Navigating the AI Act: Prohibited Practices and the Role of Synthetic Data

January 30, 2025

As we have discussed in previous posts, the EU Artificial Intelligence Act (AI Act) represents one of the most comprehensive regulatory frameworks aimed at ensuring the safe and ethical use of artificial intelligence across the European Union.

Among its key provisions is the prohibition of certain practices deemed to pose unacceptable risks to fundamental rights and freedoms. These prohibited practices enter into force in February 2025 - significantly earlier than the other parts of the Act.

A standout example is the prohibition on facial recognition systems based on untargeted web scraping. This article explores the specifics of this prohibition and how synthetic data may offer a path forward for compliance and continued innovation.

Understanding the Prohibition on Untargeted Scraping

Facial recognition technology has advanced rapidly, often using methods that raise ethical and legal concerns. Untargeted scraping involves collecting images of individuals from public websites, CCTV and social media without their consent. This practice poses several risks:


  • Privacy Violations: Harvesting personal data without authorisation may breach the General Data Protection Regulation (GDPR).

  • Lack of Transparency: Individuals are typically unaware that their images are being collected and used for AI training.

  • Potential for Misuse: Datasets can be exploited for surveillance or lead to biased AI systems, resulting in discrimination or other harms.

To address these issues, Article 5 of the AI Act explicitly bans the creation of facial recognition databases through untargeted scraping of images from the internet or CCTV footage.

Challenges for Businesses

The prohibition introduces several challenges for organisations developing facial recognition systems. In particular, accessing high-quality, compliant datasets becomes more difficult, while lawful data collection and curation of appropriate “real data” can be resource-intensive. To compound the issue, non-compliance by the February 2025 deadline can lead to significant fines and reputational damage.

Synthetic Data as a Solution

Synthetic data is artificially produced to replicate the properties of real-world data and so offers a viable solution to these challenges:

  • Ethical and Privacy Compliance: Since synthetic data doesn’t involve real individuals, it aligns with privacy and AI Act requirements.

  • Cost-Effectiveness, Scalability and Edge Cases: Once the data generation pipeline is established, new data can be generated rapidly and at scale. Moreover, Devant can also simulate various environments and rare events that are difficult or dangerous to capture in real-world datasets.

  • Mitigate Bias and Ensure Representation: Synthetic data can be designed to counteract biases present in real-world data, promoting fairness in AI systems. By producing diverse representations of individuals, synthetic data can improve machine learning performance by ensuring it addresses all intended demographics.

Preparing for Compliance

With the February 2025 deadline approaching, it’s crucial for businesses to evaluate their data collection methods to ensure they don’t involve prohibited practices. By embracing synthetic data, businesses can navigate these regulations effectively, leading the way in creating responsible and innovative AI technologies.

If you’d like to learn more about how we can support your AI Act compliance efforts, please get in touch.