The UK's statutory AI and automated-decision-making code: the principles-only model gains a hard edge
The UK still has no horizontal AI statute, but a binding duty now arrives through data-protection law. Regulations in force on 12 May 2026 require the ICO to write a statutory code on AI and automated decision-making, while the Data (Use and Access) Act 2025 rewrites the UK's ADM rules.
The United Kingdom has built its reputation on regulating artificial intelligence without a horizontal AI statute — five non-binding principles applied by sector regulators, and a frontier bill still in preparation. That description remains true, but in 2026 it became incomplete. A genuinely binding AI obligation has arrived in British law, and it came not from a new AI Act but from the country's data protection regime. The instrument is technical and easy to overlook; its reach is not.
A statutory code, by Regulations
On 16 April 2026 the government made the Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026. They were laid before Parliament on 21 April and came into force on 12 May 2026. Their effect is short and mandatory: the Information Commissioner must prepare a code of practice giving guidance on good practice in the processing of personal data in relation to (a) developing and using artificial intelligence and (b) automated decision-making. The code must also address the processing of children's personal data.
This is not guidance the regulator chose to write; it is guidance Parliament has ordered it to write. The power sits in new sections 124A and 124B of the Data Protection Act 2018, inserted by sections 92 and 93 of the Data (Use and Access) Act 2025. Once issued and approved, an ICO statutory code is not itself the law, but courts and the Commissioner must take it into account — which makes it the closest thing the UK has to a binding, cross-sector AI rulebook.
The reform underneath: Article 22 rewritten
The code does not stand alone. Section 80 of the Data (Use and Access) Act 2025 replaces Article 22 of the UK GDPR — the long-standing restriction on decisions made solely by automated means — with a new set of Articles 22A to 22D. The shift is deliberate and consequential. Under the old Article 22 a significant solely-automated decision was, in principle, prohibited save for narrow exceptions. Under the new regime such a decision is permitted, provided safeguards are in place.
A stricter rule is retained where it matters most. Where a significant decision is based on special category data — health, biometrics, beliefs and the like — solely-automated processing remains barred unless the data subject has given explicit consent, or it is necessary for a contract or authorised by law with a substantial-public-interest basis. Decisions resting on the new "recognised legitimate interests" ground may not be fully automated at all.
Four safeguards that travel with every automated decision
For the decisions the new regime allows, controllers must guarantee four things. The data subject must be informed that a significant decision about them is being taken by automated means; must be able to make representations about it; must be able to obtain human intervention by the controller; and must be able to contest the decision. These are the substance the forthcoming ICO code will operationalise, and the Secretary of State may add to them by regulation.
On 31 March 2026 the ICO opened a consultation on draft guidance on automated decision-making and profiling — its first detailed reading of these changes — which ran until 29 May 2026, with final guidance expected in the summer of 2026. Alongside it the ICO published a report on ADM in recruitment, drawing on engagement with more than 30 employers, that names the gaps it expects firms to close: organisations relying on automated tools without effective human oversight, candidates given no way to challenge a decision, and a lack of transparency about how their data drives the outcome. For the many organisations using AI to screen and rank applicants, that report is the clearest signal yet of how London reads the new rules — and it bites on AI in recruitment wherever the data subjects are British.
Set against the AI Act
The contrast with the European Union is instructive, and it cuts both ways. On automated decisions the UK has moved in the opposite direction from Brussels: where the EU's GDPR Article 22 keeps a default prohibition, the UK has switched to a permission-plus-safeguards model. But on AI specifically the UK has, for the first time, created a hard-edged horizontal instrument — a statutory code that reaches every sector touching personal data, where the AI Act reaches through product law and conformity assessment. The two regimes now bite at different points: Brussels at the product and the model, London at the decision and the data behind it.
For an international organisation the practical reading is simple. The UK GDPR follows the data, not the border, so a controller serving British data subjects is in scope wherever it sits. Anyone who concluded that "no UK AI Act" meant "no binding UK AI rule" now has a date to mark — 12 May 2026 — and a code to watch for. As our survey of the UK approach notes, the British model is moving; this is the first piece of it that is already law.
Sources
- https://www.legislation.gov.uk/uksi/2026/425/made
Regulations in force 12 May 2026 requiring the ICO to prepare a statutory code on AI and automated decision-making, including children's data.
- https://www.legislation.gov.uk/ukpga/2025/18/section/80/enacted
Data (Use and Access) Act 2025, s.80: replaces UK GDPR Article 22 with Articles 22A–22D, permitting significant solely-automated decisions under safeguards.
- https://www.legislation.gov.uk/ukpga/2025/18/contents
Data (Use and Access) Act 2025 (c.18); sections 92–93 insert sections 124A/124B into the DPA 2018, the powers under which the AI/ADM code was mandated.
- https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2026/03/ico-consultation-on-the-draft-guidance-about-automated-decision-making-including-profiling/
ICO consultation on draft ADM/profiling guidance (opened 31 March 2026, closed 29 May 2026), with an accompanying report on ADM in recruitment.