Does UK GDPR apply to AI systems after Brexit?

Yes. UK GDPR (the retained and amended EU GDPR) applies to any organization processing personal data of UK individuals regardless of where the organization is based. AI systems that train on UK personal data, generate personal data outputs about UK individuals, or use UK personal data as inference inputs are within scope. UK GDPR is enforced by the Information Commissioner's Office (ICO), not the EU supervisory authorities.

What is a 'solely automated decision' under UK GDPR Article 22?

A decision is solely automated if there is no meaningful human involvement. ICO considers a human review to be meaningful only if the reviewer genuinely and independently assesses the individual's circumstances — has access to all relevant information, has authority to override the AI output, and actually exercises independent judgment. A human who approves AI outputs without genuine review is not meaningful involvement. Nominal human sign-off does not avoid Article 22 obligations.

What must UK GDPR Article 22 explanations include for AI decisions?

ICO's 'Explaining Decisions Made with AI' guidance requires explanations to be: (1) intelligible to a layperson — not technical model documentation; (2) specific to the individual's decision — not a generic description of how the AI works; (3) actionable for challenging the outcome — identifying key factors and whether they can be corrected; and (4) counterfactual where possible — explaining what would have changed the outcome. Generic statements like 'we use machine learning to evaluate applications' are insufficient.

When is a DPIA mandatory for an AI system under UK GDPR?

DPIAs are mandatory for AI systems involving: solely automated decisions with legal/significant effects (Art. 22); large-scale processing of special category data (health, biometric, racial origin, sexual orientation); systematic large-scale monitoring of individuals; novel use of new technologies for profiling; processing children's personal data in high-risk ways; and large-scale inference of sensitive attributes from non-sensitive data. Most production AI used in fintech, healthtech, HR, or customer decisions requires a DPIA before deployment.

What does the Clearview AI £17.1M fine mean for AI model training?

Clearview scraped billions of facial images to build a facial recognition AI. ICO found: no valid lawful basis for collecting UK biometric data; 'publicly available' data does not satisfy legitimate interests for intrusive and unexpected biometric processing; no transparency mechanism for UK individuals. The precedent: training AI on scraped personal data requires a valid lawful basis — not just 'it was public.' This applies to web scraping for NLP, behavioral profiling from public social media, and aggregating public records for AI scoring.

Does UK GDPR apply to AI that infers sensitive attributes from non-sensitive data?

Yes. UK GDPR Article 9 restricts processing of special category data including health, racial/ethnic origin, sexual orientation, religious beliefs, and biometric data. AI systems that infer these attributes from non-sensitive inputs (inferring health from purchase history, inferring religion from name or location) are processing special category data. ICO has confirmed this interpretation — inference of special category data requires a lawful basis under both Article 6 and Article 9, regardless of whether the input data is itself special category.

Does the EU AI Act apply to UK-based AI companies?

Not to UK domestic operations. The EU AI Act applies to providers placing high-risk AI on the EU market or deployers operating in the EU. UK companies with UK-only operations are not subject to EU AI Act obligations. UK companies with EU customers must comply with the EU AI Act for those EU-facing operations. UK domestic AI is regulated by UK GDPR (ICO), sector regulators (FCA for fintech, CQC for health), and the emerging sector-based framework under the UK AI Regulation White Paper.

How does Tenet AI support UK ICO AI compliance?

Tenet provides three things ICO requires. First, per-decision audit logs for Article 22 explanations: every inference is logged with input features, output, and key contributing factors — enabling intelligible, individual-specific explanations. Second, DPIA evidence: Tenet's anomaly detection and decision analytics provide empirical data on model behavior, bias indicators, and drift — supporting DPIA completion and ongoing monitoring. Third, individual rights: Tenet's per-individual query capability lets organizations locate all AI decisions affecting a specific person within the 1-month SAR response deadline.

UK ICO AI Guidance: Data Protection for AI Systems — Auditing, Bias Testing, and Subject Access Rights

UK Information Commissioner's Office (ICO) enforces UK GDPR against AI systems processing personal data of UK individuals. All six data protection principles apply: lawfulness/fairness/transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. UK GDPR Article 22 restricts solely automated decisions with legal or similarly significant effects — individuals have the right to a meaningful, individual-specific explanation of the AI logic and the right to request human review. ICO's "Explaining Decisions Made with AI" guidance requires explanations that are intelligible to a layperson, specific to the individual decision, and actionable for challenging the outcome. DPIAs are mandatory for AI systems involving automated decision-making, profiling, or large-scale sensitive data processing. ICO enforces with fines up to £17.5 million or 4% of global annual turnover — the Clearview AI £17.1M fine established that scraping public data to train facial recognition AI requires a valid lawful basis. UK AI regulation post-Brexit is sector-based (ICO for data protection, FCA for fintech AI, CQC for health AI) rather than a single AI law like the EU AI Act.

