Update February 2018: The Bill has now moved to the Commons, and clauses have been edited and become clauses 185-188. Updates are on the Commons page. This page covers the Bill as it was in the Lords.

Updated early-January 2018 – briefing, including the AI and ethics unit.

Update December 2018: Wider updated briefing for report stage

Imagine a data processing framework for social networks, where facebook get told, don’t worry about all those laws, the framework will take care of what you need to follow; the ICO, Judges, and courts, and human rights can’t touch you; you don’t need to worry anything pesky like following the law, or checking that election ads aren’t paid for in Rubles – since that’s just too hard for you to do, you don’t have to do it.

The first statutory “Framework for data processing” (in Government), snuck into the Data Protection Bill (clauses 175-178, page 99), legalises government using any data for anything it wishes (such Home Office typos or punitive DWP processing). None of the other rules apply besides what Ministers write into the framework, and they can change it at whim.

The framework is only 23 sub-clauses, but 10 of them remove rights, scrutiny, consultation or oversight. It seems this Government has lessons for Henry VIII on using power to show contempt for both citizens and Parliament.

Of course, Government rarely does data processing these days and instead outsources most of it. So this is not just data processing, but a framework about data controllers and the merging data for data processing.  We have spoken of these risks before (and pages 12-13).

If “Data Trusts” replicate the model of tax havens, then this is the framework that lets any sector, starting with Government, be exempted from the law. We have seen the effects of tax loopholes, this creates data loopholes. The next “frameworks” will apply to AI or health data.

Clauses 175-178 and Schedule 2 paragraph 4 must be removed from the Data Protection Bill.