AI and HR: These are the laws and regulations you need to be aware of

Rune Nordengen, partner at the law firm Bull & Co. (Photo: Bull)

What do HR professionals need to know about relevant laws and regulations for artificial intelligence? We asked a lawyer.

Artificial intelligence and law is a complex field, and unfortunately, there are few clear and simple answers.

To HR workers, AI represents opportunities – but pitfalls as well. Many of these pitfalls are legal.

Here’s our conversation with Rune Nordengen from the law firm Bull & Co, about how the legal landscape affects the use of artificial intelligence in the HR sector:

Which laws affect the HR industry’s use of AI?

If you use artificial intelligence in the HR industry, there are a number of rules you must adhere to, Nordengen explains:

“For instance, GDPR, the Working Environment Act, and the Equality and Anti-Discrimination Act all apply, regardless of whether you use artificial intelligence – or not – to create results and make decisions.”

He gives a practical example:

“Let’s say you gather information about your co-workers related to learning content, or to put together compatible teams. You use their age, CVs and interests to customise content or to identify matching skill sets.

“This will be regulated by GDPR, and you’ll need to make sure that you have the legal basis for processing”, Nordengen says.

In other instances, AI may form the basis of decisions that don’t meet the requirements for a safe working environment, or that discriminate based on gender, sexual orientation, disabilities, ethnicity, or other factors.

Other laws, such as the Marketing Control Act and the Copyright Act, may also be applicable.

Which work processes are affected by these laws?

“We’ve seen examples of AI being used to optimise work instructions, for instance by leaving route planning to AI”, Nordengen says.

Practically, this could mean that automatic decisions are made about how the employees are supposed to perform their tasks. These decisions must be made in accordance with the Working Environment Act and GDPR.

“Although AI may ease working processes, it’s important to stress that decisions can’t be entirely left to AI systems”, he adds, pointing at the General Data Protection Regulation:

“According to article 22 of the GDPR, the data subject – employees included – has the right not to be subject to a decision based solely on automated processing if it has legal effect or significant implications for them.”

Let’s talk about screening of job applications, monitoring productivity and profiling: Are there any risk factors?

“The most recent edition of the upcoming AI Act states that systems that are intended for recruitment, including screening of job applications or targeted advertising, as well as systems intended to make decisions about working conditions or monitor work performance, should be considered high-risk systems”, says Nordengen.

“That is if they can be used in the first place, without violating the Personal Data Act or the Working Environment Act”, he adds.

What about the risk of discrimination?

Another challenge related to the use of AI and profiling is the risk of discrimination.

“If the data used to train AI algorithms are skewed or biased, the algorithms may absorb and reinforce these biases, for instance by having the system discriminate based on ethnicity and gender”, says Nordengen.

The Equality and Anti-Discrimination Act prohibits discrimination based on factors such as gender, sexual orientation, ethnicity, religion, ability level and age.

“To ensure a just and ethical use of AI in recruitment processes, it’s necessary to implement measures addressing potential challenges associated with this.”

Let’s imagine an HR department creating a “customised chatbot” built on GPT-4. What should they be aware of?

Advanced language models such as GPT-4 raise legal and ethical questions, especially in an HR context:

“It’s essential to make sure that all data processing complies with the legislation, such as GDPR. You need to verify that there is a legal basis for the processing of data, as well as inform the subjects how the data is collected, stored, processed and utilised”, Nordengen says.

Even if services are purchased externally, it’s still the employer’s responsibility to meet the requirements for embedded privacy. Nordengen’s recommendation is clear:

“Choose privacy-friendly solutions and services.”

How can an HR department ensure compliance with the laws and regulations for AI?

A good place to start is by establishing guidelines for artificial intelligence.

“Several laws, including GDPR and the Working Environment Act, require written documentation and that those affected by the technology are informed of how it’s used”, says Nordengen, adding:

“Aside from strictly legal obligations, it’s also wise to give employees clear guidelines on what’s acceptable and what’s not. Language models may create text based on copyrighted material, without the user necessarily being aware of it.”

Having guidelines for the appropriate use of AI provides the company management with the reassurance that the business operates on solid legal ground, the attorney explains:

“Ultimately, management may be held accountable for unlawful use of AI if they haven’t regulated how it’s used properly.”

What will be the requirements for new competence regarding law and AI in the HR sector?

Nordengen explains that interdisciplinary competence will be important:

“First of all, the company’s needs and requirements must be identified, as well as the opportunities provided by new technology and the opportunities and limitations found in the legislation.”

He also mentions data security and control – and procedures for access control – as significant elements:

“The technology may also pose a threat to business secrets, HR and privacy, to mention a few factors.”

On top of that, regulations giving customers the right to access the data they upload, such as the Data Act, are on their way.

“That’s why companies need a data strategy just as much as they need an AI strategy. That includes knowledge about your own industry and organisation, technology and law – areas that are characterised by fast-paced development”, he concludes.