Why does GDPR Article 22 reach AI-drafted InMail even when a human reviews before sending?

GDPR Article 22 prohibits decisions based solely on automated processing — including profiling — that produce legal effects on the data subject or similarly significantly affect them, except where the decision is necessary for entering into or performing a contract, authorized by Union or member-state law, or based on the data subject's explicit consent. The 'solely automated' element is the analytical hinge, and the EDPB has consistently held that the human-review step must be substantive to remove the decision from Article 22's scope. The European Court of Justice's Schufa decision in December 2023 (Case C-634/21) sharpened the framework by holding that an automated credit-scoring decision is in-scope for Article 22 even where the human downstream user technically has discretion, because the automated score in practice determines the outcome. The reasoning extends to AI-drafted personalized outreach. The traditional defense — that a recruiter reads each AI-drafted InMail before clicking send — depends on the human review being meaningful and producing real discretion. The EDPB's published guidance distinguishes substantive human review (a reviewer who assesses the output, has authority to change it, and exercises that authority in practice) from rubber-stamping review (a reviewer who clicks approve without substantive engagement). AI-drafted InMail workflows at scale — recruiters running 25 personalized drafts at once through AI-Assisted Messages, AI Hiring Assistant proposing candidates and outreach in batch — produce review patterns that frequently look closer to rubber-stamping than to substantive review. The 'significantly affects' element matters less than recruiters often assume. The Schufa decision and EDPB guidance both establish that the threshold is whether the decision materially affects the data subject's situation, not whether the decision rises to legal-effect level. A recruiter's AI-drafted outreach that influences whether the target receives a job opportunity, sales offering, or partnership proposal materially affects the target even where no formal legal status changes. The bar is lower than many programs assume. The Article 22 safeguards required when the analysis is in-scope include the data subject's right to obtain human intervention, the right to express the data subject's point of view, and the right to contest the decision. The safeguards must be implemented operationally, not just stated in a privacy notice. Programs should provide a clear mechanism for the target of AI-drafted outreach to request human review (typically through a privacy contact email), respond to the request within a defined timeline, and document the response for compliance audit. The ICO's November 2024 AI-in-recruitment audit issued approximately 300 recommendations across the recruitment-AI sector, and several recommendations specifically address Article 22 implementation in outreach contexts. The recommendations include conducting a DPIA before procurement of any AI tool with recruitment use cases, documenting fairness and bias monitoring across protected categories, providing transparency to candidates about AI use, and providing accessible mechanisms for candidate objection. Recruiters running LinkedIn AI features at any scale should treat the ICO recommendations as authoritative guidance and incorporate them into program design. For broader privacy framework alignment see the SaaS and Tech Compliance guide and the Legal Compliance Scan . The Article 22 analysis interacts with the broader transparency obligation under Articles 13 and 14, which require the controller to inform the data subject about automated decision-making and meaningful information about the logic involved. For AI-drafted InMail, the meaningful-information obligation is not satisfied by a generic 'we use AI' notice; it requires specific information about what data the AI processes, how the personalization is derived, and what safeguards apply. Programs that have not updated their transparency notices to address AI personalization specifically should do so before launching the AI feature into EEA-reaching workflows. Two operational implementations work in practice. The first is a substantive human-review step where the reviewer reads the AI-drafted output, considers whether it appropriately serves the recipient's interests, and edits or rejects where necessary, with the review documented in audit logs. The second is a per-campaign DPIA that establishes the AI feature's risk profile and the safeguards in place, refreshed on any material change to the feature or to the use case. Programs that implement both layers generally satisfy the Article 22 framework; programs that implement neither face the strongest analytical pressure during a regulator inquiry.

How does EDPB Opinion 28/2024 reshape legitimate-interest analysis for AI on LinkedIn profile data?

