AI in HR — legal limits in 2026

GDPR Art. 22 + LGPD Art. 20, recent labor court rulings, US sectoral laws — what is allowed, restricted, and prohibited when using AI for recruitment, evaluation, and termination.

Why HR is the most delicate AI case

Recruitment, evaluation and termination touch fundamental rights — employment, dignity, equality. When AI enters the equation, three legal sources overlap:

  1. GDPR Art. 22 / LGPD Art. 20: data subjects have the right to have an automated decision reviewed by a natural person.
  2. Labor law + recent jurisprudence: termination for cause requires substantive proof; a discriminatory selection process triggers indemnification.
  3. Sector laws when the candidate is also a consumer (rare but possible — ECOA in US for credit-related hiring; FCRA for background checks).

In 2026, we saw 4 significant labor-court cases involving AI in career decisions (Brazil’s TST). Result: AI can assist, but never decide alone in high-stakes cases.

This post covers what is allowed, restricted, and prohibited in practice. The Brazilian framing is primary; US/EU equivalents appear in parentheses.

Allowed cases (with care)

1. CV pre-screening

AI classifies resumes by keywords, ranks them by relative fit, and raises red flags. Allowed provided that:

  • Criteria are pre-defined and auditable.
  • Known model bias (gender, age, name origin) is monitored.
  • Decision to approve/reject candidate is always human-reviewed.
  • Candidate is informed AI participates in the process.

Good example: AI generates report like “Candidate X has 6 of 8 listed technical requirements. Met: A, B, C, D, E, F. Missing: G, H.” Human reads and decides.

Bad example: AI auto-rejects candidate without human looking.

2. Job description generation

AI writes job description from human bullet points. Allowed. Apply review for:

  • Inclusive language (no gendered terms, no wording that excludes groups).
  • Realistic requirements (AI tends to inflate requirement lists).
  • Labor compliance (don’t ask for illegal information: age, marital status, gender, protected class).

3. Interview transcript review

After interview, AI generates summary of what candidate said + points of alignment to the profile. Allowed. Apply review:

  • Summary must be faithful to transcript (avoid creative interpretation).
  • Do not allow automated “culture fit” scoring without operational definition.

4. Onboarding and training

AI personalizes onboarding material based on employee profile. Allowed without significant restriction, provided material is reviewed.

5. Performance feedback — assistance

AI structures written feedback from manager bullet points. Allowed. Not allowed: AI doing independent performance ratings.

Restricted cases (need approval + strong oversight)

1. Automated candidate scoring

System gives 0-100 candidate score. Allowed only if:

  • Criteria are transparent and auditable.
  • Candidate can challenge the score (GDPR Art. 22 / LGPD Art. 20).
  • Final decision is human.
  • Complete documentation for regulator audit.

Main risk: algorithmic bias (model trained on historical hiring data can reproduce historical bias).

2. Sentiment analysis in internal communication

Monitor emails/Slack for “turnover early warning” via tone analysis. Restricted. Requires:

  • Written prior notice to employee.
  • Limit analysis to aggregated metrics, not individual.
  • Don’t use for direct punitive decision.
  • Legal + DPO review before rollout.

Electronic surveillance without notice is a serious labor violation. US courts (NLRA cases 2025), EU (GDPR fines), Brazilian TST 2025 all converged on this.

3. Predictive performance analysis

“Employee has 73% risk of low performance next semester” — restricted. To use:

  • Cannot be used as sole basis for termination decision.
  • Employee has right to know it exists and to challenge.
  • Model must be auditable.
  • Decision follows normal labor process, with AI as additional input.

Real case 2025: a company fired an employee using a predictive score as justification. TST ruled discrimination, ordered indemnification + reinstatement. Similar US cases under disparate impact theory.

4. Automated background check

Automated verification of records, social media profile, court records. Restricted. Requires:

  • Legal basis (legitimate interest + balancing test) or explicit consent.
  • Cannot use irrelevant info (e.g. political orientation in IT role).
  • Final decision human.
  • FCRA compliance in US (notice + adverse-action procedure).

Prohibited cases

1. Termination by fully automated decision

AI produces decision “terminate employee X” and HR executes without substantive human review. Prohibited.

