Yet, courts regularly say that our primary tool for promoting truth seeking at trial—the Federal Rules of Evidence—does not apply at preliminary injunction hearings. Judges frequently consider inadmissible evidence to make what may be the most important ruling in the case. This Article critically examines this widespread evidentiary practice.

In critiquing courts’ justifications for abandoning the Rules in the preliminary injunction context, this Article introduces a new concept: “meta-evidence.” Meta-evidence is evidence of what evidence will be presented at trial. I demonstrate that much evidence introduced at the preliminary injunction stage is, in fact, meta-evidence. And I show why meta-evidence that initially appears inadmissible under the Rules is often, in fact, admissible. Applying the Rules at the preliminary injunction stage, then, would not exclude nearly as much evidence as courts may have assumed.

I offer two proposals for how courts should use the Rules at the preliminary injunction phase. More ambitiously, I suggest courts should apply the Rules with an exception directly tailored to the dangers of limiting admissible evidence when the parties are under time pressure. Alternatively, I suggest that courts simply recognize when evidence is actually meta-evidence and weigh it appropriately. Courts should acknowledge that meta-evidence is probative only to the extent it tends to show the proponent will produce admissible evidence at trial.

Consumers have been left out of the great debate over the mission of the firm, in which advocates of shareholder value maximization face off against advocates of corporate social responsibility, who would allow management leeway to allocate profits to workers and other non-shareholder insiders of the firm. The consumer welfare standard adopted by antitrust law in the 1970s requires that firms allocate their profits neither to shareholders nor to workers or other firm insiders. Instead, the standard requires that firms strive to have no profits at all, by charging the lowest possible prices for their products. Such a profit-minimization requirement, which, as federal antitrust law, would bind all state-level corporate law regimes, would preserve incentives for businesses to perform efficiently because any incentive payments necessary for efficiency count as costs, not profits, and could therefore be retained by firms.

On May 25, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) came into effect. The GDPR is expected to reshape web use and overhaul data privacy laws beyond Europe in how businesses and organizations can handle customer and user information. Only a month after, California passed the California Consumer Privacy Act of 2018 (CCPA). The CCPA is one of the most significant regulations overseeing data-collection practices of businesses in the United States. It is the first of its kind and is expected to provide the most comprehensive data privacy measures in the United States. As such, the combined CCPA and GDPR data privacy regulations will likely usher in a tidal wave of changes, most likely setting new data privacy standards for other jurisdictions to model.

Drawing from these events, this Note will examine the EU’s and California’s newest data privacy laws, studying the immediate and potential effects of GDPR and CCPA regulations on the existing data privacy regime. Through a comparative study of GDPR and CCPA provisions, this Note attempts to answer key questions in discourse today—to what extent are the CCPA and GDPR moving towards convergence or divergence, and how will the laws affect businesses and consumers? Is the U.S. data privacy environment veering away from its hands-off approach and drawing closer to the comprehensive approach of the EU data privacy regime? This Note will explore these questions looking at two particular provisions in the GDPR and CCPA: (1) the opt-in vs. opt-out consent and (2) the right to be forgotten/right to delete personal data.

Lastly, this Note analyzes the practical implications of the GDPR and CCPA regulations on businesses in terms of how receptive businesses are to the regulations, how well businesses strive to conform to the regulatory boundaries of data privacy regimes, and whether the regulations will have the intended effect of strengthening consumer rights by putting heavier restrictions on businesses.