Deploying ChatGPT without consulting staff: courts order suspension — and Luxembourg is not immune
On 21 May 2026, the Paris Court of Appeal suspended ChatGPT and an internal AI assistant at a press group, under a EUR 1,000 daily penalty: the works council had not been consulted before deployment. The fourth such ruling in a year. In Luxembourg the logic already exists — staff delegation, co-decision from 150 employees, AI Act in August 2026. What to check before deploying.
On 21 May 2026, the Paris Court of Appeal ordered the immediate suspension of ChatGPT and of an internal AI assistant at a professional press group, under a penalty of EUR 1,000 per day. The reason fits in one sentence: the works council (CSE) had not been consulted before deployment. No security breach, no data leak — an ignored social process was enough to freeze a generative-AI project already in production.
For any organisation rolling out Copilot, ChatGPT or an internal assistant today, these rulings deserve better than an alarmist headline. Here is what they actually say, why they are not isolated, and what the same logic looks like under Luxembourg law — where it already exists, with an additional European layer arriving in August 2026.
What the court actually decided: a suspension, not a ban
The case (Paris Court of Appeal, 21 May 2026, nos. 25/13232 and 25/13234) pitted the works council of Groupe Moniteur (Infopro Digital group) against its employer, which had deployed an internal AI assistant called DIGI on the intranet and authorised ChatGPT through its IT charter, without prior consultation of the council. The court ordered the suspension of both tools until the CSE consultation is completed, under a EUR 1,000 daily penalty, and awarded EUR 5,000 in provisional damages compensating the employees' anxiety, plus EUR 3,000 in appeal costs. In substance, the court says that an AI project introduced without transparency or safeguards generates a legitimate concern about jobs and the evolution of skills.
Contrary to what some headlines suggest, this is not a "ban on ChatGPT at work". It is a scheduling block: the employer regains its freedom to deploy once the consultation has run its course. But a block that is costly, public, and effective overnight.
The three arguments the courts rejected
The value of these rulings lies less in the sanction than in what they clarify about when the obligation is triggered. The employer argued three things, all rejected:
- "The tool is optional." Irrelevant: the mere fact that the assistant is available to everyone on the intranet amounts to a collective rollout project.
- "ChatGPT is a public, external tool." Irrelevant: once the IT charter authorises its professional use, the employer has introduced it into the organisation of work.
- "Employees were already using it informally." Irrelevant: the duty to consult arises the moment the employer formalises, regulates or facilitates the use: not before, but not after either.
The court also refused to treat generative AI as "ordinary office software": it is a new technology affecting the organisation of tasks and working conditions within the meaning of Article L.2312-8 of the French Labour Code. And that is the second key point: the breach qualifies as a manifestly unlawful disturbance, allowing the interim-relief judge to order suspension without having to establish urgency. In practice: a fast procedure, available to any unhappy council, with immediate effect.
A consistent line of case law, not an accident
These rulings are part of a coherent series of French decisions handed down in just over a year:
- Nanterre, 14 February 2025 (no. 24/01457): five AI-powered applications launched as a "pilot phase" while the CSE consultation was still ongoing. The judge answered that a pilot is already "a first implementation": suspension, under a EUR 1,000 penalty per recorded breach.
- Créteil, 15 July 2025 (no. 25/00851): generative-AI tools deployed at a press group without consultation; use suspended until the process is closed.
- Paris, 2 September 2025 (no. 25/53278): an internal platform giving access to generative AI qualified as a new technology; consultation of the central works council ordered.
- Nanterre, 29 January 2026 (no. 25/02856, CS Group France): two AI-driven skills-management tools deployed without the consultation having even been opened; the judge ordered the consultation to be opened and the rollout suspended, under a EUR 500 daily penalty.
The message is uniform: whatever the size of the project, its phase (pilots included) or the nature of the tool (internal or public), the social process comes before deployment. Judges are sanctioning decisions taken, mostly, without bad intent — simply without anyone putting the "employee representatives" box in the project plan.
