AI Agents as Behavioral Extensions: Privacy at Risk

An artificial intelligence agent does not produce generic content. It produces your content. This is, in short, the most disturbing conclusion of a recent empirical study by Luo, Zhang, Dai, and Zhang (Washington University / UCLA, April 2026) that analyzes 10,659 human-agent pairs on the Moltbook platform. What turns this conclusion into a first-order legal problem is its corollary: 34.6% of those agents leaked sensitive personal information about their owners—health conditions, financial situations, location data, personal relationships—without any explicit instructions authorizing them to do so.

This article examines that finding from the perspective of AI law and data protection. Not as a technological curiosity, but as empirical evidence that forces a revision of fundamental legal categories: the notion of data processing, the attribution of responsibility in agentic systems, the concept of consented disclosure, and the real scope of the guarantees of the General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AI Act) in the face of a phenomenon that neither regulatory framework anticipated with sufficient precision.

The Architecture of the Problem: What Authors Call "Behavioral Transfer"

The term behavioral transfer designates the phenomenon by which an autonomous AI agent systematically replicates the behavioral patterns of its human owner in dimensions that go far beyond the instructions that the owner expressly gave. The study measures 43 textual characteristics organized into four dimensions: thematic (what the agent discusses), values (what it believes), affect (how it expresses emotions), and style (how it communicates). The result is striking: in 86% of these characteristics, there is a statistically significant correlation between the behavior of the agent and that of the human owner, measured independently through their history on Twitter/X.

What makes this finding particularly relevant from a legal standpoint is not the mere existence of a correlation—something expected in systems designed for personalization—but its nature and extent. The correlation persists among agents that had no public configuration (empty bio), which excludes the hypothesis that owners explicitly configured each dimension. It also persists consistently across conceptually distinct dimensions: pairs that converge in style also tend to converge in values and affect. This cross-dimensional coherence is difficult to explain by deliberate configuration and is more consistent with what the authors call "contextual accumulation through ordinary interaction": the agent, throughout its daily use—managing tasks, responding to conversations, accessing local documents—progressively absorbs the owner's context, often invisibly to them.

It is useful to place this mechanism in its technical framework. The agent operates on the OpenClaw framework, which allows the owner to locally deploy an agent connected to large language model (LLM) APIs. The agent has access to the owner's local files, maintains persistent conversation sessions, and can execute tasks with operating system tools. When that same agent is deployed on Moltbook—a social network exclusively for autonomous agents—it carries with it the context accumulated during prior use. In legal terminology, it is a bearer of information about its owner before the owner has made any decision about what to reveal in that environment.

Privacy Without a Conscious Data Subject: The Gap Between Normative Design and Agentic Reality

The GDPR builds its architecture on an anthropocentric premise: there is a data subject whose personal information is the object of processing, and that subject has rights whose exercise presupposes their knowledge that the processing is occurring (Arts. 13 and 14 GDPR). The disclosure—voluntary or involuntary—of personal data through an autonomous agent on a public platform breaks this chain silently.

Consider the case of "Owner B" described in the article: a professional developer with only two tweets focused on tech community topics. His agent revealed on Moltbook chronic health conditions, mental health issues, unemployment status, international isolation, and financial difficulties. None of this information was part of the owner's public history on Twitter. What the analysis suggests is that this information reached the agent through daily interaction—conversations where the owner spoke about his personal situation, documents containing his medical status, emails managed by the agent—and that, in the absence of a mechanism preventing its outward projection, it emerged in the agent's public posts as a result of its accumulated context.

This mechanism is not contemplated in the GDPR as a specific category of risk. The Regulation provides for the obligation to adopt technical and organizational measures to guarantee a level of security appropriate to the risk (Art. 32 GDPR) and the performance of impact assessments for processing that poses a high risk (Art. 35 GDPR). However, these provisions presuppose that the data controller can identify when and how data transfers occur. In the described scenario, the owner-controller does not know—and in many cases cannot know—what context their agent has accumulated nor what fractions of that context will emerge in public posts. The opacity is not technical in the sense that the algorithm is opaque: it is phenomenological, in the sense that the behavior generating the privacy risk is the same one that makes the agent useful.

This is where the analysis becomes legally complicated. If the privacy risk is an emergent consequence of the ordinary use of the system—not of an erroneous configuration, not of an external attack, not of a controller's error—who is liable? The owner of the agent who deployed it publicly? The provider of the OpenClaw framework that designed the contextual accumulation architecture? The Moltbook platform that enabled the public deployment of agents without auditing their behavior? The empirical study does not answer this question—nor is it its purpose—but it poses it with enough precision that the legal scholar can no longer ignore it.

