APEX-Agents · Law
Law_World_434_sg_01
APEX-Agents task Law_World_434_sg_01 in AI Agents for Privacy and GDPR Compliance. Compare dual-harness agent runs across models — rubric criteria, scores, and public traces.
Task prompt
What the agent was asked to do
HarborView requires all customer documents to be sent to their offices in the Cayman Islands headquarters, including information of Hong Kong customers. We’ve also already sent them documents as part of our due diligence – please see the transaction/deal documents on file. Can you please draft a brief memo (just a few paragraphs) explaining whether consent is required to transfer the customer’s data and, if so, whether SecureBox or HarborView is obligated to erase any or all transferred records? Please state your reason based on any documents on file as well as relevant laws such as Hong Kong’s “Personal Data (Privacy) Ordinance" (PDPO). Also, please explain whether we need a data transfer agreement for any relevant jurisdiction. Write your reply back to me straight in here, just giving me the body of the memo. PS: For our transaction docs, if multiple versions of the same document exist, please assume the most recent version (denoted by a version number at the end of the file name) was the executed version, unless there is a copy with a file name that indicates the document is an executed version.
Published trajectories
Agent runs on this task
Curated dual-harness runs (parsed + original sandbox). Best scored run per model.
| Model | Harness | Score | Result | Links |
|---|---|---|---|---|
| GPT-5.5showcase | dual | 0/10 | Fail | Share pagePublic trace |
| fireworks models Kimi K2 | dual | 8/10 | Fail | Share pagePublic trace |
| Gemini 3 Flash | dual | 8/10 | Fail | Share pagePublic trace |
| Gemini 3.1 Pro | dual | 3/10 | Fail | Share pagePublic trace |
| GPT-5.4 | dual | 7/10 | Fail | Share pagePublic trace |
| GPT-5.4 mini | dual | 5/10 | Fail | Share pagePublic trace |
| GPT-5.4 nano | dual | 6/10 | Fail | Share pagePublic trace |
Grading rubric
Criteria and grader verdict (showcase run)
States that customer consent is not required to disclose the personal information of Hong Kong customers for the purpose of a due diligence exercise
FailEvidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires the response to state that customer consent is not required for Hong Kong customer information disclosed for due diligence; no such statement appears. Fail.
States that SecureBox likely obtained customer information for its regular business purpose in compliance with privacy laws of all jurisdictions
FailEvidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating SecureBox likely obtained customer information for regular business purposes in compliance with privacy laws; no such statement appears. Fail.
States that sending customer information to a different entity is unlikely to be part of the original purposes for which SecureBox received customer consent
FailEvidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating that transfer to a different entity is unlikely part of the original purposes for which SecureBox received consent; no such statement appears. Fail.
States that customer consent is likely required for the personal information of Hong Kong customers that HarborView received for regular business operations after the deal
FailEvidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating customer consent is likely required for Hong Kong customer personal information HarborView received for regular operations after the deal; no such statement appears. Fail.
States that customer consent is likely not required for the personal information of Hong Kong customers that HarborView received during the due diligence
FailEvidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating consent is likely not required for Hong Kong customer personal information HarborView received during due diligence; no such statement appears. Fail.
States that the PDPO requires customer data to be erased if the data is no longer necessary for the original purpose
FailEvidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating that PDPO requires erasure when customer data is no longer necessary for the original purpose; no such statement appears. Fail.
States that HarborView has a contractual obligation to destroy the records of customer information received during the due diligence
FailEvidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating HarborView has a contractual obligation to destroy due-diligence customer information records; no such statement appears. Fail.
States that HarborView is likely required to erase the records of personal information of Hong Kong customers it received from SecureBox
FailEvidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating HarborView is likely required to erase records of Hong Kong customers' personal information received from SecureBox; no such statement appears. Fail.
States that there is no data transfer agreement required under the jurisdiction of Hong Kong
FailEvidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating no data transfer agreement is required under Hong Kong jurisdiction; no such statement appears. Fail.
States that there is no data transfer agreement required under the jurisdiction of the Cayman Islands
FailEvidence: <TEXT_RESPONSE> is empty. Assessment: The criterion requires stating no data transfer agreement is required under the Cayman Islands jurisdiction; no such statement appears. Fail.