Prohibited AI Practices Under the EU AI Act
Eight prohibitions. The highest fines in the regulation.
There’s a moment — and if you work in compliance or risk, you’ve either had it or it’s coming — when someone in a meeting turns to you and says: “So, the AI Act. What do we need to do?”
And you sit there thinking — I barely finished the DORA implementation…
The regulation is 400+ pages. The guidance documents keep stacking up.
Every law firm in Europe has published an “alert” that somehow manages to create more questions than it answers.
And you — the person who already handles GDPR, maybe DORA, maybe NIS2, maybe all three on a good day — just got handed another regulation to figure out.
Because apparently regulatory compliance is like a hotel room minibar: there’s always room for one more.
The instinct is to start reading from Article 1 and work your way through. Don’t.
Start with Article 5. Start with the prohibited practices.
Not because they’re the most complex — they’re not. But because they carry the highest fines in the entire regulation: up to €35 million or 7% of total worldwide annual turnover, whichever is higher. And because they were the first provisions to take effect — 2 February 2025. While the rest of the AI Act rolls out in stages, the prohibitions are already live.
If any of your AI systems are doing something on this list, it doesn’t matter how far along you are with risk classification or documentation or conformity assessment. You have a problem that outranks all of those.
That’s the logic. Start with the biggest exposure. Work down from there.
What the Commission Said — and What It Didn’t
The European Commission published Guidelines on Prohibited AI Practices on 4 February 2025. Over 100 pages. Non-binding, which means the Court of Justice of the EU has the final word on interpretation. But these guidelines are the Commission’s view of what each prohibition means, and they will shape how enforcement authorities approach these cases.
They clarify definitions, provide examples, and take positions on ambiguous questions. They’re useful. They’re also — in a way that’s becoming familiar with the AI Act — incomplete in exactly the places where you most need clarity.
But before we go through the eight practices, one thing. The single most important position in those 100+ pages. The one that changes how you should think about every AI system in your organization.
The Standard “We Didn’t Mean to” Is Not a Defense
Article 5 uses a specific formulation across multiple prohibitions: “with the objective or the effect of.”
That little word — “or” — is doing more work than most people realize.
Intent is not required. If an AI system has the actual effect of materially distorting someone’s behavior — even if nobody designed it to do that, even if the deployer didn’t know it was happening, even if the system sailed through every internal review — the prohibition applies.
The guidelines say it directly: the prohibition applies “even if the material distortion of a person’s behaviour occurs without the intent of the provider or deployer.”
The EU borrowed this approach from the Unfair Commercial Practices Directive. An effects-based standard. A deliberately low bar — designed to protect people regardless of what the company thought it was building.
You can build an AI system with the best intentions. Run bias audits. Hire a responsible AI team. Document everything. And if that system — in practice, in the real world, with real users — has the effect of manipulating behavior or exploiting vulnerable users, you’re in violation of Article 5.
“We didn’t mean to” is not a defense. “We had a governance framework” is not a defense. “Our vendor assured us it was compliant” is not a defense.
The effect is enough.
The Eight Prohibited Practices
1. Subliminal, manipulative, and deceptive AI techniques
Article 5(1)(a). An AI system that deploys subliminal techniques beyond a person’s consciousness, or purposefully manipulative or deceptive techniques, with the objective or effect of materially distorting the behavior of a person or group of persons: appreciably impairing their ability to make an informed decision, causing them to take a decision they would not have otherwise taken, in a manner that causes or is reasonably likely to cause significant harm.
Two terms carry the weight here. “Subliminal techniques”: imperceptible influences. Visual content flashed during video too fast for the conscious mind to catch. Audio signals below the threshold of awareness. “Material distortion”, borrowed from consumer protection law, means a substantial impact on behavior. Not mere influence. Manipulation.
The grey zone is enormous. Personalized advertising based on user preferences? The guidelines say that’s not inherently prohibited. But an AI system that dynamically hides cancellation buttons, generates artificial urgency, or adjusts scroll behavior in ways the user can’t perceive? Closer. Much closer. An adaptive checkout flow that increases pressure when it detects hesitation? That’s the territory where “personalization” starts looking like “manipulation” — and the only thing separating them is whether the effect materially distorts the user’s decision.
