Abstract
This article examines the expansion of the EU's risk-based approach to the governance of algorithmic management and its implications for labour law. Risk-based regulation – as embodied in the GDPR, the AI Act, and the Platform Work Directive – relies on anticipatory and context-sensitive mechanisms, most notably impact assessments, to identify and manage risks before harm occurs. These techniques remain largely unfamiliar to labour law, which has traditionally relied on a rights-based approach based on prescriptive norms generally aimed at the outright prevention of harm. As a result, scholars have expressed concern that importing a logic of risk tolerance into the domain of workers’ rights may erode established protections and trigger deregulatory drift. After analysing the core features of the EU's risk-based approach and its interaction with labour law, the article argues that these tensions can be generally reconciled through interpretation. When impact assessments concern workers’ rights, they should be read as requiring risk elimination rather than mere mitigation, thereby aligning risk-based regulation with the protective core of labour law. Although enforcement challenges remain and are primarily a matter for policy intervention, the article contends that risk-based regulation – if properly framed and interpreted – does not necessarily undermine labour law's foundational logic, but can enhance its anticipatory and preventive capacity in the governance of algorithmic management.
Introduction
Recent technological developments are reshaping the world of work, primarily through the rise of ‘algorithmic management’ (AM). This expression refers to the deployment of algorithmic tools and the use of artificial intelligence (AI) systems to automate workforce monitoring and decision-making. 1 While AM first emerged in digital labour platforms, it has gradually extended to more conventional employment settings, 2 transforming workplace dynamics at an unparalleled pace. 3 Its impact is therefore progressively extending across a much wider spectrum of workers, explaining its growing relevance for labour lawyers.
Despite the advantages of AM for employers, particularly in terms of productivity and the accuracy of decision-making processes, extensive scholarship has highlighted the significant risks it poses to workers. 4 These include the unprecedented expansion of managerial prerogatives, which threatens to render obsolete the body of labour law traditionally aimed at limiting such powers, particularly with respect to monitoring powers and the use of workers’ personal data. 5 The growing reliance on AM systems has also exacerbated occupational safety and health (OSH) risks, while simultaneously generating new ones. 6 Moreover, AM may facilitate arbitrary or discriminatory decision-making in the workplace, potentially amplifying such practices at scale. 7 These risks are further compounded by algorithmic opacity and the dehumanisation of these algorithmic decision-making processes. Such systems are often opaque, especially to non-specialists, 8 and workers may find themselves subject to decisions they cannot understand, potentially taken without any human involvement. 9 This opacity not only hinders the identification of violations and the collection of evidence to seek redress, 10 but also makes it difficult for workers to meaningfully contest managerial decisions. 11 In the absence of effective regulatory safeguards, this dynamic risks rendering algorithmic power – and the employers who deploy it – effectively immune from accountability.
How, then, has the law responded to these challenges? On the one hand, particularly in relation to employment classification – which, in the context of AM, has primarily concerned platform work – the dominant strategy has been to rely on existing labour law frameworks, applying them with appropriate judicial and, later, legislative adaptations. 12 On the other hand, it became apparent early on that the EU legal order had already embarked on a parallel regulatory path, developing legislative instruments outside the traditional domain of labour law and relying on qualitatively different regulatory techniques. 13 These include the promotion of algorithmic transparency, fairness, and accountability, the guarantee of human oversight, and, most importantly, the requirement to conduct impact assessments to identify and manage the risks arising from the use of these technologies. The first and most significant instruments are horizontal ones, such as the General Data Protection Regulation (GDPR) 14 and the Artificial Intelligence Act (AIA). 15 Because they respectively regulate personal data and AI systems in general, they necessarily apply in the workplace, imposing obligations directly on employers or principals deploying AM systems that use workers’ personal data or qualify as AI systems. 16
More recently, this regulatory evolution has taken an additional step with the Platform Work Directive (PWD). 17 Although with a personal scope limited to employers or principals classified as digital labour platforms (DLPs), 18 Chapter III of the PWD adopts and further elaborates the legal techniques pioneered by the GDPR and the AIA. 19 Crucially, it explicitly transplants these techniques – originally developed outside the labour law domain – into the field of labour law.
What links these instruments is a regulatory approach commonly described as ‘risk-based’. 20 Although the specific features of this approach will be examined in more detail below, the risk-based approach, at its core, shifts regulatory attention from the ex-post sanctioning of unlawful conduct to the ex-ante identification, assessment and management of risks before harm occurs, primarily through procedural obligations and contextual safeguards rather than predetermined substantive rules. While this general model has been deployed at least since the late 1980s in EU secondary legislation to regulate risks to health, safety, and the environment 21 to face the challenges posed by the emerging ‘risk society’, 22 its prominence has markedly increased over the past decades, becoming the EU's preferred strategy for governing the risks of emerging technologies. 23 As long as such technologies are deployed in the workplace, labour lawyers must therefore recognise a parallel shift in the regulation of workers’ rights in the AM context through risk-based regulation – a technique that the EU legislator is also deploying in other regulatory instruments that adopt a risk-based approach in domains with implications for workers’ rights, 24 as recently exemplified by the Corporate Sustainability Due Diligence Directive (CSDDD), 25 which is, in any case, outside the immediate scope of this article.
