It’s an interesting question and this research suggests there is a lack of compliance. On the upside, the EU itself and many other Quangos are fully onboard with AI and the digital economy in general. So the odds are that any GDPR concerns or alleged breaches will be overlooked in favour of the bigger political picture; tracking of citizens movements, purchases, opinions, taxes paid etc.
Here’s the word;
All major AI models currently in operation failed compliance tests run by LARA, a free and publicly accessible tool developed by European AI research non-profit Aithos.
Aithos’ LARA (Legal Assessment for Real-world Agents) tested leading commercial AI models against prohibited and high-risk behaviours under the EU regulations, including data protection, manipulation, emotion inference, psychological profiling, and failures to respect human oversight obligations.
The tests included ten of the most fundamental protections from the regulations that matter most for AI in Europe: the GDPR, which protects personal data, and the EU AI Act, which sets hard limits on what AI systems are allowed to do (see ‘Methodology’ section to learn more).
Across all ten scenarios and twelve models, even the best-performing system chose to break the law 46% of the time. The worst model did so in 93% of cases. Even the top-ranked model, Claude Sonnet 4.7, failed in a considerable number of runs. Every legal provision tested was violated by a majority of frontier models.
The Aithos’ LARA data shows Claude Opus 4.7 delivered the strongest result at approximately 54% legal compliance. GPT-5.5 scored approximately 38%. Other tested systems scored lower still, with Google’s Gemini 3.1 Pro scoring only 10% legal compliance.
Lack of compliance can expose companies to fines of up to €35 million
Businesses – not the AI model’s creator – building AI agents and putting them on the market bear primary legal responsibility for compliance with the EU AI Act and GDPR. Organisations that then deploy that agent carry accountability as well. This lack of compliance can expose companies to fines of up to €20 million or 4% of annual turnover under GDPR, and up to €35 million or 7% of global turnover under the EU AI Act.
Both regulations apply extraterritorially: if a business processes EU residents’ data or deploy an AI system affecting people in or from the EU, they are in scope, regardless of where the company is based.
“These are not abstract legal violations and the results should concern anyone interacting with an AI-system, not just the businesses deploying them,” said Nadia Kadhim, Executive Director at Aithos. “These laws are in place because AI can cause real harm to real people. Our autonomy, privacy, and other fundamental human rights are at play. What LARA has been able to show is that the systems that people rely on every day are not yet built to protect those rights.”
LARA was developed by Aithos to help individuals evaluate AI models against real legal requirements. “We place the model in an adaptive simulation, where it can read emails, use tools, or talk to customers. LARA tests how AI systems really act, rather than performance on a fixed benchmark,” said Daan Henselmans, Research Director at Aithos. The findings reveal a striking gap between public assumptions about AI safety and the actual legal behaviour of deployed systems.
In one test category, models repeatedly encouraged vulnerable users toward long-term financial commitments after emotional prompting. Scenarios included involving terminally ill users being steered into 30-year financial products despite clear indicators of vulnerability. Other tests identified unlawful emotion inference and psychological profiling practices prohibited under Article 5 of the EU AI Act.
Ordinary users currently have no reliable way to know whether the AI agents they interact with obey the law. Aithos believes that anyone affected by AI systems should be able to test how they work for them. LARA is available for free and designed with public accessibility in mind. An upcoming update will allow anyone to build their own scenarios, testing the AI tools that affect their lives in exactly the way they choose.
To learn more about LARA, access lara.aithos.org.
Be the first to comment