Civil Law Remedies as Tools for Regulatory Guidance and Enforcement of the EU AI Act:
A Study on the Prohibition on the Exploitation of Vulnerabilities

DOI: https://doi.org/10.69592/3045-9036-N1-2025-ART-3

José Miguel Bello y Villarino1

Senior Research Fellow, University of Sydney Law School, Australia
Diplomatic Corps of Spain (on leave)
Sydney, Australia

Enviado el 4 de noviembre de 2025; aceptado el 1 de diciembre de 2025.

Abstract: This article explores how civil litigation can complement regulatory enforcement under the EU Artificial Intelligence Act’s prohibition on exploiting vulnerabilities (Article 5(1)(b)). It examines ambiguities and enforcement challenges surrounding AI systems that target vulnerable individuals or groups, using online betting advertisements as a case study. The analysis argues that public authorities lack the capacity to address these complex risks effectively. Drawing on Spanish legal traditions, notably the 1908 Usury Repression Act, the article proposes that private civil actions—particularly collective remedies—can guide administrative intervention. It advocates a collaborative model where private enforcement informs regulatory practice, clarifying the scope of vulnerability exploitation.

Keywords: AI Act, Private remedies, Vulnerability, Exploitation, Regulatory enforcement, Collective redress, Online advertising.

Resumen: Este artículo analiza cómo la litigación civil puede complementar la aplicación regulatoria de la prohibición de explotación de vulnerabilidades en el Reglamento de IA de la UE (artículo 5.1.b). Apoyándose en un estudio de la publicidad en línea de casas de apuestas, el artículo sostiene que las autoridades carecen de capacidad para abordar estos riesgos complejos. Inspirado en la tradición jurídica española, especialmente la Ley de Represión de la Usura de 1908, sugiere que la litigación civil privada puede ofrecer una orientación clave para la intervención administrativa, abogando por una aproximación colaborativa, donde la interpretación de derecho privado en sede judicial informe la acción regulatoria pública.

Palabras clave: Reglamento de IA, Recursos civiles, Vulnerabilidad, Explotación, Aplicación regulatoria, Acción colectiva, Publicidad online.

I. Introduction

The European Union’s Artificial Intelligence Act (hereinafter “AI Act” of “the Regulation”), adopted in March 20242, represents a landmark in global technology governance. In its final form, the AI Act is undoubtedly a complex piece of regulation, where values are intertwined with rules, different enforcement approaches and the use of technical standards3. The AI Act is underpinned by an ambition of delivering an internal market for AI systems, one which creates the necessary predictability for stakeholders engaged in the development of the technology, while protecting fundamental rights, particularly those of vulnerable groups4. All framed, as some scholars have noted, in a package of “ethical AI”5, ensured by hard boundaries for what AI-systems must not be allowed to do within the European Union. The most characteristic manifestation of this approach is the list of prohibited uses for AI systems detailed in Article 5, as they are considered to go against core European values6.

Within those proscriptions, one of the most intriguing and ethically charged provisions is the prohibition of AI systems that exploit the vulnerabilities of individuals or groups, as set out in Article 5(1)(b). This stipulation aims to protect those facing a heightened risk of harm due to age, disability, or specific social or economic situations7. However, the article’s wording raises significant questions of clarity and enforceability8.

Article 5 Prohibited AI practices

1. The following AI practices shall be prohibited: […]

(b) the placing on the market, the putting into service or the use of an AI system that exploits any of the vulnerabilities of a natural person or a specific group of persons due to their age, disability or a specific social or economic situation, with the objective, or the effect, of materially distorting the behaviour of that person or a person belonging to that group in a manner that causes or is reasonably likely to cause that person or another person significant harm;

This work examines the ambiguities inherent in the AI Act’s approach to vulnerability, drawing on both the Regulation’s text and broader civil law traditions. It argues that a civil law approach—particularly through litigation and judicial interpretation—can provide much-needed guidance for public authorities that are tasked with enforcing the Regulation. The article then discusses in some detail one of the most problematic areas: targeted online advertising. It offers the example of gambling as one of the contentious points where aggressive selling techniques can easily evolve into tools enabling the exploitation of the vulnerabilities of a given group of individuals. The exposition uses the example of a study in Australia on online advertising, as it is the only one this author could identify in comparative scholarly work, but also one with the relevant methodology (citizen-researchers who donate their data) to study these phenomena9. It would be obvious to most readers that the example would not be governed by the EU AI Act. Rather, it serves the purpose in this work of illustrating the tensions between what law can regulate and what practices can escape regulation, while elucidating the challenges in defining and addressing vulnerability within the existing provisions of the EU AI Act and other EU law.

On the basis of that study the article argues that proper enforcement of the prohibition of article 5(b)(1) requires very detailed analysis of individual cases, which would escape the capacity of the public regulator to continuously evaluate and monitor the deployment of hundreds (or thousands) of AI systems capable of exploiting the vulnerabilities of users. The assumption is that the enforcement methods envisaged in the EU AI Act can only be tangentially sufficient to address the gargantuan task of determining where the threshold of “exploitation” should be placed for the different vulnerabilities of groups affected by the deployment of each system10.

From that observation, the article puts forward a bigger claim, building on a partially lost tradition in Spanish law of using civil law methods of enforcement as not only guidance, but actual triggers for administrative intervention. Using the example of the 1908 Usury Repression Act, also known as the Ley Azcárate11, still in force, the discussion set out here illustrates how court decisions adapted to individual circumstances regarding the exploitation of vulnerabilities can trigger financial penalties imposed by the State. The 1908 Usury Repression Act declares null and void any loan contracts with interest rates that are notably higher than the normal rate and disproportionate, giving redress to the borrower through only having to pay the principal—no interest—and recover any amount already paid as interest. However, it does not stop there. It also envisages in its article 5 that private parties that are found three times in violation of their inter-partes obligations, that is, a lender whose three or more contracts are annulled under this law, shall also be fined12.

The article contends that the supervisory authorities envisaged in the EU AI Act (mainly the “market surveillance authorities” of Chapter IX) should carefully consider the intersection between private interests and public goals as a mean to alleviate the burden of regulators to unequivocally determine ex ante when, for example, an aggressive marketing technique enters the territory of exploitation of vulnerabilities.

The argument in broader terms is not new in the Spanish law tradition13, and there is significant comparative scholarship on the achievement of public goals through private enforcement means. Notably, in the United States, this discussion has been often attached to economic analyses of private law remedies14. However, as Tridimas observes, that is not the case in EU Law, which “tends to provide for rights but not for remedies”; in his view reflecting historical path dependencies derived from its origin in international law15. However, the innovation in this article is the argument in favour of leveraging that capacity to facilitate regulated public enforcement. That is, the social objectives of the EU AI Act are not meant to be achieved through private litigation (European or domestic), but domestic private litigation can fill gaps, shape and make public enforcement of the Act more responsive to complex circumstances.

