The European Commission has released guidelines clarifying prohibited artificial intelligence (AI) practices under Regulation (EU) 2024/1689, also known as the AI Act. These guidelines, outlined in the Communication C(2025) 884 final, aim to provide clarity on the scope and enforcement of the prohibitions established in Article 5 of the AI Act.
Overview of Prohibited Practices
The AI Act bans specific AI practices deemed to pose unacceptable risks to fundamental rights and EU values. These prohibitions cover a range of applications, including:
- Harmful Manipulation and Exploitation: AI systems that use subliminal techniques to distort behavior or exploit vulnerabilities related to age, disability, or socio-economic status.
- Social Scoring: AI systems that evaluate or classify individuals based on their social behavior or personality traits, leading to detrimental treatment in unrelated contexts.
- Predictive Policing Based on Profiling: AI systems used to assess the risk of an individual committing a crime based solely on profiling or personality characteristics.
- Untargeted Scraping of Facial Images: The indiscriminate collection of facial images from the internet or CCTV footage to create facial recognition databases.
- Emotion Recognition in the Workplace and Education: AI systems used to infer emotions in workplace and educational settings, with limited exceptions for medical or safety reasons.
- Biometric Categorization of Sensitive Characteristics: AI systems that categorize individuals based on biometric data to infer characteristics like race, political opinions, or sexual orientation.
- Real-Time Remote Biometric Identification (RBI) in Public Spaces for Law Enforcement: The use of real-time facial recognition in public spaces for law enforcement purposes, with limited exceptions and strict safeguards.
Scope and Enforcement
The prohibitions apply to the ’placing on the market’, ’putting into service’, or ’use’ of AI systems within the EU. While there are exclusions for activities related to national security, defense, research and development, and personal non-professional use. Enforcement will be the responsibility of Market Surveillance Authorities in member states, and penalties for violations can be upto 35 million or 7% of the company’s global annual turnover. The guidelines also address the interplay between these prohibitions and other EU laws, such as those related to data protection and consumer protection.
Real-Time Remote Biometric Identification (RBI) and Exceptions
The use of Real-time Remote Biometric Identification (RBI) systems for law enforcement purposes, prohibitions and clarifies exceptions the AI Act establishes strict conditions and safeguards for the use of RBI, including the need for prior authorization from a judicial or independent administrative authority. The exceptions are limited to:
- Targeted searches for victims of serious crimes and missing persons.
- Prevention of imminent threats to life or terrorist attacks.
- Localisation and identification of suspects of certain crimes
The use of RBI under these exceptions requires adherence to safeguards, including a Fundamental Rights Impact Assessment and registration of authorized systems. Additionally, member states must have national laws in place to provide the legal basis for the authorization and supervision of RBI use. The European Commission and national authorities will produce annual reports on the application of these rules. These guidelines are crucial for ensuring consistent interpretation and enforcement of the AI Act across the EU, promoting responsible AI innovation while protecting fundamental rights.
Terms
- Placing on the Market
This refers to the first availability of an AI system or general-purpose AI model on the EU market. It involves supplying the system for distribution or use in a commercial context, whether for payment or free of charge. This applies to providers established within or outside the EU if their systems are made available in the EU for the first time.
- Putting into Service
This term pertains to deploying an AI system for its intended purpose by an end user within the EU. It signifies that the AI system is operational and actively being used in its designated environment, typically after meeting compliance requirements such as conformity assessments.
- Use
”Use” refers to employing an AI system under one’s authority, usually by deployers, for professional activities. This excludes personal, non-professional use. The obligations associated with ”use” focus on ensuring responsible and safe operation of AI systems, particularly those classified as high-risk.
Reference:
1. https://digital-strategy.ec.europa.eu/en/library/commission-publishes-guidelines-prohibited-artificial-intelligence-ai-practices-defined-ai-act
2. Regulation (EU) 2024/1689