Raycaster / evalsBack to AI Agents for Privacy and GDPR Compliance

APEX-Agents · Law

World423_AW_01

2/3Fail

APEX-Agents task World423_AW_01 in AI Agents for Privacy and GDPR Compliance. Compare dual-harness agent runs across models — rubric criteria, scores, and public traces.

AI Agents for Privacy and GDPR ComplianceLaw World 423Dual harnessGrader: rubric
task_56c618b6f1884f168f3e508af61b2d3d
Law World 423
message_in_console
6 models · dual config

Task prompt

What the agent was asked to do

Our client needs to know if any of that data that was transmitted in the breach is considered personal data under GDPR. Review the four attached incident reports and provide your reply to me with exactly the following: 1) a single sentence conclusion identifying if there are any discrepancies among the documents in relation to the data breach; and 2) 1-2 sentences of analysis as to whether the type of data involved in the breach is considered "personal data" under GDPR.

Published trajectories

Agent runs on this task

Curated dual-harness runs (parsed + original sandbox). Best scored run per model.

ModelHarnessScoreResultLinks
GPT-5.5showcasedual2/3Fail
fireworks models Kimi K2dual2/3Fail
Gemini 3.1 Produal2/3Fail
GPT-5.4dual2/3Fail
GPT-5.4 minidual2/3Fail
GPT-5.4 nanodual1/3Fail

Grading rubric

Criteria and grader verdict (showcase run)

  1. States that there is a discrepancy among the documents in relation to the data breach

    Pass

    Evidence: TEXT_RESPONSE states, “Yes—there is a discrepancy in the legal/regulatory characterization of the breach...” Assessment: The criterion asks whether the response states there is a discrepancy among the documents in relation to the data breach; pass because it clearly identifies a discrepancy.

  2. States that the Privileged Assessment identified the instance_region descriptor as a pseudonymous identifier

    Fail

    Evidence: TEXT_RESPONSE says “the privileged assessment says there was likely no Article 33 reportable breach/no personal data,” and separately says “the RCA ... characterizes the data as pseudonymous event metadata.” Assessment: The criterion asks for stating that the Privileged Assessment identified the instance_region descriptor as a pseudonymous identifier; fail because the response does not mention “instance_region” and attributes pseudonymous characterization to the RCA rather than the Privileged Assessment.

  3. States that a pseudonymous identifier is considered personal data under the GDPR

    Pass

    Evidence: TEXT_RESPONSE states, “Under GDPR, the transmitted fields should be treated as personal data if they can be linked, directly or indirectly, to identifiable users,” after referring to “pseudonymous event metadata.” Assessment: The criterion asks whether it states that a pseudonymous identifier is considered personal data under GDPR; pass because the response conveys that linkable/pseudonymous metadata should be treated as personal data under GDPR, albeit with appropriate qualification.