Your Recruitment AI May Be Sending Your Candidates' Resumes Under US Law

On June 12, 2026, an administrative decision unplugged an artificial intelligence model for every foreign national on the planet. In a single day.

That day, the US Department of Commerce ordered Anthropic to suspend access to its Claude Fable 5 and Mythos 5 models for any foreign national, whether located outside the United States or inside the country. Unable to filter its users by nationality, Anthropic disabled both models. The official reason: a disputed security flaw. The real scope: the first known use of an export control to regulate a frontier AI model in the name of national security.

Remember the mechanism, not the case. A model everyone assumed was available stopped being so through a unilateral decision from Washington. For every tool that depended on it, the cut-off point was not in the contract, it was in the jurisdiction.

We got the debate wrong

For years, digital sovereignty boiled down to a question of address. Where is my data? In France? Check the box. Except geography was never the real subject.

A datacenter in Marseille owned by an American company remains subject to US law. The Cloud Act, adopted in 2018, allows US authorities to obtain data held by an American company, wherever it is stored. Physical location changes nothing. What matters is the entity that operates and the law that governs it. We already detailed this "hosted in France" trap in a previous article: jurisdiction attaches to the actor, not to the data.

This reasoning applies to storage. From now on, it also applies to AI.

Sovereignty has three layers

Think of a recruitment tool like a building: the land, the structure, and what runs inside. Three layers, three possible owners, three applicable laws.

The first layer is the data. Resumes, contact details, evaluations. We have learned to ask where it resides and who can access it.

The second layer is the host. The company that operates the servers, its capital, its law. This is where exposure to the Cloud Act plays out, regardless of the country where the machines sit.

The third layer, long ignored because it is recent, is the AI. The model that reads, classifies, scores applications. And it is precisely the layer that just demonstrated it could be cut off.

We secured the land and the structure. We forgot who holds the switch on the floor above.

The Cloud Act does not just cut off, it siphons

The June 12 cut-off has one merit: it is visible. But the Cloud Act has two faces, and the second is quieter and more serious. The first is availability: access is taken from you. The second is confidentiality: your data is accessed. Cutting off is annoying. Siphoning is lasting.

The mechanism is legal, not technical. As soon as a model edited by an American company processes data, that data enters the perimeter of US law. It becomes requisitionable, cross-referenceable, retainable without your knowledge. It has not moved servers, it has changed jurisdiction. And data that has changed jurisdiction does not come back.

Take the most ordinary recruitment case. A French candidate sends a resume to a French company that, to save time, has it analyzed by an American model. At that precise moment, the resume, the contact details, the career history, and any sensitive signals have left French jurisdiction. The candidate did not choose it, the company often did not measure it, and the shift happened anyway.

Why is this serious? Because a resume is not neutral data. It can contain travel, associative commitments, hints of opinion or health. The kind of data that should never leave its original law. One example is enough: since 2021, a single trip to Cuba causes the loss of ESTA eligibility, which allows entry to the United States without a visa. A foreign administration thus already treats a trip as information that changes a status. This is exactly the kind of data one hands over to a model without thinking.

Let us be precise about the limit. Nothing here says a model transmits a resume to a border service, nor that an application analysis triggers an entry refusal. That is neither proven nor the point. The only certain fact is legal: data processed by an American actor becomes requisitionable under US law. The rest is a matter of caution, and in recruitment caution is an obligation toward the candidate.

The candidate scored by a model that can be switched off

Here is the concrete scenario. A French ATS vendor hosts its data with a French operator. On paper, two layers out of three are sovereign. But to analyze resumes and propose a ranking, it calls a large American model via an API. Convenient, performant, invisible to the client.

The day access to that model is suspended, as on June 12, the screening function stops. Not because the vendor made a mistake, not because a server burned down, but because a foreign administration decided that model would no longer be accessible to non-Americans. The recruiter who opens the ATS that morning finds that half of the tool no longer responds. And there is nothing they can do.

This is not a meeting-room hypothesis, it is a dated precedent. The Center for Strategic and International Studies noted it bluntly: European officials cited this episode as proof that a sovereign AI must be developed. Technological dependence is not an architectural detail. It is a breaking point that can be activated by a third party that does not know you.

In recruitment, this is no longer optional

In most professions, an AI cut-off is an inconvenience. In recruitment, it is a regulatory risk.

Recruitment is classified as high-risk activity by the AI Act, European Regulation 2024/1689, in its Annex III. The reason is simple: we process sensitive personal data and make decisions about people. On top of that comes the foundation already in force. The GDPR has prohibited, since 2018, in its Article 22, decisions based solely on automated processing that significantly affects a person. The SCHUFA case law of the CJEU, on December 7, 2023, hardened this reading. And the AI Act will add fines up to 35 million euros or 7% of global revenue, with main application on December 2, 2027.

In this framework, depending on a model you do not control raises two problems at once. A continuity problem: your process can be interrupted without notice. And a control problem: you must document, audit, and supervise a screening system whose keys and availability guarantee you do not own. The sovereignty of the AI layer stops being a marketing argument. It becomes a compliance condition.

The real question to ask

Do the exercise this week. Take your recruitment tool, or the one you are evaluating, and ask the vendor a single question: which AI model analyzes the applications, who edits it, and under what law?

Three possible answers. No AI at all: the question does not arise yet. An American model via API: you have just identified your cut-off point, and you now know it is real. A French model, self-hosted by the editor: the switch is in hands subject to the same law as you.

Sovereignty is not declared, it is verified layer by layer. Data, host, AI. If even one of the three answers to a foreign law, the whole is not sovereign. Geography reassures you, jurisdiction protects you, technological independence keeps you running.

For JobAffinity, we made the three layers coincide under a single law. Candidate data stays in France, hosting is operated by a French actor, and our AI runs on our own infrastructure, never delegating the analysis of a resume to an American model. A HR director who chooses us can therefore tell their DPO something simple: no, your candidate's resume has never left French jurisdiction. That is less a sales argument than a line we refuse to cross.

Sources

• National Law Review, "Anthropic Suspends Access to Claude Fable 5, Claude Mythos 5 Following US Export Control Directive", June 2026
• Al Jazeera, "US asks Anthropic to block global access to top AI models: Why it matters", June 14, 2026
• CSIS, "The Department of Commerce Restricted Access to Anthropic's Latest Models. What Comes Next?", June 2026
• The Conversation, "Why the US government shut down Anthropic's latest Claude AI model", June 2026
• Congress, CLOUD Act H.R. 4943, 2018
• EUR-Lex, Regulation (EU) 2024/1689 (AI Act)
• Fragomen, "CBP Fully Implements ESTA Ineligibility Due to Cuba Travel", 2023