Key Takeaways
- Same question; different tests. The EU AI Act, the GDPR and the UK GDPR distinguish between AI tools that make recruitment decisions and those that assist humans to make recruitment decisions, but the frameworks apply different legal thresholds and trigger different obligations on employers.
- Mind the gap. A recent UK Information Commissioner’s Office (“ICO”) report found that employers often believe they are using ‘decision support’ tools when, in practice, those tools are making fully automated decisions with no meaningful human involvement.
- Audit reality, not documentation. Organisations should audit their AI recruitment tools against the EU and UK frameworks, focusing on the day-to-day reality rather than designing documentation for documentation’s sake. They should also revisit those assessments as tools and guidance evolve.
An AI recruitment tool screens 500 CVs overnight, scores the suitability of each candidate, and presents the hiring manager with a shortlist of what it considers to be the 10 individuals that are most suitable for the role. The manager glances at the list and invites all of the shortlisted candidates to interview. Has the AI made the decision, or the human?
From 2 August 2026, the answer will sit at the intersection of three regulatory frameworks: (i) the EU AI Act, which classifies certain AI recruitment tools as “high risk”; (ii) the GDPR’s regime for automated decision-making (“ADM”); and (iii) the lighter-touch ADM regime in the UK that was introduced by the Data (Use and Access) Act 2025. Each framework draws a line between AI tools that make recruitment decisions and those that assist humans to make recruitment decisions – but the legal thresholds, obligations and consequences of getting the classification wrong differ materially.
The Shared Question: Decision or Assistance?
Annex III(4) of the EU AI Act classifies AI systems as high risk where they are “intended to be used” for recruitment, selection or evaluation decisions in the employment context. The critical question is whether the tool determines or materially shapes the employment decision and, if so, whether a human is genuinely exercising oversight of that process. Where a system is intended only to assist a human reviewer, it may still be high risk, but the classification analysis often turns on whether it materially influences the outcome and whether human oversight is genuine rather than nominal.
The GDPR and the UK GDPR apply comparable, but distinct, tests. Article 22 of the GDPR refers to a decision “based solely on automated processing”, whereas under the reformed Articles 22A–22D of the UK GDPR, the focus is on a “significant decision” based solely on automated processing, with “based solely” meaning “without meaningful human involvement”. Under both regimes, if a manager only interviews candidates from an AI-generated shortlist at which they have merely glanced, that is likely to be ADM. A multinational using a single AI recruitment tool across its EU and UK operations therefore faces multiple assessments under three similar but distinct frameworks – each of which it must pass independently.
Mind the Gap: Human in the Loop, or Just in the Room?
The ICO’s guidance on AI and data protection confirms that ‘decision support’ tools sit outside the ADM regime. However, its recent “Recruitment rewired” report into the use of AI and ADM in recruitment found that many employers believed they were using decision support tools when those tools were, in practice, making fully automated decisions with no meaningful human involvement. This brings into focus the central question under both the UK and EU frameworks: is a human genuinely in the loop, or merely in the room?
The answer is best thought of as a spectrum. At the extremes, the position is clear: a purely administrative tool that schedules interviews sits firmly outside both frameworks, while a fully automated system that screens and rejects candidates with no human review sits squarely within them. The contested ground lies between, where a human is present, but the meaningfulness of their involvement varies. Consider two zones: the ‘AI-assisted’ zone, where the human reviews the tool’s output, exercises independent judgement and retains the authority to override, and the ‘AI-shaped’ zone, where the human is nominally part of the process, but their involvement is too limited to satisfy either regime.
As the ICO report demonstrates, classification depends less on how a tool was designed or marketed than on how it is actually used in practice. So-called feature creep – where a tool’s functions gradually expand to shape substantive decisions – can move a tool from AI-assisted into AI-shaped territory. ‘Rubber-stamping’, where a human reviews the AI’s output but routinely defers to it, will usually have the same effect. What began as decision support becomes, in substance, ADM, and would also be classified as a high-risk system under the AI Act.

Where do the Regimes Diverge?
The AI Act imposes systemic, lifecycle obligations on providers and deployers of high-risk AI systems, regardless of whether any individual has been affected. Deployers must use the system in accordance with the provider’s instructions, assign human oversight to competent individuals, monitor its operation, retain automatically generated logs, carry out a fundamental rights impact assessment and, where required, inform workers’ representatives before deployment.
In addition, employers deploying AI recruitment tools in the EU must separately comply with Article 22 of the GDPR, which prohibits solely automated decisions with legal or similarly significant effects unless the decision is necessary for a contract, is authorised by law or is based on the individual’s explicit consent. The frameworks apply concurrently: AI Act compliance does not automatically satisfy EU GDPR obligations, and EU GDPR compliance does not meet the AI Act requirements, although measures taken to comply with one regime will often overlap with, and go some way towards satisfying, the requirements of the other.
Following the reforms enacted by section 80 of the Data (Use and Access) Act 2025, Article 22 of the UK GDPR has been replaced by new Articles 22A–22D. A controller may take a “significant decision” (i.e., one producing a legal effect or similarly significant effect) that is based solely on automated processing on any Article 6 UK GDPR lawful basis except Article 6(1)(ea) (recognised legitimate interests), provided that the controller has in place the Article 22C safeguards. Those safeguards must consist of or include measures that provide the data subject with information about the decision, enable them to make representations, enable them to obtain human intervention and enable them to contest the decision.
Where the significant solely automated decision is based entirely or partly on special category data within Article 9(1) of the UK GDPR, Article 22B prohibits it unless either (i) the decision is based entirely on processing of personal data to which the data subject has given explicit consent, or (ii) the decision is necessary for entering into or performing a contract with the data subject or is required or authorised by law, and Article 9(2)(g) of the UK GDPR (i.e., substantial public interest) applies.
What’s on the Horizon?
EU: The European Commission's guidance on Annex III(4) classification has not yet been published, despite the anticipated 2 February 2026 deadline. The Digital Omnibus proposal, currently in trialogue, would push back application dates for Annex III high-risk obligations to December 2027 for standalone systems and August 2028 for embedded systems.
UK: The ICO has signalled that ADM in recruitment is a priority enforcement area and has launched a consultation on draft ADM guidance that is open until 29 May 2026.
What Should Employers Do Now?
- Audit reality, not documentation. Review how AI recruitment tools are actually used, not merely how they were designed or marketed. The audit should capture who reviews the tool’s output, what discretion they exercise and whether the human involvement is genuine or nominal.
- Assess each tool against both frameworks independently. The AI Act's high-risk classification and the GDPR and UK GDPR ADM thresholds involve different tests, and the answers may differ for the same tool. Document your reasoning under each regime separately and be prepared to revisit those assessments as tools and guidance evolve.
- Invest in genuine human oversight. Under each regime, a human decision-maker is genuinely in the loop only if they have the competence and authority to disagree with the machine. Review whether your processes and training genuinely support independent human judgement.
- Monitor the regulatory calendar. The European Commission's delayed Annex III guidance, the Digital Omnibus trialogue and the ICO’s ADM consultation all have the potential to reshape the compliance landscape in the coming months, but organisations that have done the foundational work (i.e., understanding their tools, mapping their obligations and documenting their assessments) will be well placed to adapt.
Subscribe to Ropes & Gray Viewpoints by topic here.