What about Luxembourg? The same logic, with its own texts
There is no CSE in Luxembourg: the representative body is the staff delegation (délégation du personnel), mandatory from 15 employees (Art. L.411-1 of the Labour Code). And Luxembourg law already organises a social process around technology projects, on two levels:
- From 15 employees: the employer must inform and consult the delegation on "decisions likely to lead to significant changes in the organisation of work or in employment contracts" (Art. L.414-3, § 3). A generative-AI rollout that changes how people produce, draft, analyse or answer clients falls naturally within that category.
- From 150 employees: an additional prior information-consultation applies to any significant decision on the introduction or transformation of equipment and working methods (Art. L.414-5) — Luxembourg's counterpart of the French new-technologies provision. Above all, Article L.414-9 imposes genuine co-decision: certain decisions must be taken "by mutual agreement" between employer and delegation. Three of them concern AI directly: technical installations designed to monitor employees' behaviour and performance (algorithmic monitoring), the general criteria for selection in hiring, promotion or dismissal (AI-driven CV screening), and the general criteria for employee appraisal (performance scoring). On those grounds, co-decision is stronger than a French-style consultation: no agreement, no compliant rollout.
- Employee monitoring: any processing of data for surveillance purposes is additionally governed by Article L.261-1 — mandatory prior information of the delegation (failing that, of the ITM) and of the employees concerned, with a little-known safeguard: the delegation can refer the matter to the CNPD within 15 days, and that referral has suspensive effect. For certain purposes, mutual agreement is required. Breaches carry criminal sanctions (Art. L.261-2).
An honest nuance: the French-style interim relief for "manifestly unlawful disturbance", which can freeze a project within weeks, has no equally sharp equivalent in Luxembourg. The risk of immediate paralysis is therefore lower. But the underlying logic is identical, the levers exist (suspensive CNPD referral, co-decision, criminal sanctions on monitoring), and a forced rollout remains a documentable breach — before the labour courts as in an audit report.
The AI Act adds the European layer in August 2026
The European AI Regulation (AI Act, Regulation (EU) 2024/1689) makes part of this debate unavoidable across the Union: its Article 26(7) requires employers deploying a high-risk AI system in the workplace to inform workers' representatives and the affected workers before putting it into service. High-risk systems notably include (Annex III, point 4) AI for recruitment and application screening, systems weighing on promotion or termination decisions, task allocation, and the monitoring and evaluation of performance. This obligation applies from 2 August 2026.
Mind the exact scope: the AI Act imposes information, not consultation, and only for high-risk systems. Consultation remains governed by national law (the Regulation says so itself, recital 92). In other words: the AI Act sets a European floor, and each country's labour law adds its own process on top. A general-purpose ChatGPT is typically not a high-risk system, but its formalised introduction still triggers the national layer, as the French case law has just made clear.
Before deploying: the social checklist, on a par with the DPIA
For a group present in several countries, the matter gets harder: a rollout decided at headquarters with a single date for all subsidiaries can create simultaneous breaches under several national laws — consultation in France, co-decision of the delegation in Luxembourg above 150 employees, co-determination of the Betriebsrat in Germany, often stricter still. Hence a simple checklist before any AI deployment:
- Map the tools concerned, including public tools whose use is formalised through a charter: authorising ChatGPT in the IT charter is precisely the act that triggers the obligation;
- Classify each tool: high-risk system under the AI Act? Surveillance within the meaning of L.261-1? A co-decision matter under L.414-9 (monitoring, recruitment, appraisal)?
- Inform and consult the staff delegation before making the tool available (pilots included), country by country for groups, and document every step;
- Complete the file: a GDPR impact assessment (DPIA) where the processing requires one, an AI usage charter, individual information of employees, decision traceability;
- Keep the evidence: the documented file is what makes the difference the day a delegate, an auditor or a judge asks the question.
How Luxgap helps
Luxgap brings lawyers, cyber engineers and developers together in one team. On this precise subject we work on both sides: our DPO mandates and our AI compliance practice integrate the social track (tool qualification, delegation information-consultation timeline, usage charter, DPIA, evidence file) on a par with the data track. And when we deploy our sovereign AI at a client's, that process is part of the project — not an after-the-fact regularisation.
Planning an AI rollout, or have you already formalised one without going through the staff delegation? Let's talk: an honest diagnosis beats a daily penalty.