The legal risks of using AI to screen job candidates in the UAE

An automated tool that ranks, filters, or rejects job applicants processes personal data and produces a decision that affects the candidate, and UAE law treats that combination as high-risk. The UAE has no single statute aimed at artificial intelligence in recruitment. The exposure sits in laws already in force: the federal data protection law, the separate data protection regimes of the DIFC and ADGM, and the anti-discrimination provisions of the Labour Law. A screening tool touches all three at once.

An employer that buys a screening tool inherits responsibility for how that tool processes candidate data and what it filters on. The vendor builds the model, but the employer is the one making the hiring decision in law. For employment lawyers in Dubai, the HR team's questions are practical. Does the tool need a formal assessment before it goes live, can a rejected candidate demand a human review, and is a model trained on past hires screening on protected grounds that no one intended?

Why AI screening counts as high-risk processing under UAE data protection law

Onshore, the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) governs how candidate data may be used. A CV, a video interview, and a psychometric result are all personal data, and an algorithm that scores them carries out automated processing. The law requires a data protection impact assessment before such a tool goes live, not after a complaint. The trigger is processing that systematically evaluates a candidate's personal aspects and produces a decision that seriously affects them.

The law also gives the candidate a direct right. A data subject can object to a decision based solely on automated processing where it carries legal consequences or seriously affects them. For a recruitment tool, that means a rejected applicant can ask for the automated outcome to be reviewed by a person. An employer that cannot offer that review, because the decision sat entirely with the model, is exposed. The same processing can trigger the obligation to appoint a data protection officer, since profiling and large-scale automated assessment are named grounds for that appointment.

The federal law has been in force since 2022, and the Emirates Data Office oversees it. Enforcement has developed gradually while the executive regulations and the Data Office are operationalised, so most employers have driven compliance through their own assessments rather than in response to regulator action. The direction is toward fuller enforcement, which makes the impact assessment and the human-review route worth building now rather than later.

How the rules differ in the DIFC and ADGM

The federal law does not reach the financial free zones. An employer incorporated in the DIFC or ADGM follows that zone's own regime, and the DIFC regime is the most developed on this point. Regulation 10 of the DIFC Data Protection Regulations governs personal data processed through autonomous and semi-autonomous systems, which is what an AI screening tool is.

Regulation 10 has been enforceable since 2023, with full enforcement from January 2026. It requires systems to be fair, transparent, and accountable by design, backed by an impact assessment for high-risk activities, an AI register, and an Autonomous Systems Officer to own the risk. The DIFC opened a consultation in June 2026 on further amendments, including a clearer certification route, but those changes are a proposal under Consultation Paper No. 3 of 2026 and are not yet law. The current Regulation 10 is the rule a DIFC employer follows today.

Where AI screening collides with UAE labour law

Data protection is only half the exposure. The UAE Labour Law (Federal Decree-Law No. 33 of 2021) prohibits discrimination that weakens equal opportunity or prejudices equal treatment in obtaining or keeping a job, on grounds that include sex, race, religion, national origin, and social origin. A screening model trained on a company's past hires learns the patterns in that history. Where the history skews toward one group, the model can reproduce the skew and rank out candidates on a protected ground, even though no one wrote a rule to do so.

The risk has a local dimension as well. A tool that optimises for resemblance to past hires can work against a company's Emiratisation obligations by down-ranking Emirati candidates who do not match the historical profile. That sits awkwardly next to the Emiratisation quotas and Nafis requirements that MOHRE enforces with fines. An employer can end up paying for non-compliance on one side while its hiring tool deepens the gap on the other.

What a candidate can do if an automated rejection is challenged

A rejected candidate has more than one route. Under the data protection law, the candidate can object to a solely automated decision and ask for human review. Where the employer ignores that right, the candidate can complain to the Emirates Data Office. In the DIFC or ADGM, the candidate can take the same complaint to that zone's data protection commissioner. A discrimination claim runs on a separate track, through MOHRE and the courts, and does not depend on proving how the model worked, only on the outcome it produced.

The employer carries the risk even where a vendor built the tool. Buying a model does not transfer the legal responsibility for the decision, so "the software did it" is not a defence to either a data protection complaint or a discrimination claim. Administrative fines, an order to stop using the tool, and the cost of defending a claim all land on the employer. The reputational exposure of a public finding that a company's hiring was biased can outlast the fine.

How to use AI in hiring without taking on the risk

The controls are practical and they sit before deployment, not after. Run an impact assessment that describes what the tool processes, why, and what it decides, and keep a human in the loop so that no rejection rests on the model alone. Tell candidates that automated tools form part of the process, which the transparency rules already require. Test the model for disparate impact across protected groups and against the company's Emiratisation profile, and repeat the test as the model retrains.

The vendor contract is where much of the protection is won or lost. Require the supplier to support explainability, bias testing, and audit, and confirm where the candidate data is stored and processed. A tool hosted outside the UAE turns every CV into a cross-border data transfer, which carries its own conditions covered in our guide to cross-border data transfers under UAE law. For the wider question of governing AI use across a business, our note on practical AI compliance in the UAE sets out the broader framework that recruitment sits inside.

How should UAE employers approach AI in recruitment in 2026?

Using AI to screen job candidates in the UAE is lawful, but it moves legal risk onto the employer in two directions at once. The data protection regime decides how candidate data may be used and gives the rejected applicant a right to human review. The Labour Law decides what the tool may filter on, and a model that learns from biased history can breach it without any intent. Treating the tool as a neutral efficiency gain is how employers walk into both problems.

The most time-sensitive step is the impact assessment, because it has to come before the tool processes a single application, and DIFC employers face full enforcement of Regulation 10 from January 2026. An employer already running a screening tool without an assessment and a human-review route is carrying an exposure it has not measured.

For employers selecting a hiring tool, writing the vendor contract, or responding to a candidate challenge, our employment lawyers in Dubai advise on the assessments, the disclosures, and the discrimination risk. Legal advice may be needed to confirm which data protection regime applies to a specific entity and where its hiring process is exposed.

‍