This shift raises important questions. As will be explored in this article, EU and national labour law systems have historically been built mainly on an approach that is generally rights-based, marked by features that distinguish it from risk-based regulation, 26 as it is based on prescriptive norms and binary legal standards generally aimed at the outright prevention of harm rather than its mitigation. A number of labour law scholars have already expressed the legitimate concern that the foundations of labour law may be undermined by this new regulatory wave, as it imports the logic of risk tolerance into the field of workers’ rights and may lead to deregulatory outcomes. 27 The aim of this article is to investigate the implications of this regulatory shift and to assess the extent to which risk-based regulation may weaken the protection of workers’ rights.
Before specifically addressing this question, it is necessary to take a step back and clarify the terms of the problem. Section 2 begins by examining the core features of the EU's risk-based approach vis-à-vis the rights-based approach. Section 3 then extends the analysis to how the risk-based approach has been adopted in the EU instruments relevant to the regulation of AM systems. Section 4 considers the implications of applying the risk-based approach to labour rights, highlighting both its benefits and potential drawbacks, with particular focus on the deregulation risks discussed in the literature. Only once this groundwork has been laid can Section 5 address the central research question of the article – ultimately whether the legitimate concerns regarding the risk of deregulation might be overcome through interpretation. Section 6 concludes.
The core features of the EU risk-based approach
Although EU institutions have not yet developed a fully coherent analytical framework for addressing risks, scholars have nonetheless identified several recurring features of the risk-based model emerging at the EU level. 28 This section focuses on the elements that the literature commonly presents as distinguishing the risk-based approach 29 from its identified analytical counterpart, the rights-based one – a contrast frequently invoked in debates on the EU's recent wave of technology regulation. 30
This literature has drawn a contrast between these two approaches along several dimensions. First, they diverge in their underlying logic. The rights-based approach represents a traditional legal model operating according to a binary logic: conduct is either in compliance with the law or it is not. In contrast, the risk-based approach adopts a more nuanced and flexible logic, oriented towards risk analysis. Its emphasis is less on the inherent lawfulness of a certain action and more on determining the level of risk that may be tolerated in relation to that action. 31
The rights-based approach corresponds to a traditional ‘command-and-control’ model, which defines regulatory objectives in advance and codifies them into prescriptive rules, thereby leaving little discretion to regulatees as to how to comply. By contrast, risk-based regulation operates as a form of meta-regulation, within the broader family of principles-based models, insofar as it imposes regulatory goals to be pursued rather than prescribing in advance a fixed behavioural standard for all situations. It thus relies on the regulated entities’ own risk management systems to fulfil regulatory objectives on a case-by-case basis, thereby allowing for discretion and contextual adaptation. 32
Ultimately, both regulatory models aim to manage risks, but they do so in opposite ways. Command-and-control regulation manages risks from the outset: the legislator performs the relevant risk assessment once and for all and regulatees have no option but to comply with it. In contrast, under the risk-based model, risk management is entrusted to a form of private self- or at least co-regulation, predominantly procedural in nature, flexible in structure, and open-ended in its outcomes. Here, the regulatee itself, either directly or through a third party, identifies, within the general framework provided by the legislator, the appropriate safeguards and risk management measures for each particular situation, adopting a tailored and context-specific approach. 33
From this perspective, the distinction between rights-based and risk-based regulation can be understood as reflecting competing approaches to the principle of proportionality. The former is grounded in universal and predetermined balancing tests, with safeguards fixed once and for all by general and abstract legal rules, ensuring the same level of protection for all. The latter, by contrast, relies on contextual and case-specific balancing exercises, whose outcomes – and the corresponding level of protection – are necessarily uneven. 34
The move, therefore, is from a command-and-control model, where the legislator prescribes in advance general rules applicable to all and the judiciary ensures ex post their uniform enforcement, to one in which regulatory responsibility is shared with regulatees. 35 These actors are no longer mere passive subjects of public authority, but accountable co-participants within a framework of self-regulation, exercising functions traditionally reserved for public institutions. 36 This normative function is performed through a collaborative rather than hierarchical model, as the targets of the regulation have more discretion to determine how to achieve the regulatory outcomes, collaborating with regulators and, where envisaged, with other relevant stakeholders. 37 Obligations are thus primarily designed by the regulatees themselves and increasingly tailored to their specific risks, with a view to anticipating their materialisation. 38 It is no coincidence that the typical regulatory technique most closely associated with the risk-based approach is the requirement to conduct an ex-ante impact assessment, 39 where the regulatee first identifies and measures the risks associated with potentially harmful activities, and then implements safeguards tailored to the specificities of each case. 40 This represents a stark contrast with command-and-control models, as will be further discussed in Sections 3 and 4. The latter are typically characterised by prescriptive norms – including strict prohibitions not susceptible to gradation – aimed at the outright prevention of harm, leaving regulatees with no role other than compliance with rules predetermined by the legislator.