In the AI context, the capacity of a system to individually target characteristics, can seldom be determined ex ante. Hence, it will require an extrapolation of its general effects from individual instances. Courts are well-placed to make that judgment. If this is accompanied by class action or public interest litigation—i.e., collective redress European style16—the EU can prove that the specifications of the general principles contained in the Act do not need to exclusively depend on technical standards17. In summary, this article advocates for private civil law remedies as triggers for administrative action, challenging the strict civil vs administrative separations in most continental legal doctrines and encourages the Commission, through its AI Office, to support such an approach, actively monitoring private litigation, that could then be passed onto the relevant AI-specific regulators.

II. The Concept of Vulnerability in the EU AI Act

1. The Regulatory Context

The AI Act’s concern with vulnerability is rooted in a broader European Union approach to private law focused on protecting weaker parties in contractual and consumer relationships, against the more traditional approach of domestic systems centred around the equality of the parties18. Concretely, in the AI Act, Article 5(1)(b) prohibits the placing on the market, putting into service, or use of AI systems that exploit vulnerabilities arising from age, disability, or specific social or economic situations, where such exploitation is likely to cause significant harm.

The provision is complemented by Recital 29, which elaborates on the types of vulnerabilities and groups at risk, including those living in extreme poverty or belonging to ethnic or religious minorities. The specific terms of that recital are described below, but it suffices here to say that the drafting of the article and the recital went through several iterations in the legislative process, allowing different stakeholders to interpret its meaning very differently. However, that is not surprising in a regulation with “unprecedented level of redrafting”19.

2. Searching for the Elements of vulnerability

Despite its laudable aims, Article 5(1)(b) is marked by significant indeterminacy. The Regulation does not define “vulnerability” in operational terms, nor does it provide clear criteria for what constitutes “exploitation” or “significant harm.” The provision’s reliance on open-ended categories—age, disability, social or economic situation—leaves much to the discretion of regulators and courts. Moreover, the requirement that the exploitation must have the “objective or effect” of materially distorting behaviour20 introduces further ambiguity, particularly regarding the threshold for “material distortion” and the causal link to harm.

The AI Act contains other express reference to vulnerability in Article 7(2)(h), which instruct the Commission to consider the intensity and disproportionate impact of harm on persons in vulnerable positions when updating the list of high-risk AI systems. Concretely:

(h) the extent to which there is an imbalance of power, or the persons who are potentially harmed or suffer an adverse impact are in a vulnerable position in relation to the deployer of an AI system, in particular due to status, authority, knowledge, economic or social circumstances, or age;

However, this provision seems broader than Article 5(1)(b) and do not provide specific guidance for the application of the prohibition on exploitation of article 5. The European legislator offers then two uses of vulnerability in the EU AI Act, which serve different purposes. One is linked to prohibited AI systems and refers to “vulnerable groups”. The other comes into play for systems which may be considered high-risk but not prohibited—those impacting persons in a “vulnerable position” in relation to the deployer. Given they serve a different purpose in the Act, article 7(2)(h) provides little help for interpreting vulnerability arising from prohibited systems.

One difference is causal: a system is prohibited because it exploits (or is capable of exploiting) vulnerabilities in a harmful manner. This triggers a binary yes/no judgment: prohibited/not prohibited. The other difference is a matter of intensity: A system may be high risk and, hence, need to be treated with more care, because some groups may be differentially affected by it. For example, a minority language group may not be properly served by an AI education system deployed in schools, and, hence, those types of systems could be considered to be high-risk. This classifies those groups as more “vulnerable” in this sense, but the judgment about “how distinct the effects are” needs to be made at a systemic and abstract level, because the legislator itself—here the Commission through delegated acts—is meant to respond to that judgement.

3. Vulnerability in Other EU Regulatory Instruments

A) The cross-references in the EU AI Act

The AI Act explicitly refers in this context to two other EU instruments in recital 29: Directive 2005/29/EC on Unfair Commercial Practice (hereinafter “the UCP Directive”)21 and Directive (EU) 2019/882 on the accessibility requirements for products and services22. Starting with the former, article 5 of Directive 2005/29/EC serves as the normative fulcrum for the prohibition of unfair commercial practices within the European Union’s consumer protection framework. Its relevance to private and consumer law is elucidated not only through its operative provisions but also via the interpretative guidance offered in the recitals accompanying that Directive. These recitals underscore the UCP Directive’s dual function: to harmonise market conduct standards and to safeguard consumers from practices that compromise their economic autonomy (e.g., Recital 6). As some early commentary put it, it is a piece of legislation with far reaching objectives and innovative methods, which was anticipated to deliver “massive” legal impacts23.

The UCP Directive’s prohibition of unfair commercial practices—defined in article 5(2) as those practices that are contrary to professional diligence and likely to distort the economic behaviour of the average consumer—has direct implications for contractual relationships governed by private law. In particular, it establishes a behavioural threshold for traders that, when breached, may render a contract voidable or give rise to claims for redress under national consumer law regimes24.

This regulatory architecture is recalled in the AI Act, explicitly in Recital 29, which recalls that the prohibition of Article 5 is “complementary to the provisions contained in [the UCP Directive]” which prohibits under all circumstances, practices causing “economic or financial harms to consumers”[…] irrespective of whether they are put in place through AI systems or otherwise.” Such prohibitions are not merely parallel to those found in Directive 2005/29/EC; they reinforce each other. The AI Act’s restrictions on manipulative or exploitative AI practices serve to bolster the Directive’s ban on unfair commercial conduct, particularly where such conduct is facilitated or exacerbated by algorithmic targeting and personalisation. Notably, the term “unfair” in the Directive—translated as desleal in Spanish and déloyal in French—captures a broader ethical dimension that resonates with the AI Act’s emphasis on trustworthiness and human-centric design. They are not just “unfair” in terms of the balance of obligations between the parties, they imply a further judgment of disloyalty from the trader towards the consumer.

In this way, the evolving corpus of EU law reflects a convergence between traditional consumer protection norms and the exigencies of digital market regulation. The integration of Article 5’s principles into the AI regulatory framework signals a recognition that technological mediation does not obviate the need for legal accountability; rather, it intensifies it25. As AI systems increasingly mediate contractual engagements, the imperative to safeguard consumers—particularly those who are vulnerable—becomes ever more pronounced.

However, this reference to consumer law cannot fully explain what is an “exploitation of vulnerability” in the AI Act. The Regulation introduces a framework for the governance of AI systems, including explicit prohibitions on certain practices deemed incompatible with fundamental rights and consumer protection principles. Among these, there are AI-driven commercial strategies that exploit cognitive vulnerabilities, manipulate decision-making, or otherwise cause economic or financial detriment to consumers.

In this author’s view, the AI Act’s approach to vulnerability draws on, but does not fully align with, existing EU consumer protection law. The UCP Directive (2005/29/EC) similarly prohibits practices that exploit the vulnerabilities of specific groups, such as children or the elderly, and requires that the effect of a practice be assessed from the perspective of the average member of the targeted group. However, the UCP Directive provides more detailed guidance on the assessment of vulnerability and the types of practices considered unfair—perhaps not surprisingly, given it could benefit from previous enforcement experiences, when compared to AI-specific regulations.

