The EU Commission has on February 4 2025 Guidelines on prohibited AI practices after the AI Act published:
- Media release
- Guidelines (140 pages)
These prohibitions are became effective on February 2, 2025 (and the sanctions will become effective on August 2, 2025).
The guidelines explain the concept of prohibited practices and contain examples of their application. They are based on the Commission’s mandate under Art. 96 AIA to issue guidelines for practical implementation (see our FAQ AI Act). Certain practices are prohibited (Use cases – the placing on the market, commissioning or use of systems that do or are intended to do prohibited things) in the categories:
- Manipulation
- Exploiting weakness
- Social scoring
- Biometric categorization
- Emotion recognition
- Predictive policing
- Scraping with facial recognition
- Biometric real-time remote identification in public
The guidelines primarily deal with the interpretation of these use cases. They also deal with a number of related terms:
- the Placing on the market (Art. 3(9) AI Act), which also includes making it accessible via an API;
- the Commissioning (Art. 3(11) AI Act), which includes the transfer for initial use by a third party, but also the company’s own initial use (“in-house development and deployment”);
- the Usenot defined in the AI Act; any use after placing on the market or putting into service. The prohibited practices also include misuse, including unforeseeable misuse (i.e. not only foreseeable misuse as in Art. 3(12) and (13) AI Act);
- Provider – nothing new;
- DeployerThis is the body that uses the AI system (AIS) (not the employees, but their employer), and does so “under its authority”. This means the following (cf. Rosenthal: “It makes sense here to fall back on the practice of the comparable concept of the “responsible party” or “controller” in data protection”):
‘Authority’ over an AI system should be understood as assuming responsibility over the decision to deploy the system and over the manner of its actual use.
The provider may not place AIS and GPAI on the market or put them into operation if their prohibited use is “reasonably likely”. In the case of a GPAI that is used for a chatbot, the provider should therefore install security measures. For its part, the deployer may not use AIS for prohibited purposes. Providers should also prevent prohibited use by deployers contractually exclude and – depending on the case – they should also be used by the deployer. monitor. If they become aware of a prohibited use, they should also react.
The Commission goes on to Application exclusions one for
- the area of national security and the armed forces
- Mutual legal assistance and judicial cooperation
- Research and development
- exclusively personal activity and
- FOSS.
Other topics include the Relationship of the AI Act to other decrees and the Enforcement of the prohibitions.