Can Your Organisation Use AI to Recruit Employees?

Rapid and unprecedented developments in artificial intelligence (AI) technology reshaping industries and revolutionizing traditional business practices. Consequently, the integration and implementation of AI systems into organizations has become a strategic imperative for business. The future AI Act creates a regulatory framework for various sectors, including the critical topic of recruitment.

Recruitment under the AI Act:

Under the Act, the use of AI in recruitment is classified as “high-risk”, due to their significant potential to contribute towards discrimination and exclusion of the protected groups (such as race or ethnic origin, sex). Thus, organizations using high-risk AI systems must comply with strict rules, such as mandatory fundamental rights impact assessment. Moreover, AI systems must be technically robust for their purpose and positive/negative results should not disproportionately affect protected groups. Organizations must also ensure that high-risk AI systems are trained and tested with sufficiently representative datasets. The aim is to minimize the risk of unfair biases. It is crucial to target the risk with appropriate bias detection, correction, and other mitigating measures. Records of activities, audits and in-depth documentation are also important for organizations. Moreover, organizations developing AI must ensure the compliance of the systems, even after they are set on the market.

You can read the details of the AI Act here.

Navigating Automated Decision-Making Restrictions and Exceptions under the GDPR:

The GDPR prohibits solely automated decisions, which have a legal or similarly significant effect on data subjects. The Article 29 Working Party Guidelines on automated decision-making and profiling defines the term ‘similarly significant affect’. It refers to instances where automated decisions have the potential to:

  • significantly affect the circumstances, behaviour or choices of the individuals concerned;
  • have a prolonged or permanent impact on the data subject;
  • as its most extreme, leads to the exclusion or discrimination of individuals.

Using AI for the entire recruitment process is generally prohibited. This is because in case a candidate is automatically rejected based on an AI decision, it may impact the professional, financial, and psychological situation of an individual.

However, Article Art 22(1) of the GDPR allows an automated decision-making process if:

  • it is necessary to enter into or perform a contract between the data controller (e.g., employer organization) and the data subject (e.g., employee candidate)
  • it is based on the subject’s explicit consent.

Assessing the Possibilities of Using AI and Automated Decision-Making in Recruiting:

Organizations, wishing to use solely automated decision-making processes for contractual purposes, need to prove that, such processing is the most appropriate and necessary one. If there is any other effective and less privacy-intrusive method available, then automated decision-making cannot be considered as ‘necessary’. The size of the company is also decisive for this necessity. For example, for multi-national companies, a routine human-carried recruitment process can be impractical or impossible. (For more details, please refer to the Guidelines on automated decision-making and profiling). You can check the DPC’s Guidance.

It is important to note that, consent must be given freely. Yet, according to Article 29 Working Party Guidelines on consent, if there is any element of inability to exercise free will, the condition for consent is not sustained. Especially if there is an imbalance between parties. In the case of recruitment, the asymmetry of the powers between parties is so great that consent can hardly be freely given.

If an organization implements an automated decision-making process, then it must ensure the safeguarding of the rights, freedoms, and legitimate interests of the individuals concerned. Organizations should consider the rights of the individuals; such as the right to obtain human intervention on the controller’s part or the right to challenge the decision. Thus, complying with the laws and taking appropriate measures to mitigate the risks is crucial.

You can contact us for more information and guidance.

By |2024-01-25T08:53:10+01:00January 24th, 2024|AI, AI Act, Data Governance, Data Protection, GDPR, Personal data, Privacy|0 Comments