Can algorithmic recruitment systems lawfully utilise automated decision-making in the EU?

2.1 Applicant's right not to be subject to automated decisions

As several scholars have remarked, GDPR Article 22(1) could be considered an enforceable right of the data subject not to be subject to automated decisions. ²⁶ If this interpretation is adopted, employers may, in general, use algorithmic recruitment systems that resort to automated decision-making. However, if some applicants exercise the right not to be subject to automated decisions, then the employers must consider whether they can continue the automated decision-making. This may be possible, if some of the exceptions listed in GDPR Article 22(2) apply and the employers implement the additional safeguards required by GDPR Article 22(3) or the legislation referred to in Article 22(2)(b). If no exceptions apply, human recruiters must make decisions regarding the applicants who have exercised the right. Nevertheless, automated decision-making concerning other applicants can continue.

This interpretation finds support in varying arguments presented, among others, by Mendoza, Bygrave and Tosoni. Firstly, if interpreted literally, GDPR Article 22(1) seems to create a right. It explicitly refers to ‘a right’, whereas some other provisions, such as GDPR Article 22(4) ²⁷ and Article 11(1) of the Law Enforcement Directive (hereinafter ‘the LED’), ²⁸ are more clearly termed prohibitions. ²⁹ Allegedly, Article 22(1) would have been worded unambiguously as a prohibition if it was intended as such. ³⁰

Secondly, internal contextual reading of the GDPR could, to some extent, support this interpretation. For instance, Article 22 is placed in Chapter III titled ‘Rights of the data subject’, and other provisions, such as Article 12(2), refer to it regarding ‘exercise of data subject rights’. ³¹ However, this does not necessarily denote that Article 22 was intended as a right. Article 22(3) safeguards are phrased as data subject rights, which could explain the placement and references. ³² Moreover, the rights framing of Chapter III should not be overemphasised as other provisions in the chapter could also be read as establishing duties on controllers rather than conferring rights to data subjects. ³³ Further, the title of Article 22 does not frame the provision as conferring a right, as do many other provisions of Chapter III. ³⁴ In addition, this interpretation could render the consent derogation in Article 22(2)(c) meaningless since the data subject cannot object and explicitly consent to the same automated decision-making. ³⁵

Thirdly, external contextual arguments could be presented in favour of this interpretation. The legislative history of the GDPR does not strongly indicate that Article 22(1) was meant to be a prohibition, as Bygrave and Tosoni have pointed out. ³⁶ The wording of GDPR Article 22(1) is, in this regard, similar to its predecessor, Article 15(1) ³⁷ of the former Data Protection Directive (hereinafter ‘the DPD’), ³⁸ which, based on its legislative history, was intended as a right to object. ³⁹ Thus, Tosoni has argued that if the legislator had intended GDPR Article 22 to be a prohibition, it would be visible in its drafting history or it would be worded otherwise. ⁴⁰ Furthermore, this interpretation can be supported by external documents of the Council of Europe, which provide for rights and with which the GDPR should be harmonised. ⁴¹

By contrast, teleological arguments mostly contradict this interpretation. Whereas the main purpose of the GDPR appears to be the protection of natural persons’ fundamental rights, especially data protection and privacy, ⁴² GDPR Article 22 apparently aims, among other things, to protect the dignity of humans, ⁴³ to protect them from the potentially negative effects of automated decisions, ⁴⁴ to ensure the quality of the decisions ⁴⁵ and to protect the right to due process. ⁴⁶ It could be questioned whether the rights interpretation sufficiently fulfils these objectives. When this interpretation is chosen, employers are not obliged to assess the permissibility of automated decision-making under the exceptions of Article 22(2) or to implement the safeguards of Article 22(3) if the applicants do not exercise the right. Among others, Brkan has considered that this interpretation could lead to extremely unfavourable consequences for the data subjects if they fail to exercise the right. ⁴⁷

In practice, several obstacles could prevent applicants from exercising this right. First of all, applicants may not be aware of the automated decision-making, even if they are informed as required by GDPR Article 13(2)(f). ⁴⁸ Applicants might not have the time to read through all the information provided to them ⁴⁹ or they may not understand it even if they read it. ⁵⁰ Moreover, applicants may be oblivious of their right to object, as the employers are not obliged to inform them about it. ⁵¹ Even if applicants know of the right, they might not be otherwise prepared to intervene and object to the automated decision-making. ⁵² Objection requires active effort, which makes it easier to accept the default option. Furthermore, applicants could also fear losing their opportunity to be selected for the job if they use the right, and hence tolerate automated decision-making. The rights interpretation could lead to differing treatment of applicants based on their activity and thus impair the already marginalised applicants’ situation, if they do not, for instance, have the capability or resources to exercise the right.

