TL;DR. The European Parliament voted on 16 June 2026 (423 in favour, 57 against, 174 abstentions) to push the AI Act's high-risk employment obligations from 2 August 2026 to 2 December 2027 — 16 extra months of ATS limbo. But GDPR Art. 15 + 22 is fully usable today.
You thought the AI Act would shield your application from August 2026 onwards? Bad news.
The European Parliament just voted to delay the high-risk employment obligations to 2 December 2027. Sixteen more months of drift.
So what do you do in those sixteen months — wait politely for Brussels to protect you?
Digital Omnibus, 7 May → 16 June 2026: the surgical timeline
The story played out in two acts. On 7 May 2026, the Cypriot Council presidency (Marilena Raouna, deputy minister for European affairs) announced a provisional agreement with Parliament on the Commission's "Digital Omnibus on AI" (Computerworld, May 2026). On 16 June, the Strasbourg plenary closed the loop: 423 in favour, 57 against, 174 abstentions (Sofia Globe, June 2026).
What slides: the stand-alone high-risk systems (Annex III), covering employment, education, and access to public and private services. New application date: 2 December 2027 (European Parliament Press Room).
What does not slide: Article 50(2) on watermarking AI-generated content — kept at 2 December 2026. Member-state regulatory sandboxes are themselves pushed back to 2 August 2027.
The official technical reason: CEN-CENELEC JTC 21, the European standards body, missed its August 2025 target for harmonised AI Act standards (Tech Times, May 2026). No standards, no conformity assessment. The normative gear jams, the calendar follows.
Annex III point 4 vs Article 50: what actually covers your ATS
Annex III point 4 = employment. Résumé screening, ATS ranking, video scoring, candidate classification. The full machinery that decides whether your CV survives. Postponed to 2 December 2027 (IAPP, May 2026).
Article 50(2) = transparency for AI-generated content. The rejection email drafted by GPT, the auto-generated assessment, the interview summary spat out by an LLM. Brought forward to 2 December 2026 (3 months earlier than the initial Digital Omnibus draft, which targeted February 2027).
The asymmetry is sharp: a recruiter who writes you a ChatGPT-drafted email has to disclose it a full year before the ATS that filtered you out is regulated.
Arba Kokalari (EPP, IMCO co-rapporteur) defends the move as "pressing the pause button on the AI Act" paired with cutting "red tape" (Sofia Globe, June 2026). Michael McNamara (Renew, LIBE) sticks to a more technical line, framing the package as "establishing legal certainty by extending certain timelines while preserving the AI Act's architecture".
Marilena Raouna, on the Council side, owns the economic angle: "reducing recurring administrative costs" for companies (Computerworld, May 2026). Translated for candidates: less friction for ATS vendors, more friction for you.
- ✓Scope: résumé screening, ATS ranking, video scoring, candidate classification
- ✓Regime: high-risk (conformity assessment, registry, human oversight)
- ✓Application date: 2 December 2027
- ✓Enforceable lever in 2026: none under AI Act — only GDPR
- ✗Scope: AI-generated content (emails, assessments, interview summaries)
- ✗Regime: transparency (labelling, candidate disclosure)
- ✗Application date: 2 December 2026
- ✗Asymmetry: enforceable a full year before the ATS that filtered you
The 16-month map: August 2026 → December 2027
For 16 months, AI Act high-risk obligations are not enforceable against employment ATS (Tech Times, May 2026). The regulation exists, the calendar drifts. During those 16 months, GDPR is your only safety net.
There is a second trap. The regulation includes a grandfathering clause: systems placed on the market before 2 August 2027 only fall into the high-risk regime once they undergo a substantial modification. An ATS deployed in 2024 can dodge the high-risk label for a long time.
The tactic of the gap is exactly this: Brussels builds the framework, vendors buy time, and you apply inside a system the AI Act does not yet bite. Quarter after quarter, until late 2027, the only lever you can actually pull is GDPR.
Your playbook today: GDPR Art. 15 + Art. 22
GDPR Article 15 — right of access. The data controller must give you, within one month, meaningful information about the existence of automated decision-making (including profiling) and the logic involved. It's not a favour — it's a legal obligation, with DPA penalties attached.
GDPR Article 22 — solely automated decisions. European data protection authorities explicitly list automatic rejection of an online job application as a textbook example. You can demand the logic, the criteria, a human review, and contest the outcome.
Reality check from noyb (2026): out of 121 Art. 15 requests sent between 2018 and 2026, only 16.5% received a satisfactory reply, 53.7% were incomplete, and almost 30% got no reply at all (noyb, 2026).
Put differently: 83.5% of GDPR Art. 15 requests are mishandled. Plan your DPA complaint upfront, not as a reaction. Recruiter silence is, statistically, more likely than a clean answer.
Max Schrems (noyb) is blunt about why: "The European Commission has fallen for a heavily abused lobbying narrative that the right to access is constantly being abused, when in reality it is largely companies that violate these laws."
The GDPR-only letter (different from an AI Act letter)
The nuance that matters in 2026: do not cite the AI Act. Annex III obligations are not enforceable yet. If you cite a text that isn't binding, the DPO bats it back and you lose the surprise effect.
