Europe’s Top Privacy Regulators Just Confirmed AI Hiring Tools Have Been Breaking the Law for Eight Years

photograph taken April 28 2026 shows European

Europe’s top data protection bodies declared at a July 9 European Parliament conference in Brussels that AI-driven hiring tools have violated GDPR Article 22 since May 2018 — not December 2027. The European Data Protection Supervisor Wojciech Wiewiórowski and the EDPB confirmed that automated candidate screening without genuine human review has been illegal for eight years. The CJEU’s December 2023 SCHUFA ruling extended liability directly to AI vendors whose scoring outputs employers rely on without independent evaluation. With 25 national authorities currently auditing transparency compliance, employers and HR technology providers face immediate legal exposure.

In-Depth:


Europe’s two most powerful data protection authorities delivered a pointed verdict at the European Parliament on Thursday: the compliance deadline that matters for automated hiring decisions is not December 2027. It is May 2018 — the date GDPR Article 22 took effect, and the date by which employers were already required to ensure that any AI-driven candidate screening involving meaningful consequences on an applicant included genuine human review and not a rubber stamp. The European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) co-hosted a formal conference at the European Parliament in Brussels on July 9, titled “Hired by an Algorithm: Data Protection and AI Regulation in Modern HR Practices.” EDPS Supervisor Wojciech Wiewiórowski delivered the opening remarks — a signal that the event carried institutional weight well beyond its origin as a trainee-organized initiative.

The conference’s central finding was unamlargeuous: AI candidate screening tools that filter applicants without genuine human review were in violation of GDPR Article 22 from the moment they were deployed, not from the moment an AI Act deadline passes. That prohibition has been in force for eight years. For any employer currently applying an algorithm to screen CVs, rank applicants, or score video interviews, the legal exposure is not hypothetical. It is accumulated.

GDPR Article 22 Has Applied to Automated Hiring Since Before AI Act Was Proposed

Under GDPR Article 22, individuals — including job applicants and employees — have the right not to be subject to decisions based solely on automated processing, including profiling, that significantly affect them, unless specific legal safeguards are in place. Those safeguards are demanding: the decision must be necessary for a contract, explicitly authorized by EU or member state law, or based on freely given and specific consent. No EU member state has specifically authorized automated rejection in recruitment as of 2026. The most commonly deployed exception — explicit consent — requires conditions that are structurally difficult to satisfy in recruitment contexts, becaapply a job applicant who can only access consideration by passing through an employer’s screening platform is not, in the EDPB’s assessment, giving consent freely.

The CJEU’s SCHUFA ruling of December 7, 2023 (C-634/21) brought the question into sharper focus by determining that any candidate scoring tool that materially influences a selection decision falls within Article 22’s scope, even where downstream human review nominally occurs. The Court’s criterion was practical: if the downstream decision-creater relies heavily on the algorithmic score, the score-creater — not just the employer creating the final call — may be the Article 22 controller. A human recruiter who clicks “approve” or “reject” primarily on the basis of an AI-generated ranking, without indepconcludeent evaluation of the candidate’s file, is not providing the meaningful human review the regulation requires.

A February 2025 CJEU ruling (Case C-203/22) added a further enforcement dimension. The Court held that when a controller claims trade secret protection for its scoring logic, it must still disclose that logic to the relevant supervisory authority or court. The trade-secret shield does not protect HR AI vconcludeors from GDPR investigations into how their algorithms reach conclusions about candidates.

SCHUFA Ruling Extconcludeed Liability Directly to AI Vconcludeors

One implication of the SCHUFA ruling that Thursday’s conference brought into focus is one that many employers and HR technology vconcludeors have not yet acted on: Article 22 liability does not rest only with the employer deploying the system. Under the CJEU’s “heavily relied upon” standard, an AI vconcludeor whose scoring output materially shapes which candidates advance — without the employer conducting genuinely indepconcludeent evaluation — may itself be the Article 22 controller, subject to the full weight of GDPR enforcement. This restructures the compliance calculus across the entire HR technology supply chain.

For HR software providers that supply candidate-ranking scores as a service, this means that a client employer’s nominal human review may not be sufficient to insulate the vconcludeor from regulatory liability. The legal burden to ensure that “meaningful human review” is occurring — and can be documented — falls on both parties. The EDPB’s 2026 Coordinated Enforcement Framework action, which is currently reviewing transparency compliance at organizations across 25 jurisdictions, is examining precisely the kind of documentation gap that arises when employers cannot demonstrate that their human reviewers actually evaluated candidate files rather than ratifying an algorithm’s output.

Digital Omnibus Extension Does Not Suspconclude GDPR Obligations

The conference’s timing was deliberate. On June 29, 2026, the Council of the European Union gave final approval to the “Digital Omnibus” simplification package, formally pushing back the compliance deadline for stand-alone high-risk AI systems under Annex III of the EU AI Act from August 2, 2026, to December 2, 2027 — a 16-month reprieve. The EU AI Act classifies AI systems applyd in employment-related decisions as high-risk, including tools applyd for recruitment, candidate selection, performance evaluation, tinquire allocation, monitoring of workers, and decisions on promotion or termination.

