The recent EU guidelines on prohibited AI practices are of great relevance to personal data protection issues posed by the AI Act.
The prohibitions concern activities typically based on the processing of personal data: consider the manipulative or deceptive practices, characterised by a particularly high harmful potential when perpetrated, for example, through the profiling of recipients, carried out by processing of their data; even clearer, on the other hand, are the cases of practices to distort a person’s behaviour by exploiting his vulnerabilities or those concerning social scoring AI systems.
On these issues, the Commission's guidance of 6 February 2025 clarifies the relationship between the consolidated framework on personal data protection and the new AI Act by highlighting several aspects of interest, including one particularly sensitive aspect: the assessment of compliance with the GDPR is an essential criterion for determining whether a given practice should be considered prohibited under the Artificial Intelligence Act. To distinguish between legal persuasion and undue manipulation (Art. 5, par. 1(a) AI act), for instance, it is of significant importance to consider adherence to the privacy principles of lawfulness, fairness and transparency, as well as the structuring of processes to ensure that data subjects’ rights are respected.
