Discussion Summary: Enhancing GDPR's Automated Decision Opt-Out Mechanism: Striking a Balance Without Negatively Impacting Users
The UK government is currently re-examining Article 22 of the General Data Protection Regulation (GDPR), a provision that gives individuals the right to opt out of decisions based solely on automated processing producing legal or similarly significant effects. The main arguments for removing Article 22 in the UK's data strategy revolve around enabling greater flexibility and promoting innovation in automated decision-making (ADM), particularly in AI-driven processes.
Omer Tene, a partner at Goodwin Procter LLP, has proposed that regulators could give data processors the option of offering data subject informed consent and contracts of adhesion, enabling innovation while protecting consumers. This approach would allow organisations to use any lawful basis—including legitimate interests—for ADM with significant effects, except for special category data which remains highly protected.
The UK’s 2025 Data (Use and Access) Act (DUAA) replaces Article 22 with new provisions (Articles 22A–22D) that reflect this shift. The aim is to reduce regulatory burdens and streamline compliance while fostering economic growth and innovation.
However, arguments against removing Article 22 focus on the risk of weakening individual data protection and transparency safeguards. Critics worry that loosening this provision could reduce transparency, accountability, and the ability of individuals to contest unfair automated decisions. There are concerns about balancing transparency with protecting trade secrets in automated decision-making systems—the GDPR requirement to explain ADM logic must not infringe proprietary rights, but less stringent rules may make meaningful explanations harder to ensure.
To compensate for the removal of Article 22, the UK's DUAA introduces enhanced safeguards. Organisations must provide detailed transparency about ADM processes, and data subjects have rights to make representations, contest ADM decisions, and request human intervention. The legislation maintains special restrictions and safeguards for special category data, and new statutory codes for ADM are expected after sector consultations to ensure fairness and clear standards. The Information Commissioner’s Office (ICO) plans to issue further guidance in 2026 to help ensure organisations comply effectively.
Thus, while the right to avoid automated decisions outright is removed, alternatives centre on transparency, contestation rights, human review options, and regulatory guidance, aiming to balance innovation with fairness and individual rights.
| Aspect | For Removal | Against Removal | Alternatives Considered | |----------------------------|----------------------------------------------------|----------------------------------------------------|------------------------------------------------| | Purpose | Flexibility for innovation and ADM use | Strong individual data protection and transparency | Expanded transparency and contestation rights | | Lawful basis for ADM | Allows any lawful basis except special category data | Restricts ADM use with opt-out rights | Procedural safeguards and human intervention | | Consumer protection rights | Reduced explicit opt-out from ADM | Rights to explanation and human oversight | New statutory codes, ICO guidance | | Trade secrets and explainability | More relaxed balancing with innovation | Concern over effective explanation of ADM logic | Legislative and regulatory mechanisms |
In summary, the UK's approach retains core protections but recalibrates the balance in favor of economic competitiveness and ADM innovation, implementing refined safeguards rather than the strict ban on solely automated decisions previously set by Article 22.
- The UK government is reevaluating Article 22 of the GDPR, aiming to promote flexibility and encourage innovation in automated decision-making (ADM), particularly in AI-driven processes.
- Omer Tene, a partner at Goodwin Procter LLP, suggests allowing data processors to offer informed consent and contracts of adhesion to enable innovation while safeguarding consumers, with the exception of special category data.
- The UK's 2025 Data (Use and Access) Act (DUAA) replaces Article 22 with new provisions, aiming to reduce regulatory burdens, foster economic growth, and streamline compliance.
- Critics argue that removing Article 22 might weaken individual data protection, transparency safeguards, and the ability to contest unfair automated decisions.
- To compensate for the removal of Article 22, the DUAA introduces enhanced safeguards, such as increased transparency, rights to representation, contestation, and human intervention, along with new statutory codes and ICO guidance.
- The UK's approach balances innovation with fairness and individual rights, retaining core protections but shifting the focus in favor of economic competitiveness and ADM innovation, with refined safeguards rather than a strict ban on solely automated decisions.
