AI offers a wide range of opportunities for more automated decision-making (ADM). However, whenever ADM about individuals occurs, one of the first questions UK and EU businesses need to ask – to comply with data protection laws – is whether there is any meaningful human involvement. This is because ADM is restricted under both UK and EU data protection laws. Those laws currently provide that, subject to limited exemptions, individuals have the right to not be subject to a significant decision, made using any of their personal data, that is based solely on ADM (ie without meaningful human intervention).
Those rules could soon be significantly liberalised in the UK. In line with the UK’s pro-innovation approach towards data privacy, the Data Protection and Digital Information (No.2) Bill (the Bill) would amend the existing ADM restrictions, so that organisations can use ADM in a broader range of circumstances. These changes may create new opportunities for businesses to use ADM and AI in the UK.
Our top takeaways from the Bill in relation to ADM are:
- The existing UK prohibition on the use of personal data in ADM, without meaningful human involvement, for significant decision-making is largely removed. For most business purposes, this rule would only survive in relation to significant decisions based on the use of ‘special category’ personal data. Special category personal data is defined in the UK GDPR to cover only limited categories of personal data such as religious beliefs, political opinions, data concerning health and various other defined categories of potentially sensitive information.
- As a result of the Bill’s reforms, UK business may soon have greater scope to rely on ‘legitimate interests’ as their lawful basis when processing personal data for ADM (except where special category personal data is used). Relying on ‘legitimate interests’ is generally much more flexible and practical than other potential lawful bases such as obtaining consents from individuals.
- Mandatory safeguards are imposed by the Bill. Those include requirements for businesses to provide impacted individuals with rights to obtain human intervention and contest significant decisions. However, those rights require individuals to pro-actively challenge a decision after it has been made (as opposed to the current broad prohibition on using ADM to make significant decision in the first place). Nevertheless, businesses will need to take the possibility of individuals exercising those rights into account when designing their ADM and related compliance processes.
- These reforms will only apply under UK law. In practice they will not assist businesses that wish to undertake ADM based on personal data that is subject to EU data protection laws.
- As a result, businesses in the UK will have more regulatory freedom to adopt AI and other automated ways of making decisions, but should still pay close attention to the required safeguards (and future guidelines) as part of a balanced and ethical approach.
Further details on the proposals are set out below.
For information on the Bill’s implications for data protection more generally, see our previous blog post.
The expanded scope of ADM
As mentioned above, the Bill will reform UK data protection law to generally allow ADM unless it is used to make a significant decision without meaningful human involvement based (even partly) on the processing of special categories of personal data.
Similar to the position under existing UK and EU data protection laws, a decision will be ‘significant’ if it:
- produces a legal effect for the individual that the personal data relates to; or
- has a similarly significant effect on that individual.
Under the Bill, ADM resulting in significant decisions based on ‘special category’ personal data would only be permitted if:
- the decision was based on processing to which the individual has given explicit consent; or
- the processing is necessary for reasons of substantial public interest, occurs based on a UK law that meets various requirements and the associated decision is either: (a) necessary for entering into or performing a contract between the individual and controller; or (b) required or authorised by law.
These changes would mean that organisations have more flexibility to use ADM without human involvement where the decision-making does not concern special category personal data. Brexit-watchers will appreciate that this would result in a notable divergence from the current UK GDPR and equivalent EU GDPR.
It’s about balance: the safeguards for ADM
Although the UK Bill diverges from the EU approach, safeguards for individuals are expressly set out to balance the expanded scope of permitted ADM. Those safeguards must be implemented for any significant decision made without meaningful human involvement based on any personal data and include:
- providing the individual with information about those automated decisions;
- enabling the individual to make representations about such decisions; and
- enabling the individual to obtain human intervention and contest decisions.
To help protect individuals the Bill also makes clear that a new (primarily public sector focused) ‘recognised legitimate interests’ lawful basis cannot be used for any ADM without meaningful human involvement that results in a significant decision.
What next?
The Bill currently sits in the House of Commons and is awaiting its third reading. It will then need to go through the House of Lords, before it achieves Royal Assent and becomes an Act of Parliament.
The Bill proposes to grant the government wide powers to make future changes to the UK’s ADM regime. For example, the government is permitted to add or amend ADM safeguards through secondary legislation. The Bill also helpfully allows the government to issue regulations confirming the meaning of key terms such as ‘meaningful human involvement’ and ‘similarly significant effect’.
Businesses that may be impacted by these changes, or the opportunities they offer, will need to keep abreast of emerging regulations and guidance once the Bill has become law.