Prohibited AI Practices Under the EU AI Act

This ban targets AI systems that use subliminal techniques beyond a person's consciousness, purposefully manipulative techniques, or deceptive methods to materially distort a person's or group's behaviour. The distortion must cause or be reasonably likely to cause significant harm. It doesn't require intent to harm — the manipulative technique itself triggers the prohibition if significant harm is a reasonably foreseeable outcome.

AI systems that exploit vulnerabilities of a specific group of persons due to their age, disability, or a specific social or economic situation are banned when the exploitation materially distorts their behaviour in a harmful manner. This is separate from (a) because it doesn't require subliminal or deceptive techniques — it targets the exploitation of existing vulnerability itself. The test is whether the AI system takes advantage of characteristics that reduce a person's ability to make autonomous decisions.

This bans AI systems used for evaluating or classifying natural persons over a period of time based on their social behaviour or known, inferred, or predicted personal or personality characteristics, where the social score leads to detrimental treatment that's either unjustified or disproportionate to context, or in social contexts unrelated to where the data was originally generated. The ban applies primarily to public authorities but also covers private actors performing public functions.

AI that assesses or predicts the risk that a specific natural person will commit a criminal offence, based solely on profiling that person or evaluating their personality traits and characteristics, is prohibited. The key word is "solely" — the prohibition doesn't apply when AI augments human assessments that are already based on objective, verifiable facts directly linked to criminal activity. This draws a line between pure predictive profiling (banned) and evidence-augmented risk assessment (permitted under high-risk rules).

Creating or expanding facial recognition databases through untargeted scraping of facial images from the internet or CCTV footage is outright banned. "Untargeted" is the operative word — this catches bulk, indiscriminate collection without specific suspicion or consent. It doesn't matter whether the scraping is done by a public authority or a private company. If you're hoovering up faces from the open internet or surveillance cameras to build a recognition database, you're violating Article 5.

AI systems that infer emotions of natural persons in workplaces and educational institutions are banned. This covers any technology that attempts to read, classify, or score emotional states — whether through facial expression analysis, voice tone detection, keystroke dynamics, or physiological signals. The ban is context-specific: it applies in workplaces and schools, not everywhere.

AI systems that categorise individual natural persons based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation are banned. This doesn't cover lawful biometric processing for other purposes (identity verification, access control) — it specifically targets the inference of sensitive personal attributes from biometric signals.

Using AI for real-time remote biometric identification in publicly accessible spaces for law enforcement purposes is banned, with three narrow exceptions. "Real-time" means the capture, comparison, and identification happen without significant delay — this is live surveillance, not retrospective analysis. "Publicly accessible spaces" covers streets, parks, shopping centres, train stations, and any space the general public can access.