AI-powered candidate screening tool that ranks applicants for entry-level roles
In accordance with our privacy statement.
High-risk employment AI under EU AI Act and GDPR Art. 22 with tristate bias-audit exposure.
This tool is a high-risk AI system under the EU AI Act, a likely Art. 22 automated decision-making system under GDPR, and a covered ADMT under both Colorado and NYC law, meaning every major jurisdiction in scope has mandatory pre-launch obligations that are not yet confirmed as satisfied. The single most material risk is that recruiter follow-through at 85% will almost certainly be treated as de facto automated decision-making by regulators and courts, collapsing the human-oversight defense the team is currently relying on. A DPIA is required before EU deployment, an annual bias audit under NYC LL144 must be completed and posted before NY candidates are processed, and the March 2026 retraining creates a fresh compliance clock across all three regimes. Copyright exposure on five years of training data is a secondary but real tail risk that needs a lineage audit before this goes further.
- 1Complete and document the DPIA under GDPR Art. 35 before EU launch, covering bias in the five-year historical training dataset, the March 2026 retraining, and the 85% recruiter follow-through rate as a proxy for automated decision-making.
- 2Obtain or commission the NYC LL144 annual bias audit from an independent auditor, publish results on the company website, and deliver written candidate notice at least 10 business days before any NY applicant's data enters the screening system.
- 3Establish the GDPR Art. 22 legal basis in writing before EU processing begins, specifically deciding whether contract necessity or explicit consent applies, because that choice determines whether processing is lawful at all for EU candidates.
- 4Run a demographic subgroup accuracy audit on the retrained model across all three jurisdictions and document results under EU AI Act Art. 15 and the Colorado developer duty, so the affirmative-defense record under CAIA § 6-1-1706 is built from day one.
- 5Conduct a training data lineage audit to identify any third-party copyrighted materials in the five-year dataset and confirm what EU candidate personal data was used in the March 2026 retraining, addressing both copyright tail risk and GDPR Art. 25 data-minimization obligations simultaneously.
Whether the 85% recruiter adherence rate is sufficient, as a matter of EU and Colorado law, to constitute automated decision-making that strips the human-in-the-loop defense entirely, or whether documented recruiter discretion can still satisfy the meaningful human oversight standard under EU AI Act Art. 14 and GDPR Art. 22.
AI laws that may apply
21 surfaced across 6 lensesGrouped by legal lens. Click any provision to see how it applies to this launch specifically.
AI-specific
8High-risk AI systems must include human oversight measures to minimize risks to health, safety or fundamental rights.
- Accuracy, robustness, security (AI Act Art.15)Settled rule, unsettled applicationVerified 2026-05-25
High-risk AI systems must achieve and maintain a high level of accuracy, robustness and cybersecurity, with continuous testing to prevent malfunctions.
- Provider obligations for high-risk AI (AI Act Art.16)Settled rule, unsettled applicationVerified 2026-05-25
Providers of high-risk AI must ensure system compliance, affix CE mark, maintain quality management and documentation, and handle logging, conformity assessment, and corrective actions.
- Disclosure of AI interaction (AI Act Art.50(1))Settled rule, unsettled applicationVerified 2026-05-25
Providers must design AI systems interacting with people so that users are informed they are interacting with AI (not a human).
- Explanation of high-risk decisions (AI Act Art.86)Settled rule, unsettled applicationVerified 2026-05-25
Individuals subject to high-risk AI decisions that significantly affect them have the right to obtain a clear, meaningful explanation of the AI system role and the main decision elements.
Colorado AI Act defines an automated decision-making technology as one that processes personal data to generate recommendations or scores used to make consequential decisions.
A developer of a high-risk AI system must use reasonable care to prevent known or foreseeable algorithmic discrimination.
A deployer of a high-risk AI system must use reasonable care to address discrimination risks and implement an iterative risk management program.
Privacy
5- Automated decision-making prohibition (GDPR Art.22)Settled rule, unsettled applicationVerified 2026-05-25
Data subjects have a right not to be subject to solely automated decisions (including profiling) producing legal or similarly significant effects on them.
- Data protection by design and by default (GDPR Art.25)Settled rule, unsettled applicationVerified 2026-05-25
Controllers must implement data-protection principles (e.g. minimization, pseudonymisation) into processing from the earliest design stages.
Controllers and processors must implement appropriate technical and organizational measures to secure personal data according to the risk (e.g. encryption, resiliency).
- Data Protection Impact Assessment (GDPR Art.35)Settled rule, unsettled applicationVerified 2026-05-25
Requires DPIA before processing that is likely high-risk to rights, e.g. systematic automated profiling with significant effects.
Personal data processing must fit at least one lawful basis (e.g. consent, contract performance, vital interests, public task, legitimate interest).
Employment
2NYC Local Law 144 mandates that employers using automated employment decision tools must conduct an annual bias audit of the tool and publicly post a summary of the results before use.
Under NYC law, employers must notify job candidates and employees at least 10 business days before using an automated employment decision tool.
Security
2Under CIRCIA, designated critical-infrastructure companies must report covered cyber incidents to CISA within 72 hours of discovery.
NY SHIELD Act requires entities holding private information to implement reasonable safeguards and notify affected NY residents of data breaches.
Liability
1The EU 2024 update to the Product Liability Directive extends strict liability to digital products including AI-based systems.
other
3Requires certain deployers of high-risk AI systems to perform a Fundamental Rights Impact Assessment (FRIA) before first use. Applies to public bodies, private entities providing public services, and deployers of high-ri…
Grants data subjects the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects or similarly significantly affects them. Three exceptions: contract n…
Establishes an affirmative defense for developers and deployers of high-risk AI systems. A defendant escapes liability if it (1) discovered and cured the violation through user-feedback channels, red-teaming, adversarial…
Worth watching
3Provisions that may not strictly apply today but are close enough to the launch shape that they are worth keeping an eye on. No per-launch analysis is generated for these.
- Copyright and AI Training DataRecent court guidance indicates that copying copyrighted works into AI models may infringe unless clearly tran…skadden.com ↗
- NYT v. OpenAI (Training Data)The New York Times has sued OpenAI, alleging that using its copyrighted articles to train ChatGPT without perm…theverge.com ↗
- AI-Related Copyright CasesCourts are grappling with AI and IP: e.g., in Thomson Reuters v. ROSS, a judge held that output of an AI model…skadden.com ↗
Other flags
Not legal advice. Structured analysis of what a thoughtful counsel would consider given the inputs above. Does not substitute for counsel review or certify compliance.