The EU AI Act: The Download for Employers

The new EU AI Act, which came into force on 1 August 2024, is a comprehensive legal framework designed to harmonise rules on the use of Artificial Intelligence (“AI”) throughout the EU.  The primary aim of the Act is to ensure safe AI systems that respect fundamental human rights, while also fostering innovation. 

In this article in our AI series, we consider the implications of the Act for Irish employers utilising AI systems in the workplace, and outline the practical steps that should be taken to ensure compliance with the Act.

AI in the Modern Workplace

Many employers have already began enlisting the help of AI to streamline tasks across business operations.  AI can be a particularly powerful tool in the employment realm; in the recruitment, performance monitoring, and assessment of employees for promotions and terminations.  While AI is revolutionising the way we work, it is imperative that Irish businesses strike a balance between innovation and safe and ethical work practices.  The parameters set by the AI Act will assist employers in achieving that end.

Overview of the EU AI Act

Regulation under the EU AI Act is based on the level of risk that an AI system poses to an individual’s health, safety, values and fundamental rights. Subject to certain exemptions, the EU AI Act will be fully applicable 24 months after entry into force, namely, from 2 August 2026 (discussed further here).

An employer may be deemed a “provider” and subject to more onerous obligations under the Act where they substantially modify or simply add their logo to a high-risk AI system which is already on the EU market. 

In most cases, however, an employer will be considered a “deployer” of an AI system.  Significantly for employers, several employment use cases fall into the category of “high-risk”. This includes AI use in:

• recruitment, such as the screening of job applications, evaluation or selection of candidates;
• promotion or termination decisions; and
• evaluation or assignment of tasks based on an employee’s performance or behaviour.

In high-risk cases, as a deployer, employers’ obligations include the following:

• Using the AI system in accordance with the provider’s instructions;
• Ensuring human oversight of the AI system by someone with appropriate training and authority;
• Monitoring AI system activity in accordance with instructions and flag any risks or incidents to the AI system’s provider or distributor promptly;
• Identifying whether data input into AI systems and over which they have control is relevant and suitable for intended use;
• Maintaining logs of data generated by the AI system, if under their control; and
• Carrying out a fundamental rights impact assessment (“FRIA”) prior to use, where applicable (eg, if a public body, providing a public service or operating in banking and insurance).

Deployers will also be subject to a new right for individuals to obtain a clear and meaningful explanation of the role of any high-risk AI system in decision-making they have been subject to. At this time, it is unclear how this right may be used in practice. However, it is possible that it may be used by disgruntled employees to put pressure on employers to explain algorithmic decision-making in the workplace and possibly to support potential employment related grievance, protected disclosure and / or other claims. Albeit employers already have an obligation under the GDPR to inform employees about their use of any AI systems used to make automated decisions about them.

In respect of AI activities with limited risk to employees, for instance the use of in-house chatbots to assist with queries, the main requirement is to abide by certain rules on transparency, namely informing employees of their interaction with AI. 

What steps should employers take now?

Employers can expect to receive more detailed guidance in the coming months from relevant EU institutions and supervisory bodies on various aspects of the Act that are yet to be defined. In the meantime, employers should consider the following preparatory steps:

1. Mapping: Identify, audit and understand the current and proposed future uses of AI within the business. Assess what actions may need to be taken in relation to such use to ensure compliance with the AI Act.
2. Governance: Appoint leadership with responsibility for overseeing AI use in the workplace and to engage with relevant stakeholders (including employment / HR, legal, privacy, technology functions) to set the business’ framework for AI implementation.
3. Policies and procedures: Internal policies should be developed to articulate the guardrails for AI usage within the business.
4. Training: Appropriate training and guidance should be provided to all employees using AI systems to ensure they understand how to use the tools in accordance with the provider’s instructions and what their obligations are under the new rules.
5. Supply chain management: Engage with third party suppliers, including a review of existing contract terms, to ensure legal protections and controls are in place in relation to the acquisition of AI.  
6. Risk assessments: Explainability is a key element in reducing the risk of algorithmic bias. Develop a model to holistically assess proposed AI use and the suitability of data used to train AI systems.  
7. Consultation:  Employees and their representatives must be informed that they are subject to an AI system under the Act. Identify any consultation obligations with representative bodies under any collective or works council agreement in relation to current and planned AI deployment and processes. 

Matheson's Employment, Pensions and Benefits Group is available to guide you through the complexities of navigating the ever increasing use of AI in the workplace and new legislation being introduced in this area, so please do reach to our team or your usual Matheson contact.

Our Digital Economy Group have published a comprehensive AI Guide for Businesses, which provides an overview of the AI Act, and will help you to understand the scope of your new obligations.  To get your copies of the Matheson AI Guide for Businesses, please email: AIGUIDE@matheson.com

This article was co-authored by Employment, Pensions and Benefits partner, Alice Duffy, and solicitor, Naomi Douglas.