The UK’s recent data-law changes matter for AI governance because they suggest a real divergence from the EU approach to automated decision-making.
If you want the official legislation, the UK law is here: Data (Use and Access) Act 2025.
Under section 80 of the Data (Use and Access) Act, the UK has replaced the old Article 22 framework with a new structure for automated decision-making. The practical signal is a shift toward a more permissive model: automated decision-making with safeguards, rather than a prohibition-first starting point.
Why this is a real shift
Under the classic Article 22 model, the analysis usually began with a restriction. The UK’s newer approach looks more operational and less categorical. The question becomes less “is this forbidden unless an exception applies?” and more “what safeguards, transparency, and review rights are required when this happens?”
That may sound subtle, but it matters. It gives companies more room to deploy automated systems, while also increasing pressure to justify how those systems are used.
Why multinational teams should care
A lot of organizations still hope they can run one clean global policy for AI-enabled decision-making. The UK’s move makes that harder. If the EU and UK keep drifting apart here, legal teams may need separate assessments for profiling, scoring, and model-driven recommendations that affect individuals.
That does not just affect flashy AI products. It can reach ordinary systems used in employment, insurance, financial services, fraud detection, customer eligibility, and prioritization workflows.
The takeaway
The UK is not abandoning regulation. It is choosing a different posture. A permission-with-safeguards model still requires governance, and in some ways it requires better governance because companies have more room to act.
Cross-border AI compliance is starting to look less like one policy problem and more like jurisdiction management. That is the part legal teams should plan around now.