UK Data Use and Access Act Enhances AI Regulation


Introduction

On June 19, 2025, the UK’s Data Use and Access Bill received Royal Assent, officially becoming the DUA Act. The legislation strengthens the UK’s data protection framework and introduces significant controls over AI-driven automated decisions.

Regulatory Context

The DUA Act amends UK GDPR, PECR, and the Data Protection Act. With full implementation from late 2025 to mid‑2026, it reflects growing concerns over AI’s role in automated decision-making and data privacy.

Key AI Provisions

  • Automated Decision-Making (ADM): Systems with substantial legal effects now require “meaningful human intervention.”
  • Transparency Requirements: Clear disclosures for users affected by AI decisions, aligned with non-discrimination laws.
  • Data Access and Portability: Introduces “Recognized Legitimate Interests” as a lawful basis for security-related AI.
  • Privacy Controls: DSARs refined to be proportionate; organizations must explain legal exemptions.

Implications for AI Systems

The DUA Act forces organizations to embed transparency and human oversight into AI systems, especially in finance, healthcare, and policing, where automated decisions are critical.

Expert Commentary

Privacy counsel Anna Flanagan noted the act “could transform how companies use data—and trigger an AI and data revolution.” Legal scholars argue it sets a new global benchmark for AI governance.

Business Impact

Firms leveraging AI must audit automated processes, prepare documentation of oversight, and redesign systems to include human validation nodes. This oversight standard may also apply to imports of AI tools from abroad.

Comparison with EU Policies

The DUA Act complements the upcoming EU AI Act. While the EU focuses on categorizing AI by risk, the UK’s act mandates safeguards for ADM regardless of sector, potentially influencing global standards.

Roadmap

Rolling implementation through 2026 will require organizations to review data mappings, ADM processes, and complaint-handling mechanisms. The ICO will publish guidance and collaborate with financial and health regulators.

Conclusion & Call to Action

The DUA Act is a milestone in AI governance, mandating human oversight, transparency, and compliance for automated systems. Businesses should audit their AI processes now to ensure alignment before enforcement deadlines.
