The EU AI Act is set to introduce significant penalties starting in February 2025, some even larger than those under GDPR. Passed in August 2024, the Act classifies AI systems by risk level: prohibited, high-risk, limited-risk, and minimal-risk. Systems that exploit vulnerabilities or engage in unauthorized biometric surveillance will be prohibited, while high-risk systems—like those used in employment or credit scoring—will face strict oversight.
To learn more about penalties for prohibited systems under Article 99, check here.
Let’s dive into a few scenarios that highlight the potential consequences of non-compliance.
ShopSmart's AI Misstep
Imagine ShopSmart, a fictional retailer in France, that uses AI to analyze customer facial expressions for emotional targeting. They launched this technology in 2024, aiming to boost sales with hyper-targeted recommendations. Some customers welcomed the personalized experience, seeing it as a cutting-edge innovation.
But by August 2, 2025, when the EU AI Act takes effect, ShopSmart's system is classified as prohibited for exploiting vulnerabilities and conducting unauthorized biometric surveillance. Suddenly, they’re facing penalties of up to €35 million or 7% of global turnover. For a company generating €1 billion in revenue, this could mean a €70 million fine—not to mention damage to their reputation and a loss of consumer trust. While some may have appreciated the tailored recommendations, others will feel their privacy was compromised. This highlights the delicate balance between innovation and protecting individual rights.
A Utility's Risky AI Implementation
Now consider GreenGrid, a German energy startup. In a bid to optimize energy distribution, they introduced an AI system that makes real-time decisions based on environmental and consumer data. However, their system falls under the high-risk category due to transparency and bias concerns.
By August 2025, GreenGrid faces penalties of up to €15 million or 3% of global turnover if they fail to meet the strict compliance requirements for high-risk systems. This includes ensuring transparency, conducting conformity assessments, and undergoing audits. For GreenGrid, it’s a balancing act between innovating in energy efficiency and upholding privacy and ethical standards.
What’s the Role of Privacy Professionals as Penalties Take Effect?
As the EU AI Act rolls out—starting in February 2025, with full enforcement by August 2026—privacy professionals will play a key role in navigating the complex world of AI governance. While privacy is a critical part of this governance, AI requires additional expertise. Ethical challenges, technical complexities, and decision-making processes will need the involvement of AI developers, data scientists, legal experts, and business leaders.
Privacy professionals bring valuable skills in compliance, data protection, and risk management. However, AI governance will also need to address challenges like algorithmic bias, explainability, and the broader ethical impact of AI decisions. Now is the time for privacy professionals to educate themselves, advocate for an AI Governance Office or Center of Excellence, and ensure privacy remains a key component of a cross-functional approach to AI governance.
Can We Learn from GDPR’s Implementation?
The EU AI Act shares some similarities with GDPR. When GDPR was introduced in May 2018, many were concerned about its lack of clarity, inconsistent enforcement, and underestimated resource needs. Sound familiar? The EU AI Act is also facing criticism around its scope and application.However, privacy professionals who lived through the challenges of GDPR’s early days are well-positioned to help guide AI governance teams. By applying their GDPR experience, privacy pros can help ensure the successful implementation of the EU AI Act and use this opportunity to expand their skills while continuing to provide valuable insights in this evolving regulatory landscape.
Looking for an AI Governance solution? Book a demo and see TrustWorks AI Governance module in action.
Roberta Kowalishin
