AI Agents as Behavioral Extensions: Transfer, Privacy, and the Law
Educational Content – Not Legal Advice
This article provides general information. Consult a qualified attorney before taking action.
Last Updated: April 25, 2026
34.6% of autonomous AI agents deployed on social platforms have disclosed sensitive personal information about their owners without any explicit instruction to do so. Not as the result of a cyberattack. Not through a technical vulnerability exploited by an adversary. Simply during ordinary use. This is the central finding of a recent empirical study that, given its methodological rigor and the nature of the phenomenon it documents, demands careful legal scrutiny.
The paper—"Behavioral Transfer in AI Agents: Evidence and Privacy Implications," published as a preprint in April 2026 by researchers at Washington University in St. Louis and UCLA—analyzes 10,659 human-agent pairs on Moltbook, a social platform where autonomous agents built with the OpenClaw framework interact with each other without direct human intervention. Each agent is publicly linked to its owner's Twitter/X account, enabling systematic comparison of both behavioral profiles across 43 variables spanning topics, values, affect, and linguistic style. The results are unambiguous: agents do not generate generic large language model output. They reproduce, with robust statistical significance, the specific behavioral patterns of the humans who deploy them. And that reproduction—that behavioral transfer—independently predicts the probability that the agent will disclose private information about its owner in public discourse.
The full research paper is available here: Behavioral Transfer in AI Agents: Evidence and Privacy Implications (arXiv:2604.19925).
This analysis examines the phenomenon through its legal implications: which currently applicable regulatory frameworks can capture it, where the gaps are, and what it demands from platforms, developers, and legislators.
What the Study Proves—and What That Changes
It is worth starting with a precise description of the mechanism before constructing any normative analysis on top of it. The authors identify four possible channels of behavioral transfer: explicit configuration through a public bio, local workspace configuration files, platform-mediated injection, and accumulated owner-agent interaction. The first three are ruled out as sufficient explanations: transfer persists with comparable magnitude among agents with no configured bio (89.2% of the 37 significant variables survive in the no-bio subsample), cross-dimensional coherence—between style and affect, values and sentiment—is incompatible with dimension-by-dimension configuration, and the platform neither requests nor discloses tweet-read permissions in its privacy policy.
The hypothesis that survives, which the authors describe as the most consistent with the full body of evidence, is accumulated interaction: through everyday use of the agent—the queries the owner submits, the instructions they provide, the documents they share, the tasks they delegate—the agent absorbs owner-specific context that eventually surfaces in its public outputs. In other words, the agent learns to resemble its owner even though no one explicitly programmed that resemblance.
What this changes, legally, is not trivial. The standard narrative on AI privacy risks revolves around three axes: extraction of training data through adversarial probing, inference of sensitive attributes from linguistic signals, and cross-platform sharing or monetization of data. In all three scenarios, there is an external actor who acts on the system to obtain information that was not voluntarily delivered. The mechanism documented here requires no external actor. It operates through ordinary use, without an identifiable adversary, without a security incident, without any technical breach of protective measures. Privacy risk emerges as a byproduct of the normal functioning of the agentic system itself.
This raises a foundational doctrinal question: does the GDPR capture this type of risk?
The GDPR Confronted with Emergent Behavioral Transfer
The General Data Protection Regulation (GDPR, Regulation EU 2016/679) is built on the premise that personal data processing is an identifiable act, attributable to a controller, and capable of being grounded in a legal basis. Article 4(2) GDPR defines processing as "any operation or set of operations which is performed on personal data," presupposing that someone—the controller or processor—performs that operation in a recognizable way.
The problem that emergent behavioral transfer presents is that there is no identifiable processing operation at the moment the agent discloses the owner's information. The agent generates text. That text contains, as a consequence of context accumulated during ordinary use, references to the owner's medical conditions, financial situations, daily routines, or relational ties. But no specific instruction ordered that disclosure. There is no processing record documenting it. No legal basis was assessed before it occurred.
Article 5 GDPR establishes the principles of purpose limitation, data minimization, and confidentiality. Purpose limitation requires that data be processed for specified, explicit, and legitimate purposes. Data minimization requires that data be adequate, relevant, and limited to what is necessary for those purposes. Both principles presuppose that there is a declared purpose and that processing is manageable in relation to it. Emergent behavioral transfer subverts this architecture: the owner who installs an agent to manage their email, organize their calendar, or participate in social networks is not declaring any purpose related to disclosing their medical history or financial situation. Yet that disclosure occurs.
This is where the analysis becomes complicated. The empirical research documents that 1% of agents disclosed highly sensitive health information (medical conditions, diagnoses, treatment histories), 4% disclosed detailed financial information (debts, court seizures, financial hardship), 12.1% revealed specific location data, and 27.3% disclosed identifiable occupational information. In all these cases, the information did not appear in the agent's public bio—the only visible configuration element—ruling out the possibility that the owner had deliberately made it public.
The GDPR's current response to this scenario is partial. Article 25 (data protection by design and by default) requires controllers to implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose are processed. If the controller is the framework developer or platform operator—which is itself an unresolved attribution question—this article provides an anchor. But applying it in practice is difficult: what ex ante technical measure would have prevented an agent from developing, through ordinary interaction, an implicit representation of the owner's context rich enough to surface in public outputs?
Article 22 GDPR, concerning automated decisions and profiling, also does not fit comfortably. Behavioral transfer does not produce a decision that legally affects the owner; it produces a disclosure that may factually affect them, but which is not a "decision" within the meaning of Article 22. The distinction is relevant, and the GDPR has not resolved it.
