Raycaster / evalsBack to AI Agents for Privacy and GDPR Compliance

APEX-Agents · Law

Law_World_434_sg_01

0/10Fail

APEX-Agents task Law_World_434_sg_01 in AI Agents for Privacy and GDPR Compliance. Compare dual-harness agent runs across models — rubric criteria, scores, and public traces.

AI Agents for Privacy and GDPR ComplianceLaw World 434Dual harnessGrader: rubric
task_981f4f72a55c4e7598b6f23f3e576e54
Law World 434
message_in_console
7 models · dual config

Task prompt

What the agent was asked to do

HarborView requires all customer documents to be sent to their offices in the Cayman Islands headquarters, including information of Hong Kong customers. We’ve also already sent them documents as part of our due diligence – please see the transaction/deal documents on file. Can you please draft a brief memo (just a few paragraphs) explaining whether consent is required to transfer the customer’s data and, if so, whether SecureBox or HarborView is obligated to erase any or all transferred records? Please state your reason based on any documents on file as well as relevant laws such as Hong Kong’s “Personal Data (Privacy) Ordinance" (PDPO). Also, please explain whether we need a data transfer agreement for any relevant jurisdiction. Write your reply back to me straight in here, just giving me the body of the memo. PS: For our transaction docs, if multiple versions of the same document exist, please assume the most recent version (denoted by a version number at the end of the file name) was the executed version, unless there is a copy with a file name that indicates the document is an executed version.

Published trajectories

Agent runs on this task

Curated dual-harness runs (parsed + original sandbox). Best scored run per model.

ModelHarnessScoreResultLinks
GPT-5.5showcasedual0/10Fail
fireworks models Kimi K2dual8/10Fail
Gemini 3 Flashdual8/10Fail
Gemini 3.1 Produal3/10Fail
GPT-5.4dual7/10Fail
GPT-5.4 minidual5/10Fail
GPT-5.4 nanodual6/10Fail

Grading rubric

Criteria and grader verdict (showcase run)

  1. States that customer consent is not required to disclose the personal information of Hong Kong customers for the purpose of a due diligence exercise

    Fail

    Evidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires the response to state that customer consent is not required for Hong Kong customer information disclosed for due diligence; no such statement appears. Fail.

  2. States that SecureBox likely obtained customer information for its regular business purpose in compliance with privacy laws of all jurisdictions

    Fail

    Evidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating SecureBox likely obtained customer information for regular business purposes in compliance with privacy laws; no such statement appears. Fail.

  3. States that sending customer information to a different entity is unlikely to be part of the original purposes for which SecureBox received customer consent

    Fail

    Evidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating that transfer to a different entity is unlikely part of the original purposes for which SecureBox received consent; no such statement appears. Fail.

  4. States that customer consent is likely required for the personal information of Hong Kong customers that HarborView received for regular business operations after the deal

    Fail

    Evidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating customer consent is likely required for Hong Kong customer personal information HarborView received for regular operations after the deal; no such statement appears. Fail.

  5. States that customer consent is likely not required for the personal information of Hong Kong customers that HarborView received during the due diligence

    Fail

    Evidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating consent is likely not required for Hong Kong customer personal information HarborView received during due diligence; no such statement appears. Fail.

  6. States that the PDPO requires customer data to be erased if the data is no longer necessary for the original purpose

    Fail

    Evidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating that PDPO requires erasure when customer data is no longer necessary for the original purpose; no such statement appears. Fail.

  7. States that HarborView has a contractual obligation to destroy the records of customer information received during the due diligence

    Fail

    Evidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating HarborView has a contractual obligation to destroy due-diligence customer information records; no such statement appears. Fail.

  8. States that HarborView is likely required to erase the records of personal information of Hong Kong customers it received from SecureBox

    Fail

    Evidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating HarborView is likely required to erase records of Hong Kong customers' personal information received from SecureBox; no such statement appears. Fail.

  9. States that there is no data transfer agreement required under the jurisdiction of Hong Kong

    Fail

    Evidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating no data transfer agreement is required under Hong Kong jurisdiction; no such statement appears. Fail.

  10. States that there is no data transfer agreement required under the jurisdiction of the Cayman Islands

    Fail

    Evidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating no data transfer agreement is required under the Cayman Islands jurisdiction; no such statement appears. Fail.