
Labour law and artificial intelligence

A challenge for employers

(Translated by DeepL)

Artificial intelligence (AI) can prove invaluable in the human resources management of a bank or financial services provider. Employers can use it to automate various tasks, such as sorting applications, assessing performance, issuing warnings and even dismissals. These practices raise various legal questions: to what extent can an employer rely on AI for such tasks? Can employees challenge the use of AI on them, or obtain explanations of the criteria used by AI?

In Switzerland, there are no regulations specifically targeting AI. That said, decisions taken with the help of AI, or even exclusively by AI, can be described as automated individual decisions (AID) within the meaning of art. 21 DPA. An AID is deemed to exist when three cumulative conditions are met: (1) the decision is individual, (2) taken without any real human intervention, and (3) produces legal effects or significantly affects the data subject.

Banks and financial services providers must first assess whether the automated processes they use meet the criteria for an AID. This means that the employer must determine whether the automated decision was taken without any significant human intervention and whether it has a significant impact on the employee. For example, the rejection of an application by an algorithm or the determination of the amount of a bonus based on performance criteria are AID if these decisions are not substantially reviewed by a human.

If the processes used by the employer qualify as AID, the employer must inform the employees or applicants (art. 21 al. 1 DPA). This information must be clear, concise and easily accessible. At the employee’s request, the employer must also inform them of the rationale behind the decision, i.e. explain the criteria on which the decision is based (art. 25 al. 2 let. f DPA).

In principle, employees or applicants have the right to put forward their point of view and request that the AID be reviewed by a human being (art. 21 al. 2 DPA). This means that the employer must put in place procedures to allow human intervention when requested. In addition, a data protection impact assessment is required when the AID presents a high risk for data subjects (art. 22 DPA). This analysis must assess the risks and the measures to mitigate them (see the August 2023 memorandum from the Federal Data Protection and Information Commissioner).

Failure to comply with the legal obligations relating to AID may have various consequences. The person responsible within human resources could be penalised if they wilfully fail to properly inform an employee of the use of an AID (art. 60 al. 1 DPA). In addition, administrative measures may include the suspension of data processing or the deletion of data collected in breach of legal obligations (art. 51 DPA).

At EU level, the GDPR has the same definition of AID as Swiss law. However, it is stricter than the DPA, since it prohibits all AID in principle, except under three alternative conditions: (1) if the AID is necessary for the performance of a contract, (2) if it is authorised by law, or (3) if the data subject has explicitly consented to it (art. 22 par. 1 and 2 GDPR). Where the AID is lawful, the employer must in particular inform the employee that he or she is the subject of an AID and put in place a process for reviewing decisions (human-in-the-loop, art. 22 par. 3 GDPR). If these rules are breached, the supervisory authority may impose a substantial administrative fine (art. 83 GDPR).

In addition, the Regulation on Artificial Intelligence (AI Act) classifies two kinds of AI systems (AIS, cf. cdbf.ch/1382/) used in human resources as high-risk (cf. cdbf.ch/1359/). These are (1) AIS which analyse, filter and evaluate applications and (2) AIS which perform human resources tasks, such as promotion, dismissal, assigning tasks or monitoring and evaluating employee performance and behaviour (Annex III ch. 4 AI Act). The ratio legis of this classification as a high-risk AIS stems from the risk of discrimination based on sex, age, racial origin or sexual orientation (recital 57 AI Act). If the employer deploys one of these high-risk AIS, it must in particular inform the employees concerned or their representatives (art. 26 ch. 7 AI Act).

In short, the use of AI can be considered as an AID if it is used to make a decision – and not as a mere aid to decision-making – with significant effects for the person concerned. In the EU, the AI Act will apply in addition to the data protection regime.

For a more detailed analysis of these issues, see Hirsch Célian, Droit du travail et intelligence artificielle : défis des décisions automatisées pour les employeurs, in: Dunand Jean-Philippe et al. (eds.), La protection des données dans les relations de travail à la lumière de la nouvelle loi fédérale sur la protection des données, Zurich 2024.