← All articles

consultant

Profiling and automated decisions: CJEU vs UK — two opposing lines

The UK replaces Article 22 UK GDPR with 22A–22D (a “permitted subject to safeguards” model), while the CJEU (SCHUFA) confirms in the EU a default ban on fully automated decisions with legal or similarly significant effects.

Summary — On 5 February 2026, the UK replaced Article 22 UK GDPR with Articles 22A–22D (Data Use and Access Act), moving to a “permitted subject to safeguards” model. In the EU, the CJEU (7 Dec 2023, SCHUFA) confirms a default ban on fully automated decisions with legal or similarly significant effects. For Luxembourg, the EU/CJEU/EDPB line remains the baseline.

The case

  • United Kingdom — reform: the Data (Use and Access) Act 2025 replaces Article 22 UK GDPR with 22A–22D, shifting from a default prohibition to a safeguards‑based regime with rights to challenge. Official source: GOV.UK — factsheet.
  • CJEU — EU case‑law: in two judgments dated 7 December 2023 (C‑26/22 and C‑64/22, “SCHUFA”), the CJEU held that credit scoring, when the score plays a decisive role in the decision (e.g., granting/refusing credit), is an “automated individual decision” generally prohibited under Article 22 GDPR, subject to strict exceptions. See CJEU press release 186/23.
  • ICO — evolving guidance: in March 2026, the ICO launched a consultation on draft guidance for “automated decision‑making, including profiling” to reflect Articles 22A–22D. See ICO 2026 consultation.

As a result, in the EU (and Luxembourg), Article 22 GDPR remains a default ban on fully automated decisions with legal or similarly significant effects, guided by WP29/EDPB. In the UK, the reform more broadly permits ADM subject to enhanced safeguards.

Legal reasoning

EU law (applicable in Luxembourg)

Article 22 GDPR grants the right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects, except where (i) necessary for a contract, (ii) authorised by law, or (iii) based on explicit consent, with safeguards (human intervention, expressing a view, and challenging the decision). References: CNPD — Chapter III; WP29/EDPB — ADM & Profiling Guidelines. For local context, see the GDPR framework in Luxembourg.

In SCHUFA, the CJEU confirms that a score decisive for granting/refusing credit falls under Article 22(1) (default ban), subject to strict exceptions and strong safeguards. See the CJEU press release.

UK law (post‑Brexit)

The UK government explains that Articles 22A–22D introduce a “permitted subject to safeguards” model with emphasis on challenge and explainability. Source: GOV.UK — factsheet. The ICO maintains detailed resources on automated decisions and “similarly significant effect,” and is updating doctrine via the 2026 consultation: ICO — Rights related to ADM and 2026 consultation.

What this changes in practice

  • Credit, insurance, dynamic pricing: in Luxembourg, if an algorithm decides “alone” with significant effect (accept/refuse, individual pricing), you fall under Article 22(1) GDPR. Either avoid exclusive ADM (build in real human oversight) or rely on a narrow exception with full safeguards (detailed information, human review, challenge). For a robust AI governance approach, ensure explainability and traceable human intervention.
  • Automated hiring: CV screening/video interviews with scoring that determines the outcome without effective human input is generally banned in the EU; in the UK, it may be permitted subject to safeguards. Examples: ICO — Rights related to ADM.
  • EU/UK groups and UK processors: even if processing physically occurs in the UK, a Luxembourg establishment remains subject to the GDPR and the CJEU/EDPB standard. Avoid “UK‑only alignment” for EU data subjects: keep the GDPR/CJEU baseline and contract for effective human oversight, logic traceability, and a meaningful challenge channel. Our contact point can help scope these controls.

Common pitfalls

  1. Token human intervention: a rubber‑stamp click without real power to revise is not enough. Human oversight must be qualified and documented. Ref: WP29/EDPB.
  2. Misjudging “similarly significant effect”: credit refusal, termination, punitive pricing, blocking access to an essential service, adverse HR outcomes… typically qualify. Ref: ICO examples and WP29/EDPB.
  3. Poor transparency: Articles 13/14/15 require meaningful information about the logic and envisaged consequences. Generic notices are insufficient. Ref: CNPD — Chapter III.
  4. Over‑reliance on “explicit consent”: consent must be real, freely given and specific; it does not remove safeguard obligations. Ref: WP29/EDPB; CJEU — SCHUFA.
  5. “One zone, one rule” thinking: for EU data subjects, Article 22 GDPR (as read by the CJEU/EDPB) applies. Ref: CNPD.

Official sources

Recommendation

Use the CJEU/EDPB/CNPD line as your baseline (default ban on fully automated decisions with legal or similarly significant effects), retain genuine human oversight, formalise explainability and challenge rights, and treat the UK doctrine as a distinct regime. For implementation support, consider our compliant AI services and the GDPR landscape in Luxembourg.

Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.

LUXGAP NEWSLETTER

Get our analyses the moment they drop.

GDPR, NIS 2, AI expertise articles, plus invitations to free webinars + trainings at Luxgap. 1 to 2 emails per week max, one-click unsubscribe.

Your data is never shared. GDPR-compliant (we're DPOs after all).

A question on this topic?

Our team usually replies within one business day. Configure your quote or write to us.

Build my quote →