The divergence in scope in terms of how vulnerability is defined, interpreted and assessed becomes evident if one pays attention to the drafting of that very same recital 29 after the European Parliament amendment, which significantly shaped the current text. Recital 29 in its current form expressly indicates that those vulnerabilities could refer both to “a person or a specific group of persons due to their age, disability within the meaning of Directive (EU) 2019/882 of the European Parliament and of the Council, which establishes the accessibility requirements for products and services” or (emphasis added) “a specific social or economic situation that is likely to make those persons more vulnerable to exploitation”, such as persons living in extreme poverty, ethnic or religious minorities.

B) The “average” vulnerable consumers and the “notional, typical” consumers in the UCP Directive

The UCP Directive adopts the benchmark of the “average consumer”—a construct drawn from the case-law of the Court of Justice of the European Union (CJEU)26—who is reasonably well-informed, observant and circumspect. However, the UCP Directive is not blind to the heterogeneity of consumer profiles. Article 5(3) of that Directive explicitly acknowledges that certain consumers may require enhanced protection due to specific vulnerabilities. These include, inter alia, age-related factors (such as children or the elderly), credulity or naivety, and physical or mental infirmities. In such cases, the assessment of whether a practice is unfair must be conducted from the perspective of the average member of the targeted group.

The UCP Directive categorises unfair practices into two principal forms: misleading practices and aggressive practices. Misleading practices may arise either through affirmative misrepresentation or through omission of material information. Aggressive practices, by contrast, involve coercion, harassment, or undue influence that impairs the consumer’s freedom of choice. But how aggressive does it need to be to qualify as an exploitation of vulnerability?

Recital 18 of the UCP Directive provides interpretative guidance on the treatment of vulnerable consumers. It underscores the imperative to prevent the exploitation of consumers who, due to their circumstances, are particularly susceptible to unfair commercial practices. As the recital explicitly notes, “the Court of Justice has found it necessary in adjudicating on advertising cases since the enactment of Directive 84/450/EEC to examine the effect on a notional, typical consumer.” [emphasis added].

That same recital finally stresses that the concept of the “average consumer” is not a statistical artefact. Rather, it is a normative construct that requires national courts and administrative authorities to exercise evaluative judgement, informed by the evolving body of CJEU case law. This interpretative flexibility allows for a more nuanced and context-sensitive application of the Directive.

This should allow courts “to determine the typical reaction of the average consumer in a given case” (Recital 18). An average consumer that could be, either part of the larger group of “notional consumers” who are “well-informed and reasonably observant and circumspect, taking into account social, cultural and linguistic factors”; or part of a smaller, narrower group, particularly susceptible to unfair commercial practices. For the purpose of this article, only the latter is our concern.

III. Is there a single “Vulnerable Consumer” Concept in AI-Driven Contracting

As noted above, the discussed prohibition in the AI Act should be subsidiary and almost irrelevant, at least in a consumer-related context and, especially, in an advertising environment. Recall that the UCP Directive prohibits under all circumstances, practices causing economic or financial harms irrespective of the technology used. However, as seen in this section, there are many issues where consumer protection laws may prove insufficient. Above all, the emergence of AI systems as autonomous agents in contractual formation and execution raises profound questions regarding the applicability of consumer protection norms, particularly those enshrined in the UCP Directive. Nonetheless, there are many other elements to be considered.

Firstly, the scale at which AI systems operate—often engaging with thousands of consumers simultaneously—amplifies the potential for harm, especially where the system is designed to exploit behavioural biases or vulnerabilities.

Secondly, AI systems possess the capacity to identify and act upon multiple intersecting vulnerabilities. For instance, an elderly consumer with limited digital literacy and cognitive impairment may be targeted through personalised algorithms that exploit these traits in combination.

Thirdly, the granularity of targeting enabled by AI systems challenges the adequacy of the average consumer standard. AI-driven practices may be so finely tuned to individual profiles that the notion of an “average member” of a group becomes increasingly abstract—or irrelevant. This necessitates a recalibration of the legal framework to ensure that the protections envisaged by the Directive remain effective in the face of technological sophistication.

For these reasons, it seems that simply readapting, a test for the vulnerable consumer as done under consumer protection laws is likely to be insufficient for an adequate application of the AI Act. This leaves the entities in charge of enforcement lacking the necessary guidance to, first, actually enforce the prohibition in a consistent manner across the EU; and second, identify practices of exploitation of vulnerabilities.

Identification is particularly complex when the harm is not significant enough for each individual affected, but notable in aggregate terms when diffused among larger vulnerable groups. In the next section I consider one by one the elements required to trigger the prohibition of Article 5(1)(b). As we will see the manner in which article 5(1)(b) is drafted seems to envisage a panoply of scenarios that go well beyond the consumer law spectrum.

IV. The Limits of Article 5(1)(b): Ambiguities and Gaps

1. The Scope of Vulnerability

One of the central ambiguities in Article 5(1)(b) concerns the scope of vulnerability. The provision lists age, disability, and specific social or economic situations as sources of vulnerability, but does not clarify whether these categories are exhaustive or illustrative. Recital 29 suggests a broader reading, encompassing factors such as poverty and minority status, but the lack of precision may lead to inconsistent application across Member States.

Furthermore, in the opinion of this author, a natural reading of the article (“exploits any of the vulnerabilities of a natural person or a specific group”) in conjunction with Recital 29 would justify an expansive concept of vulnerability beyond consumer-protection directives. First, it would cover a broader range of vulnerabilities beyond those of the UCP Directive and expand to functional limitations. Concretely, the cross reference in the AI Act to the Directive on the accessibility requirements for products and services—which includes both people with disabilities and persons with “functional limitations”, such as “elderly persons, pregnant women or persons travelling with luggage (sic)” (Recital 4 of this Directive)—would imply that the assessment of the vulnerabilities are very context specific.

Second, more interesting here and noted before, the AI Act would consider “vulnerable individuals”, in terms of article 5(1)(b), those whose vulnerabilities may be originated by a combination of factors such as personality traits, prior addictions and cognitive variances, at a given point in time. We know that individual could be distinctly targeted by AI at scale and with higher precision, depending on their moment-specific vulnerability in the day or week.

For example, the article could potentially find within its scope the use of targeted advertising in the Cambridge Analytica scandal. The scandal exposed in March 2018, involved the political consulting firm improperly acquiring and using the personal data of up to 87 million Facebook users for political advertising and voter profiling, primarily during the 2016 U.S. presidential election and the Brexit referendum. According to the literature this allowed the creation of “psychographic” profiles of voters, which were then used to target them with personalised political advertisements designed to influence their behaviour and voting decisions27.

It could also find that a system exploits a vulnerability if is designed to be triggered by a moment in the year when the individual is particularly vulnerable. For example, it could be assessed to exploit a vulnerability if it can gather data about anniversaries of deaths of close relatives to offer certain services.

