The Legal Implications of AI in the Workplace: Navigating Risks and Compliance


Artificial Intelligence (AI) is transforming workplaces, introducing automation and efficiency in hiring, monitoring, and decision-making processes. However, AI’s use raises significant legal risks, particularly in discrimination, privacy, and accountability. Employers must ensure that AI complies with relevant laws, including specific EU Regulations, Directives and Cypriot legislation.

Potential Discrimination and Bias in AI Systems

AI tools can inadvertently discriminate against individuals, particularly if they rely on biased training data. This can lead to unfair treatment in hiring, promotions, or performance evaluations, potentially breaching legal protections.

Relevant Laws

  1. EU Directive 2000/78/EC – Equal Treatment in Employment and Occupation
    • Prohibits discrimination based on religion or belief, disability, age, or sexual orientation.
    • Ensures equal treatment in hiring, promotions, training, and other employment decisions.

  2. EU Directive 2000/43/EC – Racial Equality Directive
    • Prohibits discrimination on the grounds of race or ethnic origin in employment and access to goods and services.
    • Covers both direct and indirect discrimination, harassment, and victimization.

  3. Cypriot Equal Treatment in Employment and Occupation Law (L. 58(I)/2004)
    • Transposes Directive 2000/78/EC into Cypriot law.
    • Prohibits direct and indirect discrimination, harassment, and victimization in the workplace.

  4. Cypriot Combating of Racism and Other Discrimination (Commissioner) Law (L. 42(I)/2004)
    • Implements Directive 2000/43/EC in Cyprus.
    • Provides mechanisms for individuals to report and challenge discriminatory practices.

AI-Potential Concerns

  • Example of Potential Breach: An AI recruitment tool trained on biased historical data may favour younger male candidates over equally qualified women or older applicants.

Employer Responsibilities

  • Conduct regular audits of AI tools to detect and address biases.
  • Use diverse and inclusive datasets for AI training.
  • Ensure that a human reviews critical employment decisions.

Data Privacy and GDPR Compliance

AI tools often process personal data to make decisions, raising concerns about data protection and privacy. Employers must comply with strict data processing rules to avoid breaching privacy rights.

Relevant Laws

  1. General Data Protection Regulation (GDPR – EU Regulation 2016/679)
    • Article 5: Establishes principles of data processing, including lawfulness, fairness, transparency, and data minimization.
    • Article 6: Requires employers to have a lawful basis for processing personal data.
    • Article 9: Prohibits processing sensitive personal data (e.g., racial or health information) without explicit consent or necessity.
    • Article 22: Grants employees the right not to be subject to decisions solely based on automated processing, including profiling, unless specific exceptions apply.

  2. Cypriot Data Protection Law (L. 125(I)/2018)
    • Complements the GDPR and establishes procedures for local data protection enforcement in Cyprus.

AI-Potential Concerns

  • Example of Potential Breach: Using AI-powered employee monitoring systems without informing staff or obtaining consent could violate GDPR and Cypriot data protection laws.

Employer Responsibilities

  • Conduct Data Protection Impact Assessments (DPIAs) to identify risks before deploying AI tools.
  • Inform employees about the purpose and scope of data collection.
  • Limit data collection to what is strictly necessary for AI operations.

Employee Monitoring and Surveillance

AI-powered monitoring tools can track employee productivity, attendance, and even emotional well-being. However, excessive or unjustified monitoring may infringe on employee privacy.

Relevant Laws

  1. GDPR – EU Regulation 2016/679
    • Article 5: Requires monitoring activities to be lawful, fair, and transparent.
    • Article 6: Monitoring must have a legitimate purpose and adhere to proportionality principles.
    • Recital 47: Monitoring must balance business interests with the employee’s right to privacy.

  2. European Convention on Human Rights (ECHR – Article 8)
    • Protects the right to respect for private and family life.
    • Requires employers to justify workplace monitoring practices.

  3. Cypriot Data Protection Law (Law 125(I)/2018)
    • This law complements the General Data Protection Regulation (GDPR) and ensures its implementation in Cyprus. It governs the collection, processing, and protection of personal data, including in workplace monitoring activities.
    • Key Provisions:

      • Employers must ensure that any monitoring activities are lawful, fair, and transparent, in line with GDPR requirements.
      • Employees must be informed about the nature, purpose, and scope of monitoring activities.
      • Data collection must be limited to what is necessary and proportionate.

  4. Cyprus Constitution (Article 15)
    • Protects the right to private and family life, mirroring the protections provided by Article 8 of the European Convention on Human Rights (ECHR).
    • Employers must justify workplace monitoring practices, ensuring they do not disproportionately infringe on employees' privacy rights.

AI-Potential Concerns

  • Example of Potential Breach: Installing an AI system that monitors keystrokes and emotional expressions without informing employees could breach GDPR and ECHR protections.

Employer Responsibilities

  • Clearly communicate monitoring policies and obtain employee consent.
  • Ensure that monitoring is proportionate to the business’s legitimate needs.
  • Regularly review AI tools to ensure compliance with privacy standards.

The EU Artificial Intelligence Act: Preparing for the Future

The EU Artificial Intelligence Act, which entered into force on 1 August 2024, establishes a regulatory framework for AI systems in the European Union.

Provisions will apply gradually, with most enforceable from 2 August 2026. This law classifies workplace AI systems, such as recruitment or monitoring tools, as "high-risk," imposing additional compliance obligations.

Key Provisions

  • Risk Management: Employers must test AI systems for bias, accuracy, and fairness.
  • Transparency Requirements: Employers must disclose AI use and ensure employees understand its implications.
  • Penalties: Non-compliance could result in fines of up to €30 million or 6% of global annual turnover.

Preparation Steps

  • Begin auditing AI tools to align with the EU AI Act requirements.
  • Establish accountability frameworks and internal review processes.
  • Monitor updates and guidance for full compliance by 2026.

Conclusion

AI’s role in the workplace offers significant benefits but comes with substantial legal responsibilities. Employers in Cyprus must ensure compliance with EU law and Cypriot law to mitigate risks related to discrimination, privacy, and accountability.

By proactively addressing these issues and preparing for future regulations, businesses can responsibly harness the potential of AI while safeguarding employee rights.

At Economou & Co LLC, we can navigate the complexities of Cypriot and European AI regulations, offering tailored solutions that protect your business and employees. From reviewing policies to providing expert legal representation, we are dedicated to safeguarding your interests every step of the way.


The content of this article is valid as of the publication date mentioned above. It is intended to provide a general guide and does not constitute legal or professional advice, nor should it be perceived as such. We strongly recommend that you seek professional advice before acting on any information provided.

If you need further assistance, please feel free to reach out to us via phone at +357 22260064 or email at info@economoulegal.com
