The Impact of the Data (Use and Access) Bill on Automated Decision-Making and AI

One of the key elements of this bill is its focus on aligning with and adapting existing frameworks like the UK General Data Protection Regulation (UK GDPR) to address the unique challenges posed by rapidly advancing AI technologies. This blog aims to set out the changes the Bill is set to introduce in relation to automated decision-making and AI, and how these changes will interact with the current data protection laws under the UK GDPR..

What do we mean by ‘Automated Decision-Making and AI’?

Automated decision-making refers to processes where decisions are made without human intervention. This can range from simple tasks, like sorting emails, to more complex decisions, such as recruitment, credit scoring, and even judicial sentencing. AI systems are, in many cases, becoming central to these processes, as they use algorithms to analyse large datasets and make predictions or recommendations that would be difficult or impossible for a human to perform manually.

The role of AI in decision-making brings both benefits and concerns. On the one hand, AI can improve efficiency, accuracy, and scalability, leading to better outcomes. On the other hand, it raises significant questions around transparency, fairness, accountability, and the potential for bias in decision-making processes.

The Data (Use and Access) Bill: What’s Changing?

The Data (Use and Access) Bill is designed to provide a more streamlined and modernised framework for the UK’s data protection laws. While the Bill addresses a broad range of issues, its impact on automated decision-making and AI is particularly notable. Here are some of the key changes it introduces:

1. Enhanced Transparency Requirements: The Bill proposes clearer guidelines for how businesses and public bodies should communicate with individuals about automated decisions that affect them. This includes providing individuals with more accessible and understandable information about the logic behind automated decisions, as well as the data used to make these decisions. This is likely to mean, in practice, more detailed privacy notices that specifically address any automated decision-making and AI processing.
   
   This will increase transparency and help individuals understand how and why they were subject to automated decisions.

2. Focus on Individuals’ Rights: Under the UK GDPR, individuals have the right not to be subject to decisions based solely on automated processing that significantly affects them, unless certain conditions are met. The Data (Use and Access) Bill is expected to clarify and extend these rights, giving individuals more control over automated decisions that could affect them.
   
   For example, individuals could be granted a right to contest automated decisions that they believe are unfair or biased. This would align with the GDPR’s provisions for ensuring human intervention in certain automated decision-making processes.

3. Algorithmic Accountability: One of the brand new aspects of the Bill is its focus on ensuring that AI systems are auditable. This includes measures that will require organisations to assess and demonstrate the fairness, accuracy, and accountability of decisions driven by AI models. The Bill is likely to introduce provisions that mandate audits, ensuring that AI systems adhere to ethical standards and are subject to scrutiny.
   
   This directly supports the UK GDPR’s principle of accountability, which requires data controllers to take responsibility for the data processing activities they carry out, including automated processing.

4. Specific AI Regulations and Ethical Standards: The Bill is expected to lay out specific regulations governing the use of AI technologies, particularly in high-risk areas like healthcare, finance, and law enforcement. These regulations will focus on minimising the risks of discrimination and bias through the use of AI systems.
   
   This is set to include setting guidelines for ensuring that AI models do not perpetuate or exacerbate biases in decision-making, a significant concern for the responsible use of AI. The ICO’s guidance on fairness, bias and discrimination will likely be supported by the new regulations, ensuring that automated decisions do not disproportionately harm individuals based on characteristics like race, gender, or disability.

How Does This Tie Into the UK GDPR?

The Data (Use and Access) Bill and the UK GDPR are heavily linked, with the Bill enhancing the UK GDPR’s existing framework on automated decision-making and AI. Several provisions in the GDPR are directly relevant to the regulation of AI systems, particularly:

• Article 22 of the UK GDPR: This article limits the circumstances in which organisations can make solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals. Giving individuals the right not to be subject to decisions based solely on automated processing, including profiling, that significantly affect them. The Data (Use and Access) Bill is likely to build on this provision, providing greater safeguards and clarification around when and how automated decisions can be made.
  
• Accountability and Transparency: Both the UK GDPR and the Data (Use and Access) Bill place significant focus on transparency and accountability. Under the GDPR, organisations must ensure that individuals are appropriately informed about the processing behind automated decisions, the significance of these decisions, and the consequences. The upcoming Bill will likely strengthen these requirements, particularly in terms of explaining how AI systems are designed, tested, and monitored.
  
• Data Subject Rights: The GDPR grants individuals several rights related to data processing, including the right to access information about the data being processed and the right to rectify or erase their data. The Bill is expected to enhance these rights in the context of AI-driven decisions, ensuring that individuals can exercise more control over how their data is used in automated processes.