EDPB Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models, adopted on December 17, 2024, established a three-step test for whether legitimate interest can serve as a lawful basis for processing personal data in AI model development and deployment. The three steps are: identifying the legitimate interest pursued by the controller or by a third party, assessing the necessity of the processing for that interest, and balancing the interest against the rights and freedoms of the data subjects. The Opinion explicitly addresses publicly accessible data, including data on professional networking sites, and notes that public availability does not by itself establish a reasonable expectation of all downstream uses. The implications for LinkedIn AI on profile data run in several directions. First, the legitimate-interest defense for AI features that process LinkedIn profile data must articulate a specific interest beyond generic 'improving our products' framing. The Opinion expects the interest to be defined narrowly enough that the necessity test can be assessed against it. 'Drafting personalized InMail to facilitate B2B outreach for our recruiter customers' is the kind of specific interest the Opinion contemplates; 'using AI to make LinkedIn more useful' is not. Second, the necessity test asks whether the same outcome can be achieved with less data or less intrusive means. AI-drafted InMail that draws on the target's full LinkedIn profile to produce personalization may not pass the necessity test where a shorter targeted set of attributes (recent role, recent activity in relevant topics) would produce comparable outcomes. The minimum-data principle has teeth in the Opinion's framework. Third, the balancing test considers the data subject's reasonable expectations, the source of the data, and the consequences of the processing. The Opinion explicitly identifies data subjects' reasonable expectations as a balancing factor and notes that data given in one context (professional networking, the user joining LinkedIn for connections and career opportunities) does not automatically extend to downstream uses (training AI models or fueling AI-drafted commercial outreach by third parties). The CNIL's June 19, 2025 'Legitimate Interest' and 'Web Scraping' AI How-To Sheets operationalize the Opinion's direction in the French regulatory context. The CNIL framework expects controllers using AI on personal data to maintain a documented legitimate interest assessment, a documented necessity test, and a documented balancing test, with the documentation reviewable on request. The 2026 sector sheets planned by the CNIL (work, health, education) will further sharpen the analysis for specific sectors including recruitment. Recruiters and brands using LinkedIn's AI features or third-party AI outreach tools should review the AI's lawful-basis posture against the EDPB Opinion and CNIL framework. The review should produce: a specific articulation of the legitimate interest, a documented necessity test, a documented balancing test, an assessment of whether the data source and reasonable expectations factors favor the controller, and a documented decision about whether legitimate interest is defensible for the use case. Where the review concludes that legitimate interest is not defensible, the controller should either re-design the use case to operate under consent or stop the use case. For broader AI compliance posture see the AI Compliance Audit and the Policy Change Tracker . The Opinion's practical effect on LinkedIn-specific use cases is to narrow the configurations under which legitimate interest can defensibly support AI personalization. 'Using publicly available LinkedIn data to draft personalized B2B outreach' is the configuration that most clearly faces the narrowed analysis. The factors that work against legitimate interest in this configuration include the source of data (LinkedIn profile data was given for professional networking, not for downstream AI training or third-party outreach), the reasonable expectations (a typical LinkedIn user does not expect their profile to fuel AI-drafted cold InMail by recruiters or salespeople they have never engaged with), and the data subject's rights (the user retains rights to access, correct, delete, and object regardless of the publicly available status). Programs that have relied on the legitimate-interest default should re-paper the basis explicitly or shift to consent where the use case can support it. The transition produces operational friction in the short term and structural defensibility in the medium term, and the regulatory direction makes the transition unavoidable for programs running into EEA jurisdictions.

What does the Irish DPC €310m LinkedIn fine signal for AI personalization in outreach?