2.2 A prohibition of automated recruitment decisions

The second interpretation considers GDPR Article 22(1) as a prohibition. If this interpretation is adopted, employers are not generally allowed to use automated decision-making in recruitment. However, the prohibition is qualified. Employers can employ automated decision-making if some of the exceptions listed in GDPR Article 22(2) apply and if safeguards required in GDPR Article 22(3) ⁵³ are implemented. If no exceptions apply, or employers are unable to implement the required safeguards, human recruiters must make decisions concerning all applicants.

Various arguments support the prohibition interpretation, even though a purely literal reading of GDPR Article 22(1) seems to be against it. Firstly, several internal contextual arguments seem to endorse this interpretation. The structure of the Article 22, where paragraph 1 provides the main rule, paragraph 2 sets out exceptions to it and paragraph 3 details additional safeguards, supports the prohibition interpretation, according to Dreyer and Schulz. ⁵⁴ Whereas Mendoza and Bygrave have noted that while termed as a right, Article 22(1) differs from other rights as it is not ‘a right to something’ but rather ‘a right not to be subject to a particular type of decision’. ⁵⁵ Further, the section title ‘Right to object and automated individual decision-making’ could, according to the WP29, ⁵⁶ imply that Article 22 is not a right to object similar to that in Article 21. ⁵⁷ Moreover, Article 22 lacks an explicit duty to inform data subjects about the right to object, which is included in GDPR Article 21(4). ⁵⁸ In addition, it could be argued that if intended as an enforceable right, Article 22(1) would have been mentioned in GDPR Article 13(2)(b) which requires controllers to inform data subjects about the other enforceable rights.

GDPR Recitals could also be read as supporting the prohibition. Pursuant to GDPR Recital 71, automated decision-making ‘should be allowed where expressly authorised by Union or Member State law […] or necessary for the entering or performance of a contract […] or when the data subject has given his or her explicit consent’. According to the WP29, this implies that automated decision-making under Article 22(1) would not be generally allowed. ⁵⁹

Further, certain inconsistencies in the logic of GDPR Article 22 could arise, if it is not considered a prohibition. Firstly, the human intervention safeguard, required by GDPR Article 22(3), would be purposeless if Article 22(1) is deemed as a right. ⁶⁰ Secondly, Pehrsson has pointed out that limiting the protection of special categories of data in Article 22(4) to decisions made under Article 22(2) exceptions would be questionable, if Article 22(1) was not intended as a general prohibition. ⁶¹ Thirdly, as mentioned in Section 2.1, the meaningfulness of the consent derogation could be questioned if the other interpretation is chosen. ⁶²

Secondly, external contextual arguments can be presented to support the prohibition interpretation. In recruitment, this interpretation would be in line with section 5.5 of the International Labour Organisation's Code of Practice on the Protection of Workers’ Personal Data (1997), which states that ‘decisions concerning a worker should not be based solely on the automated processing of worker's personal data’. In favour of this interpretation in general, Brkan has referred to the whole data protection framework's coherence and, in particular, to the LED, which explicitly terms a similar provision as a prohibition. ⁶³ However, Tosoni has questioned the coherence argument and has claimed that the differing nature of the GDPR and the LED, as well as the law enforcement authorities’ powers, justify the differences in the protection. ⁶⁴

Thirdly, teleological arguments can be used to strongly promote this interpretation. Since the wording of GDPR Article 22 seems to be ambiguous, interpreting it in the light of its objectives ⁶⁵ appears to have a good foundation. ⁶⁶ The prohibition guarantees stronger protection to applicants by default, as the constraints envisaged in Article 22 always apply when automated decision-making takes place, regardless of the applicants’ actions. ⁶⁷ Automated decision-making can be used in recruitment only if it falls under the exceptions mentioned in GDPR Article 22(2). Further, the applicants will always have the right to resort to the safeguards, such as challenging the automated decision made, even if they have not first objected to the automated decision-making. Hence, the enforcement problems inherent in the rights interpretation will not undermine the protection in this case. The prohibition can better and more uniformly protect applicants’ fundamental rights and guard applicants against the specific risk related to automated decision-making. Consequently, it will conform better to the aims of the GDPR in general and the Article 22 more precisely. ⁶⁸

