AI systems in the employment context: what the DPAs emphasize

During the 45th Global Privacy Assembly held in October 2023, which brought together Data Protection Authorities from around the world to discuss trends related to new technologies, several conclusive resolutions were adopted regarding key aspects relevant to the protection of personal data.

One of the most notable resolutions comes from the Italian Data Protection Authority, in collaboration with the German and English authorities, concerning the use of AI in the employment context (the “Resolution”).

The core of the Resolution aims to ensure that the use of AI systems in the employment context - both during the employment relationship and in the pre-employment phase - is based on a human-centric approach, emphasizing the potential impact of such technologies on the personal and professional lives of workers and outlining specific guidelines.

The main aspects and objectives highlighted in the Resolution include:

1. ensuring that the use of AI systems in the workplace prioritizes human-centered evaluations;

2. developing AI systems in compliance with the principles of privacy by design and privacy by default, as well as the various principles outlined in Article 5 of the GDPR;

3. establishing an adequate legal basis for the processing of personal data throughout the AI usage process in the employment context, considering the limitations of consent, especially given the presumed power imbalance between the employer and the employee (refer to the European Data Protection Board Guidelines 5/2020 on consent, p. 21;

4. adopting adequate safeguards to avoid the risk of disproportionate surveillance of workers and involving trade unions in the decision-making process regarding the implementation of AI systems in the employment context;

5. developing and using AI systems with a holistic approach oriented towards compliance with data protection laws, labor laws, and, in general, human rights frameworks;

6. respecting transparency principles regarding the processing of personal data, considering that the employer (data controller) has the obligation to provide detailed information to the employee (in cases involving algorithmic or AI systems in the employment context) and the union, before implementing any AI system. This includes information about the use and functioning of such systems (e.g., whether the system can affect the ranking of a candidate or employee, task assignments, management, or dismissal);

7. ensuring that candidates/employees subject to an AI-assisted decisions have the right to access information about the data held by the employer and the use of their personal data in relation to the decisions made, including information on data that is inferred and any profiling activities carried out with these AI systems;

8. ensuring that employees/candidates subject to decisions made using AI systems, as well as employers using such systems, can understand the decision made by the AI system and can promptly access to an explanation. The explanation provided to employees should include intelligible information about the logic involved and the significance and envisaged consequences of using AI systems, both in general and in the employee’s specific case, to ensure that they can lodge informed complaints and exercise their right to redress with relevant judicial authorities;

9. ensuring that data subjects have the ability, in the case of AI systems making decisions based solely on automated processing, to obtain human review of the employment decisions, express their point of view, and contest the decision;

10. training users of AI tools to ensure that automated decisions are not subject to automation bias;

11. ensuring that users of AI tools have the requisite expertise, experience and technical qualifications;

12. respecting the principle of accountability for the data controller, who must take into account, mitigate and, if necessary, prevent the risks to the rights and freedoms of data subjects (i.e., candidates and employees) that may arise from the use of AI systems in the employment context and be able to demonstrate that appropriate security measures have been adopted;

13. implementing organizational policies that include data protection impact assessments when using AI systems before proceeding with their implementation, considering all reasonably foreseeable risks to the rights and freedoms of candidates and employees, as well as the identification of reporting and redress mechanisms available to data subjects;

14. reducing and mitigating biases or discriminations, both direct and indirect, that may arise from the use of AI systems in the employment context. This includes adopting appropriate measures to ensure that personal data used in system training is representative to the context in which the system will be used, regularly updated, and implementing appropriate technical and organizational measures to correct parameters used for recruitment and work management systems in case they are inaccurate.

In conclusion, the Authorities:

1. urge companies developing or using AI systems in the workplace to consider the outlined profiles and objectives;

2. invite all members of the Global Privacy Assembly to collaborate, both nationally and globally, with companies developing or using AI systems in the workplace to assist them in incorporating the outlined considerations.

3. commit to updating the results of the investigation conducted by the Working Group on Ethics and Data Protection in Artificial Intelligence in case of possible changes in the legal or technical landscape related to the use of AI in the workplace.

The text of the Resolution is available here.