AI Regulation Tracker / Legislation in force
UK lifts near-total ban on solely automated decisions under DUAA section 80
Since February 5, 2026, UK controllers may run solely automated significant decisions if they supply legal safeguards. The old default prohibition is gone, and the tighter restriction applies where special-category data is used, subject to the statutory conditions.
The United Kingdom has reversed the starting position of its law on automated decisions. Since February 5, 2026, section 80 of the Data (Use and Access) Act 2025 has been in force, brought in by regulation 2 of the Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026, published as SI 2026/82. The commencement instrument lists "section 80 (automated decision-making)" among the provisions taking effect on that date. The practical result is that a solely automated significant decision is no longer prohibited by default. It is permitted, provided the controller meets a set of statutory safeguards.
From a ban to a conditional permission
Under the previous framework, a decision based solely on automated processing that produced a legal or similarly significant effect was, in most cases, not allowed unless a narrow exception applied. Section 80 flips that logic. The default is now permissive: controllers may run these decisions, but they must attach safeguards. Those safeguards are a right to human intervention, a right to contest the decision, and a right to be informed that such a decision has been made. The burden moves from asking whether the decision is banned to asking whether the controls are present and working.
Where the strict rule still bites
The old restriction has not disappeared. It has been repositioned. The tighter regime now applies mainly where special-category data drives the decision. Special-category data covers information such as health, race, religion, and other sensitive attributes. A firm that feeds sensitive data into an automated significant decision faces the more demanding requirements, while a firm running an automated decision on ordinary personal data operates under the lighter, safeguard-led standard. That distinction is now the deciding point for compliance analysis.
What it does not do
Section 80 is not a blanket clearance to automate. It does not remove the need for a lawful basis, and it does not switch off the safeguards for automated significant decisions; it makes those safeguards the price of running them. It does not repeal the special-category protections; it concentrates the strict controls there. It also does not, by itself, tell controllers exactly how to operate the safeguards in day-to-day systems. That interpretive detail is the job of the Information Commissioner's Office, whose guidance on automated decision-making and profiling hangs on this statutory backbone. Section 80 is the "what changed in law" anchor; the regulator's guidance is the "how."
Who needs to act, and why now
The affected group is concrete. Lenders making automated credit decisions, employers and recruiters using automated screening and ranking, insurers pricing and underwriting by model, and any firm setting prices algorithmically are all in scope where a decision is both solely automated and significant. For these controllers the immediate task is to map where such decisions occur, confirm whether special-category data is in the pipeline, and verify that a person can ask for human review, contest the outcome, and be told the decision was automated.
Turning the safeguards into practice
The three safeguards are simple to state and harder to operate. A right to human intervention means a real person must be able to step in and look again at the outcome, not merely wave it through. A right to contest means the affected person needs a clear route to challenge the result. A right to be informed means the controller has to tell people that a solely automated significant decision was made about them. Each of these has to exist as a working process, with someone accountable for it, rather than as a line in a policy document. Because the statute sets the standard but not the operational detail, controllers should record how each safeguard functions, who owns it, and how an intervention or challenge is logged and resolved. That record is what turns the permission into defensible compliance if a decision is later questioned.
The cross-border angle for US firms
For a US reader running a single transatlantic programme, the change matters because it pulls the UK away from the European Union. The EU's General Data Protection Regulation keeps a near-prohibition on solely automated significant decisions under Article 22. The UK has now moved to a permissive, safeguard-led model. A multinational that once ran one automated-decision policy across the UK and the EU can no longer assume the two regimes line up. The same hiring or credit model may be permitted in the UK on ordinary data yet remain constrained under EU law, which means US firms operating in both markets need to handle them as two separate compliance tracks rather than one.
Frequently Asked Questions
What exactly changed in UK law on automated decisions?
Section 80 of the Data (Use and Access) Act 2025, in force since February 5, 2026 via SI 2026/82, replaced the near-total ban on solely automated significant decisions with a permissive regime. Controllers may now make such decisions if they provide a right to human intervention, a right to contest, and a right to be informed.
Who is affected by the new automated decision-making regime?
Any UK controller making solely automated significant decisions. In practice that includes lenders, employers and recruiters, insurers, and firms running algorithmic pricing. The stricter version of the rule applies mainly where special-category data is used.
Does this mean UK firms can automate significant decisions freely now?
No. The decision is permitted rather than banned by default, but only if the three safeguards are in place. Where special-category data drives the decision, the tighter restriction still applies.
How does this differ from the EU position?
The EU keeps a near-prohibition under GDPR Article 22. The UK has moved to a permissive, safeguard-led model, so multinationals running one UK/EU programme must now treat the two regimes differently.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.