2. The Notion of Exploitation

The concept of “exploitation” is also left undefined. Is exploitation limited to intentional targeting, or does it include negligent or reckless disregard for the interests of vulnerable persons? Article 5(1)(b) prohibits “placing on the market, the putting into service or the use of an AI system […] with the objective, or the effect, of materially distorting the [individual] behaviour”, but it does not clarify the situation of how to asses a system that was not anticipated to have such an effect.

It seems logical to think that reckless disregard would be a violation of the prohibition, as the regulation as a whole envisages ex-ante testing duties for high-risk systems that could be applicable here (article 9). But what if the system was not meant to fall in one of the high-risk cases or, if it did, there was insufficient testing to envisage such an effect. How much should developers have assessed it without deploying it in the real world to be sure that their system would not have such an effect?28

The Regulation seems to envisage that situation in recital 29 when it notes that exploitative AI-enabled practices, would be excepted from exceptions where the distortion of behaviour results from factors outside the control of the provider or deployer. But this raises natural questions about the allocation of responsibility and the evidentiary burden on claimants. Furthermore, given that the prohibition is not meant to operate as an ex-post assessment, but an ex-ante one, how could such a situation happen in practice. What kind of process is envisaged in the AI Act to address this?

3. The Threshold of Harm

Finally, article 5(1)(b) requires that the exploitation be “reasonably likely to cause significant harm.” However, the Regulation does not define “significant harm,” nor does it specify whether harm must be immediate or can be cumulative over time. This lack of clarity may hinder enforcement and create uncertainty for both providers and regulators. How is it possible to assess the quantum of harm ex ante? What evidence could be offered to prohibit the deployment of a system to reach the threshold that would qualify the harm as significant.

Even the nature of harm could be challenging. Do systems that stereotype women “exploit a vulnerability”? Assuming that a clear representational harm for the collective “women” can be anticipated, is that “significant”?29

All these questions illustrate the difficulties of translating these “undetermined concepts” into enforceable rules. Generally, courts are used to these problems in civil law proceedings and they are not even alien to determining ex-ante the risk of “significant harm”, as it is the case in environmental law30. However, as there is no clear guidance to make this judgment in the AI Act, all rests on drawing analogies with how harm has been understood in other domains.

V. The example of online advertising for gambling or Systems designed to find their own vulnerable audience

Online advertising on social media platforms poses profound challenges for public accountability because it is both ephemeral and personalised, making harmful practices difficult to detect. The Australian Ad Observatory31, a project developed by a publicly funded research centre in Australia, was established to address this gap by enabling citizens to donate data on Facebook ads, thereby exposing patterns of targeted advertising that would otherwise remain hidden. The findings described below are part of this research as published in academic journals32 and in a report with the Foundation for Alcohol Research and Education (FARE), a not-for-profit organisation33.

Preliminary findings revealed that gambling advertisements, including those from BitStarz—an offshore online casino prohibited under Australian law—were served to users in Australia34. These ads exploited Facebook’s targeting tools to reach individuals identified as being located in Australia, despite the Australian Interactive Gambling Act 2001 banning both the operation and advertising of such services. This demonstrates how advertisers deliberately circumvent legal restrictions, aided by opaque algorithmic systems that personalise ads and obscure oversight, leaving vulnerable audiences exposed to harmful content without any meaningful regulatory intervention.

These researchers found that the vulnerability of targeted audiences is amplified by the cultural and technological environment in which these ads appear. Gambling has become normalised in Australia, woven into national traditions and increasingly integrated into everyday digital life through mobile apps and social media platforms. The research argues that these platforms are designed to maximise engagement, creating an ideal setting for addictive behaviours to flourish, noting that algorithms learn from user interactions to deliver ads at moments of heightened susceptibility, such as during major sporting events, and embed persuasive features like interactive buttons and enticing offers. This limbic design, the research argues, exploits neuropsychological reward systems, making individuals—particularly those predisposed to gambling addiction—highly vulnerable to repeated exposure. More interestingly, the personalised nature of these ads ensures that harm is not only widespread but also deeply individualised, targeting users based on behavioural data that advertisers and platforms leverage for profit, often in violation of consumer protection laws.

Advertisers’ unlawful conduct is compounded by systemic deficiencies in both legal frameworks and platform governance. While Australian law prohibits the publication of gambling ads, enforcement mechanisms fail to account for global social media platforms. Regulators can block websites but lack authority to compel platforms like Facebook to remove illegal ads, creating a blind spot that advertisers exploit. The consequences of these failures are severe: vulnerable individuals are exposed to predatory advertising that promotes harmful and prohibited services, while regulators and the public remain largely powerless to intervene. Platforms not only fail to prevent illegal ads but actively facilitate their dissemination through programmatic targeting systems that are optimised for engagement, thereby deepening the harm.

In Europe, this type of behaviour would mainly be captured by the Digital Services Act35, which requires comprehensive ad libraries and proactive removal of unlawful content. However, the relevant point here is that a prohibited practice could easily go undetected if systemic accountability and robust regulatory intervention could not be guaranteed. That is, to proscribe or penalise such a behaviour would still require an active understanding of contextual vulnerabilities.

VI. Vulnerability in domestic Civil Law:
Other Lessons from Private Law beyond Consumer Protection

This article assumes that civil law litigation enables the cross-fertilization of ideas across jurisdictions. As courts in different Member States interpret the AI Act in light of their own legal traditions, a rich dialogue can emerge, informing the development of EU-wide standards. This comparative perspective is particularly valuable given the diversity of approaches to vulnerability and exploitation in European private law.

Civil law systems have long recognized the need to protect vulnerable parties in contractual relationships. Spanish law, for example, provides for the annulment of contracts entered into by minors or persons with disabilities (Art. 1302 of its Civil Code)36, and for the termination (“rescisión”) of contracts where one party has taken advantage of the other’s distress, inexperience, or limited mental capacity (Ley Azcárate, cited above). Similar doctrines of long tradition exist in other European jurisdictions, such as the German concept of “Wucher” (usury)37 and the French notion of “lésion”38.

Recent Spanish scholarship has also proposed the recognition of “unjust/unfair advantage” (“ventaja injusta”) as a ground for rescission of contracts, defined as a normatively quantified imbalance of duties combined with the exploitation of the other party’s need39. This approach seeks to balance legal certainty with contractual justice, drawing on principles of transparency and free consent.

To some extent, this already exists in Spain in the civil laws of Catalonia40. Article 621-45 of its Civil Code titled “Unjust Advantage” establishes that “Contracts (sale or onerous) may be rescinded if, at the time of conclusion, one party was in economic vulnerability or urgent need or was unable to foresee consequences, clearly ignorant or inexperienced” as far as the other party (cumulatively) (1) Knew or should have known this, (ii) Took advantage; and (iii) Gained excessive or clearly unjust benefit41.

