Relevant DUA Act Provisions: Inserts Articles 22A–22D into UK GDPR; amends the Data Protection Act 2018 (DPA 2018) (Sections 50A–50D, 96–97).
The DUA Act repeals and replaces the original Article 22 GDPR regime with a new set of provisions (Articles 22A to 22D) governing automated individual decision-making. These reforms restructure the legal thresholds, safeguards, and state powers applicable to ADM in the UK.
- Article 22A defines a "significant decision" as one that produces legal effects or similarly significant consequences for a data subject. A decision is considered "based solely on automated processing" if there is no genuine or meaningful human involvement. While "meaningful" remains undefined in the Act, Article 22D empowers the Secretary of State to clarify the threshold through secondary legislation.
- Article 22B prohibits significant decisions based solely on automated processing of special category data unless the data subject has given explicit consent or the processing is required or authorised by law and meets the conditions of Article 9(2)(g). The DUA Act introduces a distinct UK test. Decisions partly based on special category data still fall within scope.
- Article 22C sets out mandatory safeguards for all significant automated decisions. Controllers must:
  - Inform the individual of the automated decision;
  - Allow them to make representations;
  - Offer the right to human intervention on request or by law;
  - Enable them to contest the decision.
- Article 22D(3) empowers the Secretary of State to supplement (but not diminish) these definitions and safeguards by regulation.
The DUA Act also replicates this ADM regime across:
- Law enforcement processing (Sections 50A–50D DPA 2018), where safeguards apply unless there is meaningful human reconsideration after the fact as soon as reasonably practicable and specific exemptions apply (e.g., public security or criminal justice).
- Intelligence services processing (Sections 96–97 DPA 2018), with a narrowed version of the rights framework, reflecting national security imperatives.
Divergence
These provisions mirror the original GDPR approach but are now explicitly framed as statutory duties. While aligned in substance, the UK regime clarifies thresholds, extends coverage to partially automated processing involving special-category data, and memorialises safeguards in law—avoiding reliance on interpretive recitals or external guidance.
ICO commentary
The ICO has welcomed the clarification of the ADM provisions, noting that the DUA Act removes the need for Section 14 of the DPA 2018 and instead relies on the strengthened safeguards in the new Article 22C. It supports the consolidation and modernisation of the legal framework for ADM across sectors. The ICO intends to publish updated guidance on automated decision-making and profiling in spring 2026, including the amendments in the DUA Act.
Recommendations
- Identify all automated decision-making operations that may produce legal or significant effects.
- Confirm legal basis under Article 22B where special‑category data is involved.
- Ensure that DPIAs covering ADM incorporate the new statutory criteria under Articles 22A–22C.
- Maintain clear documentation of all ADM-related procedures, including transparency notices and human review protocols.
- Monitor for secondary legislation defining "meaningful" human involvement, and assess ADM systems accordingly.
This article is part of a twelve-part series analysing the key legal reforms introduced by the Data Use and Access Act (DUA Act), which came into force on 19 June 2025. The series examines the most significant areas of divergence and convergence between the DUA Act and the EU GDPR, drawing on both the legislation itself and provisional guidance from the Information Commissioner’s Office (ICO). Each article provides legal context, highlights regulatory shifts, and offers practical compliance insights. The twelve core areas covered in this series are: 1. Recognised Legitimate Interests (RLIs)