The Irish Data Protection Commission's October 24, 2024 decision against LinkedIn imposed a €310 million fine for failures in LinkedIn's behavioural analysis and targeted advertising program. The decision had three components: €105 million for invalid consent (LinkedIn's consent mechanism did not meet GDPR consent standards), €110 million for invalid contractual necessity and legitimate interest (LinkedIn's chosen lawful bases for first-party and analytics data did not satisfy GDPR requirements), and €95 million for transparency breaches (LinkedIn's notices did not provide the information GDPR Articles 13 and 14 require). The decision is the most significant single GDPR enforcement against LinkedIn to date and signals the regulatory direction for adjacent processing including AI personalization in outreach. The structural lessons from the decision apply directly to AI-drafted InMail. The first lesson is that lawful-basis claims must be specifically defensible against scrutiny rather than rest on default platform practice. LinkedIn's behavioural-advertising basis claims were standard industry practice in earlier years and produced the €110 million component of the fine when the DPC found the basis did not actually meet GDPR's requirements. AI-drafted InMail run on legitimate-interest claims that have not been documented against EDPB Opinion 28/2024 and CNIL framework face the same structural exposure: the default claim is no longer sufficient as a basis. The second lesson is that consent mechanisms must produce affirmative, specific, informed consent rather than default or implied consent. The €105 million component of the fine addressed LinkedIn's consent mechanism specifically. AI features that rely on consent (whether for AI training under the November 2025 rollout or for AI-drafted outreach in some configurations) face the same standard. Opt-out arrangements where the user is opted in by default and must take action to opt out do not meet the consent standard; opt-in arrangements where the user takes affirmative action to enable the processing do. The third lesson is that transparency must be specific and meaningful, not generic. The €95 million transparency component addressed LinkedIn's notices specifically. AI personalization that operates under a general 'we may use AI' notice without specific information about what the AI processes, how the personalization derives, and what safeguards apply faces the same standard. Recruiters using LinkedIn AI features should update their privacy notices to address the AI use case specifically. The Irish DPC's role as LinkedIn's lead supervisory authority under the GDPR's one-stop-shop mechanism means that future DPC decisions on LinkedIn AI features will set precedent for the broader EEA. The DPC has signalled continuing scrutiny of LinkedIn's AI rollout, particularly the November 2025 expansion of generative AI training to EEA user data, and recruiters running AI-personalized outreach into the EEA should expect that the DPC's posture will continue to tighten through 2026 and 2027. For ongoing regulatory tracking see the Policy Change Tracker and for broader EU regulatory context see the EU DSA and Privacy Compliance Guide . The November 2025 LinkedIn AI training rollout adds a second front to the DPC's continuing review. LinkedIn's decision to use legitimate interest as the basis for training generative AI models on EEA user data, with opt-out only, is structurally similar to the configurations that produced the October 2024 fine, and the precedent makes the legal exposure clear. The implication for recruiters is that they cannot rely on LinkedIn's own basis selection as automatically defensible. Recruiters are independent controllers for the personal data they process when using LinkedIn's AI features, and the recruiter's documented basis must stand on its own regardless of LinkedIn's basis selection for adjacent processing. The right operational posture for recruiters is to assume that LinkedIn's basis claims may face further regulatory challenge through 2026–2027 and to document the recruiter-side basis independently. Programs that depend operationally on LinkedIn's basis selection rather than on independent documentation face cascading exposure if LinkedIn's basis is challenged. For program audit posture see the Legal Compliance Scan and the related LinkedIn Lead Gen Forms 2026 coverage.

Does ePrivacy Article 13 require opt-in consent for AI-personalized InMail to EU recipients?