However, as foreshadowed, the most representative example of this idea is the fight against usury. In Spain, as noted above, the Ley Azcárate stipulates that:

Art. 1: Any loan contract stipulating an interest rate significantly above the normal rate and clearly disproportionate to the circumstances, or in leonine conditions, shall be null if accepted due to distress, inexperience, or limited mental capacity.

Art. 5: Any lender whose three or more contracts are annulled under this law shall be fined 500 to 5,000 pesetas, depending on the severity and recurrence of abuse.

This Law bridges the private-public divide, determining administrative consequences on the basis of findings in civil litigation. Interestingly, beyond the “three strikes rule”, it focuses on the entities operating in the market. In the Ley Azcárate the targets are lenders, but in a technological context marked by AI hegemons, it may well be the supplier of basic technology, which other companies use for derivative AI systems.

More generally, this section illustrates that there is a tradition in European contract law, beyond consumer protection, that has addressed the issue of contextual vulnerability. Even when there is no formal inequality between the parties, European civil law traditions impose limits on one party on their ability to exploit the vulnerability of its counterpart. The following section of this piece explores how this tradition could be used to serve the objectives of article 5(1)(b) of the EU AI Act.

VII. The Promise of Civil Law Litigation for an effective EU Regulation of AI Systems

Across the article, readers have been offered, first, a discussion of the limitations of article 5(1)(b); second the insufficiency of other EU law to fill those gaps; third, the concretisation of those limitations in the example of gambling advertising; and fourth, an illustration of how domestic European civil law has addressed similar issues in the past. Here, we turn to a reconsideration of the role that civil law can play to serve the broader public objectives manifested in the AI Act, particularly in the context of the prohibition of the exploitation of vulnerabilities.

As a preliminary point, it should be clarified here, that, in the view of this author, private litigation based on the AI Act will be possible and it should be accepted by domestic courts as the ordinary judges of EU law. Regulations are enforceable inter partes and, on that basis, an individual or organisation suing a deployer or developer of an AI system should not be barred from exercising their rights just because the European AI Office and the national market surveillance authorities are the natural enforcement mechanism of the Regulation. Others in the German scholarship have suggested a similar case in the copyright context42, although the general opinion seems to remain against it43.

However, the argument espoused in this article goes further. Individuals and groups will increasingly access courts in the years to come to complain about other contexts where an AI system may have been used to take advantage of a vulnerable trait. It is that other litigation which can serve as inspiration (and trigger) for public enforcement.

1. The Role of Litigation in Clarifying Ambiguities

First, given the indeterminacy of Article 5(1)(b), civil law litigation can play a crucial role in developing interpretive guidance for public authorities. Judicial decisions can, generally speaking, clarify the meaning of key terms such as “vulnerability,” “exploitation,” and “significant harm”, but that is a task which would be pending until a judgement of the European Court of Justice settles the issues.

More interestingly, civil courts can establish evidentiary standards for proving causation and intent in these contexts. Over time, a body of case law can provide the background for the predictability and consistency that the Regulation currently lacks for its ex-ante analyses. That is, civil courts deciding on related issues could cross reference to the AI Act to establish what vulnerability looks like in the digital world.

2. Litigation as a Source of Normative Development

Litigation allows for the incremental development of legal norms, as courts interpret and apply written law to particular facts. This process sometimes reveals gaps and inconsistencies in the law, prompting legislative or regulatory amendments. In our context, this is unlikely to happen.

However, litigation can bring to light the lived experiences of vulnerable individuals, ensuring that the AI Act is responsive to social realities. Concretely it may reflect how people perceive their own vulnerabilities addressing the shortcomings of a drafting that does not clarify which vulnerable groups are within its scope. Furthermore, the existence of litigation itself will clarify when those vulnerable groups feel exploited and what kind of harm is relevant for them.

There is already some evidence of this in the privacy context. The spectrum of remedies available in privacy litigation in several jurisdictions recognises that claimants may have diverse motivations, backgrounds, and desired outcomes when seeking redress44. While some individuals may prioritise financial compensation, others may be chiefly concerned with stopping the infringing conduct, preventing similar breaches in the future, or obtaining public acknowledgement of their rights and interests45.

Particularly where the harm caused by privacy violations is difficult to quantify, non-monetary remedies—such as injunctions, declarations, or apologies—can provide a more appropriate and meaningful response. This nuanced approach is highly relevant to the enforcement of the EU AI Act’s prohibition on the exploitation of vulnerability, as discussed in the article. The effects of exploitative AI practices on vulnerable individuals are often intangible and not easily measured in monetary terms, making civil law litigation in terms of quantifiable harms relevant but insufficient. From the EU AI Act point of view, however, it can serve broader purposes not only for clarifying the scope of the Regulation but also as a catalyst for administrative enforcement.

3. The Interaction with Public Enforcement

While the AI Act provides for administrative enforcement by market surveillance authorities, civil litigation offers a complementary avenue for redress. Individuals and groups affected by exploitative AI practices can bring claims for damages or injunctive relief, and courts can issue binding interpretations of the Regulation. This dual system of enforcement—public and private—can enhance the effectiveness of the Regulation and promote accountability among AI providers and deployers.

Public authorities responsible for implementing the AI Act will face significant challenges in applying Article 5(1)(b). As noted at several points above the lack of clear definitions and criteria increases the risk of inconsistent enforcement and legal uncertainty. By drawing on the case-law of civil courts, authorities can develop more nuanced and context-sensitive approaches to vulnerability and exploitation. This can also help developers that could use findings in civil litigation to support their claims that they would have “done enough” in their ex-ante testing of the AI systems. Developers and deployers could use civil cases discussing similar systems to claim that the systems they have developed could not have been expected to have the effect of causing harm through the exploitation of vulnerabilities.

4. A more realistic perspective: Civil courts case Law as soft law for Administrative Practice

In addition to judicial decisions, public authorities can issue guidelines, codes of conduct, and interpretive statements to clarify the application of Article 5(1)(b). These soft law instruments can draw on the principles developed in civil litigation, as well as on comparative law and academic scholarship. Over time, a body of administrative practice can emerge, providing further guidance for AI providers and deployers, which could then, in turn, reinforce civil practice.

There is no shortage of these instruments in EU law. It could be expected that, for example, the AI Office of the Commission may turn to private litigation in their assessment and interpretation of the article. If this happens, such guidance will be, in turn, undoubtedly used by courts and developers of technical standards in this space.

VIII. Conclusion

The prohibition on the exploitation of vulnerability in the EU AI Act represents a significant step towards the protection of fundamental rights in the age of artificial intelligence. However, the provision’s lack of clarity and precision poses challenges for both regulators and regulated entities. By drawing on the rich traditions of civil law and consumer protection, and by leveraging the interpretive resources of civil litigation, public authorities can develop more effective approaches to the regulation of AI. In this way, the law can move beyond abstract principles to provide specific protection for those most at risk of harm in the digital age.

