How lobbyists rewrote Washington states privacy law

The latest battle between Big Tech and privacy campaigners is not in Brussels, Berlin or Washington, D.C.

Its in Washington state.

There, lawmakers have days to resurrect data protection rules aimed at giving local residents — as well as Microsoft and Amazon — some of the toughest privacy standards in the United States. The proposals borrow heavily from protections already available in the European Union, including the right for people to demand the removal of information from companies databases, and may soon become the foundation for potential nationwide U.S. privacy rules.

But as the clock ticks down to pass the legislation by April 28, when the state legislative session ends, consumer advocates and some Washington legislators complain that the process of writing the law — originally some of the strongest privacy rules to be proposed in the U.S. for decades — was co-opted by corporate interests, tech lobbyists and industry-friendly lawmakers.

Tech advocates deny these allegations, saying the proposals would give Washington state residents greater control over how firms collect, manage and use their data.

“We looked to Europes GDPR standard and the California privacy bill to take the best practices we could find” — Reuven Carlyle Washington state Democratic senator

But as people around the world grow more attuned to how Google, Facebook and others gather personal information on their users, the West Coast stand-off between tech firms and privacy groups has become ground zero for a new battle over privacy rights and the power of large tech corporations.

It also will test U.S. lawmakers nerve to curb Big Techs data collection practices amid renewed lobbying in Washington, D.C. over potential federal privacy rules — an effort that has gained significant momentum after California passed its own state data protections last year.

The Washington state proposals similarly represent the first time that Europes privacy standards, known as the General Data Protection Regulation, or GDPR, have been exported to the United States, raising questions about whether European policymakers can cement their efforts to become the de facto global standard by installing them in the U.S. state that is home to both Microsoft and Amazon.

“We looked to Europes GDPR standard and the California privacy bill to take the best practices we could find,” said Reuven Carlyle, a local Democratic senator who co-sponsored the Washington state privacy legislation. “Were in a new era. Were only now just beginning to understand the importance of what privacy laws could be.”

GDPR goes West

What sets Washington states proposals apart from other U.S. efforts are its ties to Europes privacy standards.

Almost a year after they came into force in May, 2018, versions of the European Unions data protection overhaul have been adopted, in various forms, by policymakers from Colombia to South Korea. Europes rules are aimed at handing power back to consumers over how their online personal data is used, and include fines of up to 4 percent of a companys global revenue or €20 million, whichever is higher, in the event of abuse.

In Olympia, the capital of Washington state, the current legislative draft specifically name-checks Europes rules in its preamble, and copies — sometimes word for word — the rights and obligations for both citizens and companies that routinely collect information on their users. That includes offering people the ability to ask for their data to be removed, as well as putting limits on the type of information that firms can harvest without asking for explicit permission.

Yet as lawmakers began mulling the new standards last fall, campaigners and some Washington legislators said that Microsoft played a significant role in drafting the original bill. Corporate interests, including those of Amazon and Comcast, a cable provider, also have successfully inserted carve-outs for much of their existing data collection practices which make the current proposals almost meaningless, according to these groups.

In total, Microsoft boosted its lobbying spend in Olympia by 62 percent, to more than $560,000, over the last 12 months compared to the previous year, according to its regulatory filings. That included Brad Smith, Microsofts president, calling individual lawmakers to cajole them into backing the proposals, according to several Washington politicians who were contacted by Smith.

The Visitors Center at Microsoft Headquarters campus is pictured July 17, 2014 | Stephen Brashear/Getty Images

In the final draft circulated among local lawmakers last week, which was obtained by POLITICO, Ryan Harkins, a senior public policy director at Microsoft, also wrote notes in the margins, often chiding lawmakers for their legislative approach and deleting sections of the bill that he viewed as unsatisfactory.

Microsofts full-court press paid off.

While the states attorney general had called for the inclusion of a right for individuals to sue companies for potential wrongdoing, such a provision was eventually not included in the final proposals. Financial penalties — much-needed teeth to ensure compliance — were capped at just $7,500 for each intentional violation and $2,500 for any unintended infractions.

The basic premise of the law was also based on giving companies the default right to collect personal data, whereas in Europe, consumers are automatically given the right to not have their information harvested unless they give explicit consent.

“I was in some negotiations the governor pulled together and the room had representatives from Microsoft, Amazon, the Association of Washington Business and Comcast, but no one from consumer groups,” said Zack Hudgins, a Democratic Washington state congressman who chairs the Houses innovation, technology and economic development committee. “From the outside, it looked like a disproportionate influence.”

Tech groups deny they had an undue say over Washington states privacy push.

“Of course, some Read More – Source