The Digital Services Act already targets manipulative design. Article 5(1)(a) extends the prohibition to AI-driven manipulation specifically. If your company has AI touching customer-facing products — and at this point, whose doesn’t — this is the one that deserves the longest look in the mirror.
2. Exploitation of vulnerabilities
Article 5(1)(b). An AI system that exploits vulnerabilities due to age, disability, or specific social or economic situation — same “objective or effect” standard, same requirement of material distortion and significant harm.
Three categories of vulnerability. Children and elderly (age). Physical or mental disability. Financial desperation or socio-economic disadvantage.
The guidelines give one example that’s worth sitting with: AI systems creating “personalized and unpredictable rewards through addictive reinforcement schedules.” Targeting the underdeveloped impulse control of children. Targeting cognitive decline in the elderly. Designed to exploit the people least equipped to resist; or, remember, merely having the effect of exploiting them.
This is where the cases stop being hypothetical.
France’s CAF system. Since 2010, France’s national social security agency has used an AI-driven risk-scoring algorithm to flag welfare fraud — affecting over 13 million households. The parameters that increase your score: low income, unemployment, living in a disadvantaged neighborhood, having a disability while working. The agency’s director confirmed they have never audited the model for bias or discrimination. In October 2024, Amnesty International and 14 coalition partners filed a complaint demanding the system be stopped. Source code obtained by investigators in 2023 exposed the design.
A system built to detect fraud. Scoring people higher for being poor, disabled, or living in the wrong neighborhood. The intent was fraud detection. The effect was systematic targeting of the most vulnerable people in the system. Under Article 5(1)(b) — you already know which word matters.
The Netherlands childcare benefits scandal. Dutch tax authorities used algorithmic profiling from 2013 to 2020 that classified non-Dutch nationals as “higher risk.” Tens of thousands of parents were wrongly accused of fraud. Benefits suspended. Families destroyed. A court ruled the system violated proportionality and privacy under the European Convention on Human Rights (ECHR). The political fallout was severe enough to bring down the Dutch government.
These aren’t edge cases from authoritarian regimes. These are European governments. Well-funded. Democratically accountable. And they built exactly the kind of systems that Article 5(1)(b) now prohibits.
3. Social scoring
Article 5(1)(c). An AI system that evaluates or classifies natural persons based on social behavior or personal characteristics, resulting in detrimental treatment that is either (1) in social contexts unrelated to where the data was collected, or (2) unjustified or disproportionate to the behavior assessed.
This is the one most readers will dismiss. “We don’t do social scoring.”
Read the cumulative requirements again. The prohibition isn’t about building China’s social credit system. It’s about what happens when a score travels.
A credit score based on financial behavior, used for lending decisions? Not social scoring under Article 5. That same credit score leaking into housing eligibility, school enrollment decisions, or employment screening? Now you’re in Article 5 territory. A customer loyalty score from a retail platform used to determine insurance premiums? Same problem.
The prohibition triggers when evaluation in one context produces detrimental treatment in an unrelated context — or when the treatment is disproportionate to the behavior being assessed.
For compliance teams, the question isn’t “do we score people?” Almost everyone does. The question is: where does the score travel? If the answer is “only within the context it was designed for, with proportionate consequences” — you’re likely fine. If the answer is “we’re not sure” — that’s the assessment you need to do.
France’s CAF system sits here too. A welfare fraud score — collected in the context of benefits administration — used to subject people to invasive investigations that affect their access to housing, childcare, and social services. One score. Multiple contexts. Disproportionate consequences.
4. Predictive policing
Article 5(1)(d). An AI system that assesses or predicts the likelihood of a person committing a criminal offense, solely on the basis of profiling or personality traits and characteristics.
“Solely” — that one word makes this a partial ban, not an absolute one.