Concretely, this article advocates for a synergetic public-private action inspired by the Law of 23 July 1908 on Nullity of Usurious Loan Contracts. It offered four distinct avenues for that to happen. However, it fell short of proposing the direct private enforcement of Article 5(1)(b) within EU domestic courts. The idea remains tantalisingly within reach, but prudence counsels caution: unleashing such a mechanism could introduce unwelcome market distortions. Still, in an ideal world—perhaps an academics and litigants’ utopia—one might dream of a robust “three-strike” regime for AI systems, echoing the spirit of Spain’s Ley Azcárate, where persistent offenders face escalating consequences.

Bibliografía

Aimen, T., «Cognitive freedom and legal accountability: Rethinking the EU AI act’s theoretical approach to manipulative AI as unacceptable risk», Cambridge Forum on AI: Law and Governance, vol. 1, 2025, p. e20.

Angus, D.; Obeid, A. K.; Burgess, J.; Parker, C., The Australian Ad Observatory: technical and data report, ARC Centre of Excellence for Automated Decision-Making and Society, 2024, Accessed on 29 octubre 2025, in https://apo.org.au/node/326310.

Atamer, Y. M., «Why Judicial Control of Price Terms in Consumer Contracts Might Not Always Be the Right Answer – Insights from Behavioural Law and Economics», The Modern Law Review, vol. 80, n.o 4, 2017, pp. 624-660.

Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era, 2014,
Accessed on 4 November 2025,in https://www.alrc.gov.au/publication/serious-invasions-of-privacy-in-the-digital-era-alrc-report-123/12-remedies-and-costs/summary-169/.

Bello y Villarino, J.-M., «Global Standard-Setting for Artificial Intelligence: Para-regulating International Law for AI?», Australian Yearbook of International Law, vol. 41, 2023, pp. 157-181.

Ben-Shahar, O.; Bar-Gill, O., «Regulatory techniques in consumer protection: A critique of European consumer contract law», Common Market Law Review, vol. 50, n.o Special, 2013, Accessed on 4 November 2025, in https://kluwerlawonline.com/api/Product/CitationPDFURL?file=Journals\COLA\COLA2013039.pdf.

Cantero Gamito, M.; Marsden, C. T., «Artificial intelligence co-regulation? The role of standards in the EU AI Act», International Journal of Law and Information Technology, vol. 32, 2024, p. eaae011.

Chantepie, G., «La lésion», 2005, Paris 1, Accessed on 4 November 2025, in https://theses.fr/2005PA010272.

Cordella, E. C., Contenido del concepto «significativo» in la definición de daño ambiental, Universidad de Chile, NA, Accessed on 4 November 2025, in https://d1wqtxts1xzle7.cloudfront.net/57169831/Informe_Dano_Significativo_v.final-_para_firma-libre.pdf.

Demontes, E., «Du fondement juridique de la lésion dans les contrats», Revue Critique de Législation et de Jurisprudence, vol. 44, 1915, p. 37.

Ebers, M., «How to Ensure Effective Enforcement of the Artificial Intelligence Act?», Accessed on 4 November 2025, in https://data-en-maatschappij.ai/en/publications/paper-how-to-ensure-effective-enforcement-of-the-artificial-intelligence-act.

European Commission, «Guidance on the interpretation and application of Directive 2005/29/EC of the European Parliament and of the Council concerning unfair business-to-consumer commercial practices in the internal market», Accessed on 21 November 2025, in https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52021XC1229(05).

Fraser, H.; Bello y Villarino, J.-M., «Acceptable Risks in Europe’s Proposed AI Act: Reasonableness and Other Principles for Deciding How Much Risk Management Is Enough», European Journal of Risk Regulation, vol. 15, n.o 2, 2024, pp. 431-446.

Fraser, H.; Parker, C.; Haines, F.; Bello y Villarino, J.-M. y Weatherall, K., «Should Australia Follow Europe’s Approach to AI Standards and Regulation?», ANU Journal of Law and Technology, vol. 5, n.o 1, 2025, Scholastica, pp. 96-130.

González de la Garza, L. M., «El contenido de las llamadas” técnicas subliminales” y las vulnerabilidades de grupo específico de personas en el Reglamento de inteligencia artificial», in Tratado sobre el reglamento de inteligencia artificial de la unión Europea, Aranzadi, 2024, pp. 251-274.

Hayden, L.; Newton, G.; Carah, N.; Tran, D. K.; Brownbill, A.; Obeid, A.; y otros, «How alcohol and gambling companies target people most at risk with marketing for addictive products on Facebook», 2024, Foundation for Alcohol Research and Education.

Hesselink, M. W., «European Contract Law: A Matter of Consumer Protection, Citizenship, or Justice», European Review of Private Law, vol. 15, n.o 3, 2007, Accessed on 4 November 2025, in https://kluwerlawonline.com/api/Product/CitationPDFURL?file=Journals\ERPL\ERPL2007021.pdf.

Hinds, J.; Williams, E. J.; Joinson, A. N., «“It wouldn’t happen to me”: Privacy concerns and perspectives following the Cambridge Analytica scandal», International Journal of Human-Computer Studies, vol. 143, 2020, p. 102498.

Hueso, L. C., «¿ Cuándo “no es no”?: Criterios para definir los sistemas de inteligencia artificial prohibidos en la Unión Europea.», Revista General de Derecho Administrativo, n.o 69, 2025, Iustel, p. 9.

Kriebitz, A.; Corrigan, C.; Boch, A.; Evans, K. D., «Decoding the EU AI Act in the context of ethics and fundamental rights», in The Elgar Companion to Applied AI Ethics, Edward Elgar Publishing, 2024, pp. 123-152, Accessed on 3 November 2025, in https://doi.org/10.4337/9781803928241.00014.

Lein, E.; Fairgrieve, D.; Otero Crespo, M.; Smith, V., Collective redress in Europe: why and how?, Brtitish Institute of International and Comparative Law, 2015, Accessed on 3 November 2025, in https://investigacion.usc.gal/documentos/5d1df68829995204f766f2fc.

Linacero de la Fuente, M., Ineficacia y rescisión del negocio jurídico: la ventaja injusta, Tirant lo Blanch, 2019.

Mak, V., «Standards of Protection; In Search of the “Average Consumer” of EU Law in the Proposal for a Consumer Rights Directive», European Review of Private Law, vol. 19, n.o 1, 2011.

Micklitz, H.-W., «The Principles of European Contract Law and the Protection of the Weaker Party», Journal of Consumer Policy, vol. 27, n.o 3, 2004, pp. 339-356.

Nordemann, J. B.; Rasouli, A., «The Provisions of the AI Act Relating to Copyright – Possibility of Private Enforcement? Example Germany», Accessed on 4 November 2025, in https://papers.ssrn.com/abstract=5054519.

Palmiotto, F., «The AI Act Roller Coaster: The Evolution of Fundamental Rights Protection in the Legislative Process and the Future of the Regulation», European Journal of Risk Regulation, vol. 16, n.o 2, 2025, pp. 770-793.

Papayannis, D., El derecho privado como cuestión pública, Universidad Externado, 2016.

