UK AI/ADM Code Regs (SI 2026/425)
The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026
Statutory instrument requiring the Information Commissioner to prepare a statutory code of practice on processing personal data in artificial intelligence and automated decision-making systems, with specific provision for protecting children's personal data.
Jurisdiction
United Kingdom
Enacted
Apr 16, 2026
Effective
May 12, 2026
Enforcement
Information Commissioner's Office (ICO)
SI 2026/425, made April 16, 2026; laid before Parliament April 21, 2026; in force May 12, 2026. Enabling instrument under the Data (Use and Access) Act 2025 amendments to the Data Protection Act 2018.
legislation.gov.uk (SI 2026/425)Why It Matters
Operationalises the Data (Use and Access) Act 2025's requirement for a statutory AI/automated-decision-making code, anchoring UK data-protection expectations for AI systems with a specific children's-data focus.
Recent Developments
Came into force May 12, 2026, triggering the Information Commissioner's process to develop the statutory AI and automated-decision-making code of practice.
At a Glance
Applies to
Who Must Comply
- The Information Commissioner (preparing the code)
- Organisations developing or deploying AI and automated decision-making systems that process personal data (once the code is issued)
Safety Provisions
- Requires the Information Commissioner to prepare a statutory code of practice on personal-data processing in AI and automated decision-making
- Requires the code to make specific provision for the protection of children's personal data
- Establishes the consultation panel and process for developing the code
Exemptions
National Security
The code may not address national-security matters
- • Processing for national-security purposes
Compliance & Enforcement
Penalties
No direct penalties; the resulting code of practice is admissible in evidence and taken into account by courts and the ICO in UK GDPR and Data Protection Act 2018 enforcement.
View on map
United Kingdom
Focus Areas
Cite This
APA
United Kingdom. (2026). The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026.
Related Regulations
DUA Act 2025
Omnibus data legislation covering customer data access, digital verification services, the Information Commission, and AI-related provisions including copyright/training transparency requirements and new criminal offenses for creating AI-generated intimate images (deepfakes).
UK DPA 2018
The UK's foundational data protection law, incorporating the UK GDPR (retained EU GDPR post-Brexit). Substantively mirrors EU GDPR with ICO as sole enforcer. Article 22 restricts automated decision-making; Article 9 classifies mental health as special category data; children's consent age set at 13. Parent framework for UK Children's Code; amended by DUA Act 2025.
TX TDPSA + SCOPE
Texas AG Paxton is the MOST AGGRESSIVE enforcer against AI companion companies. December 2024 investigations launched against Character.AI, Reddit, Instagram, Discord.
UK OSA CSEA Reporting Regs 2026
Statutory instrument implementing section 69 of the UK Online Safety Act 2023, requiring regulated user-to-user service providers (UK and non-UK) to report child sexual exploitation and abuse (CSEA) content to the National Crime Agency under tiered priority-based timeframes.
UK OSA
One of the most comprehensive platform content moderation regimes globally. Creates specific duties around suicide, self-harm, and eating disorder content for children with 'highly effective' age assurance requirements.
UK AI Approach
Sector-specific, principles-based approach using existing regulators. Five cross-sector principles guide regulatory application rather than horizontal AI legislation.
Last updated June 3, 2026. Verify against primary sources before relying on this information.