Research Team (Tsaaro)

EU releases draft guidelines on high-risk AI systems

Mar 3, 2026

The European Union (EU) Commission has released draft guidelines to help companies determine whether products that incorporate artificial intelligence (AI) components are high-risk under the EU’s Artificial Intelligence Act. These products include medical devices containing AI components. For medical devices that are subject to the AI Act, these requirements will apply alongside the existing obligations under the Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR) instead of replacing them. The guidelines would help businesses, developers, and regulators determine when an AI system falls within the Act's stricter regulatory framework and is therefore subject to enhanced compliance obligations.

The draft guidelines explain two main paths through which an AI system may become high-risk: first, AI systems that function as safety components of regulated products such as medical devices, machinery, vehicles, aviation products, and other products subject to EU safety legislation; and second, AI systems used in sensitive sectors such as employment, education, critical infrastructure, migration, border control, law enforcement, healthcare, and access to essential services, where they could materially impact individuals' rights and opportunities.

A particularly important clarification concerns Article 6(3) of the AI Act. Certain AI systems may avoid being classified as high-risk if they satisfy specific exemption criteria, such as performing only narrow procedural tasks or supporting human decision-making without influencing the outcome. 

However, the guidelines stress that AI systems used for profiling individuals in Annex III sectors remain high-risk regardless of these exemptions. This has major implications for HR tools, recruitment systems, credit-scoring models, and other systems that create predictive profiles about individuals. 

The AI Act's high-risk obligations will apply in stages. Firstly, high-risk AI systems used in areas such as biometrics, education, employment, migration, and critical infrastructure must comply from 2nd December 2027. Then, high-risk AI systems embedded within regulated products, including medical devices and industrial machinery, must comply from 2nd August 2028. 

For businesses that develop or use AI, getting risk classification right is crucial. A high-risk label means they have to do a lot: manage risks, handle data properly, keep records, be transparent, have humans check their work, and follow regulations. The guidelines are meant to clear up confusion and make sure companies can't dodge rules by interpreting the high-risk criteria too narrowly.

Source: EU Commission drafts guidelines on classifying high-risk systems under the AI Act | RAPS 

News of the week: 

1. UK’s New Data Protection Complaint Handling Requirements Take Effect on 19 June 2026 

With just a few days left before the relevant provisions of the Data (Use and Access) Act 2025 (Commencement No. 6) Regulations 2026 come into effect, organizations in the UK are preparing to put a data protection complaints process in place. When the General Data Protection Regulation (GDPR) was introduced, it drastically changed many facets of data privacy; however, it did not formally impose an obligation on organizations to run a publicly accessible complaint process. The UK's data protection law now closes this gap with the introduction of a few regulations under the Data (Use and Access) Act 2025 (DUAA).

Starting from June 19, 2026, all organizations and companies in the UK are mandated to maintain and operate a complaint process that is accessible to the public, which would investigate concerns and resolve them quickly and efficiently.

Since the complaint handling process is formalized and mandated by law, it would be more structured and transparent. Now, a proper complaint process is mandated to be published, a stipulated timeframe is set for doing so, an investigation procedure would be in place, and the complaints would be properly recorded and tracked. This system would not only benefit public stakeholders but would also enable organizations to earn customer trust and foster good relationships with all stakeholders, such as employees, customers, clients, and service users, who get a clear picture of how their data is being put to use.

Source: One month to go: what businesses need to know to meet new data law   

2. Andhra Pradesh High Court holds that right to privacy cannot operate without restrictions in cases involving fraud and forgery.  

In a significant ruling, the Andhra Pradesh High Court has held that the right to privacy cannot operate without restrictions in cases involving fraud and forgery. This decision comes against the backdrop of an alleged land fraud investigation in which the police sought access to the accused person's Aadhaar and biometric details. However, the Unique Identification Authority of India (UIDAI) refused to provide the information when the victim requested it through the Right to Information Act. In an earlier order, a single judge refused to direct the UIDAI to disclose the accused's fake Aadhaar card and biometric information. This order by the division bench is pertinent, and it reaffirms the principle that the right to privacy is not an absolute right, especially during the investigation of criminal proceedings and high-profile crimes like fraud and forgery.

Source: Right to privacy can’t be used as a shield to evade laws: Andhra HC 

3. India Abandons Proposal for Mandatory Aadhaar App on Smartphones After Industry Pushback 

India has decided to drop its proposal to make the Aadhaar app a mandatory pre-installed application on all smartphones after facing strong opposition from major technology companies such as Apple, Samsung, and Google. The proposal had been put forward by the Unique Identification Authority of India (UIDAI), which wanted smartphone manufacturers to ship devices with the Aadhaar app already installed. The government believed this would make it easier for citizens to access Aadhaar-based services, which are widely used for identity verification in banking, telecom services, and even airport travel. However, smartphone companies argued that mandatory pre-installation could create security, compatibility, and manufacturing challenges, while also raising concerns about user choice and privacy. After consultations with industry stakeholders, the government ultimately decided not to proceed with the plan. The decision was welcomed by digital rights advocates, who viewed it as a recognition of the importance of user consent and privacy in India's expanding digital ecosystem.  

Source: India drops proposal to mandate national ID app Aadhaar on smartphones after pushback- Economic Times 

Want to stay ahead? 

Secure your communications today with a tailored privacy and compliance strategy from Tsaaro.com

We Help You to Grow Your Business Faster & Easier

Our Mission is to assist businesses in achieving compliance with data privacy, cybersecurity regulations & Responsible AI. We have worked with over 150+ Clients. Some of our key clients are Adani, Booking.com, NPCI, Godrej, DS Group, CRED, BharatPe, Aster DM, Vistara Airlines, Kotak Mahindra, Vodafone, Flipkart & more.


  • Comprehensive Compliance Support – From data privacy to Responsible AI, we cover it all.

  • Cybersecurity Expertise – Protect your business from evolving digital threats.

  • Proven Results – Trusted by top brands including Adani, CRED, and Flipkart.

  • Customized Solutions – Compliance strategies tailored to your business needs.

  • Global Standards – Align with GDPR, DPDP, and ISO frameworks seamlessly.

  • Efficient Implementation – Achieve compliance faster with expert guidance.

  • Trusted Advisory – Led by certified privacy and security professionals.