“Personality traits and characteristics” gets a broad reading in the guidelines: gender, race, ethnicity, address, income, health, preferences, behavior, financial status. Non-exhaustive. AI systems that support human assessment based on objective, verifiable facts directly linked to criminal activity are still permitted — provided the human decision-maker actually relies on the assessment. Rubber-stamping an algorithmic output doesn’t count.
Geographic crime mapping — identifying high-crime areas from historical data — is not prohibited. It targets patterns, not people.
Here’s where it gets interesting. Geolitica (formerly PredPol), deployed in Plainfield, New Jersey. A predictive policing system that made over 23,000 crime predictions. Accuracy: less than 0.5%. The system is a case study in two things — the unreliability of person-based prediction, and the loophole built into Article 5(1)(d). Reframe person-based prediction as geographic analysis and you move from “prohibited” to “permitted.” Same underlying data. Different framing. Different legal outcome. The regulation bans predicting whether you will commit a crime. It doesn’t ban predicting whether a crime will happen near you. That distinction is thinner than it looks.
5. Untargeted facial image scraping
Article 5(1)(e). An AI system that creates or expands facial recognition databases through untargeted scraping of facial images from the internet or CCTV footage.
This is the hardest line in Article 5. An absolute ban. No exceptions. No law enforcement carve-out. No “but we really need it for security” path. Nothing. Of all eight prohibitions, this is the only one where even law enforcement gets no door to knock on.
“Untargeted” means indiscriminate mass collection not focused on specific individuals. “Scraping” means automated extraction using crawlers and bots. And the detail that matters: consent to posting images on social media does not equal consent for facial recognition databases. You put your photo on LinkedIn — that doesn’t mean a company can feed it into a facial recognition system. The guidelines are clear on this.
One more thing. Multiple targeted scrapes that incrementally build the same database still count as untargeted scraping. You can’t slice an ocean into cups and call each one a glass of water.
Clearview AI is the case that defines this category. A US company that scraped the internet to build a database of over 60 billion facial images. GDPR enforcement hit from four directions — Italy fined them €20 million in February 2022, France €20 million in October 2022, Austria issued a decision in 2023, and the Netherlands fined them €30.5 million in October 2024. Total: approximately €100 million in GDPR fines across four jurisdictions.
Under the AI Act, Clearview’s entire model is now explicitly a prohibited practice — not just a data protection violation, but a banned activity carrying up to €35 million or 7% of turnover.
The enforcement gap tells its own story. Those GDPR fines were imposed on a US company with no EU presence. Collection has been... let’s call it aspirational. Noyb went a different route — filing a criminal complaint against Clearview executives in Austria. If successful, that means personal liability for anyone who travels to Europe. The AI Act doesn’t solve cross-border enforcement. But it raises the ceiling on what happens when enforcement catches up.
6. Emotion recognition in workplace and education
Article 5(1)(f). An AI system whose purpose is to infer emotions of natural persons in a workplace or educational institution.
The scope is broader than most people expect. “Workplace” covers any setting where work is performed — including recruitment, hiring, temporary work, remote work. The prohibition applies from the moment someone is a job candidate. Not from day one on the job. From the application. “Educational institutions” means public and private, all levels, in-person and online, including admissions.
Two narrow exceptions. Medical — but only CE-marked medical devices for actual therapeutic purposes. Monitoring employee stress because HR wants a “wellness dashboard”? That’s not medical. Safety — but only for concrete risks to life or health. Construction workers at height. Pilots. Truck drivers on long shifts. A general interest in “employee wellbeing” doesn’t meet the threshold.
If you’ve evaluated — or already deployed — video interview analysis tools, employee engagement monitoring, classroom attention tracking, or proctoring systems that analyze facial expressions... this is the prohibition with your name on it. Remember the person who asked “So, the AI Act. What do we need to do?” in that meeting? This is what I’d tell them to check first. Because these products were actively marketed to companies until very recently. Some still are.
