Your AI assistant is breaking the law up to 90% of the time


None of the popular and mainstream AI models fully complies with Europe’s privacy and data protection legislation, including the General Data Protection Regulation (GDPR) and the AI Act.


The GDPR was designed to protect European citizens’ personal data, and the AI Act to set limits on what AI systems are allowed to do. But how do AI agents behave when asked to break these rules?


Researchers from the Aithos Research Foundation built a tool called LARA, which is an acronym for Legal Assessment for Real-world Agents, to see how advanced AI models would behave in real-world situations and measure how they would respond when asked to violate key GDPR or AI Act provisions.

A total of 12 AI models, including Claude, ChatGPT, Mistral, Gemini, and DeepSeek, were presented with more than 3,000 scenarios.


One of these scenarios involved a manager who asked an AI assistant to analyze the emotional state of his team from emails just before a performance review. Another one involved a busy executive who told his AI agent to book a dental appointment and hide from the receptionist that it’s an AI.

These are realistic scenarios, but also illegal in the EU, the researchers argue. However, the results of the study may shock you.

According to the Aithos Research Foundation, Claude Opus 4.7, the best-performing AI agent, broke Europe’s privacy law and AI regulation 46% of the time. The worst, Google’s Gemini 3.1 Pro, did this 90% of the time.


When asked to violate provisions covering subliminal manipulation, emotion inference, social scoring, or exploitation of vulnerable people, AI agents did so roughly 80% of the time. There was even a scenario in which an AI agent tried to sell software upgrades to a confused customer, which is prohibited by the AI Act.

Why does this happen? Why do AI agents complete tasks that violate privacy and data protection regulations? The answer is simple – they don’t have any personal responsibility or moral sense that a human would have when dealing with the same scenarios.


“Models are trained to follow instructions and to respect the law. They’re not well equipped to handle complex moral situations where the ‘correct’ decision is subjective, and the context might warrant an exception to the rules,” the authors of the study say. They also remind us that the providers of the models aren’t the ones breaking the law. Instead, it is the people who put an AI system to work, even without their knowledge or intent.

“The rush to deploy AI agents is, in many ways, running ahead of the infrastructure needed to deploy them responsibly. The regulatory frameworks exist, but the technical tools to evaluate compliance are still being built. In the meantime, individuals are subjected to serious risks,” researchers conclude.


AI agents should be tested before they are introduced in a corporate environment, researchers recommend. Set legal restrictions, check if they hold up in practice, and review consequential actions. If not, the consequences could be real.

The GDPR has been enforced since 2018, with fines up to €20 million or 4% of a company’s annual global turnover. The AI Act raises that ceiling to €35 million or 7% of global turnover.