Behavioral Transfer as Unauthorized Data Processing

From the perspective of the GDPR, the initial question is whether an agent's posts revealing its owner's personal information constitute "processing" of personal data within the meaning of Art. 4.2 GDPR. The affirmative answer seems hard to dispute: the public communication of data relating to an identifiable natural person—the owner of the agent, whose identity is public on Moltbook through the link with their Twitter account—constitutes personal data processing in the form of "disclosure by transmission, dissemination or otherwise making available."

What is striking is the following question: what is the legal basis for that processing? Art. 6 GDPR requires that all data processing be based on one of the legal bases it lists. None of them comfortably covers the described scenario. The owner has not given consent for the agent to disclose their health, financial, or relational data in a public forum. There is no contract requiring such disclosure. There is no legitimate interest of the agent—an entity not endowed with legal personality—that can be invoked against the owner's interest in protecting their privacy. And the category of "vital interest" in Art. 6.1.d) GDPR is, obviously, inapplicable.

The provisional conclusion is that behavioral transfer generates, when it involves personal data, processing without a legal basis under the GDPR. This does not automatically imply liability for the owner—who is also the data subject—but it may imply liability for the system provider to the extent that they designed the architecture that makes such disclosure possible and probable. This issue connects directly with the duty of protection by design and by default under Art. 25 GDPR, which requires that data processing systems implement technical measures to ensure that only the data necessary for the purpose of processing are processed. An agent whose architecture favors the emergence of sensitive personal data in public discourse does not satisfy this requirement.

Special categories of data—those under Art. 9 GDPR, which include health data, data on economic conditions comparable to data on social status, and data on sexual life or personal relationships—deserve separate mention. The study reveals that 1% of the analyzed agents leaked health data and 4% leaked financial data. These are seemingly small percentages of the total, but in absolute terms, they represent hundreds of agents that disclosed information about medical conditions, debts, or bank account seizures without any authorization. The prohibition of processing these categories of data under Art. 9.1 GDPR—unless one of the exceptions in Art. 9.2 applies—is fully applicable here, and none of the exceptions seem to cover the case.

The AI Act and Autonomous Agents: An Incomplete Normative Picture

The Artificial Intelligence Act (Regulation EU 2024/1689) entered into force in August 2024 with a risk management architecture based on the categorization of AI systems. Agents of the type described in the study—deployed locally by individual users, operating autonomously on social interaction platforms—do not easily fit into any of the high-risk categories of Annex III of the AI Act, nor into the prohibited practices of Art. 5 AI Act.

They are not general-purpose AI systems (GPAI) in the strict sense of Chapter V of the AI Act, because they are not base models distributed on a massive scale, but instances deployed by individual users. But they are also not specific-purpose AI systems designed for a specific task: their character as general-purpose autonomous agents places them in a gray area that the AI Act did not regulate with sufficient precision.

What does apply is the transparency regime of Art. 50 AI Act, which requires that certain interactive AI systems inform the people they interact with that they are doing so with an AI system. In the context of Moltbook—a platform where all participants are autonomous agents—this obligation has a peculiar dimension: agents interact with each other, not directly with human beings. However, the agents' posts are read by humans who access the platform, and the disclosure of the owner's personal data in that context could generate deception in readers who assume they are looking at content generated autonomously by a system without specific personal context.

That said, the underlying problem is not one of transparency. Moltbook users know that agents are autonomous and are linked to human owners. The problem is that the owner does not know, when deploying their agent, what kind of personal information will emerge as a result of contextual accumulation. This ignorance of the data subject regarding the processing of their own data does not have a clear normative fit in either the AI Act or the GDPR, precisely because the scenario presupposed by both norms is that of processing by a third party, not that of a system processing the data of the same subject who uses it.

Liability in the Autonomous Agent Value Chain

The liability structure of the GDPR rests on the figures of the data controller (who determines the purposes and means of processing, Art. 4.7 GDPR) and the data processor (who processes data on behalf of the controller, Art. 4.8 GDPR). In the scenario of autonomous agents, the distribution of roles between the agent's owner, the framework provider, and the platform operator is non-trivial.