The grey zone worth watching: systems that track behavioral signals — cursor hesitation, typing cadence, mouse movement patterns — without calling the output “emotion.” A product labeled “engagement scoring” or “confidence assessment” instead of “emotion recognition.” The guidelines focus on purpose — inferring emotions. But when the function is analyzing human behavior to deduce internal states, the label you put on the output starts to look like a distinction without a difference. This is how I understand it; it’s not the law. But I wouldn’t want to be the test case.
7. Biometric categorization by sensitive characteristics
Article 5(1)(g). Biometric categorization systems that categorize individuals based on biometric data to deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation.
One narrow exception: labeling or filtering lawfully acquired biometric datasets for training purposes — ensuring ethnic diversity in medical imaging training data, for example. That’s permitted. Using categorization operationally, against real individuals in real time? That’s the prohibition.
The formulation “deduce or infer” is deliberately broad. A confidence score correlated with race triggers the prohibition — the system doesn’t need to output a categorical label that says “this person is [race].” A probability is enough. A security system that wasn’t designed to infer race but whose outputs happen to correlate with it? Still caught. The question isn’t what you built the system to do. It’s what the system does.
8. Real-time remote biometric identification by law enforcement
Article 5(1)(h). Real-time remote biometric identification in publicly accessible spaces for law enforcement. The most politically charged prohibition in the entire AI Act — and the only one where the EU built a detailed exception framework directly into the article. Which tells you something about the lobbying pressure behind it.
“Real-time” means simultaneous with data capture — live identification as it happens. Analyzing recorded footage after the fact (post-RBI) is a different legal category — classified as high-risk, not prohibited. That distinction sounds clean. In practice, the boundary is blurry. If you analyze CCTV footage ten minutes after capture, is that “real-time”? An hour? The guidelines don’t draw the line.
Three narrow exceptions — all requiring prior judicial or independent authority authorization, a fundamental rights impact assessment, and EU database registration:
Searching for specific crime victims (trafficking, abduction, sexual exploitation)
Preventing a specific, substantial, imminent threat to life — or a foreseeable terrorist attack
Locating suspects for serious crimes listed in Annex II of the AI Act, punishable by at least four years imprisonment
Austria currently has a framework authorizing law enforcement to access public surveillance data in real-time without judicial permission. That framework is non-compliant with Article 5(1)(h). Hungary is developing a nationwide facial recognition database for law enforcement. Compliance status unclear.
For most corporate readers, this prohibition is primarily relevant if you’re a vendor selling biometric identification technology to law enforcement — or if you’re concerned about the “national security” exemption. Article 2(3) exempts AI systems used exclusively for national security purposes. A real-time biometric system reframed as national security escapes Article 5 entirely. The guidelines don’t close this door.
The Patterns Worth Seeing
Eight practices, one article. It’s tempting to treat them as a flat list. They’re not. Step back and three patterns emerge.
Not all prohibitions are created equal. Three tiers. Absolute bans — no exceptions at all. Untargeted facial scraping sits here, with biometric categorization close behind. Near-absolute bans — manipulation, exploitation, social scoring, predictive policing — where the path through is so narrow it barely exists. And conditional bans — emotion recognition and real-time biometric ID — where exceptions are real but come with procedural safeguards heavy enough to deter most uses. Knowing which tier you’re dealing with changes the conversation from “are we allowed to do this?” to “what would we need to do to be allowed?”
Context determines everything for social scoring. The prohibition isn’t about scoring. It’s about spillover. Where does the score travel? Who sees it? What decisions does it touch? A score that stays in its lane is fine. A score that leaks into unrelated contexts — or produces disproportionate consequences — triggers Article 5.
Three prohibitions involve law enforcement — with three different levels of restriction. Predictive policing: partial ban — the “solely” requirement creates a narrow path. Facial scraping: absolute ban — no exceptions at all. Real-time biometric ID: conditional ban — exceptions exist but come with procedural safeguards. The EU drew lines even for law enforcement. But the lines are drawn differently for each practice. And the national security exemption in Article 2(3) creates a potential backdoor for all three.
What the Guidelines Leave Open
Nine questions without answers
100+ pages of guidance. And the hardest questions? Left for another day.
