Good morning. Eight years ago this week, the GDPR came into force. Like you, I remember scores of emails from long-forgotten organisations asking me to renew my contact preferences. Companies scrambling to assure customers that they were “GDPR compliant”. The back office reality looking a lot less tidy. 

Some of the provisions that felt a lot less relevant a decade ago were those on automated decision making. With the rise of AI, these restrictions are receiving renewed attention. We unpack why below, and how to position this to your exec. 🎯

— Philip

The original ambition for Profiles in Legal was always to surface thoughtful conversations with people shaping the future of legal and governance in practice.

If someone comes to mind whose thinking deserves wider attention, I read every reply.

BRIEFING ROOM

The re-wiring of ADM


While last week’s oxygen was consumed by lawyers debating EU AI Act delays and “Claude for Legal” updates (Edition 19), the UK moved along with more immediate and practical changes for businesses rolling out AI. This is more about deployer accountability than foundation model behaviour, and that is where AI is showing up in legal team work today.

DUAA: I got new rules

Until recently, the UK still broadly mirrored the EU’s rules for using fully automated decision-making (ADM) to make decisions about individuals. If the decision produced legal effects or similarly significant effects, like a job rejection or denial of credit, it was prohibited by default. GDPR gave three narrow exceptions: contractual necessity; authorisation by law, usually for public interest reasons; or explicit consent. Even then, individuals had rights to contest a decision by asking for an explanation or meaningful human intervention. And ADM involving special category data was more tightly restricted.

The UK’s Data (Use and Access) Act 2025 completely flipped this narrative. Rather than being banned by default, ADM is now generally permitted for non-sensitive data, provided the right safeguards are in place. Organisations no longer have to jump through those three narrow hoops and can instead rely on broader justifications, like their own 'legitimate interests,' to deploy automated tech.

Last week’s changes also formally committed the ICO to finalising its draft code of practice on AI and automated decision-making, whose consultation period wraps up this month. It specifically covers the overlap between ADM and AI.

In practice, the code is more than voluntary best practice - it sits within a statutory framework, is admissible as evidence in court, and is something the ICO will weigh heavily in enforcement decisions. For businesses, compliance with the code will be the strongest shield against regulatory action.

Why it matters

The code gives legal teams a strong authority to anchor their instincts. When working through the impact, lawyers will identify many familiar themes from their day to day projects.

🛂 Click to approve. The ICO rejects “token gestures”, citing the example of a manager reviewing an AI-driven CV shortlist for a few seconds as insufficient to stop the decision counting as fully automated. Employees should understand the AI’s logic, which connects to their own AI literacy, and have the practical authority and ability to override it.

🌓 Yes or no. Lawyers are used to thinking of ADM in terms of binary legal outcomes: You get the loan or you don't. You get the job or you don't. The new code expands the horizon to a contextual view of what constitutes a “significant decision”. Think: dynamic pricing and algorithmic recommendations. ADM isn’t just in the obvious places like HR and credit control. It’s another example of where Legal can close gaps at the product design and even organisational design stages.

📜 See our privacy notice. Many organisations try to satisfy transparency rules by putting a generic paragraph about AI in their public-facing privacy policy. The ICO has effectively called time on this practice. The guidance draws a bright line between the general “right to be informed” and “information about decisions”. A general privacy notice is no longer enough. When ADM is used, the individual must be given decision-specific information explaining the actual outcome and the exact factors that influenced their specific result. Product lawyers will be asking software engineers how AI systems can generate individual, modular explanations for data subjects who challenge a decision.

🧩 Proxy data. The “permitted by default” approach for ADM does not extend to special category data. Entry-level advice to engineering teams is to avoid inputting health data into the AI. That falls apart when AI models routinely reconstruct special category data through proxies and inferences. Consider asking product teams to audit models for concepts like “feature significance” and “proxy bias”. If the model is inferring sensitive traits to make its decisions, the legal basis for those decisions is in peril.

👀 Retrospective DPIAs. Stretched teams have a habit of only getting around to drafting data protection impact assessments (DPIAs) after a product has launched, or even worse, when a regulatory complaint arrives. While GDPR always required these to be completed in advance, the new legislative structure puts automated tech in the spotlight for enforcement. Handing the regulator a post-hoc, backdated DPIA may read like an admission to deploying high-risk AI without checking the safety rails first. GCs can use the statutory timing rule as leverage to insert their privacy teams at the early sandbox stage, not the launch party. 

The consultation closes next Friday. The code launches in the summer. It’s another example of how practical AI rules are here already.

POLL OF THE WEEK

Last week we asked “Will the EU AI Act delay materially change your organisation’s AI governance plans?” You suggested it will. 

The responses were an even split between pragmatic pessimism (“🧊 Yes, compliance work will likely slow”); honest candour (“😶 No, we were not yet actively preparing anyway”) and ambient unease (“🤷 It just adds to existing organisational uncertainty”). Resource constraints and competing priorities left one option without any votes: that governance is bigger than one regulatory deadline.

FROM THE SIDEBAR
Quick signals worth clocking

🇪🇺 Yesterday, the EU published its long-awaited guidelines on the classification of high-risk AI systems - more on this next week. 

🐭 Meta implements employee mouse-tracking to train AI, employees protest

Enjoying the signal?

If this edition would help a colleague thinking through AI governance, enterprise risk or legal operating change, feel free to forward it on.


🧠 Was this forwarded to you? Subscribe here to get Profiles in Legal every Wednesday.

Here’s how I can help

I advise technology businesses and leadership teams on AI, product and regulatory strategy and enterprise readiness to move from informal AI adoption to scalable governance.

If your organisation is navigating AI deployment, maturity or commercial negotiation challenges, feel free to reply directly.

Profiles in Legal examines how AI, governance and technology are reshaping modern businesses and legal teams.

This publication is for general information only and does not constitute legal advice. Seek professional advice for specific situations.