Nevertheless, consequentialist counterarguments can also be presented. Tosoni has argued that this interpretation could impede the development and use of automated decision-making. ⁶⁹ Undoubtedly, the prohibition would restrict employers’ leeway more than interpreting GDPR Article 22(1) as giving rise to a right, since some of the exceptions of GDPR Article 22(2) would always have to apply and safeguards of GDPR Article 22(3) would have to be implemented to make the automated decision-making lawful. However, after assuring that automated decision-making is lawful regardless of the prohibition, employers could utilise automated decision-making consistently to all applicants. Thus, the process could be simpler and more predictable for both employers and applicants.

Noteworthy arguments for both interpretations have been presented and the debate is not finally settled as the Court of Justice of the European Union (hereinafter ‘the CJEU’) has not yet taken its stand on the matter. ⁷⁰ For the time being, the prohibition interpretation, which sets stricter legal boundaries for automated decision-making and provides higher level of protection, seems preferable, especially in algorithmic recruitment. Considering the specific risks related to recruitment and the possibility of tough sanctions for breaching the GDPR, ⁷¹ the prohibition interpretation may be the safest choice for both applicants and employers until the courts or the legislator have clarified the interpretation. Thus, in this article, the presumption is that Article 22 creates a qualified prohibition.

Even if Article 22(1) is later interpreted as giving rise to a right, it remains relevant to know what is considered to be automated decision-making and whether the Article 22(2) exceptions apply in algorithmic recruitment. These questions will be addressed hereinafter.

3.1 Common criteria for automated decision-making

The definition of automated decision-making, derived from GDPR Article 22(1), is crucial in drawing the line between prohibited automated recruitment decision-making and other processing of applicants’ personal data. Common criteria for automated decision-making, which several scholars seem to acknowledge in one form or another, are that (i) a decision is made, (ii) which is based solely on automated processing, and (iii) which has legal or similarly significant effects on the data subject. ⁷² If these three criteria are simultaneously fulfilled, the processing can be considered as automated decision-making. Nonetheless, there seem to be different ways to interpret each of the criteria and also other criteria have been proposed.

The first criterion is that a decision is made. ⁷³ The GDPR does not specify whether the decision has to be final, or whether an intermediate or individual step in the automated process suffices, as Kamarinou et al. have remarked. ⁷⁴ If interpreted narrowly, only the final decisions would count as decisions under Article 22(1). In a broad interpretation, which seems to prevail in previous literature, intermediate actions of wider processes could also be deemed to be decisions. ⁷⁵ The legislative history of the GDPR could support this interpretation, as under the DPD ‘a decision’ was interpreted broadly. ⁷⁶ According to GDPR Recital 71 a decision may include ‘a measure’. Further, it mentions ‘e-recruiting practices’, and not e-recruitment decisions, as one example of decisions. Typically, e-recruiting practices cover several steps of the recruitment process that precede the final recruitment decisions, such as job advertisements or screening. ⁷⁷ Thus, Recital 71 could imply that decisions, as meant by Article 22(1), could also be made in the intermediate steps of the recruitment process.

The broad interpretation would better protect applicants’ personal data and other interests related to automated decisions, as it would cover also the intermediate decisions, which may already have significant effects. For instance, automated screening systems may provide intermediate applicant rankings, on the basis of which most applicants are automatically rejected. If the broad interpretation is adopted, more algorithmic recruitment systems will fall under the scope of Article 22(1) prohibition than in the narrow interpretation. If the decision criterion is interpreted broadly, the different phases of the recruitment process may constitute automated decision-making independently of each other and thus should be assessed separately in the light of the criteria for automated decision-making.