1. The “solely” threshold. How much additional objective data allows AI use in criminal risk assessment? No standard.
2. How to identify “vulnerability.” Where does “specific socio-economic situation” begin? Is a single parent on minimum wage vulnerable? A recent graduate with student debt? No line drawn.
3. “Reasonably likely to cause significant harm.” What probability? How significant? No quantitative threshold.
4. National security vs. law enforcement. A real-time biometric system reframed as national security escapes the prohibition entirely. The boundary isn’t defined.
5. Untargeted scraping circumvention. Multiple targeted scrapes building the same database — how many? Over what timeline? The principle is stated, the mechanics aren’t.
6. Where “real-time” ends. If you analyze CCTV footage an hour after capture, is that real-time? A day? The line between prohibited real-time identification and permitted retrospective analysis isn’t drawn.
7. Generative AI and manipulation. How does Article 5(1)(a) apply to foundation models and LLMs? The guidelines don’t address this.
8. GDPR and Digital Services Act interplay. The prohibited practices overlap with both. How the obligations interact — or conflict — is unresolved.
9. The “material distortion” threshold. How much behavior change triggers the prohibition? The standard says “material.” It doesn’t say what that means in practice.
These aren’t academic gaps. They’re the questions that will land on your desk, or someone else’s, the moment someone asks “what do we need to do about the AI Act?”, and there won’t be a clear answer.
What to Do
Having no clear answer is fine. Having no answer is not. You need an answer that amounts to more than “it’s complicated.”
I’d say this:
Start by mapping your AI systems against Article 5. Not a theoretical exercise — a real one, with the technical team in the room. For each system: could it be deploying manipulative techniques, even unintentionally? Could it be exploiting vulnerable users — through its design, its targeting, or its effects? Does any scoring or classification travel across context boundaries? Does anything in the workplace or education space infer emotions or internal states, even under a different label?
The standard isn’t “did we intend this.” It’s “does the system do this.”
Trace where your scores go. If you score, classify, or categorize people — and most AI systems do, somewhere in the pipeline — follow the output. Who consumes it. What decisions it touches. If a score generated for one purpose is influencing decisions in another context, you have an Article 5(1)(c) question that needs an answer.
Check your vendors. If you’re using third-party AI tools — video interview platforms, employee monitoring software, customer analytics, proctoring systems — ask what they actually do under the hood. If a vendor’s product turns out to be prohibited under Article 5, the vendor isn’t the only one with a problem. You’re liable as a deployer. “We bought it from someone else” is not a defense. “Putting into service” triggers the prohibition — regardless of who built the system.
Document your reasoning. For every system where you conclude “this isn’t a prohibited practice” — write down why. Article by article. Element by element. Not because the regulator has asked for it yet. Because when enforcement starts — and it will — a documented assessment is the difference between a defensible position and an assumption you can’t explain.
No AI Act fines for prohibited practices have been issued yet. It’s April 2026. But the machinery is in place. Complaints have been filed — France’s CAF, Clearview’s criminal exposure in Austria. Market Surveillance Authorities are operational. GDPR enforcement against the same conduct has already cleared €100 million. The AI Act just raised the ceiling.
So if someone turns to you in a meeting and asks “what do we need to do about the AI Act?” — you probably don’t need a full answer by Friday. But you need to know three things: the prohibitions exist, they’re already in force, and the law doesn’t care what you intended.
Start there. High-risk classification, documentation, conformity assessment — that all comes next. But it comes after this.
You don’t build a house from the roof down.
This is exactly where it becomes difficult in practice.
The regulation is effect-based - but most implementations still rely on documentation, intent, or post-hoc assessment.
So even if a system ends up violating Article 5, the only thing we can prove is that it happened - not prevent it structurally.
I’ve been working on a different approach where the constraint doesn’t sit at the level of policy, but at the level of when a system is allowed to act at all.
Not limiting outcomes, but limiting action under epistemically insufficient conditions.
Still early — but it seems like the only way to actually bridge that gap.