AI Act2 Feb 2025
The ban on AI emotion recognition in the workplace and education applies since 2 February 2025 (Art. 5 AI Act). Enforcement is still nascent — no major formal case yet. Fines for prohibited practices are the highest in the regulation.
What to do: Confirm no system implements an Art. 5 prohibited practice; the penalty ceiling is up to EUR 35 million or 7 percent of worldwide turnover.
ECHR / fundamental rights5 Feb 2020
The SyRI welfare-fraud risk system breaches Article 8 ECHR: insufficiently transparent and not proportionate. Use prohibited.
What to do: If you run automated risk-profiling on individuals, test it against fundamental-rights safeguards (proportionality, transparency); the court struck down SyRI for lacking them.
GDPR1 Dec 2021
Years of unlawful and discriminatory processing of applicants' (dual) nationality for childcare benefits; nationality wrongly used as a risk indicator.
What to do: Review automated profiling for unlawful or discriminatory use of personal data; ensure necessity, proportionality and a clear lawful basis.
GDPR3 Sep 2024
Unlawful database of billions of facial images scraped from the internet for facial recognition, without a valid legal basis; processing of biometric personal data.
What to do: Do not use facial-recognition data obtained by untargeted scraping; where you process biometric data, confirm a valid basis and carry out a DPIA.
GDPR20 Dec 2024
ChatGPT trained on personal data without a valid legal basis, breach of transparency duties, failure to report a data breach (March 2023) and missing age verification.
What to do: If you process personal data through a generative-AI service, verify your lawful basis, your transparency notice to users, and any age checks.
AI Act19 Nov 2025art. 6, bijlage III
Commission proposal (19 Nov 2025) to move the application date of the high-risk obligations (Annex III) from 2 August 2026 to 2 December 2027 (Annex I products to 2 August 2028). A simplification, still in the legislative process.
What to do: Plan against the proposed new application date for the Annex III high-risk obligations (2 Dec 2027) rather than the original 2026 date; no action required yet, but track the proposal.
AI Act10 Jul 2025art. 53, art. 55
Voluntary code of practice for providers of general-purpose AI models (Art. 53/55), with three chapters: transparency, copyright and safety/security. Signatories (incl. Anthropic, Google, Microsoft, OpenAI, IBM) use it to demonstrate compliance; Meta did not sign.
What to do: If you build on a general-purpose AI model, obtain and keep the provider transparency and copyright information you rely on (Art. 53), and check whether your provider signed the Code.
AI Act4 Feb 2025art. 5
The Commission's official guidance on the prohibited practices (Art. 5): manipulation, exploitation of vulnerabilities, social scoring, untargeted facial scraping, emotion recognition at work/education, biometric categorisation and certain real-time biometric identification. Non-binding; the CJEU has the final say.
What to do: Check that none of your AI systems fall under the Art. 5 prohibitions (e.g. social scoring, untargeted facial scraping, emotion recognition at work or school); record that assessment.