The second criterion that the decision is based solely on automated processing has been debated more in the previous research. The main lines of interpretation can be divided into a narrow and a broad approach. ⁷⁸

The narrow approach rests on a literal ⁷⁹ and formalistic ⁸⁰ interpretation of the wording ‘based solely on automated processing’. The word ‘solely’ would suggest, according to Wachter et al., that a strict reading has been intended. They refer also to the legislative history, namely, to the rejected broader wording proposed by the European Parliament, which would have included decisions based ‘predominantly’ on automated processing. ⁸¹ Hence, Wachter et al. have considered that the wording permits an interpretation where ‘nominal human involvement’ or ‘any human involvement’ is sufficient to make processing not solely automated. ⁸² Along the same lines, Zarsky has considered that introducing ‘very minimal human interaction’ would suffice to circumvent Article 22(1). ⁸³ If this approach is adopted the processing is solely automated only when there is no human involvement whatsoever in any phase of the process. For instance, in recruitment this interpretation would mean that the processing is not automated decision-making if the human recruiter, without thinking, pushes a button and accepts machine-made applicant rankings. ⁸⁴

In contrast, the broad approach appears to depart from the strict literal interpretation. In this approach decisions are deemed solely automated if humans are only nominally involved. However, it is unclear what kind of more substantial human involvement is required to make the second criterion inapplicable. For instance, Mendoza and Bygrave consider that processing will be solely automated if the human involved in the processing ‘fails to exercise any real influence on the outcome of the decision-making process’. ⁸⁵ Such a failure could occur, for example, if the human does not evaluate the automated results before a decision based on them is finalised. ⁸⁶ On a similar note, the WP29 seems to consider that decisions are solely automated if the human involvement is fabricated or the human oversight is not meaningful. According to the WP29 meaningful human oversight seems to require that the human has ‘the authority and competence to change the decision’ and to examine all the relevant data. ⁸⁷

Systematic and teleological arguments seem to support the broad approach. Since there is nominal human involvement at some point of most automated processes, ⁸⁸ the scope of automated decisions, and thus protection under Article 22, will be very limited if the narrow approach is chosen. The functionality and effectiveness of the provision under the narrow approach may be questioned, as it could be doubted whether Article 22 would ever apply. In comparison, the broad approach places more automated processing situations within the scope of Article 22 and, thus, gives it more effect. It limits the scope of allowed automated decision-making much more than the narrow approach. For instance, many algorithmic recruitment systems could be considered solely automated, since the humans might not be more than nominally involved due to lack of time, limited technical understanding, non-transparent systems or over reliance on the machines. ⁸⁹ In line with the objectives of the GDPR and Article 22 more specifically, ⁹⁰ the broad approach provides stronger protection for the applicants.

The third criterion requires that the decision has legal or similarly significant effects on the data subject. The first part of this criterion, the legal effects, does not seem to induce interpretative debate. Several scholars appear to consider that the decision has legal effects if it changes, shapes or determines the legal rights and duties or the legal status of the data subject, ⁹¹ whereas the second part of the criterion, the ‘similarly significant effects’, leaves room for more interpretation. While legal effects could be objectively assessed, the assessment of significant effects could require consideration of more subjective elements as the significance of the effects could vary between data subjects. ⁹² In recruitment, the employers are typically unaware of the applicants’ specific situations and have to consider the potential higher-level effects of the decisions before the processing is initiated.

Varying ways of outlining the similarly significant effects in general have been proposed. For instance, Mendoza and Bygrave seem to consider that the similarly significant effects should have a ‘non-trivial impact on the status of a person relative to other persons’. ⁹³ The WP29 appears to perceive that a decision of similarly significant effects should have (i) the potential to significantly influence the ‘circumstances, behaviour or choices of the individuals’; (ii) an extended or standing impact on the data subject; or (iii) lead even to ‘the exclusion or discrimination of individuals’. ⁹⁴ Dreyer and Schulz have noted that the economic and practical importance of the decision and permanence of adverse effects are central in the assessment. ⁹⁵ Likewise, Mendoza and Bygrave have highlighted that the more adverse the effects, the more likely they are to be significant for the data subject. ⁹⁶ Hence, merely emotional, ⁹⁷ troublesome or inconvenient effects ⁹⁸ will probably not cross the threshold. However, some recruitment practices could have similarly significant effects on the applicant. ⁹⁹ For example, decisions that deny an employment opportunity or position applicants at a serious disadvantage could, according to the WP29, have similarly significant effects. ¹⁰⁰

