The legal definition — three conjunctive elements
Article 5(1)(c) prohibits social scoring only when all three elements are present:
- An AI system evaluates or classifies natural persons over a certain period of time, based on their social behaviour or known, inferred or predicted personal or personality characteristics.
- The score leads to detrimental or unfavourable treatment of those persons or groups.
- The detrimental treatment occurs in social contexts unrelated to the original data context, OR the treatment is unjustified or disproportionate to the social behaviour or its gravity.
All three must hold. A scoring system that does not lead to detriment is not prohibited. A scoring system that leads to detriment in the same context as the data collection, and is proportionate, is also not prohibited under Article 5(1)(c) — though it may be high-risk under Annex III. Source: Article 5(1)(c), Regulation (EU) 2024/1689.
The four boundary cases that catch teams
Boundary 1: traditional credit scoring
Traditional credit scoring based on financial history — repayment behaviour, outstanding debt, defaults, payment patterns — is not prohibited social scoring. It is high-risk under Annex III point 5(b). The AI system evaluates persons; the score leads to detriment (loan refusal); but the detriment occurs in the same context as the data collection (creditworthiness from credit data) and is justified by the underlying behaviour.
The boundary breaks if the scoring incorporates non-financial social-behaviour data — social-media activity, friend networks, browsing patterns — to deny essential services like loans. That moves from same-context (finance from finance) to cross-context (finance from social media), which is exactly the line Article 5(1)(c)(i) draws.
Boundary 2: insurance pricing
Life and health insurance risk assessment and pricing using AI is high-risk under Annex III point 5(c), not prohibited under Article 5. Property and motor insurance pricing is not explicitly listed in Annex III, but if the AI denies access to essential services it can still be high-risk via the Article 6 catch-all.
The prohibited scenario: an insurer building a customer "risk score" from unrelated personal characteristics (e.g., aggregated social-media posts about lifestyle, friends' health profiles, residential-area inferences) and using that score to deny coverage in a context unrelated to the data context. That is a 5(1)(c)(i) breach.
Boundary 3: loyalty and customer-tier programs
Standard loyalty programs that score customers based on transaction history and apply transaction-context benefits or restrictions are not prohibited. Differential pricing between bronze, silver and gold tiers based on observed loyalty is justified by the underlying behaviour and proportionate.
The prohibited scenario: a loyalty system that systematically disadvantages customers based on inferred personality characteristics or social behaviour beyond their transaction history — for example, pricing changes based on inferred income, friend-network composition, or social-media sentiment. That meets all three Article 5(1)(c) prongs.
Boundary 4: workforce ranking and stack-ranking
HR systems that rank employees on objective performance metrics in the same context as the data collection (productivity from productivity data) are high-risk under Annex III point 4(b) — not prohibited. The detrimental treatment (lower bonus, demotion) is in the same context as the data and is proportionate.
The prohibited scenario: stack-ranking using cross-contextual social-behaviour data — engagement on internal social channels, perceived "team fit", inferred personality scores from behavioural analytics — to inform termination, demotion or pay-band placement. The cross-context detriment crosses Article 5(1)(c)(i). Combined with Article 5(1)(f) (emotion recognition prohibited in the workplace), HR analytics that infer personality from biometric data are doubly prohibited.
The GDPR overlay — Article 22 still applies
GDPR Article 22 grants data subjects the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal effects or similarly significantly affects them. Article 22 applies in parallel with AI Act Article 5(1)(c). Concretely:
- A scoring system that does not cross Article 5(1)(c) but produces solely-automated legally-significant decisions still triggers GDPR Article 22 — meaning the data subject has the right to human intervention, to express their point of view, and to contest the decision.
- A scoring system that does cross Article 5(1)(c) is prohibited outright. GDPR Article 22 becomes moot — the system cannot exist.
Source: GDPR Article 22.
What public-sector deployers must read closely
Recital 31 of the AI Act emphasises that the prohibition addresses scoring systems "by public authorities or on their behalf" especially carefully — the historical reference is to social-credit-system architectures. Public-sector use is not blanket-banned, but the threshold for "detrimental treatment in unrelated context" is interpreted strictly. Public-body deployers should expect closer scrutiny on Article 27 fundamental rights impact assessments and human oversight under Article 14 even where the system is not classified prohibited.
Penalty exposure — top tier
Article 99(1) sets the ceiling for Article 5 prohibited practices, including 5(1)(c) social scoring, at €35,000,000 or 7% of total worldwide annual turnover, whichever is higher. This is the highest tier in the regulation, more than double the Tier 2 ceiling that applies to high-risk obligations. A misclassified scoring system that crosses the Article 5(1)(c) line carries roughly 2.3× the penalty exposure the same system would carry as high-risk under Annex III.
Stacking with GDPR (€20M / 4% under Article 83(5) for solely-automated profiling without an Article 22(2) basis) is real. National implementing law may add further administrative or criminal penalties.
Real numbers Fontvera tracks
- 16 Article 5 obligations in Fontvera's structured corpus — covering all eight prohibited categories including social scoring at 5(1)(c).
- 743 AI Act obligations total. The eight Article 5 prohibitions are categorically distinct from the 735 high-risk and ancillary obligations — they cannot be cured by conformity assessment or human oversight; they are bans.
- AI Act ↔ GDPR cross-references: 8 collisions, of which Article 22-related profiling rules sit in the densest cluster.
What good looks like before any inquiry
- Audit every scoring system against the three conjunctive elements of Article 5(1)(c). If your system clears any one of the three (no detriment, same context, or proportionate), you are not in the prohibition. Document the analysis.
- Map cross-context data flows. Same-context scoring (credit from credit, fitness from fitness) is generally safe; cross-context scoring (essential service from social-media data) is the prohibition's heartland.
- For HR analytics: if any score uses inferred personality or social-behaviour signals to inform termination, demotion or pay-band placement, redesign or remove. Article 5(1)(c) plus 5(1)(f) plus Annex III 4 stack against you.
- For loyalty and pricing: ensure differential treatment maps to transactional behaviour, not to inferred social or personality characteristics.
- For public-sector deployers: assume a strict reading of Article 5(1)(c). Run Article 27 FRIA in addition to Article 9 risk management even where you believe the system is high-risk rather than prohibited.