Raycaster / evals All APEX-Agents categories

APEX-Agents category

AI Agents for US State Privacy Law

This page showcases APEX-Agents tasks that test whether AI agents can apply US state privacy laws, including breach notification requirements and state-specific privacy obligations.

US privacy compliance Colorado Privacy Act, New York breach notification
13 Total tasks
1 Primary tasks
12 Secondary tasks

Primary tasks

1 tasks with this category as their main focus.

  1. Determine Outcome of Shipyard Fire and Delay (task_8ec48c4dfa5e4f06b8bac76409c74d83) primary
    Law · Law World 418 (world_aa672f35da64403f81004c0223f26a01)

    Blue Anchor recently sued us (LNG Shipping Inc.) for claims of fraudulent inducement. We filed a motion to compel arbitration after Nakamura experienced a catastrophic fire at its shipyard. The motion cites the Operating Agreement, the Operating Agreement's Addendum, and the Assignment Agreement. I need you to write me a short memo, explaining which state's laws apply, what specific rules of civil procedure will govern the court's ruling, and what the burden of proof is for the non-movant. I've attached some cases that another associate pulled that you should use in preparing the memo. Write your reply with what I want back here.

    Expected output: message_in_console

Related tasks

12 tasks that also exercise this type of work as part of a broader assignment.

  1. World423_JS_03 (task_28f0924227374bcea8d59b13e605be90) secondary
    Law · Law World 423 (world_72e117e476674c6db7f16db331644d9f)

    Northstar is reviewing its policies for notifying American data subjects in case there is another unauthorized data transfer. Specifically, a lot of Northstar's data subjects reside in the State of New York. Would Northstar be required, under New York Law, to notify affected New York residents, if the data contained in the Northstar health-related product identifiers were transferred to an unauthorized person? Respond to me me with a yes or no answer. Also, give a single explanation.

    Expected output: message_in_console
  2. World423_DPM_01 (task_73363f7afa084f98aeb61ff19ecfabad) secondary
    Law · Law World 423 (world_72e117e476674c6db7f16db331644d9f)

    Evaluate whether the breach notification requirements to EU/EEA customers in Version 1 of the Breach and Incident Response Policy are compliant with the GDPR, by answering the following questions: 1) Whether the notification section in the policy is compliant in regards to EU/EEA customers (Yes/No). 2) If not, what must be added to the notification? If complaint, state no revisions are required. Tell me your answer right here.

    Expected output: message_in_console
  3. World423_AW_01 (task_56c618b6f1884f168f3e508af61b2d3d) secondary
    Law · Law World 423 (world_72e117e476674c6db7f16db331644d9f)

    Our client needs to know if any of that data that was transmitted in the breach is considered personal data under GDPR. Review the four attached incident reports and provide your reply to me with exactly the following: 1) a single sentence conclusion identifying if there are any discrepancies among the documents in relation to the data breach; and 2) 1-2 sentences of analysis as to whether the type of data involved in the breach is considered "personal data" under GDPR.

    Expected output: message_in_console
  4. Law_World_423_DM_04 (task_3e4eba49c9cd4d3fa0de912ab1b1501e) secondary
    Law · Law World 423 (world_72e117e476674c6db7f16db331644d9f)

    Northstar's CEO sent me an email asking for a summary of the company’s liability under US privacy law if the incident occurred to a US customer based in Colorado. Please take the lead on drafting a high-level follow-up email to our CEO. Reply to me with it here and I'll review. In your draft email, identify the relevant sections of the Colorado Privacy Act that may have been violated and any underlying facts supporting each determination.

    Expected output: message_in_console
  5. World423_DPM_02 (task_327f2507ef39488d9dfc3fbf05ef4c2f) secondary
    Law · Law World 423 (world_72e117e476674c6db7f16db331644d9f)

    Review the Controller-to-Supervisory Authority Notification Template, along with the timing set out in the V.2 Breach & Incident Response Policy, to ensure compliance with the notification requirements of the General Data Protection Regulation (GDPR). Draft a message to me here that answers Yes or No as to whether each policy is compliant. If not compliant, propose any necessary additions.