ePrivacy Directive Article 13 (transposed into national law across EU member states) regulates unsolicited communications for direct marketing purposes through electronic mail and equivalent surfaces. The Article requires prior consent for direct marketing electronic mail except where the recipient has provided their email address in the context of a sale of a product or service, the message relates to similar products or services, and the recipient is given a clear opportunity to opt out at each communication. The Court of Justice of the European Union's StWL Städtische Werke Lauf decision on November 25, 2021 (Case C-102/20) held that inbox-style ads that appear among ordinary email messages count as 'electronic mail' under Article 13 and require prior consent, expanding the Article's reach to inbox interfaces beyond traditional email. The decision had immediate operational impact: LinkedIn restricted EU Sponsored Messaging (the platform's inbox-style advertising surface) from December 15, 2021 as a direct response to the ruling, and the affected feature has remained restricted in the EU since. The application to InMail in 2026 is the analytical question. LinkedIn InMail is not Sponsored Messaging — InMail is the platform's premium messaging feature that lets users (typically Recruiter or Sales Navigator subscribers) send messages to LinkedIn members outside their network, and the feature operates as an inbox-style communication that arrives in the recipient's LinkedIn inbox. The InMail surface is structurally similar to the inbox advertising format the StWL ruling addressed. The CJEU's reasoning extends to any inbox-format communication that the recipient receives without having affirmatively requested the message. The defensive case for InMail differentiation from the StWL framework is that InMail is sent person-to-person rather than as bulk advertising, that the recipient implicitly consented to receiving InMail by joining LinkedIn (which terms include the InMail receipt as part of the platform's services), and that recruiter-style outreach is distinguishable from commercial advertising. None of the three points has been adjudicated at CJEU level, and the prevailing direction of EU regulators favors the broader reading. Recruiters running AI-personalized InMail at scale into EU recipients face a real risk that the activity falls within the broader 'electronic marketing' analysis under Article 13 and the national transpositions. The practical implication is that recruiters cannot rely on the historical 'B2B soft opt-in' framework that some member states have allowed for B2B email marketing. The B2B soft opt-in implementations vary by member state — Germany applies strict consent, the UK retained somewhat more flexible rules post-Brexit, France applies Article 22 of the LCEN — and none of the implementations clearly covers AI-personalized inbox messaging at scale. Programs operating across multiple EU member states should expect the strictest applicable rules to govern. The compliant operating posture for AI-personalized InMail into the EU includes documenting the consent or lawful basis for the outreach, providing clear opt-out at the first communication and at each subsequent communication, honoring opt-outs across the recruiter's full outreach surface (not just the specific tool that produced the original message), and retaining the consent and opt-out records for the EU regulator retention expectation. The CNIL's December 2024 Kaspr fine for scraping approximately 160 million professional contacts and LinkedIn's March 2025 de-platforming of Apollo and Seamless together signalled that the platform and regulator are actively addressing the AI outreach surface; recruiters running on third-party tools that source data through scraping face elevated risk. For broader outreach compliance see the LinkedIn Sales Navigator outreach compliance guide. Two further considerations sharpen the analysis. First, the EU AI Act's Article 50 transparency obligations apply from August 2, 2026 to generative AI outputs in some contexts; AI-drafted InMail may intersect with the obligation depending on the use case framing. Programs should document their Article 50 assessment alongside the Article 13 analysis. Second, the EDPB's 2024 guidance on legitimate interest and direct marketing emphasizes that the legitimate-interest basis for marketing activities is narrower than many programs have assumed; an AI-personalized cold InMail to a target with no prior relationship to the recruiter typically does not produce the reasonable expectation that supports legitimate interest, and consent or B2B soft opt-in (where available) is the more defensible posture. Programs that have not updated their basis selection to reflect the 2024–2026 direction should do so before scaling AI-personalized outreach into the EU.

What's the recruiter and brand playbook for compliant AI-drafted InMail at scale?

The compliant operating playbook for AI-drafted InMail at scale has seven elements that translate the GDPR, EDPB, CNIL, ICO, and ePrivacy frameworks into program-level practice. Programs that implement all seven elements generally resolve regulator inquiries through documented adjustments; programs that miss elements face evidence problems that compound the underlying compliance issue. The first element is a documented lawful basis. The recruiter or brand should produce a written basis assessment for the AI-drafted InMail use case, covering the specific interest (under legitimate interest) or the specific consent mechanism (under consent), the necessity test, and the balancing test against data subject rights. The assessment should reference EDPB Opinion 28/2024 and (for French-targeted programs) the CNIL AI How-To Sheets. The basis assessment should be signed off by the data protection officer or general counsel and refreshed on any material change to the use case. The second element is a DPIA for the AI feature. Before procurement or launch of any AI feature with recruitment or B2B outreach use cases, the controller should conduct a data protection impact assessment that addresses the high-risk processing characteristics, the safeguards in place, and the residual risk. The DPIA should be available to the supervisory authority on request and refreshed annually or on material change. The ICO's November 2024 audit recommended DPIA as a baseline requirement and the EDPB has reinforced the direction. The third element is meaningful transparency. The recruiter or brand should update privacy notices and pre-outreach disclosures to specifically address AI use: what data the AI processes, how the personalization derives, what safeguards apply, and how the data subject can exercise their rights. Generic 'we may use AI' notices do not satisfy the requirement. The disclosure should be reviewed quarterly against current product features and regulatory direction. The fourth element is substantive human review. AI-drafted InMail should pass through a meaningful human review step where the reviewer reads the output, considers whether it serves the recipient's interests, and edits or rejects where appropriate. The review should be documented in audit logs sufficient to demonstrate the substantive nature on regulator inquiry. The fifth element is candidate and target rights handling. The program should provide accessible mechanisms for the InMail recipient to exercise GDPR rights — access, correction, deletion, restriction, portability, objection — with documented response timeline and process. A dedicated privacy contact (privacy@brand.com) should handle the requests, with documented intake and response procedures. The sixth element is opt-out discipline. Where the outreach operates under consent or B2B soft opt-in, the program should honor opt-outs immediately, across the full outreach surface (not just the specific tool), and document the suppression. Universal opt-out signals (where applicable) should be respected. The seventh element is third-party tool governance. Where the recruiter uses LinkedIn's first-party AI features (AI-Assisted Messages, AI Hiring Assistant, Sales Navigator AI), the recruiter's controller-side documentation should cover the LinkedIn feature integration. Where the recruiter uses third-party AI tools (Apollo, Outreach, Lavender, etc.), the data source for each tool should be documented and assessed against the lawful basis, with tools that rely on scraped data treated as elevated-risk and tools that operate within LinkedIn's authorized API surface treated as standard. For broader AI compliance audit see the AI Compliance Audit and the Disclosure Checker . Two operational principles close the analysis. First, the cost of implementing the seven elements upfront is meaningfully lower than the cost of retrofitting them under regulatory pressure. Programs that launch AI-drafted InMail without the elements typically discover the gaps when a regulator inquiry surfaces them, by which point the remediation has to be conducted under enforcement pressure with worse negotiating position than a pre-launch implementation. Second, the regulatory direction through 2026–2027 is unambiguous: lawful-basis claims are narrowing, transparency expectations are rising, Article 22 safeguards are increasingly expected, and ePrivacy reach is expanding. Programs that plan for the direction rather than against it produce defensible records and operational stability; programs that plan against the direction usually find themselves remediating in cycles that do not converge.