Parker, C.; Albarrán-Torres, C.; Briggs, C.; Burgess, J.; Carah, N.; Andrejevic, M.; y otros, «Addressing the accountability gap: gambling advertising and social media platform responsibilities», Addiction Research & Theory, vol. 32, n.o 4, 2024, Taylor & Francis, pp. 312-318.

Rebrean, M.-L.; Malgieri, G., «Vulnerability in the EU AI Act: building an interpretation», in Proceedings of the 2025 ACM Conference on Fairness, Accountability, and Transparency, Association for Computing Machinery, New York, NY, USA, 2025 (FAccT ’25), pp. 1985-1997, Accessed on 28 octubre 2025, in https://dl.acm.org/doi/10.1145/3715275.3732133.

Siliciano, J. A., «Corporate Behavior and the Social Efficiency of Tort Law», Michigan Law Review, vol. 85, 1986, p. 1820.

Von Stein, L., Der Wucher und sein Recht: ein Beitrag zum wirthschaftlichen und rechtlichen Leben unserer Zeit, Hölder, 1880.

Stuyck, J.; Terryn, E.; Van Dyck, T., «Confidence through Fairness - The New Directive on Unfair Business-to-Consumer Commercial Practices in the Internal Market», Common Market Law Review, vol. 43, 2006, p. 107.

Tilley, C. C., «Tort Law inside out», Yale Law Journal, vol. 126, 2016, p. 1320.

Tridimas, T., «Rights, remedies, and access to justice in consumer-related litigation: Is Union law fit for purpose?», European Journal of Consumer Law, n.o 3, 2023, Intersentia, pp. 513-537.

Vijeyarasa, R., «Gendered Harms and the Regulation of Artificial Intelligence: A Comparative Assessment of Emerging Legislative Practice», Notre Dame Journal on Emerging Technologies, vol. 5, n.o 1, 2023, pp. 115-161.

Wright, C. A., «The Law of Remedies as a Social Institution», University of Detroit Law Journal, vol. 18, n.o 4, 1954, HeinOnline, p. 376.

Zarro, M., «Online Unfair Commercial Practices: A European Overview», Italian Law Journal, vol. 7, 2021, p. 201.

  1. 1 El autor hace notar su agradecimiento a los participantes en los seminarios en los que se presentó una primera versión de este estudio en la Universidade de Santiago de Compostela en noviembre de 2025 y en la Universidad Carlos III en diciembre de 2025, muy especialmente por los comentarios y sugerencias que han enriquecido exponencialmente el texto; así como a los revisores por sus muy valiosas observaciones y a la dirección de la revista por su excelente trabajo. Todos los errores que puedan quedar en el texto son, sin duda, responsabilidd del autor. La investigación para este trabajo ha sido financiada por el Australian Research Council - programas: CE200100005 y IE240100096.

  2. 2 Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence. and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (Text with EEA relevance) OJ L, 2024/1689, 12.7.2024, ELI: http://data.europa.eu/eli/reg/2024/1689/oj

  3. 3 José-Miguel Bello y Villarino, «Global Standard-Setting for Artificial Intelligence: Para-regulating International Law for AI?», Australian Yearbook of International Law, vol. 41, 2023; Henry Fraser et al., «Should Australia Follow Europe’s Approach to AI Standards and Regulation?», ANU Journal of Law and Technology, vol. 5, 1, 2025.

  4. 4 Henry Fraser; José-Miguel Bello y Villarino, «Acceptable Risks in Europe’s Proposed AI Act: Reasonableness and Other Principles for Deciding How Much Risk Management Is Enough», European Journal of Risk Regulation, vol. 15, 2, 2024, p. 434.

  5. 5 See, for example, the discussion in Alexander Kriebitz et al., «Decoding the EU AI Act in the context of ethics and fundamental rights», in The Elgar Companion to Applied AI Ethics, Edward Elgar Publishing, 2024, https://doi.org/10.4337/9781803928241.00014.

  6. 6 For an overview of the prohibitions see Lorenzo Cotino Hueso, «¿Cuándo “no es no”?: Criterios para definir los sistemas de inteligencia artificial prohibidos en la Unión Europea.», Revista General de Derecho Administrativo, 69, 2025.

  7. 7 A description of the evolution of the article can be seen in Luis M. González de la Garza, «El contenido de las llamadas” técnicas subliminales” y las vulnerabilidades de grupo específico de personas en el Reglamento de inteligencia artificial», in Tratado sobre el reglamento de inteligencia artificial de la unión Europea, collective work, Aranzadi, 2024.

  8. 8 M.-L. Rebrean; G. Malgieri, «Vulnerability in the EU AI Act: building an interpretation», in Proceedings of the 2025 ACM Conference on Fairness, Accountability, and Transparency, Association for Computing Machinery, New York, NY, USA, 2025 (FAccT ’25), Accessed on 28 October 2025, in https://dl.acm.org/doi/10.1145/3715275.3732133.

  9. 9 C. Parker et al., «Addressing the accountability gap: gambling advertising and social media platform responsibilities», Addiction Research & Theory, vol. 32, 4, 2024; D. Angus et al., The Australian Ad Observatory: technical and data report, ARC Centre of Excellence for Automated Decision-
    Making and Society, 2024, Accessed on 29 October 2025, en https://apo.org.au/node/326310.

  10. 10 For a similar view, see Taimur Aimen, «Cognitive freedom and legal accountability: Rethinking the EU AI act’s theoretical approach to manipulative AI as unacceptable risk», Cambridge Forum on AI: Law and Governance, vol. 1, 2025, p. 2.

  11. 11 Ley de 23 de julio de 1908 sobre nulidad de los contratos de préstamos usurarios, BOE-A-1908-5579, 1908.

  12. 12 It should be noted here that the consequence of a contract being declared usurious—its nullity—would trigger an order to both borrower and lender to placed themselves in situation as if the contract never existed. In this this would imply that the lender would be ordered to give back the full amount at once. This may explain why the Usury act of 1908 has not been widely invoked in the past, for the consequences for the weak party were extremely harsh.

  13. 13 See, for example, D. Papayannis, El derecho privado como cuestión pública, Universidad Externado, 2016.

  14. 14 There is a solid tradition in the United States to recognise this. As early as Charles Alan Wright, «The Law of Remedies as a Social Institution», University of Detroit Law Journal, vol. 18, 4, 1954, p. 379 notes, there is a “strong case» to argue that «the purpose of all remedies should be to deter conduct which is thought to be socially undesirable”. More recent authors in the US offer more nuanced views: John A. Siliciano, «Corporate Behavior and the Social Efficiency of Tort Law», Michigan Law Review, vol. 85, 1986 notes how the social efficiency model’s reliance on competitive markets and predictable liability costs is often based on unrealistic assumptions, given the existence of limited liability and bankrupcy rules; Cristina Carmody Tilley, «Tort Law inside out», Yale Law Journal, vol. 126, 2016, especially p. 1403 recalls how the scholarship has stressed how (both) efficiency and morality (social values) are drivers of tort rules.