Within this model, the rules on liability also undergo significant transformation. The traditional system, in which liability generally falls on the party who has caused the harm, is complemented by a regime in which responsibility shifts – at least in part – from having caused the harm to having failed, from a compliance perspective, to adopt all necessary measures to eliminate or at least mitigate it. 41 The interpretative criterion of causation underlying this form of liability is therefore ex ante, as it precedes the occurrence of the damage rather than following it. Importantly, ex-ante liability for non-compliance does not replace ex-post liability for having caused harm; rather, the former may serve as a precondition for the latter to arise. 42
The EU risk-based approach to AM in the workplace
It should be noted, however, that the distinctions drawn above are largely analytical constructs. In practice, regulatory texts may combine features of both models. What is evident, however, is that EU regulation has progressively shifted from a predominantly rights-based framework toward one increasingly characterised by risk-based elements: a shift that has become particularly evident over the last decade, at least in data protection 43 and, more broadly, technology regulation. 44
Several factors are typically identified in the literature as having driven this shift. First, it is often argued that it is generally impossible, and frequently prohibitively costly, to eliminate all risks entirely. 45 Consequently, regulation has moved toward setting broad objectives that aim, in general (though not in every case, as will be examined below), to mitigate rather than eliminate those risks. 46 Second, in highly technical sectors with context-dependent risks, such as those involving algorithmic systems, rigid command-and-control frameworks are criticised as overly burdensome and insufficiently responsive to contextual nuances. 47 Moreover, excessive rigidity is frequently criticised for its chilling effects on innovation: by locking actors into rigid binary prescriptions that cannot adapt to evolving technologies, the law may inadvertently stifle experimentation and slow down the development of new promising applications, particularly in the field of AI. 48 By contrast, delegating standard-setting functions to regulated entities, typically providers or users of these systems who are closer to their operational realities, allows for adaptive and context-sensitive regulation. 49 Finally, the risk-based approach is described as preventive and anticipatory, insofar as it renders regulated entities accountable for the risk management measures they implement, ensuring that safeguards are continuously adapted to pre-empt or mitigate risks in technologically complex settings. 50
In any case, the risk-based approach assumes slightly different configurations across the three EU instruments most relevant for the regulation of AM in the workplace – namely, the GDPR, the AIA, and the PWD. Each reflects a shift away from a predominantly command-and-control logic toward a regulatory framework more reliant on anticipatory assessments, contextual safeguards, and accountability of regulated actors. Yet, rights-based and command-and-control techniques do not disappear entirely. As will be seen below, they remain, albeit to a more limited extent, alongside risk-based provisions, with varying intensity and modalities across the three instruments. It is therefore necessary to examine more closely how this interplay of regulatory logics is articulated within each.
The GDPR
The underlying logic of the GDPR has been described as primarily ‘bottom-up’, 51 because the evaluation of risks and the definition of corresponding safeguards are not, for the most part, predetermined by the legislator, but left largely to the discretion of the targets of the regulation, making it an example of co-regulation. 52 This choice reflects the centrality of the principle of accountability (Articles 24 and 5(2)), which makes controllers responsible for both the design and effectiveness of compliance measures. 53 Closely linked to accountability is the principle of proportionality 54 – here understood in the sense typical of the risk-based approach outlined above, as a contextual and case-specific balancing exercise.
The risk-based approach characterising the GDPR emerges clearly from provisions that, in line with its nature as meta-regulation, require contextual calibration of compliance measures. The general principles of processing in Article 5, mostly framed as corollaries of the principle of proportionality, exemplify this rationale: although conceived within a rights-based perspective, they establish open-textured standards to be concretised in light of the circumstances of each case. 55 More distinctly, the principle of data protection by design in Article 25(1) illustrates the tailoring typical of the risk-based approach, requiring controllers to integrate regulatory goals – such as the general principles in Article 5 – directly into their processing operations, embedding safeguards within systems and organisational processes according to the risks posed by each processing operation. 56
In practice, however, the technique that best encapsulates the GDPR's risk-based logic is the data protection impact assessment (DPIA) under Article 35. 57 This provision requires controllers, whenever ‘a type of processing in particular using new technologies […] is likely to result in a high risk to the rights and freedoms of natural persons,’ to identify, assess, and implement ‘measures envisaged to address the risks’ prior to the processing. The DPIA – whose scope likely covers most AM systems and the related risks to workers’ rights 58 – distinctly embodies the risk-based approach in two respects. First, it represents the clearest expression, within the GDPR, of the self-regulatory logic characterising risk-based regulation. Once risks are identified, the choice of safeguards rests primarily with the controller, who may exercise this discretion autonomously or by consulting external experts of their choosing. 59 While the Regulation contemplates a potential involvement of supervisory authorities (Article 36), as well as of data subjects and their representatives (Article 35(9)), such participation remains optional rather than mandatory. 60 Controllers may therefore proceed autonomously, deciding which safeguards are most appropriate to address the risks, without any prior engagement with the regulator or other stakeholders. 61 Second and most importantly, with regard to risk management measures, the GDPR adopts a permissive stance: it refers to risk mitigation rather than elimination. 62 Thus, a controller remains compliant with Article 35 even when a high risk is identified, provided that safeguards are adopted to reduce, but not necessarily eliminate, that risk. This framework thus tolerates the persistence of residual risk, embracing – at least in this respect – the risk-based approach in its purest form.
Nevertheless, despite these defining elements of the risk-based approach, the GDPR does not fully abandon command-and-control techniques. Alongside risk-based provisions, it also contains rules that operate according to a binary logic, prohibiting specific types of processing from the outset, such as the processing of special categories of personal data (Article 9) 63 or, despite various carve-outs, automated decision-making (Article 22). 64 In these cases, proportionality functions not as a contextual balancing exercise, as seen in the risk-based provisions discussed above, but as a universal and predetermined test, with safeguards fixed once and for all. The result is a hybrid regime: predominantly risk-based, yet supplemented by prohibitions rooted in a command-and-control logic.
