Automated Decision Making: the impact of the Data (Use and Access) Act 2025 and a recent CJEU judgment

There have been two recent interesting updates in relation to automated decision-making (ADM). ADM occurs when data is fed to a programme to allow it to make a decision without requiring human intervention.

These two updates are:

  1. From the Data (Use and Access) Act 2025 (the Act), which on 19 June 2025 was given Royal Assent. The Act introduces a risk-based approach to ADM, and different practices in relation to high and low-risk situations; and, 
  2. From the Court of Justice of the European Union (CJEU), which recently delivered a significant judgment concerning ADM and the rights of data subjects under the EU’s General Data Protection Regulation (EU GDPR).

With AI’s prevalence in the pensions space increasing, the Act and the CJEU judgment have significant implications for trustees now and going forwards. 

The Data (Use and Access) Act 2025

The Act introduces significant changes to the framework governing ADM in the UK. The Act aims to introduce a system that distinguishes between low and high-risk applications. Drawing the distinction between different risk levels will facilitate and encourage the use of ADM more widely in low-risk situations (such as website logins). 

Widening the ability to use ADM

Under Article 22(2) of the UK’s GDPR, decisions can currently be based on ADM in only three limited situations, namely where the use of ADM is…

  1. “necessary for entering into, or performance of, a contract between the data subject and a data controller;
  2. required or authorised by domestic law which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
  3. based on the data subject's explicit consent.”

The Act disregards this approach in relation to non-special category data but retains it for special category data. The Act therefore represents a softening of restrictions on the use of ADM for all personal data that is not special category data.

Safeguards included

Whilst the above widens the potential use of ADM, the Act does also provide some safeguards that bodies using ADM will need to be aware of, including that individuals:

  • Must be provided with information about any significant decisions taken in relation to them based solely on ADM. 
  • May contest a decision to use ADM in respect of them. 
  • Have a right to require the controller to have a human involved in the decision. 

The CJEU Judgment

This case arose from a dispute in Austria, where a mobile telephone operator refused to allow a customer to conclude a phone contract based on an automated credit assessment it had conducted.

The relevant law

Under Article 15(1)(h) of the EU GDPR, data subjects, where their personal data is being processed, have the right to be provided with information including:

“the existence of automated decision-making, including profiling… [and] meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.” 

Further, under Article 22, the “data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”, unless an exception is present (e.g. necessary to perform a contract or the data subject provided “explicit consent”). 

Questions posed to the CJEU and the CJEU’s judgment 

The CJEU was asked to clarify several key issues:

1. What constitutes "meaningful information about the logic involved" in ADM under Article 15(1)(h) of the EU GDPR?

The CJEU concluded that controllers must describe the procedure and principles applied in such a way that the data subject can:

  • understand which personal data has been used,
  • understand how the personal data has been used in the ADM, and
  • exercise their rights, including the right to challenge the automated decision.

The CJEU therefore concluded that simply communicating an algorithm is not sufficient, and further that the information must be “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.

2. What are the obligations of the controller in providing information to the data subject?

The controller must inform the data subject of:

  • the extent to which variations in personal data would lead to different results in the ADM process, and 
  • details sufficient to enable them to verify the accuracy of the personal data concerning him or her on which the ADM is based.

This ensures that the data subject can understand the impact of their data on the ADM and challenge it if necessary.

Implications in Pensions 

ADM could have a significant impact on the pensions industry due to the large swathes of data, including personal data, being held by stakeholders (such as administrators and trustees). 

Stakeholders in the industry therefore need to be aware of the Act and the CJEU judgment to:

  • understand when they are able to use ADM, noting that the ability to use it has been expanded by the Act (particularly when the ADM is in relation to low-risk usage or data that is not special category data), and
  • ensure legal compliance when using ADM, noting in particular that explanations must be clear, concise, intelligible, and must provide sufficient information for data subjects to understand and challenge decisions, in addition to the Act now requiring that the ADM user has in place appropriate safeguards. 

Practical steps for trustees

In terms of practical steps, trustees should consider:

  • Reviewing their privacy notices to ensure that they include information specifically relating to ADM (so that members are fully informed as to how their data is being used), and 
  • Engaging with their suppliers to understand whether members are subject to ADM (and if so, ensuring that this is being done compliantly). 

 

For more information on how automation could impact the pensions industry, please see our previous article here.

This article was written by Callum Duckmanton (Solicitor) from Burges Salmon’s Pensions and Lifetime Savings team. 

You can find more information on cyber risk for pension schemes in Burges Salmon’s Cyber Security Compliance Trustee Checklist, and you can learn about the team’s experience in advising pension schemes in relation to cyber security here.

The Data (Use and Access) Act 2025 has loosened restrictions on some use of ADM, which could have a significant impact for the pensions industry due to the large swathes of data, including personal data, being held by stakeholders (such as administrators and trustees).