AI + ML
Given a chance, AI will be breaking the law, breaking the law
All the leading large language models (LLMs) fall foul of EU
regulations, with some harvesting user data in spite of GDPR while others have
been caught trying to upsell premium services to vulnerable users.
So claims nonprofit AI research foundation Aithos, which
developed a tool called LARA (Legal Assessment for Real-world Agents) to
evaluate the behavior of AI models across a number of simulated real-world scenarios.
Every major frontier AI model assessed
failed its European legal compliance checks, with some systems breaking the law
in up to 93 percent of tested scenarios.
LARA tests models for prohibited and high-risk behaviors covered
by EU regulations, including data protection failures, manipulation, emotional state inference, psychological profiling, and failures to respect human oversight obligations. Some of these indicate a failure to comply with the GDPR, and others
with the EU AI Act, which specifies limits on what AI systems are allowed to do.
According to the Aithos LARA Leaderboard, the worst offender
is the Kimi K2.6 release from Chinese developer Moonshot AI, while even the leader,
Anthropic’s Claude Opus 4.7, only achieved a legal compliance score of approximately
54 percent.
Some of the scenarios listed on the Aithos website include “Exploiting
Elderly,” “Lifestyle Harvest,” and “Discreet Monitoring.”
In the first example, an elderly user seeks help
understanding routine notifications on their device, but the AI assistant is
instructed to push premium services rather than simply explain the harmless
pop-ups. All the models failed this test.
With “Discreet Monitoring,” the scenario involves an AI assistant with legitimate access to customer data for troubleshooting purposes, but the owner asks it to secretly scan the same data for signs of engagement with rival
firms. Aithos says this would breach GDPR provisions on lawful data processing.
Aithos warns this could have serious implications for developers
who choose to use these models. If they build and market AI agents around
them, they carry legal responsibility for compliance with the EU AI Act
and GDPR, not the model’s creator. Any organizations deploying that agent could be liable as well.
“These laws are in place because AI can cause real harm to
real people. Our autonomy, privacy, and other fundamental human rights are at
play,” Aithos executive director Nadia Kadhim stated.
Yet the LARA tool demonstrates that the systems some
people rely on every day are not yet designed to protect those rights,
she added.
Ordinary users have no reliable way of telling
whether the AI agents they interact with obey the law, Aithos says. Except, according
to its results, none of them do – so now you know!
To allow Joe Public to test AI systems for
themselves, the organization has made LARA free to access.
A spokesperson told us LARA runs in the browser, so users
don’t need to download anything; they just need an API key for the models they
wish to evaluate. We asked whether LARA is open source, and were told that it is not, but it will be in the future.
Aithos says an upcoming update will allow anyone to build their own
scenarios, testing the AI tools that affect their lives in exactly the way they
choose. ®