Automated recruitment decisions could have legal effects, similarly significant effects or neither, depending on the situation. A decision has legal effects on the applicant, if the applicant is provided with an employment opportunity and an employment contract is entered into. In the screening phase this is a rare outcome, as typically even the most successful applicants are subject to further testing and interviews, based on which the employer makes the final decisions. Thus, screening decisions rarely have legal effects. However, screening decisions will likely have similarly significant effects on the applicants, as they can affect applicants’ choices and have significant impact on their economic situation, welfare and circumstances in life, even for an extended period. The significance of the effects can differ considerably depending on the applicants’ current employment and financial status. Further, the effects might not be as significant if there is a positive outcome from the screening decision for the applicant. When the decision possibly affects even some of the applicants significantly, it is safer to consider that the third criterion is fulfilled.

3.2 Other proposed criteria for automated decision-making

In addition to the three most commonly accepted criteria for automated decision-making introduced above, other criteria, such as the processing of personal data, ¹⁰¹ the individuality of the decisions ¹⁰² and profiling, ¹⁰³ have also been proposed. These other criteria will be briefly presented and analysed in this subsection.

The first additional criterion is that the decision must be based on personal data. ¹⁰⁴ This requirement emerges directly from the scope of application of the GDPR ¹⁰⁵ and is a prerequisite for the applicability of the GDPR. ¹⁰⁶ Hence, this criterion seems natural, but superfluous when assessing the special requirements set for automated decision-making. Consequently, it is understandable that this criterion has not been separately acknowledged in most accounts.

The second additional criterion is that the decision must be individual. This would leave collective decisions out of the scope of GDPR Article 22 protections. Brkan has noted that such a reading could be justified by the general scope of application in GDPR Article 1(1), the ratione personae and the textual interpretation of Article 22. However, after considering the imbalance and loopholes such an exclusion would create, Brkan proposes that collective automated decisions should be included in the scope of Article 22, for instance, by considering a group decision as a cluster of individual decisions. ¹⁰⁷ Likewise, Mendoza and Bygrave seem to interpret Article 22, and particularly its reference to the ‘data subject’, as meaning that the decision has to be targeted at a person. ¹⁰⁸

In recruitment, the decisions are often targeted at individual applicants. For instance, if in the screening phase certain groups are excluded based on political activity or ethnicity, the decision could be seen as targeted at such applicants, who belong to those groups. Nevertheless, the situation will be more complicated if those groups are already excluded in the job advertising phase, ¹⁰⁹ as there might not be any identifiable applicants. ¹¹⁰ If no potential applicants are identifiable based on the data, the GDPR will not apply, since it applies only to the processing of personal data. Consequently, the requirement of individuality of the decision does not appear to be decisive in recruitment.

The third, and possibly the most relevant, additional criterion is that the decision must be based on profiling. According to GDPR Article 4(4) ‘“profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements’. This criterion is understandable, as GDPR Article 22(1) explicitly mentions profiling. ¹¹¹ In support of this criterion Sartor and Lagioia have referred to GDPR Recital 71, which states that ‘such processing includes “profiling”’. ¹¹² Furthermore, GDPR Recital 73 mentions ‘decisions based on profiling’ when referring to Article 22. Mendoza and Bygrave have considered that the preparatory works and prior versions of the GDPR, which focus particularly on profiling, also promote this criterion. ¹¹³

In contrast, valid counterarguments against this criterion have also been presented. For instance, Bygrave has, in his later writings, considered that commas have been used in Article 22(1) and its title to separate profiling from other automated processing in order to indicate that profiling is optional, unlike in the DPD Article 15. ¹¹⁴ Further, if this criterion is accepted, the mention of ‘automated processing’ in Article 22 will be superfluous. ¹¹⁵ Teleological counterarguments can also be presented. The profiling criterion adds one more hurdle for the applicability of GDPR Article 22, thus, limiting its scope and the protection it provides. Hence, the objectives of the GDPR will possibly be better achieved if this criterion is not included. Albeit profiling often precedes automated decision-making, ¹¹⁶ that is not necessarily always the case. ¹¹⁷ In algorithmic recruitment automated decisions can also be made without profiling. For instance, screening decisions could be made simply based on qualifications, without further evaluation of applicants’ personal data. Even though such decisions might not be as risky or problematic as decisions based on profiling, such simple automated decisions could also have significant negative effects on applicants and would thus deserve protection under GDPR Article 22.