LinkedIn InMail AI 2026: When AI Drafting Triggers GDPR

Quick Answer

LinkedIn's AI-Assisted Messages in Recruiter, the AI Hiring Assistant launched in 2024–2025, and 3rd-party AI outreach tools all process EEA personal data when they draft personalized InMail at scale. GDPR Article 22 reaches the human-review boundary, Article 6 lawful-basis analysis narrowed materially after EDPB Opinion 28/2024 and the CNIL's 2025 AI sheets, the Irish DPC's October 2024 €310m LinkedIn fine signalled that legitimate-interest-as-default no longer works, and ePrivacy Article 13 with the 2021 StWL CJEU ruling reaches inbox-style direct outreach. Recruiters and brands are controllers for the AI-drafted output and need transparency, lawful-basis documentation, and Article 22 safeguards before launch.

LinkedIn InMail AI Personalization 2026: When AI Drafting Triggers GDPR

Why AI-Drafted InMail Hit the GDPR Spotlight

LinkedIn's AI features moved from optional product enhancement to default workflow over 2024–2025: AI-Assisted Messages within LinkedIn Recruiter went mainstream during 2024, the AI Hiring Assistant launched in October 2024 and reached global English availability in September 2025, and Sales Navigator added an expanding set of AI-driven account intelligence and outreach features. The features make personalized outreach at scale operationally trivial — a recruiter can draft 25 personalized InMails through AI-Assisted Messages in less time than a single hand-written message — and they shift the compliance picture from a manual review problem to an automated processing problem. The shift is the source of the 2026 GDPR scrutiny.

The structural problem is that AI personalization combines the elements that GDPR's strictest frameworks were designed to address: automated processing of personal data, profiling of the data subject, downstream commercial decision-making (whether the target receives a job opportunity, sales offering, or partnership proposal), and use of data given in one context (professional networking on LinkedIn) for purposes the data subject did not specifically anticipate (third-party recruiter or brand outreach). The combination engages Article 22 (automated decision-making), Article 6 (lawful basis), Article 13 and 14 (transparency), ePrivacy Article 13 (direct marketing), and a developing layer of EU AI Act obligations. The Irish DPC's October 2024 €310 million LinkedIn fine signalled that the legal-basis-as-default approach no longer works for adjacent processing, and the EDPB's December 2024 Opinion 28/2024 narrowed legitimate-interest defensibility for AI use cases specifically.