The AIA
The AIA follows a different structure, which has been described as ‘top-down’ in its design. 65 The reason for this classification is that the legislator directly categorises AI systems into four risk levels – unacceptable, high, limited, and minimal – attaching to each a corresponding regulatory regime, without leaving the task of evaluating such risk scores to the regulatees. 66
At this macro level, proportionality takes the form of a universal and predetermined balancing test: unacceptable systems are banned outright, while others are permitted subject to progressively stricter safeguards depending on risk level. This reflects a classic command-and-control logic, since the law fixes the safeguards ex ante through abstract rules that apply uniformly to all actors, especially with respect to unacceptable-risk systems, which are prohibited according to a binary logic (Article 5).
Yet at the micro level, particularly for high-risk systems, the AIA relies predominantly on risk-based elements, albeit accompanied by a more stringent set of duties than those under the GDPR. 67 High-risk systems are of greatest relevance for present purposes, as they generally include AM systems (Article 6), except where they fall under the unacceptable risk category (Article 5). 68 For high-risk systems, risk evaluation and safeguard selection are largely entrusted to regulated entities. Unlike the GDPR, however, these duties are split between two categories of actors, i.e. providers and deployers, although the primary burden of risk management lies with the former.
Providers are required, among many duties, to undergo a conformity assessment procedure to ensure that the technology complies with predetermined requirements (Articles 16 and 43) and to establish and maintain a risk management system (Article 9), covering, among other aspects, risks to workers’ rights. 69 Regarding AM systems, the legislation relies on the provider's self-assessment, without the mandatory involvement of public authorities or other stakeholders, 70 exemplifying the self-regulatory logic of risk-based regulation. Similarly, the AIA adopts a permissive stance on risk management measures: while Article 9 contemplates both elimination and mitigation of risks, it affords providers a degree of discretion that may, in practice, allow them to confine their compliance efforts to mitigation alone. 71 As in the GDPR, therefore, the framework seems to tolerate the persistence of residual risk following the assessment.
Deployers, by contrast, are subject to less onerous obligations than providers in terms of risk management. They are, nonetheless, of greater importance from a labour law perspective, since employers and principals using AM systems will generally fall within this category and will therefore be bound by the corresponding obligations. 72 Among many duties, deployers must monitor system operation, cooperate with providers, and use the information received from providers to fulfil their DPIA obligations (Article 26). Most importantly, the AIA requires deployers to carry out a specific risk assessment of fundamental rights, the so-called Fundamental Rights Impact Assessment (FRIA) (Article 27). The FRIA obligation, which appears always to apply when an AM system may adversely impact workers’ rights, 73 nonetheless has a narrow personal scope: it does not, for instance, extend to the vast majority of private employers or principals intending to use AM systems. 74 Moreover, the FRIA itself is characterised by a predominantly self-regulatory logic, since deployers are required to conduct it autonomously, with stakeholder involvement remaining optional. 75 A role for the public regulator is envisaged through the mandatory notification to the market surveillance authority, but only after completion of the FRIA. 76 In terms of risk management measures, the AIA appears aligned with the GDPR in referring primarily to risk mitigation rather than elimination, thereby tolerating residual risk after the assessment and adopting a risk-based approach in its most genuine form. 77
The AIA thus displays a hybrid structure partially akin to the GDPR's in being predominantly risk-based, yet supplemented by command-and-control techniques. Within the AIA's architecture, however, the weight of these command-and-control elements is more significant than in the GDPR, with a more systemically rigid framework.
The PWD
The PWD represents the explicit transplantation of these regulatory techniques into the labour law domain, with a particular focus on AM in platform work. As with the GDPR and the AIA, a dual regulatory structure emerges, combining risk-based and command-and-control elements.
On the one hand, the Directive retains a command-and-control logic where, for instance, it prohibits the processing of particularly sensitive categories of data through automated systems used in the workplace (Article 7) or ‘any decisions to restrict, suspend or terminate’ the relationship with a platform worker taken by an automated system (Article 10(5)). 78 This design, compared to the broader frameworks of the GDPR and AIA, is therefore tailored to the risks of AM systems.
On the other, the PWD makes extensive use of risk-based techniques to regulate the deployment of AM systems. It strengthens the DPIA obligations under the GDPR (Article 8), introduces autonomous duties of assessment with stricter safeguards (Article 10), and mandates specific evaluations of health and safety risks associated with AM systems (Article 12).
However, the PWD also marks a significant evolution in the implementation of the risk-based approach. Unlike the GDPR and the AIA, where risk assessment is primarily a self-regulatory exercise, the PWD establishes a more shared and participatory model. 79 Article 8 goes beyond the GDPR by requiring that, in the context of the DPIA, the views of platform workers and their representatives must be sought. More substantially, Article 10 mandates that DLPs carry out an evaluation of the impact of individual decisions taken or supported by AM systems, including on working conditions and equal treatment, with the involvement of workers’ representatives. Similarly, Article 12 sets out requirements for information, consultation, and participation of platform workers and/or their representatives regarding OSH risks. 80 The PWD also introduces notable innovations in relation to risk management measures, particularly in Article 10. Unlike the DPIA and the FRIA, which primarily focus on risk mitigation, Article 10(3) directs that, once a risk to workers’ rights is identified within the evaluation carried out with workers’ representatives, the DLP ‘shall take the steps necessary, including, if appropriate, the modification’ of the AM system ‘or the discontinuation of its use, in order to avoid such decisions in the future’. In other words, at least in the assessment provided by Article 10, residual risk is no longer tolerated: the PWD requires effective measures to eliminate identified risks, by preventing their recurrence.