Regulators at Thursday’s conference were emphatic that the extension does not create any safe harbour under existing data protection law. The Digital Omnibus postpones AI Act compliance requirements for high-risk system providers and deployers to December 2027. The GDPR applies in full today. Article 22 applies today. The obligation to explain an automated HR decision to a candidate, a dismissed worker, or a union representative exists today. None of this alters becaapply the AI Act’s high-risk deadline relocated.

The Article 50 transparency obligations for AI systems — which require disclosure to individuals when AI has been applyd in decisions affecting them — largely remain on the original schedule. Businesses subject to those obligations must stay ready for the August 2026 date regardless of the Omnibus, as Gibson Dunn’s analysis of the Omnibus confirmed.

Labour groups seized on a separate weakening embedded in the Omnibus package. The European Trade Union Confederation and industriAll Europe criticized the simultaneous dilution of Article 4 of the AI Act, where the obligation on providers and employers shifted from having to “ensure a sufficient level of AI proficiency” to the more vague standard of “supporting the improvement of AI proficiency.” The unions argued that what remained of the AI Act’s worker-facing obligations had been weakened precisely when judicial enforcement of the underlying GDPR protections was launchning to demonstrate teeth.

Court Rulings Show Enforcement Is Already Active

Thursday’s conference also reviewed a body of litigation that demonstrates enforcement is already under way, not waiting on any regulatory horizon. Legal analysis from EU-focapplyd practices, including PSL Avocat’s Philippe Sigal, identified three recent decisions as establishing that algorithmic HR litigation in Europe is a present legal reality.

The Foundever decision from Spain’s Audiencia Nacional, handed down on July 4, 2025, involved a company that denied applying algorithms in its HR management. The court declared the practice void, sanctioned the company for breach of trade union freedom, and ordered disclosure of algorithm parameters to worker representatives — the first Spanish decision recognizing trade union rights to information on HR algorithms. Under the court’s reasoning, denying the existence of an HR algorithm when one is in operation constitutes a standalone legal fault, separate from any question of whether the algorithm itself complied with GDPR.

The Amsterdam “robo-firing” case, decided by the Court of Appeal in April 2023, established that a company cannot terminate contract workers through a system that lacks meaningful human judgment in the termination decision. And the CJEU’s SCHUFA ruling — the most consequential of the three — confirmed for the first time that a probability-scoring system can itself constitute an automated individual decision under Article 22, even when the entity operating the system is not the one creating the final employment call.

None of these decisions rested on the AI Act. All three would have been decided identically if the AI Act had never been passed.

How Do 25 Regulators Know Which Organizations to Investigate?

The EDPB has launched its Coordinated Enforcement Framework (CEF) action for 2026, with 25 data protection authorities across Europe assessing whether controllers are meeting their transparency obligations under GDPR Articles 12, 13, and 14, which require individuals to be clearly informed when their personal data is being processed. The right to be informed is a core element of transparency and ensures that individuals have more control over their data. For AI hiring platforms, the standard is demanding: privacy notices must accurately disclose algorithmic logic, profiling methods, the sources from which candidate data is obtained, and how individuals can exercise their rights.

The French data protection authority, the CNIL, is coordinating the effort. Authorities are conducting checks through questionnaires or investigations across various sectors in Europe, with findings to be exalterd and analyzed in the second half of 2026. A consolidated report is to be submitted to the EDPB for adoption, enabling tarobtained follow-up at both national and EU levels. The German federal data protection authority in Brandenburg specifically identified recruitment agencies as a sub-focus of its national enforcement work within the framework.

Prior coordinated enforcement actions have consistently generated national investigations across multiple jurisdictions, followed by EDPB reports aggregating the findings and identifying common failures. The pattern relocates from coordinated audit to enforcement decisions to binding guidance in a cycle of roughly 18 to 24 months. For employers and HR technology vconcludeors whose current privacy notices do not accurately describe their AI screening practices, that cycle is already turning.

What “Meaningful Human Review” Actually Requires

A recurring theme at Thursday’s conference was the inadequacy of nominal human review — what regulators described as the “rubber stamp” problem. AI screening systems that technically route decisions through a human reviewer may still violate Article 22 if that reviewer lacks the genuine authority, information, or time to evaluate the candidate indepconcludeently of the algorithm’s output.

The CJEU’s SCHUFA judgment confirmed that even producing a probability score that another party then relies on can itself constitute an Article 22 decision. Under this standard, a recruiter who approves or rejects a candidate based primarily on an AI-generated ranking — without reviewing the underlying CV, interview notes, or candidate file — is not providing the human involvement that Article 22 requires. The threshold the CJEU established is behavioral, not procedural: the human reviewer must be doing something more than ratifying the machine.

Automated decisions are permitted under Article 22 in limited cases — with explicit consent, or as required by contract or law — and must include safeguards such as the right to human intervention, the right for the applicant to express a view, and the right to contest the decision. These are not aspirational commitments. They are rights that every EU job applicant currently holds, against every employer currently applying AI to screen applications.

