The prohibition on individual risk assessment and prediction of criminal offences in the EU AI Act is written broadly enough that it absolutely applies to the private sector, not just police or government agencies. This is one of the most misunderstood parts of Article 5, so let’s unpack how and why it reaches private companies — and what kinds of private‑sector AI practices fall under the ban.
🔍 What the Ban Actually Says (in plain language)
The EU AI Act prohibits AI systems that predict whether a specific person will commit a crime:
- Based solely on profiling, or
- Based on personal traits or past behavior,

without objective, verifiable facts directly linked to a criminal act.
This prohibition applies to any actor — public or private — who places such a system on the EU market or uses it in the EU.
That means private companies cannot build, sell, or use these systems either.
🏢 Why the Ban Applies to the Private Sector
The EU AI Act regulates AI systems, not just government use of AI.
So the prohibition applies to:
- AI developers
- AI vendors
- Employers
- Insurers
- Retailers
- Banks
- Security companies
- Tech platforms
If they operate in the EU or offer AI systems to EU users, they are bound by the ban.
The logic is simple:
If a type of AI is considered fundamentally harmful, no one — public or private — is allowed to use it.
🧩 How the Ban Affects Private‑Sector Use Cases
Here are the main ways the prohibition reaches private companies.
- Private Security Firms Cannot Use Crime‑Prediction AI
A private security company cannot deploy AI that:
- Predicts which customers are likely to shoplift
- Flags “high‑risk” individuals entering a store
- Scores visitors based on appearance, behavior, or past purchases
These systems would be illegal because they predict criminality based on profiling.
- Retailers Cannot Use “Shoplifter Prediction” Algorithms
Some retailers have experimented with:
- AI that identifies “suspicious” shoppers
- Systems that score customers based on gait, clothing, or movement patterns
- Tools that predict theft risk based on demographic or behavioral data
Under the EU AI Act, these systems are prohibited.
- Employers Cannot Use AI to Predict Employee Misconduct
Examples that would be banned:
- Predicting which employees are likely to commit fraud
- Scoring workers for “insider threat risk” based on personality or behavior
- Using AI to identify “high‑risk” job applicants
These are considered criminal‑offence predictions based on profiling.
- Banks and Insurers Cannot Predict Criminality for Risk Scoring
Financial institutions sometimes use AI to:
- Predict likelihood of money laundering
- Flag customers as “high‑risk” based on personal traits
- Score individuals for fraud risk based on behavior patterns
The EU AI Act draws a line:
- Predicting suspicious transactions = allowed
- Predicting whether a specific person will commit a crime = banned
So AML systems must focus on transaction‑level anomalies, not person‑level criminality predictions.
- Tech Companies Cannot Sell Crime‑Prediction APIs
Any vendor offering:
- “Crime propensity scores”
- “Violence risk prediction”
- “Threat detection based on personality”
- “AI that identifies potential offenders”
…would be violating the Act.
This applies even if the vendor is outside the EU but sells to EU customers.
⚖️ Why the EU Applies This Ban to Private Actors
The EU’s reasoning is that:
- Predicting criminality from personal traits is scientifically invalid
- These systems are inherently discriminatory
- They create unjustified and disproportionate harms
- They resemble social control mechanisms incompatible with EU values
Because the risks are so severe, the EU treats these systems as unacceptable risk AI, meaning:
They cannot be built, sold, or used by anyone — public or private.