While all the additional criteria are conceivable, the criteria of personal data processing and individuality of the decisions are not included in the specific criteria for automated decision-making, since the general scope of the GDPR already seems to cover them. Moreover, the teleological and systematic arguments seem to question the profiling criterion. Until the ambiguities of GDPR Article 22 are clarified by the CJEU or the legislator, it may be safer for the employers to adopt a reading which provides broader protection.

3.3 When algorithmic recruitment systems resort to automated decision-making

Before implementing any algorithmic recruitment systems, employers should examine whether the system utilises automated decision-making. This can be done by assessing whether the following three criteria are simultaneously fulfilled in some phase of the algorithmic recruitment process, namely, whether (i) a decision is made, (ii) which is based solely on automated processing, and (iii) which has legal or similarly significant effects on the applicant. ¹¹⁸ However, the exact contents of these criteria seem to remain unconfirmed. In recruitment process in particular, where applicants are typically in a subordinate position and in need of greater protection, a teleological and broader interpretation of the criteria may be justified. In such an interpretation the decision criterion would include intermediate decisions, such as screening decisions. The second criterion would encompass automated processing, where humans are only nominally involved and do not actively influence the outcome of the decision-making. Finally, the third criterion would cover, for instance, decisions which significantly influence applicants’ opportunities to proceed in the recruitment process.

Some parts of the algorithmic recruitment systems could rather easily fulfil all the criteria and thus be deemed to use automated decision-making. This could be the case for instance, if (i) algorithms screen applications and provide rankings, and (ii) human recruiters continue the process based on the rankings, without considering the merits of the applications themselves, which (iii) leads to denying some applicants an employment opportunity or otherwise significantly influencing their opportunities to proceed in the recruitment process. When the algorithmic recruitment system utilises automated decision-making employers must ensure that it is permitted under some of the Article 22(2) exceptions before they proceed.

Nonetheless, not all algorithmic recruitment systems necessarily utilise automated decision-making. If all the criteria (i-iii) do not simultaneously apply at some stage of the recruitment process, that stage does not constitute automated decision-making and is not prohibited under Article 22(1). Automated decision-making is not used, for example, if a screening algorithm is employed only for assisting human recruiters in the process so that humans consider all the applications themselves, take into account the algorithm's recommendations, but make the final decisions as regards which applicants they invite to an interview independently of the algorithm, and, at times, also diverge from its recommendations.

4.1 Can automated decision-making be necessary for entering into an employment contract?

The first potentially applicable exception is contractual necessity. According to GDPR Article 22(2)(a), the prohibition of Article 22(1) does not apply if the decision ‘is necessary for entering into […] a contract between the data subject and a data controller’. Neither the preparatory works nor Recitals of the GDPR elaborate this exception. ¹²⁰ Thus, it remains unclear how this exception should be interpreted and whether automated decision-making may, under some circumstances, be necessary for entering into an employment contract.

The requirement of contractual necessity in GDPR Article 22(2)(a) is not unique or novel. A similar requirement concerning lawful grounds for processing existed, for instance, in DPD Article 7(1)(b), and can now be found in GDPR Article 6(1)(b). The case law of the CJEU indicates that the necessity requirement should be interpreted strictly. ¹²¹ Moreover, the data protection authorities have supported a narrow interpretation of necessity. ¹²² This strict approach could be the starting point also when interpreting the contractual necessity exception of Article 22(2)(a).

Scholars and authorities have presented varying interpretations of the contractual necessity exception. Mendoza and Bygrave have deemed that the exception should not require indispensability, as the processing seldom actually has to take place without humans. ¹²³ Thus, in order to fall under the scope of Article 22(2)(a) exception, automated decision-making should be ‘required for the purpose of entering into […] the contract with the data subject’. ¹²⁴ Brkan has stated that the necessity should be perceived ‘as an “enabling” requirement for the conclusion of a contract’. ¹²⁵ According to Sartor and Lagioia, automated decision-making may be necessary for entering into a contract, for instance, due to a high number of cases and the capacity of machines to outperform human judgment. ¹²⁶ The WP29 seems to consider that automated decision-making for contractual purposes or pre-contractual processing may be needed, for instance, if the quantity of the data to be processed makes regular human involvement impractical or impossible. However, it emphasises that automated decision-making will not be necessary if other ‘effective and less intrusive means’ to achieve the same result exist. ¹²⁷

