From Article 22 to 22A-22D: what the Data (Use and Access) Act changes for automated decisions

23 Jun 2026


For most of the life of the UK GDPR, the rule on automated decision-making has been a prohibition with exceptions. Article 22 gave individuals the right not to be subject to a decision based solely on automated processing where that decision produced legal effects or similarly significant effects, unless one of a narrow set of conditions applied. The starting point was that such decisions were not permitted, and a firm had to find its way into an exception to make them lawfully.

The Data (Use and Access) Act 2025, which became law in 2025, reframes that position. The old Article 22 is replaced by a new set of provisions, Articles 22A to 22D, which move from prohibition-with-exceptions to permission-with-safeguards. This is a meaningful shift in posture, and it is easy to read it as a relaxation. In practice, for any firm using AI in decisions that affect people, it raises rather than lowers the bar for what you must be able to show.

What the old regime said

Under the original Article 22, a solely automated decision with legal or similarly significant effects was prohibited unless it was necessary for entering into or performing a contract, authorised by law, or based on the individual's explicit consent. Even where one of those conditions applied, the controller had to put in place suitable safeguards, including at least the right to obtain human intervention, to express a point of view, and to contest the decision. Where special category data was involved, the conditions were narrower still.

The effect was a regime many firms found awkward. The definition of "solely" automated was contested, the exceptions were narrow, and the result was that organisations often inserted token human involvement to step outside the rule altogether, rather than build genuine safeguards within it. The protection was real on paper but unevenly realised in practice.

What 22A to 22D introduce

The new framework keeps the central concept, the "significant decision", a decision that produces legal effects for an individual or similarly significantly affects them, but changes how such decisions may be made. Rather than being prohibited save for narrow exceptions, significant decisions based solely on automated processing become permissible more generally, provided the controller secures a defined set of safeguards for the individual.

Article 22A sets out what counts as a significant decision and what it means for a decision to be based solely on automated processing, including how meaningful human involvement is to be assessed. Article 22B establishes the safeguards that must accompany such decisions. Article 22C provides for the detail of those safeguards to be developed through secondary legislation, giving the regime room to evolve. Article 22D preserves stronger protection where special category data drives the decision, so the loosening does not extend to the most sensitive processing.

The safeguards in the new regime will be familiar in substance because they echo the protections that always sat behind Article 22. Individuals must be given information about decisions taken about them, enabled to make representations, allowed to obtain human intervention, and able to contest the outcome. The difference is that these are now the operative conditions for a much larger category of permitted processing, rather than a backstop attached to a narrow set of exceptions.

Why this raises the evidential bar

It is tempting to treat a move from prohibition to permission as a reduction in obligation. The opposite is closer to the truth. Under the old regime, a firm that kept a human meaningfully in the loop could often place itself outside Article 22 entirely and avoid the question. Under the new regime, more solely automated decisions are squarely permitted, and the legality of each one depends on the safeguards having actually been delivered.

That is an evidential proposition. To rely on the new permission, a firm must be able to demonstrate, for any given decision, that the individual was given the required information, that a route to human intervention existed and functioned, and that a contest, if raised, could be answered with a coherent account of how the decision was reached. A safeguard you cannot evidence is, for regulatory purposes, a safeguard you did not provide.

Consider what answering a contested decision actually requires. The individual asks why a particular outcome was reached. The firm must be able to retrieve that specific decision, identify the inputs and the logic that produced it, show that the process matched what the individual was told, and demonstrate that human intervention was genuinely available. None of this is possible from aggregate model metrics or from operational logs that were never designed to reconstruct a single case. It requires a deliberate, per-decision record.

The interaction with the wider regulatory picture

No firm operating in the UK reads these provisions in isolation. The same decisions that fall under Articles 22A to 22D will often sit within the FCA's Consumer Duty expectations on good outcomes, and, for firms with an EU footprint, within the high-risk obligations of the EU AI Act. Each of these frameworks approaches the problem from a different angle (individual rights, conduct, and product safety respectively), but they converge on a single underlying capability.

That capability is the ability to produce, for any automated decision, a complete and reliable account of how it was made, the information the individual received, and the human oversight that was available. A firm that builds this once, as infrastructure, satisfies the evidential core of all three regimes at the same time. A firm that addresses each obligation as a separate project ends up building the same record three times, inconsistently, and defending none of them well.

What firms should do now

The substance of the new safeguards will be filled in through secondary legislation, and the prudent reading is that the detail will favour firms that can demonstrate genuine, functioning protection rather than nominal compliance. The direction is clear enough to act on without waiting for every regulation to land.

The practical priority is to be able to answer, for any significant automated decision, a small set of questions: what was decided, on what basis, what was the individual told, and how could they have contested it. If those answers can only be assembled by cross-referencing several systems after the fact, the firm is exposed. If they fall out of a single, deliberate record captured at the moment of decision, the firm is ready, not only for Articles 22A to 22D but for the conduct and product-safety obligations that ask, in their own languages, the same question.

The move from Article 22 to 22A-22D does not make automated decision-making a lighter obligation. It makes it a more openly permitted one, on the condition that firms can prove they protected the people affected. Proof is the whole game.