Taken together, these provisions show that the PWD maintains the dual structure observed in previous instruments – a predominance of risk-based elements complemented by command-and-control rules – while recalibrating the approach compared to the GDPR and AIA. First, it tempers self-regulation by mandating worker participation. Second, it starts departing from the traditional permissive stance on risk mitigation, advancing toward a legal obligation to eliminate risks once they have been identified. In this respect, the PWD constitutes a labour-protective evolution of the EU's risk-based model, ensuring stronger safeguards for platform workers against the risks of AM.
The risk of a deregulatory drift in labour rights under the risk-based approach to AM in the workplace
These three instruments – GDPR, AIA and PWD – illustrate how the EU's technology regulation strategy has embedded risk-based tools into the governance of AM, making them directly relevant to labour law along two axes. The GDPR and the AIA operate as horizontal instruments: they apply whenever workers’ personal data are processed or AI systems are deployed in the workplace. In doing so, they indirectly reshape the coordinates of labour law, as technology regulation defines – through a predominantly risk-based framework – the conditions under which workers are managed by AM. Although not originally conceived within the labour law domain, these regulatory instruments therefore acquire significant relevance for labour law analysis and, as a result, must be interpreted and integrated with sector-specific provisions at both EU and national levels. By contrast, the PWD represents a direct labour-focused shift. It takes regulatory techniques first elaborated within the broader field of technology governance and transposes them into the labour law context, governing AM systems through a predominantly risk-based framework reoriented to the specific logic of the field. Together, these instruments reveal a dual dynamic: risk-based regulation both permeates the general governance of technology and is selectively internalised within the employment domain.
The result is, however, a fragmented regulatory framework with respect to AM, 81 as the material and personal scopes of the GDPR, AIA, and PWD differ and overlap. Depending on their features, individual AM systems may fall under one or more of these instruments, while employers or principals may be governed by all or only some of them. The main limitation is that the PWD, the most mature risk-based regulation in terms of labour protection, applies solely to DLPs, leaving other workers exposed to AM systems with only the weaker safeguards of the GDPR and the AIA.
Beyond fragmented scopes of application, regulation is nonetheless pervasive, establishing a framework in which the risk-based approach has become preponderant – though not exclusive, as some command-and-control provisions persist – in the governance of AM at work at EU level. It is therefore important for labour law scholars to assess the broader implications of this shift, particularly since, as noted at the outset and elaborated below, the risk-based approach has long remained largely external to the field.
Indeed, scholars examining the relationship between labour law and risk have long observed that the traditional system of labour law and its norms can be understood as mechanisms for protecting employees from social risks. 82 Yet, relying on the analytical framework outlined above, it does so in a manner fundamentally distinct from the risk-based approach applied to AM systems. Labour law has traditionally operated under a rights-based approach and command-and-control logic, relying on proportionality tests in which rights are balanced once and for all through rigid rules grounded in a predominantly binary logic. 83 These features reflect the genetic traits that have characterised the field for decades at least in Continental Europe and that, despite their partial crisis, continue to define it: the non-waivability of rights, and the mandatory and especially inderogable character of norms. 84
Many labour law provisions establish minimum floors of protection, typically non-derogable except in favour of the worker, and impose absolute limits or strict prohibitions not susceptible to gradation. Examples – selected among many, as these will be revisited below – include maximum working time and minimum rest periods; absolute limits on managerial prerogatives, including forms of unilateral employment regulation traditionally issued through the employer's power of direction and control, exercisable only under strict statutory prescriptions; and outright prohibitions on direct discrimination. Other provisions, while still framed in substantially binary terms, are drafted with greater open texture, allowing some contextual adaptation. For instance, limits on managerial prerogatives may be expressed through general clauses or subjected to proportionality assessments; similarly, indirect discrimination, though prohibited like direct discrimination, may be objectively justified if pursuing a legitimate aim with proportionate means. In this sense, the introduction of risk-based regulation for AM systems intersects with a traditionally rights-based legal system, where norms are strict or, at most, subject to controlled derogations or exceptions set by statute and subsequently subject to judicial review confined to compliance with the legislative model.
However, the risk-based approach, though not part of labour law's genetic traits, is not entirely alien to the field. 85 Early waves of EU risk regulation already encompassed labour law, most notably in the OSH sub-domain, 86 which indeed contains some of the earliest EU legislation adopting a risk-based approach 87 – a particularly relevant reference point for this analysis, given the OSH risks associated with algorithmic management. 88 The OSH Framework Directive, 89 which constitutes the primary normative reference in the field, requires employers to conduct risk assessments in respect of OSH risks. Its logic is based on the general principle of prevention: employers must implement ‘all steps and measures […] to prevent [i.e., eliminate] or reduce occupational risks’ (Article 3). Interestingly, the Directive appears to prioritise elimination over mitigation. 90 This emerges from both its definition of objectives, which expressly includes only ‘the elimination of risk’ among the general principles (Article 1(2)), and, more explicitly, the list of measures within risk assessments, which require risks to be avoided or, if unavoidable, merely evaluated (Article 6(2)). This, in a way, resembles the PWD's approach, primarily oriented toward risk elimination 91 – unlike the GDPR and AIA, which tolerate residual risk. Yet even in the OSH context, the risk-based approach is embedded in the broader framework of closure norms at EU and national levels, framed in binary logic obliging employers to safeguard workers’ health and safety. 92 This confirms the persistence of command-and-control features in what remains a substantially labour-protective sub-domain, which can explain why the OSH regime, though generally risk-based in form, has been oriented more toward elimination than mitigation, 93 thus, from this perspective, mirroring the approach embodied in the PWD.
Against this backdrop, it is useful to assess the potential systemic effects, positive and negative, of applying risk-based regulation to AM systems within labour law.
The benefits are manifold. First, impact assessments reinforce the anticipatory dimension of protection as they enable a holistic evaluation of potential infringements, allowing earlier identification of harms – including those unforeseen or apparently invisible – and thus fostering a more proactive response, with the potential to reduce workplace rights violations in advance at an aggregate level. 94 When coupled with robust transparency rights, a pre-existing document identifying and assessing risks to workers’ rights in relation to a specific AM tool can also help address justice gaps created by algorithmic opacity, providing an evidentiary baseline that reinforces the enforceability of those rights. 95
Second, by shifting attention from abstract and universal rules to context-specific solutions, risk-based governance can provide more finely tailored protections. For instance, the obligation to carry out an ex-ante impact assessment of an AM system may operate as a mechanism capable of orienting the unilateral exercise of managerial prerogatives in an anticipatory manner, steering them towards compliance with statutory limits and, potentially, beyond minimum legal requirements. In addition, oversight closer to system providers and users allows AM tools to be designed and deployed in ways that may enhance job quality within a given work environment, 96 even moving beyond minimum compliance and signalling a shift toward deliberate design and deployment of AM systems to promote positive outcomes. 97 This effect is stronger where trade unions and works councils participate in assessments, as collective actors are better placed to influence systems affecting groups of workers and contribute to context-specific solutions, especially at workplace level where AM systems are deployed. 98 Such participation resonates with classical labour law techniques, even if only the PWD expressly mandates it. 99
However, the approach has clear limitations. As noted above, only the PWD – and before it the OSH Framework Directive – seems to prioritise risk elimination, whereas the GDPR and AIA tolerate residual risk. A key concern is whether frameworks based on mitigation are compatible with labour law norms, which are generally designed to prevent harm outright under a binary logic. 100 If pushed to extremes, this may partially reshape the labour law system towards risk reduction, diluting the safeguards offered by effective ex-post protection of rights. 101 Consider, for instance, an AM tool where an impact assessment identifies a risk of discrimination but only partially mitigates it without fully neutralising it: a measure consistent with regimes that allow residual risk, yet at odds with labour law prescriptions prohibiting discrimination outright, at least in its direct form. 102
A further problem lies in the self-regulatory nature of risk-based tools, often described as embodying a neoliberal regulatory ideal in which preventive compliance risks being instrumentalised by the targets of regulation as a mere self-legitimation exercise. 103 Impact assessments generally remain at the discretion of employers or their consultants, turning evaluations into self-certification. Even formally independent audits are not immune, as external experts are remunerated by the entities they assess and therefore face structural conflicts of interest. 104 Outside the PWD framework, the absence of mandatory stakeholder participation further risks transforming anticipatory safeguards into instruments favouring employers rather than workers. The issue here is that, in practice, an impact assessment may end up being read, in the context of judicial review, as evidence of the legitimacy of the use of AM systems in the workplace, with two potential consequences. 105 First, employers may attempt to use impact assessments as a legal shield, claiming exoneration – or at least limitation – of their ex-post liability once ex-ante compliance with assessment duties is satisfied. 106 Second, from a more practical standpoint, such mechanisms may reinforce a veneer of legitimacy constraining enforcement, particularly where additional evidence may be required from workers to challenge the assumption, established through the impact assessment, that a given AM tool has been designed and/or deployed in compliance with workers’ rights. 107
How to reconcile the risk-based approach to AM in the workplace with the labour laws
As claimed above, the adoption of a risk-based approach to AM raises the risk of deregulatory drift, insofar as risk-based regulatory frameworks may come into conflict with labour law norms traditionally grounded in the outright prevention of harm. This is more acute when regulation, such as the GDPR and the AIA, is premised on the acceptability of residual risk, and less so where, as in the PWD and earlier the OSH Directive, the orientation is primarily toward risk elimination. The pressing question, therefore, is whether the concerns regarding this potential deregulatory drift can be alleviated through interpretation, ensuring that risk-based regulation does not erode the substantive protections traditionally safeguarded by labour law. Two interpretative strategies can serve this purpose.
A first strategy is limited to the GDPR and linked to the reference, in the discipline of the DPIA, to the principle of proportionality. Article 35(7) requires that any DPIA include ‘an assessment of the necessity and proportionality of the processing operations in relation to the purposes’. On this basis, it has been argued that employers must justify the use of a specific AM system for a given organisational objective, in the absence of less intrusive alternatives for the rights and freedoms at stake. 108 From this perspective, even the DPIA can be seen as oriented primarily toward elimination: only when this proves impossible does the focus shift to mitigation. 109 For example, if an AM system carries residual risks of discrimination, the employer will have to modify the system to eliminate them or, failing that, refrain from using it.
However, this strategy has limits. The principle of proportionality, here operating as a contextual balancing exercise, does not lead to predetermined and uniform outcomes. Where the balancing test favours the employer's organisational needs, it may justify mere mitigation, even at the expense of rights otherwise protected by inderogable norms, absolute limits to managerial prerogatives or strict prohibitions not susceptible to gradation. Thus, while this interpretative approach helps reconcile the risk-based framework of the GDPR with labour law, it offers only a partial solution. Relying on proportionality alone does not fully exclude deregulation risk, as workers in different organisations, subject to different AM tools or performing different tasks may experience different levels of protection even below the inderogable minimums established by labour law, with rights in some situations sacrificed for the sake of managerial interests.
A second strategy moves in a different and broader direction, aligning more closely with the structure of many labour law norms, which – in line with a rights-based approach – operate in a binary logic and generally require outright prevention rather than mitigation. The crucial point is that while risks are quantitative and probabilistic, rights are qualitative and either violated or not. 110 Risk-based methodologies are suitable for harms or damages that can be quantified, but when the risk involves the violation of a right – as in the case of all impact assessments analysed here – the situation is different. 111 The assessment tends to be black or white: either a right is violated or it is not. This is why some scholars have suggested reframing the matter in terms of ‘interference’ rather than ‘violation’, a move that may help bridge the gap between rights safeguards and risk-based assessment. 112 Yet this notion of interference must still account for the nature of the right at stake. 113 For certain rights – such as broad principles, which can be subject to proportionality in the strict sense – the quantitative logic of interference may work and, thus, mitigation may suffice. This seems coherent, for instance, with the general principles of processing under Article 5 of the GDPR, which, though rights-based, ‘are inherently scalable’, 114 so that mitigation measures could well temper the severity of an AM system's interference with one of those principles. But for other rights – particularly those guaranteed by inderogable norms or formulated as absolute limits or strict prohibitions – even the language of interference does not fit. To make them compatible with a risk-based framework, the standard must shift toward risk elimination.
The consequences are straightforward. Where an impact assessment identifies risks of violating inderogable norms, absolute limits to managerial prerogatives, or strict prohibitions, the measures adopted must aim at eliminating the risk. Merely mitigating such risks would, in practice, mean acknowledging that there is a certain probability of its future violation: something generally admissible under the GDPR or the AIA, but irreconcilable with the strict binary logic of many labour law norms. From this perspective, it is significant that both the PWD and, before it, the OSH Framework Directive – the only two EU labour law instruments characterised by a risk-based approach – are nonetheless framed primarily towards elimination rather than mitigation. This may be interpreted as an implicit but normatively important recognition: when workers’ rights are at stake, impact assessments must primarily reflect the logic of risk elimination rather than mitigation, precisely in light of the structure of many labour law norms – so pervasive as to constitute genetic attributes of the field – that are framed in a strict binary logic and, therefore, do not generally tolerate residual risk. This reasoning is reinforced by provisions of the GDPR and, even more clearly, of the AIA, which acknowledge that they do not replace labour regulation but rather establish a minimum horizontal framework of harmonisation, not precluding Member States from adopting ‘more specific’ 115 or ‘more favourable’ 116 rules for workers aimed at ensuring stronger protection of their rights. 117 It follows that, since GDPR and AIA – but even the PWD – provisions can be interpreted in two ways, only one consistent with the safeguarding of workers’ rights, the interpretation aligned with the more specific and/or favourable features characterising labour laws must prevail. 
Consequently, labour law norms – at least those framed as inderogable or introducing absolute limits to managerial prerogatives or strict prohibitions – should be exempt from proportionality review within impact assessments, which, lacking predetermined outcomes, risk undermining them.
Examples illustrate the point. If an AM system used to organise shift schedules risks infringing rules on maximum working time and minimum rest periods – rights established by norms classically formulated as inderogable, at least in their core provisions 118 – the system must be modified to eliminate the risk or, failing that, must not be used. The same reasoning applies, to give another example, taking into account the limits to the dismissal power of an employer. If an AM system risks triggering a dismissal on a ground prohibited under national law, 119 the appropriate course of action is to modify the system so that it considers only factors that may lawfully justify a dismissal 120 – or, if such modification is not possible, to refrain from using the system for dismissal purposes altogether. Similarly, where AM systems engage in the remote monitoring of workers, the response depends on the legal framework: in jurisdictions where such monitoring is prohibited with predetermined exceptions, 121 the system must be adapted to fall within the exceptions or not be used. Where monitoring is instead subject to a proportionality review under national law, 122 risk-reduction measures may suffice. The same distinction applies to discrimination: if an AM system creates a risk of direct discrimination, 123 the employer must remove the risk entirely or abstain from using the system. By contrast, indirect discrimination may be addressed by mitigation, since it can be justified if pursuing a legitimate aim with proportionate means. 124
After all, a closer look shows that the same conclusion holds for certain provisions of the GDPR and the AIA – and, with even greater force, of the PWD. Despite their general risk-based design, both contain rules framed in command-and-control terms, leaving no room for context-specific adaptations. For example, measures must necessarily be adopted to eliminate the risk that a dismissal could be imposed by an AM system without any human intervention, 125 or that such a system could infer a worker's emotions, without justification on grounds of health and safety. 126 In such cases, compliance with outright prohibitions requires elimination, not mitigation, of risk: precisely because these provisions of the GDPR and the AIA – and even more so of the PWD – are shaped according to a logic closer to that of the labour law norms analysed above, notwithstanding the predominantly risk-based orientation of these instruments.