The applicability of the contractual necessity exception in recruitment is open to debate. Sartor et al. and Grozdanovski have considered that the contractual necessity exception can enable automated decision-making in recruitment. ¹²⁸ Likewise, the WP29 seems to accept this view, at least under certain circumstances, since it provides an example where automated decision-making is deemed necessary in e-recruitment. ¹²⁹ Even though Sanchez-Monedero et al. seem to find it unlikely that the contractual necessity exception would apply in recruitment, they acknowledge that in certain cases, where there are many thousands of applications, automated decision-making could be required and not just beneficial. ¹³⁰ While Kelly-Lyth has not completely excluded the applicability of the contractual necessity exception, she has highlighted the importance of demonstrating the necessity of automated decision-making when the recruitment process has been handled without it in the past. According to her, the exception could apply, for instance, if, due to the volume of applications, the employer cannot process them without fully automated means, and previously the employer has been compelled to utilise gate-keeping measures such as screening out applicants who have graduated from less well-respected universities. ¹³¹

In recruitment, a balanced interpretation of the contractual necessity exception could be advocated. This interpretation would acknowledge the legislator's apparent aim to limit the scope of the exception by giving weight to the necessity criterion. Thus, this interpretation would also support the protective purpose of the GDPR. Simultaneously, the balanced interpretation would aim to preserve the functioning of the exception by enabling automated decision-making in certain cases. ¹³² Automated decision-making could be considered necessary, for instance, if it would be practically impossible or unreasonable to handle the applications by other less privacy- and rights-intrusive means.

Employers must carefully and objectively assess whether the contractual necessity exception applies in algorithmic recruitment. Employers must examine possible alternatives ¹³³ for conducting the recruitment process without automated decision-making, taking into account their effectiveness, ¹³⁴ capabilities ¹³⁵ and the effects on applicants’ privacy and other fundamental rights. ¹³⁶ Employers’ circumstances as a whole could probably be taken into consideration in the assessment, as they may affect, for instance, the other available processing options. The assessment could note, among other considerations, the number of applications expected, the size of operations, the number of personnel, the total number of applications received per year and the financial resources. More case-specific factors could also possibly be considered, such as the schedule of the recruitment process and number of simultaneously vacant positions.

Automated decision-making may be considered necessary for entering into an employment contract if it would be practically impossible or unreasonable to handle certain parts of the recruitment process without it by other less privacy- and rights-intrusive means. This could be the case, for instance, in the following scenario: An aspiring start-up company, with basically no current revenue, modest financing and only a handful of employees, is opening a new logistics facility where it needs 500 employees within a month's time. The facility is located in an area with a high number of potential applicants and the company is expanding amidst a recession. Thus, it expects to receive thousands of applications per position. In such a situation, it could be deemed impossible or impracticable to go through thousands of applications by hand in a reasonable time and manner. Hence, for example, the automated screening of applications could possibly be deemed necessary for entering into employment contracts. However, some other parts of the recruitment process, such as interviews, could possibly still be conducted without automated decision-making.

4.2 Can applicants give explicit consent to automated decision-making?

The second potentially applicable exception is explicit consent. Pursuant to GDPR Article 22(2)(c), the prohibition of Article 22(1) does not apply if the decision ‘is based on the data subject's explicit consent’. Article 22(2)(c) demands that the consent is ‘explicit’, but it does not further elaborate on that requirement. ¹³⁷ According to the EDPB guidelines on consent, it should be interpreted as requiring ‘express statement of consent’. ¹³⁸ Based on the guidelines, explicit consent could be obtained, for instance, through a signed written statement, electronic signature, filled electronic form, two stage verification or an email. ¹³⁹ Since many of these measures to obtain an explicit consent could technically also work in algorithmic recruitment, the requirement of consent being explicit probably does not cause serious problems. Instead, the general consent requirements set out in GDPR Articles 4 and 7 may prove to be more problematic in algorithmic recruitment.

