An Amazon logo is seen inside the Amazon corporate headquarters on June 16, 2017 | David Ryder/Getty Images How lobbyists rewrote Washington state’s privacy law Washington state was writing European-style legislation. Then corporate lobbyists got involved.

The latest battle between Big Tech and privacy campaigners is not in Brussels, Berlin or Washington, D.C.

It's in Washington state.

There, lawmakers have days to resurrect data protection rules aimed at giving local residents — as well as Microsoft and Amazon — some of the toughest privacy standards in the United States. The proposals borrow heavily from protections already available in the European Union, including the right for people to demand the removal of information from companies' databases, and may soon become the foundation for potential nationwide U.S. privacy rules.

But as the clock ticks down to pass the legislation by April 28, when the state legislative session ends, consumer advocates and some Washington legislators complain that the process of writing the law — originally some of the strongest privacy rules to be proposed in the U.S. for decades — was co-opted by corporate interests, tech lobbyists and industry-friendly lawmakers.

Tech advocates deny these allegations, saying the proposals would give Washington state residents greater control over how firms collect, manage and use their data.

"We looked to Europe's GDPR standard and the California privacy bill to take the best practices we could find" — Reuven Carlyle Washington state Democratic senator

But as people around the world grow more attuned to how Google, Facebook and others gather personal information on their users, the West Coast stand-off between tech firms and privacy groups has become ground zero for a new battle over privacy rights and the power of large tech corporations.

It also will test U.S. lawmakers' nerve to curb Big Tech's data collection practices amid renewed lobbying in Washington, D.C. over potential federal privacy rules — an effort that has gained significant momentum after California passed its own state data protections last year.

The Washington state proposals similarly represent the first time that Europe's privacy standards, known as the General Data Protection Regulation, or GDPR, have been exported to the United States, raising questions about whether European policymakers can cement their efforts to become the de facto global standard by installing them in the U.S. state that is home to both Microsoft and Amazon.

"We looked to Europe's GDPR standard and the California privacy bill to take the best practices we could find," said Reuven Carlyle, a local Democratic senator who co-sponsored the Washington state privacy legislation. "We're in a new era. We're only now just beginning to understand the importance of what privacy laws could be."

GDPR goes West

What sets Washington state's proposals apart from other U.S. efforts are its ties to Europe's privacy standards.

Almost a year after they came into force in May, 2018, versions of the European Union's data protection overhaul have been adopted, in various forms, by policymakers from Colombia to South Korea. Europe's rules are aimed at handing power back to consumers over how their online personal data is used, and include fines of up to 4 percent of a company's global revenue or €20 million, whichever is higher, in the event of abuse.

In Olympia, the capital of Washington state, the current legislative draft specifically name-checks Europe's rules in its preamble, and copies — sometimes word for word — the rights and obligations for both citizens and companies that routinely collect information on their users. That includes offering people the ability to ask for their data to be removed, as well as putting limits on the type of information that firms can harvest without asking for explicit permission.

Yet as lawmakers began mulling the new standards last fall, campaigners and some Washington legislators said that Microsoft played a significant role in drafting the original bill. Corporate interests, including those of Amazon and Comcast, a cable provider, also have successfully inserted carve-outs for much of their existing data collection practices which make the current proposals almost meaningless, according to these groups.

In total, Microsoft boosted its lobbying spend in Olympia by 11 percent, to around $389,000, over the last 12 months compared to the previous year, according to its regulatory filings. That included Brad Smith, Microsoft's president, calling individual lawmakers to cajole them into backing the proposals, according to several Washington politicians who were contacted by Smith.

In the final draft circulated among local lawmakers last week, which was obtained by POLITICO, Ryan Harkins, a senior public policy director at Microsoft, also wrote notes in the margins, often chiding lawmakers for their legislative approach and deleting sections of the bill that he viewed as unsatisfactory.

Microsoft's full-court press paid off.

While the state's attorney general had called for the inclusion of a right for individuals to sue companies for potential wrongdoing, such a provision was eventually not included in the final proposals. Financial penalties — much-needed teeth to ensure compliance — were capped at just $7,500 for each intentional violation and $2,500 for any unintended infractions.

The basic premise of the law was also based on giving companies the default right to collect personal data, whereas in Europe, consumers are automatically given the right to not have their information harvested unless they give explicit consent.

"I was in some negotiations the governor pulled together and the room had representatives from Microsoft, Amazon, the Association of Washington Business and Comcast, but no one from consumer groups," said Zack Hudgins, a Democratic Washington state congressman who chairs the House's innovation, technology and economic development committee. "From the outside, it looked like a disproportionate influence."

Tech groups deny they had an undue say over Washington state's privacy push.

"Of course, some protections would be better than no protections, but this bill offered only the illusion of privacy, nothing more." — Shankar Narayan, director of the Technology and Liberty Project

Michael Schutzler, head of the Washington Technology Industry Association whose members include Microsoft, Amazon and Comcast, said it was only right that local tech companies, many of which would have to comply with any new legislation, would want to participate in how the rules were drafted.

"If Microsoft didn't participate, they'd be blamed. And when they do participate, they also get blamed," he said.

First Washington state, next Washington, D.C.?

The wrangling has only days to play out before Washington state loses its chance to pass privacy legislation.

After local lawmakers missed a legislative deadline last week to reach agreement on several hot-button topics, including data protections linked to facial recognition technology, Jay Inslee, the state's governor and a Democratic U.S. presidential candidate, now has limited options to reach consensus before the part-time local lawmakers down tools until next year.

Washington state lobbyists and campaigners give the proposals only an outside chance of approval by the end of the month.

Such a failure does not bode well for renewed efforts to pass U.S. federal privacy rules — and highlights how exporting European data protection standards worldwide can quickly fall afoul of local lobbying from both corporate interests and advocacy groups.

For Julie Brill, deputy general counsel at Microsoft and a former U.S. Federal Trade Commissioner, Washington state's take on digital consumer privacy had gone further than other U.S. state-based efforts to curb the excesses of corporate data collection, and would have served as a template for any federal legislation that could have eventually come before lawmakers.

"The current privacy rules are inadequate," she said. The Washington state proposals "took provisions from GDPR and California and built on those concepts."

But Shankar Narayan, director of the Technology and Liberty Project at the American Civil Liberties Union in Washington state, applauded the expected failure by local lawmakers to reach an agreement on new privacy rules. He complained that strong-arm corporate lobbying had taken over the process, watering down consumer rights in favor of protecting business interests.

"Of course, some protections would be better than no protections," he said. "But this bill offered only the illusion of privacy, nothing more."

CORRECTION: This article was corrected on May 4, 2019. Due to a clerical error by Washington State’s Public Disclosure Commission, a previous version of this story incorrectly stated Microsoft’s yearly lobbying spend and the increase in that figure. The correct figures are an increase of 11 percent to $388,500.