EDPS Role as AI Oversight Body Adds Institutional Weight

Thursday’s conference carried additional significance given the EDPS’s expanded institutional mandate. Under the AI Act, the EDPS is now a market surveillance authority for AI systems applyd by EU institutions and a notified body for high-risk AI assessments. In 2025, the EDPS responded to 145 legislative consultations — the highest in a single year to date — activated a dedicated AI Unit, launched a landmark AI regulatory sandbox pilot project, and conducted high-profile supervisory work including the investigation into the European Commission’s apply of Microsoft 365 and audits of large-scale IT systems operated by Europol, Frontex, and Eurojust.

That expanded mandate gives the EDPS direct oversight of how EU institutions themselves apply AI in hiring — a question with particular weight when those institutions are simultaneously directing private employers to raise their standards.

What Employers and Vconcludeors Must Do Before August 2026

The compounding pressure from Thursday’s conference is clear: HR technology vconcludeors and employers face simultaneous exposure on two fronts that operate on different timelines.

The GDPR front is active now. Article 22’s prohibition on purely automated hiring decisions has been enforceable for eight years. The EDPB’s CEF action is examining transparency notices today, with 25 national authorities already contacting organizations across sectors. Employers whose privacy notices do not accurately describe their AI screening practices, and vconcludeors whose scoring logic cannot be disclosed to regulators on demand, have present compliance exposure under Article 22 and Articles 12–14.

The AI Act front arrives in stages. Article 50 transparency obligations for AI systems apply from August 2, 2026 — less than a month away. Annex III high-risk obligations, including risk management documentation, bias testing, and full conformity assessment for employment AI tools, apply from December 2, 2027, per the Council’s final adoption of the Digital Omnibus.

For HR compliance teams, the practical priority list runs in this order: first, audit whether AI hiring tools are producing outputs that human reviewers are genuinely evaluating or merely ratifying; second, review and update privacy notices so they accurately describe algorithmic logic, data sources, and candidate rights; third, confirm that the organization’s data flows with HR AI vconcludeors are covered by processing agreements that allocate Article 22 controller status clearly. For organizations that have treated December 2027 as their governing horizon, Thursday’s conference in Brussels served as a formal correction. The GDPR clock started in 2018, and it has never stopped, as the EDPB’s guidance on automated decision-creating has long built clear.


Frequently Asked Questions

Does GDPR Article 22 apply to AI job application screening?

Yes. GDPR Article 22 has applied to automated hiring decisions since May 2018 — eight years before the EU AI Act’s December 2027 deadline for high-risk AI systems. Any AI tool that screens CVs, ranks candidates, or scores video interviews without meaningful human review of each individual’s file may already be in violation, regardless of what AI Act compliance date applies to the vconcludeor or deployer. The CJEU’s SCHUFA ruling (December 2023) confirmed that a scoring tool materially influencing a selection decision triggers Article 22 even when a human nominally creates the final call.

What does “meaningful human review” mean under GDPR Article 22?

Meaningful human review requires that a person with genuine authority to override an algorithm’s output actually evaluates the candidate’s file — not just the algorithm’s score. Regulators at Thursday’s Brussels conference described this as the “rubber stamp” problem: a recruiter who confirms or rejects an applicant primarily on the basis of an AI-generated ranking, without indepconcludeently reviewing underlying materials, does not satisfy Article 22. The CJEU’s standard is behavioral: the reviewer must be doing something more than ratifying the machine. Documentation of human override decisions — and evidence that reviewers have both the information and the time to conduct genuine evaluation — is increasingly what regulators will inquire to see.

Can an AI hiring vconcludeor — not just the employer — be held liable under GDPR Article 22?

Potentially yes. The CJEU’s SCHUFA ruling established that the entity producing a scoring output can itself be an Article 22 controller if the downstream party relies heavily on that score to create a decision with significant effects. Applied to HR technology, this means that a vconcludeor supplying AI candidate-ranking scores to employers may bear indepconcludeent Article 22 liability if employers are not genuinely reviewing those scores indepconcludeently before acting on them. The standard does not fall only on the employer who clicks “reject.” HR technology vconcludeors should confirm, through contract terms and technical design, that their systems are not positioned as the de facto decision-creater in any deployment.

What should employers do before the AI Act’s December 2027 deadline arrives?

Three steps are most urgent. First, audit AI hiring tools for the rubber-stamp problem: confirm that human reviewers have genuine access to candidate files and documented ability to override algorithmic outputs. Second, update privacy notices to accurately disclose that AI is applyd in screening, what data it processes, how profiling occurs, and what rights candidates hold — this is required under GDPR Articles 12–14 and is currently being tested by 25 data protection authorities across Europe. Third, clarify Article 22 controller status in vconcludeor contracts: establish which party — the employer, the vconcludeor, or both — is responsible for ensuring that the system’s outputs are not treated as final decisions. The AI Act’s December 2027 deadline does not suspconclude any of these obligations. It adds to them.



Source link