"Publicly available data does not automatically establish that the controller's processing is necessary or that data subjects have a reasonable expectation that their data would be used for the controller's specific purpose. The balancing test should reflect the actual data flows, not the data's availability.
— EDPB Opinion 28/2024 on AI models, December 17, 2024"

This guide covers LinkedIn's AI features in 2026 and which trigger GDPR analysis, the specific GDPR articles in scope, the EDPB and CNIL and ICO position, the Irish DPC enforcement signal, the recruiter and brand operating playbook, and the operational checklist. For broader EU regulatory context see the EU DSA and Privacy Compliance Guide and the LinkedIn Lead Gen Forms 2026 coverage.

The Structural Reason AI Personalization Is in Scope

The reason AI personalization sits at the intersection of so many GDPR provisions is that the activity processes personal data, produces personalized outputs targeted at the individual, and operates at scale. Any one of these elements engages parts of GDPR; all three together engage the framework's strictest provisions. Recruiters and brands often treat AI personalization as a productivity feature whose compliance picture should mirror manual outreach, but the regulatory framework treats automated personalization differently from manual personalization specifically because the automation enables scale and the scale changes the data subject's reasonable expectations. The compliance program should reflect the structural difference rather than treat the AI as an invisible enhancement to manual workflows.

LinkedIn's AI Features in Recruiter, Sales Navigator, and Hiring Assistant

LinkedIn's AI feature catalogue in 2026 spans the platform's premium product surfaces, with the features differing in their mechanics but sharing the structural pattern that triggers GDPR analysis.

Feature Comparison

Feature	Mechanic	Data Source	Output
AI-Assisted Messages (Recruiter)	AI drafts personalized InMail in the composer; tunable tone, length, language (EN, FR, ES, IT, PT)	Target's LinkedIn profile, recruiter's job description, recent activity signals	Personalized InMail draft for recruiter review and send
AI Hiring Assistant (Recruiter)	LinkedIn's first AI agent; proposes candidates and outreach	Recruiter's job posting, LinkedIn member network	Candidate shortlist + personalized outreach suggestions
Sales Navigator AI	Account intelligence, buying signals, suggested next steps	Account network signals, member activity, recent role changes	Account recommendations + outreach prompts
Generative AI training (Nov 2025 EEA rollout)	LinkedIn trains generative models on EU/EEA/Swiss user data	LinkedIn profile and activity data	Improved model performance across product features

The Common GDPR Trigger Pattern

Automated processing: Every feature processes data without manual intervention at the data-handling step.
Personal data: The target's LinkedIn profile and inferred attributes are personal data under GDPR.
Profiling: The AI infers attributes (relevant role match, likely buying intent, fit for the recruiter's pitch) from the data.
Targeted output: The output is personalized to the individual target, not generic.
Commercial purpose: The output drives recruitment or sales decisions that affect the target.

Each feature engages the full GDPR framework — Article 22 on automated decision-making, Article 6 on lawful basis, Articles 13 and 14 on transparency, the data minimization and accuracy principles, and the data subject rights — and the analysis runs against the recruiter or brand as controller for the personal data they process. For program-level audit see the AI Compliance Audit.

The November 2025 EU AI Training Decision

LinkedIn's decision to begin training generative AI models on EU, EEA, and Swiss user data on November 3, 2025, after excluding the EU through 2024, added a second front to the regulatory analysis. The decision is implemented under a legitimate-interest basis with opt-out via the 'Data for generative AI improvement' toggle in account settings. The structural set-up — using data given for professional networking to train a generative AI used in product features that target the same users — closely tracks the configuration that produced the Irish DPC's October 2024 €310 million LinkedIn fine. The opt-out implementation also faces the consent-vs-legitimate-interest tension that GDPR makes operationally meaningful. Recruiters operating into the EEA cannot rely on LinkedIn's own basis selection as automatically defensible and should document their controller-side basis independently of LinkedIn's.

GDPR Article 22, Article 6, and ePrivacy in Outreach

Three GDPR-adjacent frameworks reach AI-drafted InMail directly: Article 22 on automated decision-making, Article 6 on lawful basis, and ePrivacy Directive Article 13 on direct marketing. The frameworks operate independently and stack rather than substitute.

