Published on 14 June 2024
When implementing HR software systems, employers face ever more complex legal issues. They must consider not only the question of which systems can be used in the first place, but also if those systems are compliant with data protection and employment law.
What to consider from a legal perspective, in particular when using artificial intelligence, is the topic of the most recent podcast episode of our CMS Employment Snack.
Torn between employment law, data protection, and the AI Act
Employment relationships have come to rely on digital identities of employees. Their work using interconnected devices inevitably entails processing of their personal data. This fact increasingly poses legal issues, because Austria has no codified law on the protection of employees’ personal data. Data protection law stands separately and independently from employment law. And in fact, legislators, literature, and case law have superimposed data protection law onto employment law without any real effort at harmonisation. Unlike Germany, for instance, Austria has also failed to make use of the saving clause in article 88 of the GDPR. It allows national legislators to include specific data protection rules in employment law.
In future, the legal situation will be complicated even further by the AI Act, which is directly legally binding as an EU regulation. It takes a risk-based approach and classifies AI systems into four risk categories:
- Prohibited unacceptable-risk AI systems, e.g. “social scoring” systems
- High-risk AI systems that are admissible subject to strict requirements
- Limited-risk AI systems that are subject to specific transparency obligations
- Minimal-risk AI systems not regulated by the AI Act
As a consequence, it has become almost impossible to keep abreast of what employers are and will be allowed to do, and what rights employees have.
Employment law and data protection – the state of play
In the most recent episode of our webinar and podcast series CMS Employment Snack, Daniela Krömer speaks with Jens Winter and Christoph Wolf about the difficult interplay between employment law and data protection, complicated even further by the AI Act’s entry into force. We highlight that the AI Act merely regulates which tools may be used. Whether or not the use of artificial intelligence is admissible under data protection law and employment law is a question that must be answered separately.
Against this backdrop, we explore why the use of high-risk AI systems, while permitted under the AI Act, is nevertheless problematic. According to the ECJ’s most recent case law on article 22 of the GDPR, use of such systems is mostly prohibited in Europe in terms of data protection law.
Moreover, we discuss the role of works councils, which have a strong position under the Austrian Labour Constitution Act (Arbeitsverfassungsgesetz, ArbVG) when it comes to the use of digital work equipment. Without the works council’s approval in the form of a required works agreement (sections 96 and 96a of the Act), admissible use of digital work equipment is strictly limited under labour constitution law. From the perspective of data protection law, a works agreement may also constitute an additional or supporting legal basis within the meaning of article 6 of the GDPR.
Our CMS Employment Snack podcast is available for free on Spotify, iTunes and Podbean.
