17 October 2024
newsletter
serbia

What should employers expect from the EU AI Act?

Perspective of Serbia / non-EU country

AI is increasingly revolutionising how businesses manage recruitment, hiring, employee management and monitoring. AI solutions are already adept at personalising employee experiences, such as benefits and training, streamlining HR processes throughout the employment lifecycle, boosting efficiency and significantly reducing administrative burdens. Additionally, AI provides critical workforce insights, facilitating data-driven decision-making and management. However, these advancements also present potential risks related to discrimination, privacy protection and other fundamental rights that employers must carefully manage.

As the EU AI Act entered into force on 2 August 2024 and should generally be applicable 24 months after this date (with several exceptions), it is crucial to define the role of employers in the AI chain to clarify their obligations. While the Act includes provisions on extraterritorial application that could affect AI developers and model creators in Serbia, the question arises: Can it also apply to Serbian employers? Specifically, as deployers of AI systems, some of which may be classified as high-risk, can Serbian employers be subject to the obligations that apply to EU-based employers under the EU AI Act?

Applicability of the EU AI Act

The EU AI Act includes provisions for extraterritorial application, meaning it can apply to Serbia, as a non-EU entity, under certain circumstances. For instance, AI system providers based in Serbia could fall under the EU AI Act if their systems are used within the EU. However, the Act does not apply to Serbian employers who act as deployers (users) of AI systems for their needs within Serbia.

For employers in the EU, the EU AI Act introduces strict requirements related to high-risk AI systems. These systems typically monitor employee performance, profile individuals or make automatic decisions regarding working conditions, promotions or terminations. Many tools used in employment processes fall into this high-risk category, especially those involved in employee profiling. Additionally, some AI tools are strictly prohibited, such as AI systems for emotion detection or biometric categorisation, which lead to the obtaining of sensitive data.

The EU AI Act outlines conditions under which high-risk systems, as defined in Annex III, could claim exemption from the high-risk classification. However, these exceptions do not apply to AI systems used for employee profiling, which are always classified as high-risk.

Consequently, employers in the EU are required to conduct Data Protection Impact Assessments (DPIA) for high-risk systems and adhere to strict implementation procedures. Upcoming guidelines from the European Commission, expected by mid-2025, will provide concrete examples of high-risk AI uses, helping employers navigate the new regulatory framework.

It is important to note that while the EU AI Act mandates DPIAs for high-risk systems, local data protection regulators in EU Member States also adopt their own lists of cases where DPIAs are mandatory. These lists may not align perfectly with Annex III of the Act, potentially expanding the scope of AI-related activities requiring a DPIA. This is a notable aspect for Serbia, as the country does not yet have AI-specific legislation. However, a working group is currently drafting new AI regulations, making it interesting to observe how these developments will align with EU standards.

Intersection with GDPR and local privacy regulations

The EU AI Act specifies that deployers of high-risk AI systems must conduct a DPIA as regulated under the General Data Protection Regulation (GDPR).

However, the scope of high-risk systems covered by the EU AI Act may be even broader compared to circumstances under the GDPR for which a DPIA is necessary (including circumstances triggering a DPIA under Serbian privacy regulations, such as the Commissioner's decision on the list of processing activities requiring a DPIA).

In addition to the DPIA, the EU AI Act requires employers to conduct Fundamental Rights Impact Assessments (FRIA) in certain cases and to notify employee representatives prior to deploying high-risk AI systems in the workplace.

Under the EU AI Act, employers are also responsible for ensuring that their workforce has an adequate level of AI literacy to handle these systems. AI literacy encompasses the skills, knowledge and understanding that allow providers, deployers and affected persons to make an informed deployment of AI systems, as well as to gain awareness about the opportunities and risks of AI and the possible harm it can cause. This requirement will take effect on 2 August 2025, providing employers with a sufficient grace period to ensure compliance.

What about Serbian employers?

Currently, Serbian employers who use AI systems for their internal needs are not subject to the requirements of the EU AI Act. A working group has been established to draft new AI legislation in Serbia, with the law expected to be completed within a year. Until then, the use of AI systems by Serbian employers will remain governed by the Data Protection Act (DPA).

That said, in addition to ensuring that employees are duly informed about the processing of their data and that a legal basis for processing is ensured (which can be challenging when employee data is processed), using any AI systems classified as high-risk under the EU AI Act also requires a DPIA under the Serbian DPA. Specifically, a DPIA is mandated by the Serbian DPA when personal data processing is conducted using new technologies (namely AI) and represents a potential risk to the rights and freedoms of the individuals whose data is being processed. For instance, it is explicitly required if automated processing or profiling results in a decision that significantly influences the life of an individual. According to the Commissioner's decision, a DPIA and the DPO's opinion are mandatory for specific processing activities, such as the use of employee monitoring tools based on biometric data.

Thus, employers as controllers who are processing personal data using AI systems that could be qualified as high-risk systems under the EU AI Act are obliged under the DPA to: (i) conduct a DPIA; (ii) seek the opinion of the Data Protection Officer (DPO); and (iii) request prior consultation with the Commissioner for Data Protection (before any processing takes place).

Consequences of non-compliance

Under the EU AI Act, employers using high-risk AI systems face significant penalties for non-compliance. However, it is important to note that these penalties are not applicable to Serbian employers using AI systems solely for their internal operations, as the EU AI Act's extraterritorial provisions do not extend to such cases. The relevant penalties for Serbian employers will be those prescribed by national law on AI or, for any privacy implications, the penalties under the DPA.

Conclusion

Although the EU AI Act does not currently apply to employers in Serbia, and the signing of the Stabilisation and Association Agreement obliges Serbia to align its legislation with that of the EU, Serbian employers should closely monitor developments in this new legal area within the EU to prepare for potential applicability to them in the same or a similar scope. Regardless, employers must continue to comply with the DPA and conduct audits of the AI systems they currently use to ensure full compliance with the DPA, create records of AI systems used by their employees, and establish internal rules and policies concerning the compliant use and application of AI systems by their employees, all to prevent any potential liability in this regard.