Discussion Review: Enhancing GDPR's 'Opt-Out from Automated Decisions' Functionality Without Compromising User Privacy

Discussion Review: Enhancing GDPR's 'Opt-Out from Automated Decisions' Functionality Without Compromising User Privacy

In a move aimed at promoting greater flexibility and innovation, the UK has replaced GDPR Article 22 with new provisions under the Data (Use and Access) Act 2025 (DUAA). The reform is designed to strike a balance between fostering technological advancements and safeguarding individuals from algorithmic discrimination.

Arguments for Removing Article 22

The primary reasons for this change focus on enabling broader lawful bases for automated decision-making (ADM) with significant effects, streamlining and clarifying compliance, and adapting safeguards. The replacement provisions (Articles 22A–22D DUAA) allow the use of legitimate interests as a lawful basis, promoting innovation, including in AI, without the previous rigid constraints.

Arguments Against Removing Article 22

Critics of this change express concerns about potential weakening of protections for individuals against unfair or discriminatory automated decisions. They argue that loosening restrictions could increase the harms from bias or lack of human oversight in ADM systems.

Alternatives and Complementing Measures for Consumer Protection

To address these concerns, the UK is considering expanded safeguards within the new Articles 22A–22D, the development of new statutory codes of practice for ADM, enhanced regulatory powers for the ICO, and ongoing monitoring and impact assessments.

The UK government is currently running a public consultation on overhauling its data protection regime, led by the Department for Digital, Culture, Media & Sport (DCMS). A roundtable discussion was convened by DCMS and the Center for Data Innovation to examine whether Article 22 is fit for purpose.

The underlying rationale of Article 22 is to protect against biases and unexplainable decisions, but its intent is to empower humans to challenge such decisions. The panel agrees that consumer protection law is a better avenue to explore redress mechanisms than Article 22, as the power of automated decision-making systems grows.

Kristian Stout proposes giving data processors the option of offering data subject informed consent and contracts of adhesion, allowing for experimentation with automation tools. Omer Tene, on the other hand, believes that the distinction between human- and machine-powered decision-making in Article 22 is outdated.

For instance, personal loans are regulated by the FCA's Consumer Credit sourcebook and policed by the Financial Ombudsman Service, questioning the necessity of Article 22 in credit underwriting.

In summary, the UK has replaced GDPR Article 22 with a more flexible but regulated framework under the DUAA, aiming to balance innovation with individual protections through transparency, contestability, human intervention, and forthcoming statutory codes. Critics worry this reduction in data subject safeguards could facilitate algorithmic discrimination, underscoring the continued importance of the ICO’s regulatory role and legal scrutiny of ADM deployments.

1. The Data (Use and Access) Act 2025 (DUAA) in the UK, introduced to foster innovation and technology, has replaced GDPR Article 22 with provisions aimed at balancing technological advancements and individual privacy.
2. One of the key reasons for this change is to enable broader lawful bases for automated decision-making (ADM), streamlining compliance, and adapting safeguards under the DUAA's Articles 22A–22D.
3. Critics argue that the removal of Article 22 could weaken protections for individuals against unfair or discriminatory automated decisions, potentially increasing harm from bias or lack of human oversight in ADM systems.
4. To address these concerns, the UK is considering expanded safeguards within the new Articles 22A–22D, the development of new statutory codes of practice for ADM, enhanced regulatory powers for the ICO, and ongoing monitoring and impact assessments.
5. The UK government, led by the Department for Digital, Culture, Media & Sport (DCMS), is currently running a public consultation on its data protection regime and has hosted a roundtable discussion about the relevance of Article 22 with the Center for Data Innovation.
6. Kristian Stout suggests offering data subjects informed consent and contracts of adhesion as an alternative to Article 22 for experimentation with automation tools, while Omer Tene contests the distinction between human- and machine-powered decision-making in Article 22 as outdated.
7. Personal loans are regulated by the Financial Conduct Authority's Consumer Credit sourcebook and policed by the Financial Ombudsman Service, casting doubt on the necessity of Article 22 in credit underwriting.
8. The UK's new framework under the DUAA strives to balance innovation with individual protections through transparency, contestability, human intervention, and forthcoming statutory codes, underscoring the continued importance of the ICO’s regulatory role and legal scrutiny of ADM deployments in policy-and-legislation, finance, business, technology, general-news, politics, and AI.

Read also: