AI Rejected Your Job Application: Your Rights under UK Law in 2026

Most large UK employers now use software to screen, rank, or reject job applications before a human reads them. CV parsers score your experience against the role. Assessment platforms grade recorded video interviews. Ranking tools order the shortlist. If you have applied for jobs in the last two years, an algorithm has almost certainly made a decision about you.

Two pieces of law changed recently, and most of what is written online about AI and hiring predates both. The Data (Use and Access) Act 2025 rewrote the UK's automated decision-making rules with effect from 5 February 2026. The EU's Omnibus agreement of 7 May 2026 moved the AI Act's high-risk deadlines. This article sets out where that leaves you as a candidate in 2026, and what employers running these tools now have to get right.

The new automated decision-making rules

For years, Article 22 UK GDPR worked as a near-prohibition: solely automated decisions with legal or similarly significant effects were banned unless an exception applied. The Data (Use and Access) Act 2025 replaced that single article with Articles 22A to 22D, in force since 5 February 2026.

The default has flipped. Solely automated significant decisions are now permitted, provided safeguards are in place. For a rejected candidate, the safeguards are the point. Where an employer takes a significant decision about you based solely on automated processing, it must provide:

1. Information about the decision, including that automation was used
2. A way to make representations about the decision
3. Human intervention on request
4. A way to contest the decision

A hiring rejection is the textbook significant decision. Regulators and practitioners consistently list recruitment screening alongside credit scoring and benefits eligibility as the use cases most exposed under the new regime.

Two qualifications matter. First, the new permissive regime applies to ordinary personal data. Where the decision relies on special category data, such as health information, ethnicity, or biometric data used for identification, the stricter pre-2026 position still applies and the processing generally needs explicit consent or another narrow gateway. Second, "solely automated" is about substance. A human who rubber-stamps the algorithm's output without genuine engagement does not turn an automated decision into a human one. The Information Commissioner's Office consulted on draft guidance covering exactly this through spring 2026, and meaningful human involvement is the consistent theme.

What the Equality Act adds

The Equality Act 2010 has applied to algorithmic hiring all along, and it remains the sharper risk for employers because the exposure is uncapped and the law looks at outcomes.

Effect, then justification. An algorithmic screen is a provision, criterion or practice. If it puts people who share a protected characteristic at a particular disadvantage, the employer must objectively justify it as a proportionate means of achieving a legitimate aim, or it is indirect discrimination under section 19. Intention is irrelevant. A tool trained on historical hiring data that learned to prefer the people historically hired can discriminate at scale without anyone intending anything.

The employer owns the risk. Liability lands on the employer using the tool. A vendor contract does not move Equality Act exposure to the vendor, and a tribunal will not accept the algorithm produced the shortlist as a defence.

Claims have started arriving. An Uber Eats courier, backed by the Equality and Human Rights Commission, brought a claim after facial recognition identity checks repeatedly failed him. The case settled in 2024 and is widely treated as the marker for algorithmic discrimination claims in the UK. On the regulatory side, the ICO audited AI recruitment tool providers in late 2024 and found, among other failures, tools filtering candidates by protected characteristics and collecting far more data than the task required. Its follow-up work through 2026 has pushed nearly 300 recommendations into that market.

For a candidate, the practical consequence is that a rejection produced by a biased tool can ground a tribunal claim even where the employer shows you the safeguards were all in place. Data protection compliance and discrimination law run on separate tracks.

Where the EU AI Act fits

The EU AI Act classifies AI systems used for recruitment and selection, including CV filtering and interview assessment, as high-risk. High-risk status brings duties on providers and deployers: risk management, data governance, transparency to candidates, human oversight, and logging.

The dates moved in May 2026. Under the Omnibus agreement of 7 May, the obligations for standalone high-risk systems under Annex III now apply from 2 December 2027. Separately, the Article 50 transparency duties, which require people to be told when they are interacting with an AI system, still take effect on 2 August 2026. An AI-conducted video interview for an EU employer falls within that disclosure duty.

The Act reaches UK situations in two main ways: where the hiring organisation is established in the EU, and where the system's output is used in the EU. A UK candidate applying to a Dublin or Berlin employer will eventually get the benefit of the high-risk regime. For purely domestic UK hiring, the Act does not apply, and your protections are the UK GDPR rules above and the Equality Act.

What to do if you suspect an algorithm rejected you

Read the candidate privacy notice. Employers must describe automated decision-making in their privacy information. Absence of any mention, combined with an instant rejection, is worth noting.

Make a subject access request. Article 15 UK GDPR entitles you to confirmation of whether automated decision-making was used, meaningful information about the logic involved, and the personal data the employer holds on you. Email the employer's privacy or HR contact, state that you are making a subject access request, and keep the thread. The response deadline is one month.

Use the safeguards. Ask in writing for human intervention and state your representations: what the screen appears to have missed, and why the outcome was wrong. The employer must enable this for solely automated significant decisions.

Watch the clock if discrimination is in play. Employment tribunal discrimination claims must generally be brought within three months less one day of the act complained of. Acas early conciliation pauses the clock, but the window is short. If the timeline matters, take advice before it closes.

Keep everything. The job advert, your application, the rejection, timestamps showing how quickly it arrived, and every response to your requests. Algorithmic claims are evidence-heavy, and candidates who keep a clean record are in a different position from candidates who deleted the email.

If you are the employer

The same developments read as a compliance checklist from the other side. A DPIA is required before deploying screening tools that profile candidates at scale, and our guide to when a DPIA is needed for an AI system covers the threshold. Vendor due diligence needs to reach the training data and the bias testing, because the Equality Act exposure stays with you. The four Article 22A safeguards need working mechanics behind them: a named route for representations, a reviewer with authority to change outcomes, and records that show the review was real. The ICO's audit findings make clear that buying an established product is no assurance the product is compliant.

When to instruct a solicitor

Most rejected applications do not justify legal action. Some do.

Instruct an employment solicitor when:

• A pattern suggests a protected characteristic is doing the work: for example, strong applications failing instantly at the same automated stage
• A subject access request reveals automated decision-making the employer denied or failed to disclose
• You asked for human intervention and were refused, or the review was plainly a formality
• The role and the loss are substantial enough that a discrimination claim is worth the process
• You are inside the three-month window and need the deadline protected

For data protection complaints that do not warrant a claim, the ICO accepts complaints directly and is actively focused on this market.

---

Current as at 12 June 2026. This is educational. For your specific facts, instruct a qualified employment solicitor.

Part of the Janus Compliance Employment Law cluster. See also: Whistleblower Protection in the UK, Negotiating a UK Settlement Agreement in Redundancy, Legal hub, Immigration, Family law.