What Each Framework Requires

Article 22 (automated decision-making): Prohibits decisions based solely on automated processing that produce legal effects or similarly significantly affect the data subject; safeguards include right to human intervention, right to express point of view, right to contest.
Article 6 (lawful basis): Requires one of six bases — consent, contract, legal obligation, vital interest, public interest, legitimate interest — with the choice carrying operational consequences (consent withdrawal, legitimate interest balancing test).
ePrivacy Article 13 (direct marketing): Requires prior consent for direct marketing electronic mail with limited B2B soft opt-in carve-outs; the StWL CJEU ruling (Nov 25, 2021) extended the framework to inbox-style ads.
Articles 13 and 14 (transparency): Require meaningful information about automated decision-making and the logic involved.

The Schufa Decision and the Human-Review Boundary

The European Court of Justice's Schufa decision in December 2023 (Case C-634/21) sharpened the Article 22 analysis by holding that an automated credit-scoring decision is in-scope for Article 22 even where the human downstream user technically has discretion, because the automated score in practice determines the outcome. The reasoning extends to AI-drafted personalized outreach where a recruiter reviews each AI-drafted InMail but the review is brief enough that the AI output effectively determines the message sent. Programs running AI-Assisted Messages at scale should design the human-review step to be substantive (reviewer reads, considers, edits or rejects, with documentation) rather than rubber-stamping. For lawful-basis assessment see the SaaS and Tech Compliance guide.

The 'Significantly Affects' Threshold

The Article 22 'significantly affects' threshold matters less than recruiters often assume. The Schufa decision and EDPB guidance establish that the threshold is whether the decision materially affects the data subject's situation, not whether the decision rises to legal-effect level. A recruiter's AI-drafted outreach that influences whether the target receives a job opportunity, sales offering, or partnership proposal materially affects the target. The bar is lower than many programs assume.

EDPB Opinion 28/2024 and the ICO and CNIL Position

Three regulatory documents define the operational direction for AI on professional-network data in 2026: the EDPB's Opinion 28/2024, the CNIL's AI How-To Sheets, and the ICO's November 2024 AI-in-recruitment audit outcomes report.

EDPB Opinion 28/2024 (Dec 17, 2024)

Three-step legitimate-interest test: Identify the interest, assess necessity, balance against data subject rights.
Publicly available data: Public availability does not automatically establish reasonable expectation of downstream uses.
Source of data factor: Where the data came from is a balancing-test factor in the controller's favor or against it.
Necessity narrowing: Same outcome achievable with less data weighs against legitimate interest.

CNIL AI How-To Sheets (2024–2025)

First set published April 2024: Initial framework for AI on personal data.
Legitimate Interest and Web Scraping sheets (June 19, 2025): Operationalize the EDPB Opinion in the French regulatory context.
Sector sheets planned for 2026: Work, health, education sectors will receive specific guidance.
Operational documentation expected: Documented LIA, necessity test, balancing test reviewable on request.

ICO AI-in-Recruitment Audit (Nov 6, 2024)

Approximately 300 recommendations: Issued to recruitment AI providers and deployers.
DPIA before procurement: Required as a baseline.
Fairness and bias monitoring: Documented per protected category.
Transparency to candidates: Specific information about AI use, not generic notice.

For privacy framework alignment see the Legal Compliance Scan.

The Irish DPC €310m Fine and What It Signals

The Irish Data Protection Commission's October 24, 2024 decision against LinkedIn imposed €310 million in fines for failures in LinkedIn's behavioural analysis and targeted advertising program. The decision sets precedent for AI personalization in outreach in three structural ways that recruiters and brands should treat as binding direction.

Three Structural Lessons

Decision Component	Amount	Lesson for AI Personalization
Invalid consent	€105 million	Opt-out arrangements do not meet the consent standard; affirmative opt-in required where consent is the basis
Invalid contractual necessity and legitimate interest	€110 million	Default basis claims are no longer sufficient; specific documented basis required against EDPB Opinion 28/2024
Transparency breaches	€95 million	Generic 'we may use AI' notices do not satisfy Articles 13 and 14; specific information about processing required

The November 2025 Front and the Continuing Review

LinkedIn's decision to begin training generative AI on EEA user data in November 2025 under legitimate-interest opt-out adds a second front to the DPC's continuing review. The configuration tracks the October 2024 fine's structural failures closely, and recruiters should expect the DPC's posture to continue tightening through 2026–2027. The right operational posture is to assume that LinkedIn's basis claims may face further regulatory challenge and to document the recruiter-side basis independently. For policy tracking see the Policy Change Tracker.