UK GDPR Data Protection Principles Applied to AI Systems

All six UK GDPR principles apply to AI training and inference. Lawfulness, fairness, transparency: AI systems must have a lawful basis for processing personal data and must be transparent about how AI decisions are made — ICO has held that opaque AI outputs without accessible explanations violate the transparency principle. Purpose limitation: personal data collected for one purpose cannot be reused for AI model training without compatibility analysis — customer service data repurposed for hiring AI is a common violation. Data minimisation: AI training datasets should not capture sensitive attributes unnecessary for the model's purpose — models that encode proxy variables for protected characteristics without justification violate minimisation. Accuracy: model drift is treated as an accuracy violation when AI outputs affect individuals — deployers must monitor and correct degrading AI performance. Storage limitation: AI training data and inference logs must have defined retention periods; indefinite retention without justification is not compliant. Integrity and confidentiality: AI infrastructure must be secured against model extraction, adversarial attacks, and data poisoning proportionate to data sensitivity.

UK GDPR Article 22: Automated Decision Rights and Meaningful Explanation

UK GDPR Article 22 restricts solely automated decisions with legal or similarly significant effects — including credit decisions, employment eligibility, insurance pricing, healthcare access, and other decisions that substantially affect an individual's circumstances. Individuals have the right not to be subject to such decisions unless the organization has a lawful basis (contract, legal authorization, or explicit consent with safeguards). A decision is "solely automated" if there is no meaningful human involvement — ICO considers rubber-stamp human approvals without genuine review to still be solely automated. When Article 22 applies, individuals must receive meaningful information about the logic involved that is intelligible to a layperson, specific to their decision, and actionable for challenging the outcome. Generic model descriptions are insufficient. ICO guidance recommends counterfactual explanations: "if your income had been £X higher, the outcome would have been different."

ICO AI Enforcement: Clearview AI and the Scraping Precedent

ICO fined Clearview AI £17.1 million in 2022 for scraping billions of facial images from the internet to build a facial recognition database without a valid lawful basis under UK GDPR. The ICO found: no valid lawful basis for collecting biometric data about UK individuals at scale; scraping publicly available images does not satisfy legitimate interests when the processing is highly intrusive and unexpected; no mechanism for UK individuals to know they were in the database violated transparency; and retaining the data after the UK ICO investigation order constituted continued unlawful processing. The Clearview case is the foundational precedent for AI training on scraped data — "it's publicly available" does not constitute a lawful basis for processing biometric data or training AI at scale without individual knowledge. Similar logic applies to web scraping for NLP model training, behavioral profiling from public social media, and aggregating public records for AI scoring models.

DPIAs for AI: What the ICO Requires Before Deployment

UK GDPR Article 35 requires a Data Protection Impact Assessment (DPIA) before any processing likely to result in high risk. ICO mandatory DPIA triggers for AI: automated decision-making with legal/significant effects (Article 22 systems); large-scale processing of special category data (health, biometric, racial origin, sexual orientation); systematic monitoring of individuals at large scale; novel use of new technologies for profiling; processing children's personal data in high-risk ways; biometric or genetic data to uniquely identify individuals; and large-scale inference of sensitive attributes from non-sensitive data. A DPIA must describe the processing and purpose, assess necessity and proportionality, identify and assess risks to individuals, and identify mitigation measures. ICO guidance specifically requires DPIAs for AI to include: bias and fairness testing documentation; disparate impact analysis across protected characteristics; documentation of the Article 22 lawful basis and safeguards; and assessment of explanation capability. The DPIA must be completed before deployment and updated on material changes.

UK vs. EU AI Regulation: Post-Brexit Divergence Risk

UK GDPR currently mirrors EU GDPR in all substantive AI-relevant respects. However, the EU AI Act does not apply in the UK — UK companies are not subject to EU AI Act obligations unless they place AI on the EU market. UK AI regulation is developing separately through a sector-based approach: ICO for data protection, FCA for fintech AI (PS 22/1 on model risk management), CQC for health AI, Ofcom for recommender systems. The Digital Regulation Cooperation Forum (DRCF) coordinates multi-regulator AI oversight. The Data Protection and Digital Information (DPDI) Act reforms to UK GDPR may modify the Article 22 automated decision-making regime — AI compliance programs should monitor DPDI Act implementation for UK-specific divergence from EU GDPR. Organizations serving both UK and EU customers currently follow a single UK/EU GDPR-aligned framework, but this may change as UK and EU AI regulation diverge.