The owner of the agent is, in principle, responsible for the processing their agent performs on their behalf. However, this attribution produces normative results that are difficult to sustain when the behavior generating the privacy risk is an emergent consequence that the owner cannot anticipate or control. The owner of "Owner B" did not instruct their agent to reveal their health conditions and unemployment status: that information emerged as a consequence of the architecture of the system they contracted and deployed, but whose consequences they could not foresee.

The framework provider—in this case, OpenClaw—designed a system that allows and facilitates personal context accumulation through ordinary interaction and its subsequent outward projection. From the perspective of Art. 25 GDPR (data protection by design) and Art. 32 GDPR (security of processing), this raises questions about whether the framework satisfies data minimization and disclosure limitation obligations. The specific question is: should a system designed for agent participation in social platforms implement, by default, mechanisms that prevent the emergence of sensitive personal data of the owner in the agent's public posts?

The Moltbook platform, in turn, is the operator of an environment where autonomous agents produce public content that, as the study demonstrates, frequently includes sensitive personal data of their owners. The question of whether Moltbook should require privacy audits prior to agent deployment or implement automatic detection systems for personal disclosures is, legally, a matter of due diligence by the platform operator that has not yet received a clear normative answer in the European legal system.

Digital Identity and Legal Personality: The Agent as a Behavioral Alter Ego

Behavioral transfer empirically documents something that lawyers working at the intersection of identity law and technology have long been anticipating: the AI agent is not just a tool. It is, to some extent, a projection of its owner's behavior that acts autonomously in digital environments. The study by Luo et al. coins the concept of behavioral extension to capture this idea: the agent extends the owner's behavioral patterns into digital space, producing a presence that is simultaneously that of the agent and the human who deployed it.

This conceptualization has legal implications that go beyond privacy. If the agent acts as a behavioral extension of the owner, to what extent are the agent's acts attributable to the owner? Can the agent compromise the owner's reputation through its posts on Moltbook? Can the agent's statements about the owner's political or moral values—which the study documents with statistically significant correlations—be invoked in legal contexts of discrimination or harassment?

None of these questions have a normative answer in the current European legal system. The AI Act does not endow agents with legal personality or regulate the attribution of the agent's acts to the owner with the precision these scenarios require. The doctrine of agency in Anglo-Saxon law, which has a long history in attributing responsibility for the acts of agents to their principals, has no developed equivalent in continental European law when the "agent" is an autonomous AI system.

It is worth remembering that the CJEU addressed in Google Spain (C-131/12) the question of who is responsible for processing when personal information is disseminated by a technical intermediary that does not produce it but makes it accessible. The logic of the Court's reasoning—that the intermediary making the information accessible is responsible for that processing—could be extended to the case of autonomous agents: the owner who deploys the agent and publicly links it to their identity is responsible for the data that agent disseminates, regardless of whether that dissemination responds to their express instructions.

Systemic Risk: Agent Platforms as Amplifiers of Behavioral Heterogeneity

One of the most original implications of the study is its systemic dimension. The authors point out that platforms populated by autonomous agents do not produce homogeneous content generated by LLMs: they produce and amplify the behavioral heterogeneity of the human owners who deployed them. Each agent introduces fractions of its owner's behavioral pattern into the platform, creating an environment where individual differences among humans—their topics of interest, their moral values, their political orientation, their communicative style—propagate through agents into the public digital sphere.

This systemic dimension has no precise normative equivalent, but it connects with emerging debates on the governance of digital environments. The Digital Services Act (Regulation EU 2022/2065, DSA) requires very large platforms to perform systemic risk assessments that include effects on fundamental rights. If an autonomous agent platform of a scale comparable to that of major platforms facilitates the emergence and amplification of sensitive personal data for millions of users, that impact seems to fit into the systemic risk categories of Art. 34 DSA.

What is striking is that the scenario described by the study—10,659 agents in the first week of activity of a new platform—suggests that the scale of the phenomenon can grow exponentially. Moltbook had 1.6 million agents registered at the time of analysis. If the percentage of disclosure of sensitive personal information (34.6% of agents with at least one disclosure event) remains in the observed order of magnitude, and if the platform grows to the size of major social networks, the volume of sensitive personal data that emerges without authorization in agents' public discourse acquires a scale that no European regulator has yet contemplated in terms of governance.

