Guidelines for Prohibited AI Practices Under the EU AI Act

EU Commission Publishes Guidelines on Prohibited AI Practices under the AI Act

The European Commission has recently released guidelines outlining the practices of artificial intelligence (AI) that are considered prohibited under the AI Act. These guidelines serve as a crucial step towards ensuring compliance and understanding of the legal landscape surrounding AI technologies.

Background

As of February 2, 2025, the general provisions and rules on prohibited AI practices within the AI Act came into effect. Article 5 specifically prohibits practices that pose risks to fundamental rights and values, such as:

• Manipulative or deceptive AI techniques
• Untargeted facial data scraping
• Exploitative systems targeting vulnerable groups
• Certain forms of biometric categorization and emotion recognition in sensitive contexts

Additionally, the AI Act mandates companies to implement AI literacy among their workforce, ensuring that employees are well-versed in the ethical and legal implications of AI technologies.

Guidelines on Prohibited AI Practices

The Commission’s comprehensive document details prohibited AI practices that threaten fundamental rights. Key areas of focus include:

• Interpretation of the prohibitions aimed at balancing the protection of rights with fostering innovation.
• Scope of the AI Act, including exclusions like open-source AI.
• Material and personal scope of Article 5, covering the “placing on the market,” “putting into service,” and “use” of AI systems.

Prohibited Practices Explained

Only practices explicitly listed in Article 5(1) of the AI Act are deemed prohibited. These include:

1. Harmful manipulation and deception: AI systems employing subliminal, manipulative techniques to distort behavior and potentially cause significant harm.
2. Harmful exploitation of vulnerabilities: Systems that exploit individuals’ vulnerabilities based on age, disability, or socio-economic situations.
3. Social scoring: Classifying individuals based on social behavior, leading to unjustified or disproportionate treatment.
4. Individual criminal offense risk assessment: Predicting criminal behavior based on profiling unless backed by objective, verifiable facts.
5. Untargeted scraping for facial recognition: Building databases through indiscriminate scraping of facial images.
6. Emotion recognition: Inferring emotions in workplaces or educational settings, except for safety or medical purposes.
7. Biometric categorization: Categorizing individuals based on biometric data to infer attributes like race or political opinions, unless lawfully acquired for specific uses.
8. Remote biometric identification: Real-time identification in public spaces by law enforcement under strict conditions.

Exclusions and Responsibilities

Article 2 of the AI Act outlines general exclusions, such as AI systems released under free and open-source licenses, unless they are marketed as high-risk or fall under prohibited practices.

The AI Act categorizes various operators, focusing on providers and deployers of AI systems:

• Providers: Entities that develop AI systems for the market.
• Deployers: Entities that use AI systems under their authority, excluding personal activities.

Conclusion

Companies must evaluate their specific AI applications to determine compliance with Article 5 of the AI Act. The guidelines, while non-binding, offer interpretative aids to facilitate understanding. As the legal landscape evolves, attention remains on the Court of Justice of the European Union (CJEU) for authoritative interpretations.