AI-powered candidate screening tool that ranks applicants for entry-level roles

EU, US — Colorado, US — New York · Candidates / applicants · 2026-05-26


Summary

High-risk employment AI under EU AI Act and GDPR, with NYC LL144 and Colorado AI Act obligations running in parallel.

This tool is a high-risk AI system under the EU AI Act (Annex III, recruitment and selection), a high-risk AI system making a consequential employment decision under the Colorado AI Act, and an automated employment decision tool (AEDT) under NYC Local Law 144, so three distinct compliance regimes attach before a single application is processed. Because the model is built in-house, the company is both provider and deployer under the AI Act, and the Art. 16 provider duties (conformity assessment, CE marking, logging, quality management) attach alongside the deployer duties. The most material risk is the 85% recruiter follow rate: with no documented independent deliberation, the nominal human-in-the-loop does not amount to meaningful oversight under Art. 14 of the AI Act, and the automated output becomes functionally determinative under GDPR Art. 22, exposing the company to a finding that it is running solely automated decision-making without a valid Art. 22(2) exception or adequate safeguards. Compounding that, the March 2026 retraining on five years of historical hiring decisions creates a live disparate-impact exposure that must be audited and documented before launch in all three jurisdictions, not after the first round of rejections. Copyright provenance of the training data is a secondary but real tail risk, given that historical applicant materials were used as training input.

0 dealbreakers · 21 obligations · 3 watch items
Top priorities
  1. Resolve the GDPR Art. 22 legal basis before EU deployment: determine which Art. 22(2) exception applies (explicit consent, necessity for entering into a contract, or authorisation by Union or Member State law), document it in the privacy notice and DPA, and implement a substantive (not checkbox) human-review protocol that can withstand regulatory scrutiny given the 85% follow rate.
  2. Complete the NYC LL144 independent bias audit of the March 2026 retrained model, measuring impact ratios by sex, race/ethnicity and their intersectional categories across entry-level applicants, publish the summary of results, and post the required 10-business-day advance candidate notice before any New York screening begins.
  3. Commission the GDPR Art. 35 DPIA and EU AI Act Art. 27 Fundamental Rights Impact Assessment as a combined workstream, covering training data composition, model fairness metrics stratified by protected class, and the identified risk that historical hiring decisions embed prior discriminatory patterns.
  4. Conduct a pre-launch bias audit for Colorado applicants under the Colorado AI Act deployer risk management obligation, document disparate-impact findings by protected class using the March 2026 model, and stand up the required risk management program before Colorado screening goes live.
  5. Run a training data provenance audit to identify any third-party copyrighted materials (candidate writing samples, licensed assessment rubrics, external job descriptions) included in the five-year historical dataset, and obtain or confirm written clearance before the next retraining cycle.
Biggest open question

Whether the 85% recruiter follow rate, combined with the absence of documented independent deliberation, is sufficient for a supervisory authority or court to find that this tool produces decisions "based solely on automated processing" under GDPR Art. 22, regardless of the nominal human-in-the-loop structure.

AI laws that may apply

21 surfaced across 6 lenses, grouped by legal lens.

AI-specific (8)

  • Human oversight (AI Act Art. 14) · Settled rule, unsettled application · Verified 2026-05-25

    High-risk AI systems must be designed so that natural persons can effectively oversee them during use, in order to prevent or minimise risks to health, safety or fundamental rights.

  • Accuracy, robustness, security (AI Act Art. 15) · Settled rule, unsettled application · Verified 2026-05-25

    High-risk AI systems must achieve, and perform consistently with, an appropriate level of accuracy, robustness and cybersecurity throughout their lifecycle, including resilience against errors and faults and against attempts by third parties to alter their use or output by exploiting system vulnerabilities (data poisoning, model poisoning, adversarial inputs, model flaws).

  • Provider obligations for high-risk AI (AI Act Art. 16) · Settled rule, unsettled application · Verified 2026-05-25

    Providers of high-risk AI must ensure system compliance, affix the CE marking, maintain a quality management system and technical documentation, and handle logging, conformity assessment and corrective actions.

  • Disclosure of AI interaction (AI Act Art. 50(1)) · Settled rule, unsettled application · Verified 2026-05-25

    Providers must design AI systems that interact directly with natural persons so that those persons are informed they are interacting with an AI system, unless this is obvious from the circumstances.

  • Explanation of high-risk decisions (AI Act Art. 86) · Settled rule, unsettled application · Verified 2026-05-25

    Individuals subject to a decision taken on the basis of output from an Annex III high-risk AI system, where that decision produces legal effects or similarly significantly affects them, have the right to obtain a clear and meaningful explanation of the role of the AI system in the decision-making procedure and of the main elements of the decision taken.

  • Colorado AI Act: Definition of high-risk AI system (covered system) · Settled rule, unsettled application · Verified 2026-05-25

    The Colorado AI Act treats an AI system as high-risk when it makes, or is a substantial factor in making, a consequential decision, a category that expressly includes employment and employment-opportunity decisions; a tool that ranks applicants for hiring falls within that definition.