That said, impact assessments operate ex ante, before rights are violated, and are by nature prognostic regarding potential violations of rights. 127 The fact that a violation subsequently occurs – even one whose risk should have been eliminated – does not automatically entail ex-ante liability for non-compliance, 128 at least where the failure to eliminate the risk is due to unusual or unforeseeable circumstances or exceptional events. 129 Aside from such possible exclusions, however, liability for non-compliance does not replace but rather complements the employer's liability for the actual violation, 130 nor does it constitute, in legal terms, a precondition for ex-post liability to arise. Employers therefore cannot invoke prior mitigation to escape responsibility. Labour law protections, including liability and damages, thus remain fully applicable and unaffected – an approach also justified by EU provisions allowing more specific and/or more favourable rules to safeguard workers’ rights 131 and reinforced by interpretative positions already affirmed in the OSH context. 132
Conclusion
The expansion of risk-based regulation to AM in the workplace has raised legitimate concerns among labour law scholars. The issue is that importing the logic of risk tolerance into a field historically premised on the outright prevention of harm could open the door to deregulatory outcomes – a risk that is already visible today and may grow further if the EU legislator continues to rely on these techniques.
However, the analysis undertaken here suggests that this legitimate concern can be tempered through interpretation. As shown, it is no coincidence that labour law instruments such as the PWD – and, before it, the OSH Framework Directive – exhibit no particular tension, as they already employ risk-based tools primarily oriented towards risk elimination. Rather, the real challenge arises with the GDPR and the AIA, horizontal instruments that intersect labour law only indirectly, yet have risk mitigation at their core. Nonetheless, these frameworks must be interpreted in an integrated way, with impact assessments being oriented primarily towards risk elimination, so that labour law is not displaced but rather complemented by risk-based techniques.
At the same time, these techniques reveal a positive potential: impact assessments can strengthen the anticipatory dimension of protection by enabling a proactive evaluation of risks, thus reducing rights violations ex ante. When coupled with transparency duties, impact assessments may also help bridge justice gaps created by algorithmic opacity, offering an evidentiary baseline that enhances enforceability. Finally, where workers’ representatives are involved, such mechanisms may revive classical participatory techniques of labour law within a renewed regulatory architecture.
This also helps clarify the architecture of liability, as ex-ante liability may arise where employers fail to foresee and manage risks during the assessment phase, while ex-post liability under labour law remains intact for the actual infringement. In this sense, the risk-based framework does not erode the remedial apparatus of labour law, but rather overlays it with an additional layer of accountability.
A more substantive and still unresolved issue, however, operates at a practical level. The main challenge is that enforcing workers’ rights in the context of AM may become increasingly complex due to the reliance on impact assessments, particularly where these take the form of self-certification without mandatory stakeholder involvement, as under the GDPR and the AIA. In such settings, risk-based mechanisms may confer a veneer of legitimacy on AM practices, rendering them harder to contest. In the absence of effective union participation in the assessment process and robust transparency obligations, violations may remain concealed behind self-certified compliance documentation. This dynamic, as shown above, ultimately translates into an enforcement deficit, as self-certified impact assessments risk shifting informational and evidentiary burdens onto workers, thereby weakening the practical justiciability of labour rights.
This leads to two concluding reflections from a systemic perspective. First, as argued above, the tension between risk mitigation and risk elimination appears largely resolvable through interpretation, although a clarifying intervention, extending the logic of the PWD beyond its current scope, could nonetheless be desirable. Second, enforcement challenges raise more structural concerns that cannot be addressed through interpretation alone and instead require policy-level responses.
In this respect, the PWD provides a useful reference model both for the fine-tuning of existing legislation and for the design of potential future instruments embedding a risk-based approach. Its emphasis on enhanced transparency, meaningful collective involvement in risk assessment processes, and effective oversight mechanisms illustrates how risk-based tools can be embedded within a labour-protective framework capable of preventing self-certification from degenerating into mere formal compliance. Extending similar safeguards beyond platform work would help address the current fragmentation of EU regulation governing data protection and AM in the workplace. This perspective aligns with a growing body of scholarship and policy-oriented contributions highlighting the incoherence of the existing fragmented framework and calling for a dedicated and generalised EU regime governing data protection and the use of AM systems in the employment context, even as recent legislative developments point to a more cautious and less ambitious stance than that envisaged in the previous legislative cycle. 133
In any case, at a broader analytical level, the inquiry into the relationship between risk-based regulation and labour protection remains necessarily preliminary. Risk-based regulation, although with different features, is now extending even beyond technology regulation, as illustrated by the CSDDD and other similar initiatives likely to affect workers’ rights. 134 The paradigm shift lies in the growing centrality of risk-management techniques in regulatory design. For labour lawyers, the challenge is not to reject these techniques as alien, but to ensure they are embedded in ways that preserve, rather than dilute, the genetic rights-based traits of labour law, including the inderogability of its normative core. In this sense, the inquiry is only at its beginning – and much remains to be explored.
Declaration of conflicting interests
The author declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author received no financial support for the research, authorship, and/or publication of this article.