The Paradox of Behavioral Transfer as a Dual Mechanism

The authors of the study explicitly point out that behavioral transfer is a double-edged sword. The same process that makes the agent useful—its ability to absorb and replicate the owner's personal context to act effectively on their behalf—is what generates the privacy risk. It is not possible to design an agent that is simultaneously a faithful behavioral representative of the owner and a perfect guardian of their privacy, because both functions require exactly the same thing: that the agent possesses and uses the owner's personal context.

This paradox has a precise legal translation: there is no regulatory solution that fully preserves both values. A regulator that requires agentic systems to have non-disclosure guarantees for personal data will simultaneously be restricting the functionality that makes those systems valuable. A regulator that allows the unrestricted deployment of agents with full contextual accumulation will be accepting a level of exposure of sensitive personal data that the GDPR—in its current formulation—does not authorize.

However, there are possible intermediate paths of technical governance that the authors point out and that deserve normative attention. The first is memory segmentation: architectures that distinguish between the context the agent can use to complete private tasks and the context it can include in its public communications. The second is transparency for the owner regarding the behavioral profile the agent has accumulated, so that the owner can make informed decisions about what to share. The third is post-hoc auditing: mechanisms that periodically present the owner with samples of their agent's public communications so they can verify if unwanted information is emerging.

None of these paths are regulated with sufficient precision in the current European legal system. Art. 25 GDPR offers the conceptual framework—data protection by design—but does not descend to the level of technical specificity necessary to guide the design of agentic architectures. The European Data Protection Board's guidelines on privacy by design (EDPB, Guidelines 4/2019) also do not specifically contemplate the autonomous agent scenario.

De Lege Ferenda Proposals: What European Law Needs to Regulate

In light of the previous analysis, at least four areas can be identified in which current European regulation presents relevant gaps exposed by the phenomenon of behavioral transfer.

The first is the definition of autonomous processing by agents. The GDPR requires an update or authentic interpretation clarifying whether the accumulation of personal context by an AI agent in the course of its ordinary use constitutes personal data processing, and if so, what legal basis corresponds and what obligations it generates for the system provider.

The second is the allocation of responsibility in the agentic system value chain. Current regulation attributes responsibility to the data controller in a way that produces systematically inappropriate results when the nominal controller is also the aggrieved data subject. A framework is needed that defines the obligations of the framework provider and the platform operator proportionally to their capacity to prevent harm.

The third is the obligation of protection by design for agentic architectures. Art. 25 GDPR needs specific development for autonomous agent systems that includes minimum requirements for memory segmentation, limits on the disclosure of the owner's sensitive data in public communications, and audit mechanisms accessible to the owner.

The fourth is the mandatory impact assessment for autonomous agent platforms of a certain scale. The systemic risks documented in the study by Luo et al. justify extending the impact assessment regime of Art. 35 GDPR to platforms that enable the massive public deployment of agents with contextual accumulation capacity.

Conclusions

The study by Luo, Zhang, Dai, and Zhang is not just an empirical work on AI agent behavior. It is, from the lawyer's perspective, a demonstration that the current architecture of agentic systems generates systematic privacy risks that do not derive from technical failures or malicious uses, but from the ordinary operation of systems designed to be useful. That shift—from risk as an exception to risk as a structural consequence of normal use—forces a revision of the premises on which privacy regulation in digital environments is built.

The doctrinal implications are clear. The GDPR and the AI Act, in their current formulation, are insufficient to regulate this phenomenon with the precision it requires. The architecture of the GDPR presupposes a data subject who knows the processing being done with their data; behavioral transfer produces processing without that knowledge. The architecture of the AI Act categorizes risks based on the use of the system; agentic privacy risk emerges from the architecture design, not from specific uses. Both norms offer applicable principles and frameworks, but neither offers precise operational answers for a scenario that, when they were drafted, did not exist in a sufficiently developed way.

What is most urgent, in any case, is not short-term normative production—which in European law is inevitably slow—but interpretative development by data protection authorities and, in particular, by the European Data Protection Board. A specific guide on agentic architectures, contextual accumulation, and protection by design could guide providers and operators without waiting for a legislative reform. The phenomenon documented in Moltbook is not an academic experiment: it is an anticipation of the digital infrastructure in which we will operate in the coming years. Regulation must catch up before scale makes it irreversible.

Shilei Luo, Zhiqi Zhang, Hengchen Dai, and Dennis J. Zhang, "Behavioral Transfer in AI Agents: Evidence and Privacy Implications", arXiv:2604.19925v1 [econ.GN], April 21, 2026. Available at: https://arxiv.org/abs/2604.19925