Why Controller Status Matters for the Recruiter

Recruiters using LinkedIn's AI features are independent controllers for the personal data they process, even though LinkedIn provides the tooling. Controller status carries the full GDPR obligation set — lawful basis, transparency, data minimization, rights handling, accountability — and the obligations run on the recruiter regardless of LinkedIn's own basis selection for adjacent processing. Programs that depend on LinkedIn's basis selection rather than on independent documentation face cascading exposure if LinkedIn's basis is challenged. The defensible posture is to document the recruiter-side basis specifically for the recruiter's use case and to retain the documentation as part of the program file.

Recruiter and Sales-Outreach Playbook

The compliant playbook for AI-drafted InMail at scale has seven elements that translate the framework into program-level practice.

Seven Elements of a Defensible Program

Documented lawful basis: Specific interest articulation, necessity test, balancing test; references EDPB Opinion 28/2024 and CNIL AI sheets; signed by DPO or general counsel.
DPIA before procurement: Data protection impact assessment addressing risk profile, safeguards, and residual risk; reviewable annually.
Meaningful transparency: Privacy notices and pre-outreach disclosures address AI specifically — what data, how personalization derives, what safeguards apply.
Substantive human review: Reviewer reads, considers, edits or rejects each AI output; documented in audit logs.
Rights handling channel: Dedicated privacy contact for access, correction, deletion, restriction, portability, objection; documented response timeline.
Opt-out discipline: Opt-outs honored immediately, across full outreach surface, with documented suppression and (where applicable) universal opt-out signal honoring.
Third-party tool governance: Data source for each tool documented and assessed; tools relying on scraped data treated as elevated-risk.

What a Regulator Review Looks At

A typical EU regulator review of an AI-personalized outreach program requests the documented lawful basis, the DPIA, the privacy notices, the human-review documentation, the rights handling records, the opt-out records, and the third-party tool governance documentation. The review is not about whether every individual InMail was perfect; it is about whether the controller executed a documented program designed to produce compliant outreach. Programs that can produce the seven elements generally resolve reviews through documented adjustments; programs that cannot face evidence problems that compound the underlying compliance issue. For program audit see the Legal Compliance Scan and the related LinkedIn Sales Navigator outreach guide.

InMail AI Compliance Checklist

[ ] Documented lawful basis assessment (consent or legitimate interest) signed by DPO or general counsel.
[ ] DPIA completed before any AI feature is procured or launched into EEA workflows.
[ ] Privacy notices updated with specific information about AI use, data processed, personalization logic, and safeguards.
[ ] Substantive human review step in place for every AI-drafted InMail; documented in audit logs.
[ ] Article 22 safeguards (right to human intervention, right to express point of view, right to contest) operationalized and disclosed.
[ ] Rights handling channel (privacy@brand.com or equivalent) with documented intake, response timeline, and procedures.
[ ] Opt-out honored immediately across the full outreach surface; documented suppression list.
[ ] Third-party AI tool data sources documented and assessed; scraped-data tools treated as elevated-risk.
[ ] LinkedIn's November 2025 EEA AI training treated as separate compliance question from recruiter's controller-side use; documented independently.
[ ] EU AI Act Article 50 transparency obligation (Aug 2, 2026) assessed and addressed for generative outputs in scope.

Don't miss the next policy change.

Create a free account — track every policy change across 8 platforms, get instant alerts, and access every free compliance tool. Or try our AI Compliance Audit first.

Create Free Account

Report Keywords — Run AI Compliance Audit

#LinkedIn#InMail#AI Personalization#GDPR#Article 22#EDPB#ICO#CNIL#Recruiter AI#B2B Outreach#Data Privacy#Compliance Guide 2026

Share This Report

Tweet Share

LinkedIn InMail AI Personalization 2026: When AI Drafting Triggers GDPR