GDPR Art. 22 and LGPD Art. 20 guarantee the right to human review. Labor law requires reasoned grounds for termination. An AI decision without a human explaining why is null.

2. Documented algorithmic discrimination

Model known to discriminate by gender, race, age, sexual orientation — and the company uses it anyway. Prohibited. This constitutes direct discrimination under labor law + constitutional protections.

Burden of proof: the company must demonstrate that it monitors and mitigates bias. The vendor must deliver a model bias audit.

3. Continuous non-disclosed surveillance

AI system monitoring employees 24/7 (movements, tools, communication) without clear prior notice. Prohibited in most jurisdictions.

Surveillance can exist but must be:

  • Formally communicated in contract/policy.
  • Proportional to risk (don’t monitor intern with same rigor as CFO).
  • Limited to professional context.

4. Non-disclosed emotional analysis

Emotional analysis via camera/microphone (in an interview or meeting) without explicit consent. Prohibited in many scenarios and will be prohibited in the EU in Dec 2026 (Article 50 AI Act).

5. “Pregnancy prediction” or “leave prediction”

Trying to use AI to identify a pregnant employee before she discloses, or to predict maternity leave to “adjust planning”. Prohibited. Direct discrimination + protected-category violation (GDPR sensitive data, LGPD Art. 5º, II).

Recent jurisprudence — selected cases 2025-2026

Case 1 — Brazilian TST 2025 (Banco do Brasil)

The company used a predictive risk model to decide promotions. An employee with a bad evaluation challenged it in court. TST decided: the model is a valid input, but the decision must be justified by a human with criteria beyond the model score. The bank was ordered to redo the process.

Lesson: the model can inform; it doesn’t decide.

Case 2 — Brazilian TST 2025 (national retail)

The company fired an employee after an “AI alert” on low performance. The employee was pregnant. TST: indirect discrimination (the model picked up metrics correlating with pregnancy — absences for appointments). Reinstatement + indemnification.

Lesson: the employer bears objective liability for algorithmic bias.

Case 3 — Brazilian TST 2026 (BTG Pactual)

Interesting case. The company used AI for PRE-SELECTION of trainee program candidates. It rigorously documented criteria, monitored bias quarterly, and guaranteed human review on 100% of cases. A rejected candidate sued alleging bias. TST ruled in favor of the company — diligence proven.

Lesson: a company that does things right can use AI with confidence. Documentation saves you.

Case 4 — EEOC 2026 settlement (US)

The US Equal Employment Opportunity Commission settled with a major retailer over algorithmic age discrimination in a hiring tool. The tool penalized resumes with employment gaps over 2 years. Settlement: USD 12M + an annual algorithmic audit requirement for 5 years.

Lesson: US regulators are active even without specific AI law.

Practical checklist for 2026

For any AI use in HR at your company:

  • DPO + legal reviewed the use case?
  • Legal basis identified and documented?
  • Candidates/employees informed?
  • Final decision is human with traceable justification?
  • Model audited for known bias?
  • Accessible challenge process exists?
  • Complete documentation for regulator audit?
  • Person using the system trained?

If any item is unchecked, rethink before rolling out.

FAQ

Can I use personal ChatGPT to write employee feedback?
Not recommended. Pasting employee personal data into a consumer-tier tool without consent + legal basis violates GDPR/LGPD. Use an approved corporate tool.

ATS (Applicant Tracking System) vendor with AI — who’s responsible?
The hiring company is the controller; the vendor is the processor. The company needs a DPA, must verify the vendor’s AI Act compliance, and must audit for bias.

Can I process EU candidates via my US/BR ATS?
Yes, but EU AI Act + GDPR apply. The system falls under Annex III high-risk (HR). Heavy compliance is mandatory.

Can an employee sue me for using AI to write feedback without them knowing?
Likely yes if the case reaches court. Data-protection law requires transparency on processing. Better to disclose.

Next steps

  • Apply the checklist to any AI use in HR still in rollout.
By Ivan Prado · SkilLab AI · May 2026. Translated and adapted from the PT-BR original.

Disclaimer: this article is editorial reference, NOT a substitute for legal counsel specific to your case. Consult labor attorney + DPO before implementing.