This is especially challenging given the onslaught of new regulations, the patchwork of existing data protection and discrimination laws, and heightened regulatory enforcement. For example, there has been a considerable uptick in European data protection authorities investigating how organizations are deploying workforce AI tools in the monitoring space, including time and activity trackers, video surveillance, network and email monitoring, and GPS tracking. Authorities have issued substantial fines for alleged privacy law violations, including for "unlawfully excessive" or "disproportionate" collection. For example, the French data protection authorities recently imposed a USD 34 million fine related to a multinational e-commerce company's use of a workplace surveillance system.
The AI regulatory landscape is rapidly evolving, and in most places compliance is still voluntary. However, organizations should build their AI governance programs to include key privacy, data protection, intellectual property, anti-discrimination and other concepts – and a good place to start is with these HR tools given their widespread use and the increased scrutiny. Legal Departments should consider these five key actions:
(1) Understand current use of AI technologies
As a starting point, organizations should understand the AI tools used, how tools are deployed, what data is collected, and how the data is used. Organizations may be using these tools throughout the employment life cycle, including in recruitment, onboarding, and HR and performance management. Many organizations have utilized these technologies for years, without much legal oversight. Circulating a questionnaire or survey amongst HR professionals, hiring managers and business leaders (and including members of the company's IT and information security department), or otherwise taking an inventory of all the existing tools, is an essential first step towards mitigating risk.
(2) Review recent changes to the regulatory and enforcement landscape
The EU AI Act, which became effective 1 August 2024, is the first comprehensive AI regulatory framework. Enforcement of the Act is set to begin in 2026, and it aims to regulate AI systems that may impact people in the EU. Like the EU's General Data Protection Regulation, the Act will reach organizations around the world whenever the system is used within the EU. Under the Act, systems are ranked by risk level, which determines the compliance requirements. Some systems may be identified as posing an "unacceptable risk," and their use would be prohibited; this includes the use of AI-based emotion-recognition systems in the workplace.
Recruitment systems, including systems to place targeted job advertisements, to analyze and filter applications, to evaluate job candidates, to monitor and evaluate performance, or to make decisions about employment are considered high risk under the Act. Employers are required to explain and document their use of such systems. Additionally, GDPR principles for lawful processing of data, transparency around processing, accuracy of data, purpose limitation, data minimization, storage limitation, data integrity, and confidentiality also still apply. In most cases, when using these tools, organizations will be required to conduct a data protection impact assessment and there will be a requirement for human intervention. In some jurisdictions, introduction of new technology that impacts the workforce will trigger information and consultation obligations with worker representatives under local law; in some cases, their consent to implementation may be required.
In the US, while the AI regulatory landscape is evolving, many of the existing laws in place are focused on AI tools in human resources. There is a patchwork of federal and state regulations in the employment and privacy space that may regulate these technologies, including from the Federal Trade Commission, the Department of Labor, and state Attorneys General, among others. Recently, the US Consumer Financial Protection Bureau issued guidance reminding organizations that compliance with the Fair Credit Reporting Act is still required when utilizing AI for employment decisions.
In August, Illinois became the second state, after Colorado, to target workplace algorithmic discrimination. H.B. 3773, effective 1 January 2026, makes it unlawful for organizations to use HR AI tools that could discriminate based on a protected class. As in Colorado, Illinois companies must also notify applicants and employees when using AI for various HR functions. Additionally, in 2023, New York City began enforcing a law imposing strict requirements on employers that use automated employment decision tools to conduct or assist with hiring or promotion decisions in NYC. The law prohibits the use of automated decision tools unless the company publishes on its website a summary of an independent bias audit of the tool.
(3) Data minimization is still paramount
Before the deployment of these technologies, employers should review the tool in detail and determine the legal basis and necessity for the collection and processing of personal data. Like the EU GDPR, the California Consumer Protection Act includes data minimization principles that require all data processing activities be assessed for necessity and proportionality.
(4) Always keep a human in the loop
In October, the US Department of Labor published "Artificial Intelligence and Worker Well-Being: Principles and Best Practices for Developers and Employers." This non-binding guidance prioritizes the well-being of workers in the development and deployment of AI in the workplace. DOL urges employers to establish governance structures to oversee the implementation of AI systems and keep a human in the loop for any employment decisions. Thus, training HR staff and managers on the proper use of AI when it comes to making hiring or employment-related decisions is critical. DOL's recommendations align with jurisdiction-specific AI laws and regulations in places like New York City, Colorado, and Illinois, and will likely dovetail with further regulation to come in this space.
(5) Assess and document risk
Organizations should review these technologies for legal, ethical, and reputational risk, including for issues related to data privacy, cybersecurity, intellectual property, employment, and vendor and supplier risks. While some laws already require such assessments, it is expected that many new laws will also include this requirement.
Baker McKenzie has put significant resources into the development of our AI capabilities.
Wherever your organization is on its AI journey, our cross-disciplinary team of experts can help you pursue these new opportunities while mitigating risk.
For legal counsel responsible for mitigating risk related to AI in HR, we've developed a three-part framework for risk mitigation.
- Know the law: Multijurisdictional Matrix, addressing all of the applicable regulations and compliance steps where you have headcount
- Know what to do: Practical AI in HR Implementation Step Lists and Compliance Checklists for use in certain key jurisdictions, including where / when it is necessary or advisable to negotiate with works councils or worker representatives
- Know how to document: Appropriate employment documentation (e.g., standard policies, notices and consents, etc.) and internal training programs.
Please contact us for more information.