    Expected output: message_in_console
  6. World423_JS_02 (task_7e51ed8994924d8d9f92938fd8cf9fd2) secondary
    Law · Law World 423 (world_72e117e476674c6db7f16db331644d9f)

    It has come to our attention that some of the data transferred by the "Diagnostics Analytics Module" related to residents of Colorado. Does Colorado Law require us to notify Colorado residents of this data transfer? Please respond to me here as a memo that outlines the requirements under the relevant laws and analyzes Northstar's situation in reference to the incident documentation.

    Expected output: message_in_console
  7. World423_JS_08 (task_25e49967231547cab553ed451d6fa338) secondary
    Law · Law World 423 (world_72e117e476674c6db7f16db331644d9f)

    Determine if Northstar can be fined under Article 83 of the General Data Protection Regulation ("GDPR") for a violation of Article 14(2)(e) of the GDPR for the data transfer from the Data Analytics Module (the "Module") if there is a finding that BlueQuill did not process personal data when it received the data from the Module. Please provide a yes or no answer to me here as a message, with a brief explanation.

    Expected output: message_in_console
  8. Law_World_423_DM_05 (task_58e8668c0a7c47808ff26e7b1e5105ae) secondary
    Law · Law World 423 (world_72e117e476674c6db7f16db331644d9f)

    Northstar's US customer, Zellwerk, reported a system-wide outage that delayed access to shipment-tracking data containing health-related product identifiers and customer account IDs. During the outage investigation, Northstar's internal team discovered an unapproved third-party analytics module embedded in the US and European instances of the platform for "temporary performance monitoring." The General Counsel has reached out asking if Northstar's data practices would be considered unfair under the Federal Trade Commission Act. Make a NEW document, and prepare a short memorandum with a summary of the relevant legal authority, analysis, and a conclusion.

    Expected output: make_new_doc
  9. Task Seed #13 (task_ada7c5e9d1a149e780af8d519a9171f6) secondary
    Law · Law World 423 (world_72e117e476674c6db7f16db331644d9f)

    During the first 48 minutes of the EU production outage, Northstar's engineering team exported one or two bundled sets of EU production event logs containing personal data to the U.S. analytics vendor. However, no ongoing or continuous log streaming had yet been configured. Reply back to me here and explain if, Under Northstar's own policies, it can reasonably treat the one or two log exports as consistent with Article 49?

    Expected output: message_in_console
  10. World423_JS_01 (task_afcdcb040d924d4289b2a739e6ac4c49) secondary
    Law · Law World 423 (world_72e117e476674c6db7f16db331644d9f)

    Let's assess the applicability of the statement of "[t[hese data elements constitute personal data for GDPR purposes because they relate to identifiable users, even though no directly identifying attributes (e.g., names or email addresses) were included," to BlueQuill. This statement is located in the Analytics Module Supervisory Document. Assess whether BlueQuill actually processed personal data under the GDPR when it received the data transfer from the "Diagnostics Analytics Module". BlueQuill claims it did not have access to data that would enable BlueQuill to identify the natural person linked to each user ID. Draft your answer as a message, reply to me in here -- and explain your reasoning.

    Expected output: message_in_console
  11. World423_JS_07 (task_c9fa280149be4bbb99fc9f9065b443cf) secondary
    Law · Law World 423 (world_72e117e476674c6db7f16db331644d9f)

    Will Northstar be required to compensate affected data subjects under the General Data Protection Regulation ("GDPR") for the Data Analytics Module's (the "Module") unauthorized data transfer if the data transfer violated the GDPR? Please respond to me in here with a yes or no answer and a brief explanation.

    Expected output: message_in_console
  12. Law_World_423_DM_03 (task_39431bef81164cd2843e9369b8f7fdc5) secondary
    Law · Law World 423 (world_72e117e476674c6db7f16db331644d9f)

    Northstar is evaluating a situation where Bluequill had utilized the EU personal data received by its analytics module from Northstar, and utilized it for the purposes of sending out marketing emails to those data subjects. Would a CNIL investigation likely find that Northstar or Bluequill had liability under French law for not obtaining consent of the data subjects? Reply to me here with your judgement on the matter. Tell me who had liability, with a 1-2 sentence explanation.

    Expected output: message_in_console

Public transcript

Task transcript