Automated decision making is under scrutiny in the EU and how is it addressed in other jurisdictions

Published Date
Jan 10, 2024
Alongside the recent CJEU judgment on automated decision making in Schufa (see the Allen & Overy blog ) there are a range of developments related to ADM in other jurisdictions.

UK developments

The UK Parliament is currently debating the Data Protection and Digital Information Bill, which contains a provision to reform Article 22 of the UK GDPR.  This change would remove the general prohibition on decision making based solely on automated processing that produces legal effects concerning the data subject, or similarly significantly affects the data subject (ADM). The reform would narrow the prohibition to circumstances where special category data is processed. For all other ADM, the amended UK GDPR would require controllers to provide safeguards, such as allowing the data subject to obtain human intervention.  If passed in its current form, the legislation would give the Secretary of State specific powers to issue secondary regulations related to Article 22, including providing an indication on whether a decision is, or is not, to be taken to have “similarly significantly" affected the data subject.  

If the Bill passes, the Schufa judgment is likely to have less relevance in the UK, noting that CJEU judgments from the period post-Brexit do not bind the UK courts.  That said, the UK Information Commissioner’s Office (ICO) has continued to reference some EU enforcement actions, when relevant.  The ICO has not yet made any public statements about the relevance of Schufa to their guidance and approach to ADM. 


In California, the Privacy Protection Agency has released draft automated decision making technology (ADMT) regulations.  The proposed regulations would implement a consumer’s right to opt out of, and access information about, businesses’ uses of ADMT, as provided for by the California Consumer Privacy Act. The draft regulations would provide consumers with the following protections for decisions that have the most significant impacts on their lives:

  • Businesses would be required to provide “Pre-use Notices” to inform consumers about how the business intends to use ADMT, so that the consumer can decide whether to opt-out or to proceed, and whether to access more information.
  • The ability to opt-out of the business’s use of ADMT (except in certain cases, such as to protect life and safety).
  • The ability to access more information about how the business used ADMT to make a decision about the consumer.


The response of the Australian Government to the Privacy Reform Review agreed that new transparency provisions should be added the Privacy Act, covering proactive information provision and the right to request information about automated decision making.  These proposals focus on “substantially automated decisions which have a legal or similarly significant effect on an individual’s rights”, noting the focus on “substantially automated decisions” rather than “solely automated” in the EU GDPR. 

Looking ahead

Companies using automated decision making will therefore need to monitor these developments and adjust their governance processes, as these requirements become law.  Any global governance for automated decision making is likely to include specific consideration of local requirements.  

Content Disclaimer
This content was originally published by Allen & Overy before the A&O Shearman merger