EU AI Act: Prohibited Practices and Compliance Obligations

by

The European Union Artificial Intelligence Act (EU AI Act) introduces a comprehensive legal framework to regulate artificial intelligence systems within the EU. Grounded in a risk-based approach, the regulation classifies AI systems based on their potential impact on fundamental rights and public interest.

Among its strictest provisions are certain explicitly prohibited AI practices—those considered fundamentally incompatible with EU values such as human dignity, individual autonomy, democracy, and the rule of law.

Banned AI Practices in the EU

The EU AI Act defines a set of practices that are banned due to the unacceptable risks they pose. These include:

  • Subliminal or deceptive manipulation: AI systems designed to influence individuals’ behavior in ways they cannot consciously perceive, potentially leading to physical or psychological harm.

  • Exploitation of vulnerable persons: Systems that target people due to their age, disability, or social condition in a way that impairs decision-making.

  • Social scoring systems: Assigning individuals scores or classifications based on behavior or personal traits for purposes unrelated to the context of the behavior.

  • Predictive policing: AI used to forecast future criminal conduct based on profiling, without a direct connection to specific incidents.

  • Mass extraction of facial images: Collecting biometric data from online or public surveillance sources to build facial recognition databases.

  • Emotion recognition in sensitive settings: Use of AI to analyze emotions in workplaces or educational institutions, where power imbalances may undermine consent.

  • Biometric categorization: Sorting individuals into groups based on sensitive data such as ethnic origin or political beliefs.

  • Live biometric identification in public spaces: Real-time facial recognition technologies deployed in publicly accessible areas, subject to narrow exceptions.

Compliance Considerations

While these prohibited practices are broadly defined, limited exceptions exist—particularly for law enforcement and national security purposes. The European Commission is empowered to issue guidance and implementation rules under Article 96 to clarify how these bans apply in practice.

Importantly, compliance with the EU AI Act does not override other legal obligations. For instance:

  • Under Article 22 of the GDPR, decisions based solely on automated processing of personal data are restricted.

  • Existing rules on non-discrimination, consumer protection, and data privacy remain fully applicable to AI systems.

In other words, AI solutions that comply with the AI Act may still be non-compliant under other EU laws. Businesses developing or deploying AI in the EU must take a holistic compliance approach, assessing legal risks across multiple regulatory layers.