GDPR Article 4(11) states that consent ‘means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. GDPR Article 7 sets further conditions for consent. It requires, among other conditions, that the controller must be able to show that a consent has been given. ¹⁴⁰ Further, it states that the consent may be withdrawn at any time and as easily as it was given. ¹⁴¹

The first, and possibly the major, question mark is around whether the applicants are in a position to freely give their consent. GDPR Recital 43 indicates that consent will not be valid if there is a clear imbalance between the data subject and the controller. Generally, an imbalance of power exists between the employer and the applicants. ¹⁴² In mass-scale low-level recruitment in particular, where algorithmic recruitment systems often are used, ¹⁴³ applicants are typically in a subordinate position. Thus, due to the imbalance of power, it is unlikely that an applicant's consent is freely given. ¹⁴⁴ However, in theory, it is possible to imagine recruitment situations where no such imbalance of power exists, which would render the applicant's consent invalid. This could be the case, for instance, if there is a shortage of qualified applicants and there are only a few experts, who several employers want to hire.

Nonetheless, even if an imbalance of power exists, it does not mean that the applicant's consent can never be freely given. ¹⁴⁵ Applicants are free to give their consent if they have a real opportunity to choose whether they consent to the automated decision-making or not. ¹⁴⁶ Applicants must not feel compelled to consent ¹⁴⁷ or face any negative consequences for not consenting. ¹⁴⁸ Further, applicants must also be free to withdraw their consent at any time. ¹⁴⁹ Consequently, if the employer relies exceptionally on the applicants’ consent, it should be able to demonstrate that the refusal of consent and subsequent processing of the application by human recruiters will not have any negative consequences for the applicants, such as discrimination or clearly longer processing times. ¹⁵⁰

The second question mark is around whether applicants can give informed consent. The consent may be informed only if the applicant has been transparently ¹⁵¹ notified of factors that are necessary for deciding whether to consent or not. ¹⁵² In addition to general issues, such as the purpose of the processing, the type of data processed and the right to withdraw consent, the applicant should be informed of automated decision-making. ¹⁵³ Several scholars seem to consider that the information listed in GDPR Article 13(2)(f), including the existence of automated decision-making, meaningful information about the logic involved as well as the significance and the envisaged consequences of automated decision-making for the applicant, should be provided before consent is given. ¹⁵⁴ Based on the information, applicants should be able to assess the significance of the consent and understand what they are agreeing to. ¹⁵⁵

Even if all the required information is provided, there are certain practical difficulties that could prevent consents from being truly informed. Firstly, due to the technical complexity of automated decision-making, applicants may not understand what they are consenting to and what the risks of automated decision-making are. ¹⁵⁶ Secondly, the lack of time or energy to attentively examine the information provided can exacerbate this problem. ¹⁵⁷ Hence, applicants might not factually be informed, even if they are provided with the required information. Consequently, it may be difficult for employers to demonstrate that the consent has been informed. ¹⁵⁸

The requirements that consent must be specific and unambiguous are closely linked to the above-discussed preconditions. To comply with the specificity requirement, the employer should clearly clarify and inform the applicants for which data processing operation and purposes the consent is required. ¹⁵⁹ In order to be unambiguous, the process should be designed so that the active notion or declaration asked of the applicant leaves no doubt as to whether consent is granted or refused. ¹⁶⁰ The fulfilment of these two requirements could depend more on the way employers obtain consent. However, the complexity of algorithmic recruitment processes also complicates the fulfilment of these criteria. ¹⁶¹

To conclude, it seems that the possibilities for applicants to freely give or refuse consent after being sufficiently informed are limited. ¹⁶² The consent exception could possibly apply in certain extraordinary cases, such as in recruiting exceptionally talented and technically knowledgeable professionals, who have leverage as regards the employer due to the job market situation and understand the automated process as well as the consequences of consenting. However, even in such situations the applicants’ have a right to withdraw consent under GDPR Article 7(3), ¹⁶³ which makes consent a faltering basis for automated decision-making. If employers exceptionally rely on explicit consent as a justification for automated decision-making, they must have a backup plan for situations where applicants decide to refuse consent or withdraw consent at a later stage in the process. Such backup plans could curtail the efficiency benefits of automated decision-making. Consequently, employers should not put much weight on the consent exception, as in most algorithmic recruitment cases it is likely to be invalid, and at any rate, it is uncertain.