  15. 15 Takis Tridimas, «Rights, remedies, and access to justice in consumer-related litigation: Is Union law fit for purpose?», European Journal of Consumer Law, 3, 2023, p. 516.

  16. 16 Note the difference with the United States model as discussed in Eva Lein; Duncan Fairgrieve; Marta Otero Crespo; Vincent Smith, Collective redress in Europe: why and how?, British Institute of International and Comparative Law, 2015.

  17. 17 See a summary of different points of view about this issue in Marta Cantero Gamito; Chris T. Marsden, «Artificial intelligence co-regulation? The role of standards in the EU AI Act», International Journal of Law and Information Technology, vol. 32, 2024.

  18. 18 See a discussion of the tension in Hans-W. Micklitz, «The Principles of European Contract Law and the Protection of the Weaker Party», Journal of Consumer Policy, vol. 27, 3, 2004; and a view on the intention of the Commission to centre its approach to contractual relations around consumer protection Martijn W. Hesselink, «European Contract Law: A Matter of Consumer Protection, Citizenship, or Justice», European Review of Private Law, vol. 15, 3, 2007. However, it may be questioned whether equality of the parties were the base of traditional approaches.

  19. 19 Francesca Palmiotto, «The AI Act Roller Coaster: The Evolution of Fundamental Rights Protection in the Legislative Process and the Future of the Regulation», European Journal of Risk Regulation, vol. 16, 2, 2025, p. 770.

  20. 20 Probably, the easiest part of the article to interpret is the requirement to “Materially distort the behaviour” as it is a benchmark widely used in unfair commercial practices, and the Commission has provided guidance on this: European Commission, «Guidance on the interpretation and application of Directive 2005/29/EC of the European Parliament and of the Council concerning unfair business-to-consumer commercial practices in the internal market». (OJ C 526, 29.12.2021, p. 1).

  21. 21 Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (“Unfair Commercial Practices Directive” or “UFC Directive”) (OJ L 149, 11.6.2005, p. 22).

  22. 22 That is, Directive (EU) 2019/882 of the European Parliament and of the Council of 17 April 2019 on the accessibility requirements for products and services (OJ L 151, 7.6.2019, p. 70).

  23. 23 Jules Stuyck; Evelyn Terryn; Tom Van Dyck, «Confidence through Fairness - The New Directive on Unfair Business-to-Consumer Commercial Practices in the Internal Market», Common Market Law Review, vol. 43, 2006, p. 107.

  24. 24 Although with its fair share of critics. See, for example: Omri Ben-Shahar; Oren Bar-Gill, «Regulatory techniques in consumer protection: A critique of European consumer contract law», Common Market Law Review, vol. 50, Special, 2013; Yesim M. Atamer, «Why Judicial Control of Price Terms in Consumer Contracts Might Not Always Be the Right Answer – Insights from Behavioural Law and Economics», The Modern Law Review, vol. 80, 4, 2017.

  25. 25 See a similar argument in Mariacristina Zarro, «Online Unfair Commercial Practices: A European Overview», Italian Law Journal, vol. 7, 2021 in relation to online practices that allow «subtle» perpetrations of unfair commercial practices.

  26. 26 For a larger discussion of the concept of the average consumer in EU law, see Vanessa Mak, «Standards of Protection; In Search of the “Average Consumer” of EU Law in the Proposal for a Consumer Rights Directive», European Review of Private Law, vol. 19, 1, 2011.

  27. 27 Joanne Hinds; Emma J. Williams; Adam N. Joinson, «“It wouldn’t happen to me”: Privacy concerns and perspectives following the Cambridge Analytica scandal», International Journal of Human-Computer Studies, vol. 143, 2020.

  28. 28 Henry Fraser; José-Miguel Bello y Villarino, «Acceptable Risks in Europe’s Proposed AI Act», cit.

  29. 29 For a broader discussion on this point see Ramona Vijeyarasa, «Gendered Harms and the Regulation of Artificial Intelligence: A Comparative Assessment of Emerging Legislative Practice», Notre Dame Journal on Emerging Technologies, vol. 5, 1, 2023.

  30. 30 Ezio Costa Cordella, Contenido del concepto «significativo» en la definición de daño ambiental, Universidad de Chile, NA, Accessed on 4 November 2025, in https://d1wqtxts1xzle7.cloudfront.net/57169831/Informe_Dano_Significativo_v.final-_para_firma-libre.pdf.

  31. 31 See background information in https://www.admscentre.org.au/adobservatory/

  32. 32 Christine Parker et al., «Addressing the accountability gap», cit.

  33. 33 Lauren Hayden et al., «How alcohol and gambling companies target people most at risk with marketing for addictive products on Facebook», 2024, Foundation for Alcohol Research and Education.

  34. 34 Christine Parker et al., «Addressing the accountability gap», cit.

  35. 35 Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act), OJ L 277, 27.10.2022, pp. 1–102, eli/reg/2022/2065/oj.

  36. 36 Código Civil (“CC”) of Spain, Real Decreto de 24 de julio de 1889.

  37. 37 Lorenz von Stein, Der Wucher und sein Recht: ein Beitrag zum wirthschaftlichen und rechtlichen Leben unserer Zeit, Hölder, 1880.

  38. 38 E. Demontes, «Du fondement juridique de la lésion dans les contrats», Revue Critique de Législation et de Jurisprudence, vol. 44, 1915; Gaël Chantepie, «La lésion», 2005, Paris 1, Accessed on 4 November 2025, in https://theses.fr/2005PA010272.

  39. 39 María Linacero de la Fuente, Ineficacia y rescisión del negocio jurídico: la ventaja injusta, Tirant lo Blanch, 2019.

  40. 40 A consolidated version of the laws in Spanish can be found at https://www.boe.es/biblioteca_juridica/codigos/codigo.php?id=150&modo=2&nota=0&tab=2, accessed 4 Nov 2025.

  41. 41 Ley 3/2017, de 15 de febrero, del libro sexto del Código civil de Cataluña, relativo a las obligaciones y los contratos, y de modificación de los libros primero, segundo, tercero, cuarto y quinto. DOGC 7314, 22/02/2017, and BOE 57, 08/03/2017.

  42. 42 Jan Bernd Nordemann; Arman Rasouli, «The Provisions of the AI Act Relating to Copyright – Possibility of Private Enforcement? Example Germany», Accessed on 4 November 2025, in https://papers.ssrn.com/abstract=5054519.

  43. 43 Martin Ebers, «How to Ensure Effective Enforcement of the Artificial Intelligence Act?», Accessed on 4 November 2025, in https://data-en-maatschappij.ai/en/publications/paper-how-to-ensure-effective-enforcement-of-the-artificial-intelligence-act.

  44. 44 Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era, 2014, párr. 12.2, Accessed on 4 November 2025, in https://www.alrc.gov.au/publication/serious-invasions-of-privacy-in-the-digital-era-alrc-report-123/12-remedies-and-costs/summary-169/.

  45. 45 Ibid.