
AI in Recruiting – Efficiency or a Legal Minefield?

Imagine: you work in HR at a product IT company. Hundreds of resumes – the deadline was "yesterday". The suggestion: “Connect AI – it will do everything by itself.” Convenient? Yes. But if the bot filters out a strong candidate or reads facial expressions without consent, the responsibility is on you.
In 2024, the British regulator ICO conducted an audit of companies using AI in the recruitment process. The results revealed a number of risks: automatic rejections without human involvement, lack of clear information, and collection of sensitive personal data without consent. Ukrainian legislation does not yet contain specific provisions regarding AI, but practice is confidently moving towards more responsible use.
The IT lawyers of Stalirov&Co shared practical observations on how the use of recruiting AI in the IT business can lead to legal complications and how to avoid them.

Key Risks: What You Need to Know About the Legality of AI

Before entrusting AI with part of the recruitment process, it is worth assessing the possible legal consequences. Here’s what lawyers advise IT projects to consider:

Discrimination and Bias

AI learns from the past. If previously mostly men were hired – the system will repeat this. This is how Amazon had to abandon its own hiring tool after a sexist scandal: AI systematically downgraded female candidates if their resumes mentioned women's colleges or experience in women's communities.

Data Privacy

Many tools process biometric data – facial expressions, voice, emotions. In the EU, Canada, Australia, the USA, and Ukraine, such information is considered sensitive. Its processing is only allowed with explicit consent.

Lack of Transparency (Black Box AI)

A "black box" is an algorithm whose decisions are difficult or impossible to explain. If AI rejects a candidate — you will not be able to explain to them why. However, according to Article 22 of the GDPR (European General Data Protection Regulation), a person has the right not to be subject to a decision based solely on automated processing if it has legal effects or significantly affects them. In Ukraine, similar principles are enshrined through judicial practice: a candidate has the right to review such decisions — otherwise, legal risks increase.

How to Reduce the Likelihood of Complaints

To minimize the risks that lawyers encounter in IT practice, it is advisable to follow these steps:
  1. Leave the final word to a human. Do not make final decisions without HR involvement.
  2. Conduct a DPIA (Data Protection Impact Assessment) – an assessment of the impact on personal data. This is important to do when you are implementing a third-party product or ordering the development of your own software. In both cases, your company acts as the "controller" — you decide why and how personal data is processed. 
    Some technical processing operations can be delegated to an external contractor – the so-called "processor". However, even in this case, the primary responsibility for compliance with data protection requirements remains with the controller: if the instructions are unclear, the level of security is insufficient, or the data is used beyond the defined purpose, the responsibility lies with you.
  3. Just-in-time notifications. If your AI system uses video interviews or video recording — it is effectively collecting biometric data. And this is sensitive information. To avoid forcing candidates to scroll through five pages of the Privacy Policy, provide a short notice at the time of collection: “This part of the process involves video recording. Do you consent?”.
  4. Formalize documents. The terms of use of AI should be described in agreements, contracts, and public offers.
  5. Choosing an AI provider: due diligence. When a company decides to implement an AI system for recruitment, the choice of the right provider should not be based solely on functionality and price criteria. It is important to consider legal risks, transparency, and compliance with future legislative requirements. During negotiations with the provider, pay attention to the following:
  • Is it possible to explain the logic of the decisions made?
  • Is there a mechanism for appealing or reviewing results?
  • What are the terms regarding intellectual property? Who owns the algorithm, the collected data, and the analysis results? In some cases, standard terms stipulate that everything belongs to the provider – which means losing control over the system.
  • Who has rights to the code? Without access to it, your team will not be able to adapt the tool or scale the solution in the future – for example, for a new vacancy or within another internal development.

Conclusion

Recruiting AI systems are not just about saving time, but also about balancing automation and responsibility. Excessive trust in algorithms without human oversight can lead to complaints, fines, and lost reputation.
To avoid such risks, it is advisable to build the process from the very beginning on clear principles:
  • with human oversight,
  • transparent information for candidates,
  • risk assessment (DPIA),
  • legal support for IT projects.
Teams that consider these principles from the start reduce risks and build trust – both from candidates and regulators.
Author: Valeriy Stalirov, CEO of the IT lawyers company Stalirov&Co
