Ales Frelih

EU AI Act Article 5: Eight AI Practices That Are Now Illegal in the EU

Robotic hand touching glowing shield with European Union stars symbolizing cybersecurity

The Eight Prohibited AI Practices

1. Social Scoring by Public Authorities

AI systems that evaluate people based on their social behaviour, personal characteristics, or social status — and then treat them differently as a result — are banned when operated by public authorities.

This is the “Black Mirror” provision. The example that appears in every explainer. It is also the one least relevant to most private businesses, which is probably why it gets all the attention.

2. Real-Time Biometric Identification in Public Spaces

AI systems that identify people in real time from CCTV, cameras, or similar feeds in publicly accessible spaces are prohibited — with very narrow exceptions for law enforcement, subject to judicial authorisation.

Private businesses cannot use live facial recognition in their premises to identify customers or visitors. A shop using AI to match faces against a database in real time is running a prohibited system.

3. Subliminal Manipulation

AI that influences people’s behaviour through techniques they are not consciously aware of — bypassing rational decision-making in ways that cause harm — is prohibited.

The law is not targeting ordinary personalisation or recommendation systems. It targets systems specifically designed to exploit cognitive weaknesses without the person’s knowledge, in ways that harm their interests or the interests of others.

4. Exploitation of Vulnerabilities

AI systems that deliberately exploit the vulnerabilities of specific groups — people with disabilities, the elderly, those in financial difficulty — to distort their behaviour in ways that cause them harm are banned.

This provision is specifically about targeting, not general marketing. An AI designed to identify financially distressed people and push them toward harmful financial decisions is the type of system this covers.

5. AI-Based Crime Prediction Using Profiling Alone

AI that assesses the risk of an individual committing a crime based solely on profiling, personality traits, or characteristics — without any objective, verifiable connection to actual criminal behaviour — is prohibited.

Predictive policing tools that work purely on demographic or behavioural profiles, without evidentiary grounding, are the primary target. The key word is “solely” — risk tools that combine multiple evidence types and human review are treated differently.

6. Emotion Recognition in the Workplace and Education

AI that detects or infers the emotional state of employees or students — in professional or educational settings — is prohibited.

This is narrower than it sounds. Emotion recognition in other contexts (clinical, research, road safety) is not automatically banned. The prohibition is specific to workplaces and educational institutions, where the power imbalance makes it particularly problematic.

If you are considering AI tools that read facial expressions, voice tone, or physiological signals to assess staff mood or student engagement, those tools are banned for this use.

7. Biometric Categorisation to Infer Sensitive Characteristics

AI that uses biometric data — facial features, gait, voice — to classify individuals into categories based on race, ethnicity, political opinion, religious belief, sexual orientation, or trade union membership is prohibited.

This covers both direct inference and proxy categorisation. Systems that claim to infer protected characteristics from observable features fall squarely within this ban.

8. Untargeted Scraping of Facial Images

AI systems that build or expand facial recognition databases by scraping images from the internet or CCTV footage without targeting specific individuals are prohibited.

Mass harvesting of facial data for recognition purposes — regardless of whether the images are technically public — is banned.

What the Fines Look Like

Violating Article 5 carries the highest penalties in the EU AI Act: up to €35,000,000 or 7% of total worldwide annual turnover, whichever is higher.

These are not regulatory slap-on-the-wrist numbers. They are the highest tier in the Act, reflecting how seriously the legislature views these prohibitions.

What This Means in Practice

Most businesses will not run into Article 5 accidentally. The prohibitions are written narrowly and target specific harmful uses rather than broad categories of AI.

But three things are worth checking:

HR and monitoring tools. Any AI tool marketed for employee sentiment analysis, engagement scoring, or productivity monitoring through behavioural signals should be reviewed carefully against provisions 4 and 6. The emotion recognition ban applies from 2 February 2025.

Customer-facing AI. Any system that uses biometric data — even indirectly — to infer characteristics or classify customers should be evaluated against provisions 3, 7, and 8.

Third-party tools. If a vendor supplies an AI system that turns out to fall within one of these categories, the deployer — your business — shares responsibility. Vendor agreements should address this.

The prohibited list is not a distant government concern. It is already law. Any AI tool your business uses that touches these areas needs a clear assessment — not eventually, but now.

The next post in this series covers the high-risk AI categories in Annex III: which business functions they cover and what the compliance requirements actually look like in practice.

Response

  1. Ales Frelih Avatar
    Ales Frelih

    : Source: https://artificialintelligenceact.eu/article/5/

    Like

    Reply

Leave a comment