  • Colorado AI Act: Developer duty · Settled rule, unsettled application · Verified 2026-05-25

    A developer of a high-risk AI system must use reasonable care to protect consumers from known or reasonably foreseeable risks of algorithmic discrimination.

  • Colorado AI Act: Deployer risk management · Settled rule, unsettled application · Verified 2026-05-25

    A deployer of a high-risk AI system must use reasonable care to protect consumers from algorithmic discrimination and must implement an iterative risk management policy and program.

Privacy (5)

  • Automated decision-making prohibition (GDPR Art. 22) · Settled rule, unsettled application · Verified 2026-05-25

    Data subjects have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning them or similarly significantly affects them.

  • Data protection by design and by default (GDPR Art. 25) · Settled rule, unsettled application · Verified 2026-05-25

    Controllers must build data-protection principles (e.g. minimisation, pseudonymisation) into the processing from the earliest design stage and by default.

  • Security of processing (GDPR Art. 32) · Settled rule, unsettled application · Verified 2026-05-25

    Controllers and processors must implement technical and organisational measures appropriate to the risk, e.g. pseudonymisation and encryption, ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability after an incident, and regular testing of the measures' effectiveness.

  • Data Protection Impact Assessment (GDPR Art. 35) · Settled rule, unsettled application · Verified 2026-05-25

    Requires a DPIA before processing that is likely to result in a high risk to individuals' rights and freedoms, e.g. systematic and extensive automated evaluation of personal aspects, including profiling, on which decisions with significant effects are based.

  • Lawfulness of processing (GDPR Art. 6) · Settled rule, unsettled application · Verified 2026-05-25

    Personal data processing must rest on at least one lawful basis (consent, contract performance, legal obligation, vital interests, public task, or legitimate interests).

Employment (2)

  • NYC LL144: Annual bias audit · Settled rule, unsettled application · Verified 2026-05-25

    NYC Local Law 144 requires employers and employment agencies using an automated employment decision tool to have it bias-audited by an independent auditor within one year before use, repeated annually, and to publicly post a summary of the results before the tool is used.

  • NYC LL144: Notice to candidates · Settled rule, unsettled application · Verified 2026-05-25

    Under NYC law, employers must notify job candidates and employees residing in the city at least 10 business days before using an automated employment decision tool on them.

Security (2)

  • CIRCIA Incident Reporting · Settled rule, unsettled application · Verified 2026-05-25

    Under CIRCIA, covered critical-infrastructure entities must report covered cyber incidents to CISA within 72 hours of reasonably believing one has occurred, and ransom payments within 24 hours; the duty is operative only once CISA's implementing rule is in effect, and only for entities within a designated critical-infrastructure sector.

  • New York SHIELD Act · Settled rule, unsettled application · Verified 2026-05-25

    The NY SHIELD Act requires any entity holding private information of New York residents to implement reasonable administrative, technical and physical safeguards and to notify affected residents of data breaches.

Liability (1)

  • EU Revised Product Liability Directive (2024) · Settled rule, unsettled application · Verified 2026-05-25

    Directive (EU) 2024/2853 extends no-fault (strict) product liability to software, including AI systems, and applies to products placed on the market from 9 December 2026.

Other (3)

  • EU AI Act, Art. 27 · Settled rule, unsettled application · Pending: omnibus_vii · Verified 2026-05-23

    Requires certain deployers of high-risk AI systems to perform a Fundamental Rights Impact Assessment (FRIA) before first use. Applies to public bodies, private entities providing public services, and deployers of high-ri…

  • GDPR, Art. 22 · Settled rule, unsettled application · Verified 2026-05-23

    Grants data subjects the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects or similarly significantly affects them. Three exceptions: contract n…

  • CAIA, C.R.S. § 6-1-1706 · Pending · Pending: sb_25b_004_postponement_and_rulemaking · Verified 2026-05-23

    Establishes an affirmative defense for developers and deployers of high-risk AI systems. A defendant escapes liability if it (1) discovered and cured the violation through user-feedback channels, red-teaming, adversarial…

Worth watching (3)

Provisions that may not strictly apply today but are close enough to the launch shape that they are worth keeping an eye on. No per-launch analysis is generated for these.

  • Copyright and AI Training Data: Recent court guidance indicates that copying copyrighted works into AI models may infringe unless clearly trans… (skadden.com)
  • NYT v. OpenAI (Training Data): The New York Times has sued OpenAI, alleging that using its copyrighted articles to train ChatGPT without perm… (theverge.com)
  • AI-Related Copyright Cases: Courts are grappling with AI and IP: e.g., in Thomson Reuters v. ROSS, a judge held that output of an AI model… (skadden.com)

Other flags: employment use

Not legal advice. Structured analysis of what a thoughtful counsel would consider given the inputs above. Does not substitute for counsel review or certify compliance.

AI-powered candidate screening tool that ranks applicants for entry-level roles. Uses an in-house mo — Anteroom