Protecting digital data necessitates updating laws for the artificial intelligence age
The UK's Data Protection and Digital Information Bill, enacted as the Data (Use and Access) Act 2025 (DUAA), introduces significant changes to data protection laws, particularly regarding automated decision-making (ADM) with AI systems.
The DUAA aims to modernize the UK’s data protection framework, making it more innovation-friendly, especially for sectors like AI. Key proposed changes include relaxing the previous general prohibition on solely automated decision-making for significant decisions that affect data subjects. Now, this prohibition applies only when such ADM involves “special category” personal data (sensitive data such as health or biometric data). For ADM not based on special category data, a wider range of legal bases is permitted, including "legitimate interest," making it easier for organizations to deploy AI-driven decisions without requiring explicit consent.
Despite this relaxation, safeguards remain mandatory for all significant ADM, including requirements for transparency, human intervention, and allowing individuals to contest decisions. For ADM involving special category data, stricter conditions persist: it must rely on explicit consent or other specific legal bases and comply with the safeguards.
These changes represent a shift toward balancing innovation with privacy rights under the UK's updated data protection laws. However, some concern has been raised that the proposed reforms weaken existing data protections.
A survey of the UK public shows concern about an over-reliance on technology affecting people's agency and autonomy. The Post Office scandal, which involved hundreds of postmasters being prosecuted for theft and fraud due to flawed accounting software, illustrates the dangers of integrating complex technological systems into the economy.
In light of these concerns, Ada, a UK-based charity focused on promoting ethical AI, is calling on the Government and Parliamentarians from all parties to work together to make improvements to the Bill. They are advocating for strengthening data protection for the AI era, particularly by ensuring people affected by automated decisions have the right to receive detailed contextual or personalized information about how a decision was reached.
Moreover, Ada is emphasizing the importance of meaningful human review as a key component for achieving appropriate oversight over automated decision-making, for protecting individuals from unfair treatment, and for offering an avenue for redress. To be meaningful, a review needs to be performed by a person with the necessary competence, training, understanding of the data, and authority to alter the decision.
The DUAA also offers an opportunity to give people greater transparency about when automated decision-making is being used and the right to opt out of it. However, independent legal analysis suggests that these changes are likely to erode the incentives for organizations to properly assess and manage automated decision-making systems.
For instance, the Italian Data Protection Authority found Deliveroo's use of the 'Frank' platform to manage gig worker delivery riders through automated decision-making to be unlawful. This underscores the need for robust safeguards to prevent the misuse of AI systems in decision-making processes.
In conclusion, the DUAA expands permitted legal bases for automated decision-making with AI systems outside sensitive data categories while enforcing transparency and contestability safeguards to protect data subjects. However, it is crucial that these changes are implemented in a way that maintains core privacy protections and addresses public concerns about the impact of technology on agency and autonomy.
- The Data (Use and Access) Act 2025 (DUAA) in the UK seeks to modernize the data protection framework by introducing changes that are more conducive to innovation, especially in sectors like AI and technology.
- As part of these changes, the DUAA proposes to relax the previous general prohibition on automated decision-making (ADM) that affects data subjects, with stricter conditions applying only to ADM involving special category data.
- In light of concerns about the impact of technology on agency and autonomy, organizations like Ada, a UK-based charity focused on ethical AI, are urging the government and parliamentarians to strengthen data protection. In particular, they want people affected by automated decisions to have the right to receive detailed contextual or personalized information about how a decision was reached, and they emphasize meaningful human review as a key component for achieving appropriate oversight over automated decision-making.