Interplay between EU AI Act prohibited practices and the GDPR, DSA

The Future of Privacy Forum (FPF) has published the first in a series of articles exploring the prohibited practices set out in the EU Artificial Intelligence Act (AI Act). These non-negotiable red lines represent specific AI behaviours deemed too dangerous or unethical to permit within the EU. Prohibited practices include harmful manipulation, social scoring, untargeted facial image scraping, emotion recognition, and real-time remote biometric identification for law enforcement.

FPF writes that while such boundaries have historically existed as soft law or self-regulation, the AI Act is the first global legislation to codify these prohibitions into law. Article 5 of the AI Act, which governs these practices, became applicable in February 2025 and has been enforceable by member state authorities and the European Data Protection Supervisor since August 2025.

The analysis focuses on the interplay between the AI Act and existing frameworks: the EU General Data Protection Regulation (GDPR) and the Digital Services Act (DSA). It aims to clarify the scope of prohibited practices and identify legislative overlaps or areas of uncertainty. 

Training Announcement: Freevacy offers a range of independently recognised professional AI governance qualifications and AI Literacy short courses that enable specialist teams to implement robust oversight, benchmark AI governance maturity, and establish a responsible-by-design approach across the entire AI lifecycle. Find out more.