Automated Decisions Under UK Law (2026): The New Article 22A-22D Safeguards Regime
If your organisation runs AI that makes decisions about people, the UK rulebook changed under you on 5 February 2026, and a lot of compliance documentation has not caught up.
The Data (Use and Access) Act 2025 (Royal Assent 19 June 2025) replaced Article 22 of the UK GDPR with a new set, Articles 22A to 22D. The change is not cosmetic. The default flipped. The old Article 22 read as a near-prohibition on solely automated decisions with legal or similarly significant effects. The new regime permits those decisions, provided the controller can evidence safeguards. Your job moved from finding an exception to proving the safeguards are real.
This article sets out what the four articles do, what you now have to provide, and where the open questions still sit.
The shift in one line
Old position: a significant solely-automated decision was not permitted unless you fell within an exception (contract necessity, legal authorisation, or explicit consent).
New position: a significant solely-automated decision is permitted, provided the safeguards in Article 22C are in place, with a tighter rule for special category data in Article 22B.
The ICO has described the reform as restoring a permissive, safeguard-led approach in place of the general prohibition. For a deployer, the practical consequence is that the work is now evidential. You are not arguing why you are allowed to do this. You are showing that the person on the receiving end has the protections the law requires.
What each article does
Article 22A: scope and the meaning of "solely automated". This sets out when the rules bite. They apply to a significant decision, one with a legal effect or a similarly significant effect on the person, that is based solely on automated processing. "Solely" is the load-bearing word. A decision is solely automated where there is no meaningful human involvement. A human who reviews the output without the authority, information, or time to change it does not make the decision non-automated. The rubber stamp does not count.
Article 22B: special category data stays restricted. Where a significant solely-automated decision is based wholly or partly on special category data (the Article 9 categories: health, ethnicity, biometric data used to identify someone, and the rest), the permissive default does not apply. This is the high-risk case. You generally need explicit consent or a substantial-public-interest condition, alongside the safeguards. If your model uses, infers, or proxies special category data to decide about people, treat it as the tightly regulated path.
Article 22C: the safeguards you must provide. This is the operational core. Where a significant decision is solely automated, the controller has to give the person safeguards that let them:
- receive information about the decision,
- make representations about it,
- obtain human intervention from the controller, and
- contest the decision.
These are not optional extras to bolt on after a complaint. They are the condition of being allowed to run the system at all. Each one needs working mechanics behind it: a route for representations that a real person reads, a reviewer with authority to change the outcome, and records that show the review happened and what it considered.
Article 22D: the Secretary of State's regulation power. This gives the Secretary of State power to make regulations, including on what counts as meaningful human involvement. It means the detail of the regime can move by secondary legislation. Anyone relying on a particular reading of "meaningful" should watch this space rather than treat it as settled.
The open question: what is "meaningful human involvement"?
The whole regime turns on whether a decision is solely automated, and that turns on whether the human in the loop is meaningful. The statute does not define it exhaustively, Article 22D lets the Secretary of State regulate on it, and the ICO has been working through it: a consultation on draft automated-decision guidance ran over winter 2025/26 with final guidance following in 2026. The ICO also published a report on automated decision-making in recruitment in April 2026, which is a clear signal that this is an enforcement priority and that recruitment screening is squarely in scope.
Until the guidance is fully bedded in, the safe working test is substance over form. Ask whether the human reviewer actually has the information, the authority, and the time to reach a different decision. If the honest answer is that they approve what the system produces because overriding it is impractical, the decision is solely automated and the Article 22C safeguards apply.
What deployers have to do now
The change is permissive, which makes it easy to assume there is less to do. The opposite is true at the documentation level, because the safeguards now have to be evidenced rather than assumed.
- Inventory the decisions themselves. Find every point where automated processing produces a significant decision about a person: credit, hiring, insurance pricing, fraud flags, eligibility, account closures. The decision is the unit to inventory, system by system.