Minimum structure:
- Header. Full name, role applied for, application date, exact wording of the rejection you received (or its absence).
- Legal grounds. "Pursuant to GDPR Art. 15(1)(h) and Art. 22(3), I request: (a) the logic behind the automated decision, (b) the scoring criteria used, (c) a human review of my application, (d) the opportunity to state my point of view."
- Deadline. "Statutory one-month deadline from receipt."
- Escalation. "Failing a complete reply, I will file a complaint with my national data protection authority."
Why this works: the DPO knows a DPA complaint is a real, traceable process that pulls in internal resources. The asymmetric cost tilts in your favour. And in 2026, this is the only door open — the AI Act one is still locked.
Subject: GDPR Art. 15 and 22 request — application for [role] dated [date]
Dear Sir or Madam,
Pursuant to GDPR Art. 15(1)(h) and Art. 22(3), I request, within the statutory one-month deadline from receipt:
(a) the logic underlying the automated decision applied to my application; (b) the scoring criteria used by your ATS; (c) a human review of my application; (d) the opportunity to state my point of view before any final decision.
Failing a complete reply within one month, I will file a complaint with my national data protection authority.
[Full name — signature]
The 2 August 2027 grandfathering trap
The regulation includes a legacy clause. Systems placed on the market before 2 August 2027 only flip into high-risk obligations once they go through a "substantial modification". Translation: as long as the ATS vendor does not materially touch its engine, it stays off the hook.
Real risk: an implicit freeze on updates to dodge requalification. Why improve your scoring engine if the slightest rebuild forces a conformity assessment?
Implication for candidates: your CV may be scored by a system designed in 2024, deployed in 2025, never requalified as high-risk, and that filters you out into 2028 and beyond. The only angle that stays open is GDPR.
On Hacker News, the user Yaina captures the mood: "It's an attrition game" (HN). Constant lobbying on the Brussels side, constant vigilance on the civil-society side. Activating your rights is refusing to give up out of fatigue.
"I like the EU, but what's annoying about things like this, or the Chat Control law that keeps getting pushed, is that civil society and privacy advocacy groups always need to stay vigilant and keep mobilizing people. It's an attrition game." — HN thread
FAQ
Has the AI Act been cancelled?
No, it has been postponed. The European Parliament voted on 16 June 2026 (423/57/174) to delay Annex III employment obligations from 2 August 2026 to 2 December 2027. The architecture of the regulation is preserved — only the calendar slides.
Is my ATS legally unframed for 16 months?
No. AI Act high-risk obligations step back, but GDPR (Art. 15, 22) remains fully applicable. You can demand the logic of any automated decision and a human review starting today.
What is the difference between Article 50 and Annex III?
Article 50(2) covers transparency for AI-generated content (a recruiter email drafted by GPT) — applicable on 2 December 2026. Annex III point 4 covers employment systems (ATS, scoring) — postponed to 2 December 2027.
How long does a recruiter have to answer a GDPR Art. 15 request?
One month from receipt, extendable by two months in case of complexity. You can file a complaint with your national DPA if there is silence or an incomplete reply.
What is the probability of getting a satisfactory reply?
Low. According to noyb (2026), out of 121 Art. 15 requests sent between 2018 and 2026, 16.5% were satisfactory, 53.7% incomplete, and nearly 30% went unanswered. Plan the DPA escalation upfront.
Why this delay — lobbying or a technical reason?
Officially technical: CEN-CENELEC JTC 21 missed its August 2025 target on harmonised standards. Unofficially, industry pressure was owned by the Cypriot Council presidency around lowering recurring administrative costs.
Are ATS deployed before 2027 covered?
Partly. The regulation includes a grandfathering rule: systems placed on the market before 2 August 2027 only flip into the high-risk regime once they undergo a substantial modification. Hence the importance of the GDPR lever.
Can I cite the AI Act in a letter to a recruiter in 2026?
No, it would be counterproductive. The high-risk obligations are not yet enforceable. Anchor your letter exclusively on GDPR Art. 15 and 22 — the only enforceable ground until December 2027.
What if the recruiter says "the AI decided, not me"?
GDPR Art. 22(3) gives you the right to human intervention, to express your point of view, and to contest the decision. EU data protection authorities explicitly list automatic rejection of an online job application as a textbook example.
Is the existing Velyq article on AI Act candidate rights still valid?
It is being updated in parallel to reflect the 2 December 2027 date. The ten rights themselves do not change — only the calendar of enforceability shifts.
Takeaways
- EP vote, 16 June 2026: 423/57/174 — Annex III employment pushed to 2 December 2027.
- 16 months of AI Act gap on the ATS side, August 2026 → December 2027.
- Article 50(2) (generative-AI watermarking) stays at 2 December 2026 — exploitable asymmetry.
- GDPR Art. 15 + 22 = the only enforceable lever today for candidates.
- 83.5% of Art. 15 requests are mishandled (noyb) — plan the DPA escalation upfront.
- 2 August 2027 grandfathering = your 2024 ATS may stay outside the high-risk frame well beyond 2028.
- GDPR-only letter, never AI Act, all the way to late 2027.
Prep the interview the ATS may not have let you through. And audit your CV before a 2024 scoring engine sends you home until 2028.