- Classify each as solely automated or not, honestly. Apply the meaningful-human-involvement test in substance. Document the reasoning.
- For each solely-automated significant decision, build the four safeguards as working mechanics. Information, representations, human intervention with authority to change the outcome, and a contest route.
- Treat special category decisions as the restricted path under Article 22B. Confirm the explicit consent or substantial-public-interest basis, and the extra documentation.
- Update the DPIA and the privacy notice. A DPIA that still cites the old Article 22 prohibition is describing a regime that no longer exists. The privacy information has to tell people the decision is automated and how to exercise the safeguards.
- Keep the records. The regime is evidential. If you cannot show the safeguards operated, you cannot show compliance.
How this sits with the EU AI Act
These are separate tracks and you may be on both. The UK GDPR Articles 22A to 22D give the individual their automated-decision rights. The EU AI Act adds provider and deployer obligations where the system is high-risk under Annex III, such as recruitment, credit, and essential services. After the May 2026 Omnibus, the AI Act's high-risk obligations apply from 2 December 2027, while the Article 50 transparency duties apply from 2 August 2026. Clearing your data protection safeguards does not clear your AI Act obligations, and the reverse is also true.
When to take advice
Most automated processing will not need outside help to map. Some situations are worth a specialist eye.
Instruct a data protection specialist when:
- a significant decision is made wholly or partly on special category data,
- you are unsure whether your human review is meaningful enough to take a decision out of scope,
- you are deploying a bought-in model and need to know where the controller obligations land,
- a regulator or a data subject has challenged an automated decision, or
- the system sits in a sector the ICO has flagged, recruitment being the clearest current example.
Current as at 16 June 2026. This is educational. For your specific systems, instruct a qualified data protection adviser.
Frequently Asked Questions
Is automated decision-making banned under UK law?
No, not since the reform. The Data (Use and Access) Act 2025 replaced Article 22 of the UK GDPR with Articles 22A to 22D, and the automated-decision provisions took effect on 5 February 2026. The old position read as a near-prohibition: solely automated decisions with legal or similarly significant effects were not allowed unless an exception applied. The new position is permissive: such decisions are allowed provided the controller puts safeguards in place. The compliance task moved from arguing an exception to evidencing safeguards. Decisions based on special category data remain tightly restricted under Article 22B.
What are the safeguards I have to provide under Article 22C?
Where a significant decision about a person is based solely on automated processing, the controller must provide safeguards that let the person: receive information about the decision, make representations about it, obtain human intervention from the controller, and contest the decision. A reviewer who rubber-stamps the system's output does not satisfy the human-intervention safeguard. The intervention has to be capable of changing the outcome.
What counts as a 'significant decision' or 'solely automated' now?
A significant decision is one that produces a legal effect or a similarly significant effect for the person, for example credit, employment, insurance, or access to a service. 'Solely automated' means there is no meaningful human involvement in the decision. Token or rubber-stamp review does not make a decision non-automated. The Secretary of State has power under Article 22D to make regulations on what meaningful human involvement means, and the ICO's guidance on this point is the document to watch.
What about decisions that use special category data?
Article 22B keeps a tighter rule. A significant solely-automated decision based wholly or partly on special category data (health, ethnicity, biometric data used for identification, and the other Article 9 categories) is restricted. The permissive default does not extend to it. You generally need the data subject's explicit consent or a substantial-public-interest basis, plus the safeguards. Treat special category automated decisions as the high-risk case and document them accordingly.
Does the EU AI Act change this too?
It runs alongside. UK automated-decision rights sit in the UK GDPR (Articles 22A to 22D). The EU AI Act adds obligations where the system is high-risk under Annex III (recruitment, credit, insurance, essential services) or where it interacts with people. Following the May 2026 Omnibus, the AI Act's high-risk obligations apply from 2 December 2027, while the Article 50 transparency duties apply from 2 August 2026. Data protection law and AI Act law are separate tracks and you have to clear both where they apply.