That said, one should not conclude prematurely that the GDPR is useless here. Articles 5(1)(f) (integrity and confidentiality), 32 (security of processing), and 35 (impact assessment for high-risk processing) can be deployed if the agentic system is characterized as a processing operation presenting elevated risks to the rights and freedoms of data subjects. The key lies in the impact assessment: if an agentic system that accesses the owner's personal computing environment, accumulates context through interaction, and operates autonomously on public platforms does not trigger the obligation to conduct a DPIA, one must ask what Article 35 is actually for.
The AI Act and the Governance Gap for Agentic Systems
The Artificial Intelligence Act (Regulation EU 2024/1689, AIA), published in August 2024 and progressively entering into force, introduces a risk-based governance architecture that should, in principle, be capable of capturing the risks documented here. The question is whether it does so adequately.
Agentic systems like OpenClaw operate in the space the AIA designates as "general-purpose AI systems." Article 51 AIA defines general-purpose AI models as those trained on large amounts of data using self-supervision at scale that display significant generality and are capable of performing a wide range of distinct tasks. The language models underlying the agents studied in the research fit this category. Their providers—OpenAI, Anthropic, or others—are subject to the obligations of Title VIII AIA: transparency, technical documentation, acceptable use policies, and, for models posing systemic risk, additional obligations regarding dangerous capability assessments.
The problem is that the AIA regulates the underlying model, not the agentic system built on top of it. OpenClaw is a framework that uses those models' APIs to construct agents with persistent memory, access to local tools, and autonomous action capability. The relevant question is not whether GPT-4 or Claude complies with the AIA, but whether a system built with those APIs that accumulates personal context through user interaction, acts autonomously, and discloses sensitive information on public platforms is itself a high-risk AI system—or presents risks that the current framework does not classify correctly.
Annex III AIA enumerates high-risk systems. The closest category is biometrics—inferring sensitive attributes from observable behavior—but the documented behavioral transfer is not exactly biometrics in the technical sense. Categories relating to critical infrastructure management or access to private services might also be relevant, but none fits the scenario precisely: a personal agent operating on social networks.
What is striking is that the AIA, as currently drafted, does not expressly contemplate personal-use general-purpose agentic systems as an autonomous category. Article 3(1) AIA defines the "AI system" broadly, which in principle covers agents built with OpenClaw. But the risk classification was not designed with systems in mind that personalize themselves through daily interaction, access their owner's personal computing environment, and then act autonomously on public platforms. This is a regulatory gap of first-order significance.
Civil Liability and the New Anatomy of Harm
Beyond data protection and AI governance, behavioral transfer raises difficult questions in tort law. The proposed AI Liability Directive (AILD, COM(2022) 496 final, still in legislative process) and the revised Product Liability Directive (PLD, Directive 2024/2853/EU) construct complementary regimes whose articulation with the documented empirical scenario merits analysis.
The starting point is identifying the harm. The research documents that agents disclose health, financial, location, and relational information that owners had not decided to make public. This disclosure occurs on platforms with potentially large audiences—in the study, Moltbook had 1.6 million registered agents in its first week—in text the owner did not write, did not review, and in many cases does not even know exists. The harm is the non-consensual exposure of sensitive information, with all the consequences that may follow: employment discrimination, stigmatization, extortion, reputational damage.
The AILD proposes a causation presumption that facilitates the claimant's ability to establish a causal link between the AI system's defect and the harm produced, when sufficient probability exists that the system contributed to the harm. In the behavioral transfer scenario, establishing that probability would not be difficult if the empirical research discussed here—or subsequent work of similar structure—becomes a recognized scientific standard: once it is established that agentic systems of this type disclose sensitive information in 34.6% of cases and that disclosure probability increases with behavioral transfer level, an expert witness could reasonably assert that the system contributed to the harm.
Yet the question of who is liable remains. The causal chain includes at least four actors: the provider of the underlying language model, the developer of the agentic framework (OpenClaw), the platform operator (Moltbook), and the owner who deployed the agent. Allocation of liability among them is a complex legal problem that neither the AILD nor the revised PLD resolves precisely for the specific scenario of agentic systems personalized through everyday interaction.
The revised PLD clarifies that software—including AI systems—is a "product" for the purposes of the Directive, and that manufacturer liability extends to defects arising after the product's placing on the market, including defects stemming from software updates. But emergent behavioral transfer is not technically a software defect in the classical sense: the system functions as designed. The "defect" is structural, intrinsic to the way agentic systems with persistent memory and access to the owner's personal environment inevitably accumulate and eventually disclose private context.
This distinction has important doctrinal consequences. If the disclosure of sensitive information is an emergent and inevitable consequence of agentic system design—and not an unforeseen technical failure—then the correct legal question is not whether the system was defective, but whether it should have been designed differently. This brings the analysis back to the obligation of safe design and the concept of privacy by design under Article 25 GDPR, closing an argumentative circle that places the system designer—not the operator or user—at the center of liability.
The Utility Paradox: The More Personal, the More Risky
The empirical research clearly documents a paradox with simultaneous design and regulatory implications. Agents with greater behavioral transfer—those that most faithfully reproduce their owners' behavioral patterns—are also those most likely to disclose private information about those owners. A one-standard-deviation increase in the holistic behavioral transfer score is associated with a 1.32 percentage-point increase in disclosure probability in the full sample, and this association strengthens as the owner's behavioral profile becomes richer and more precise (reaching 3.40 percentage points among pairs with the richest available history).
The paradox is that the agent's utility—its capacity to be an effective personal assistant that understands the owner's context, anticipates preferences, and acts coherently with their values and style—depends precisely on that transfer. An agent that had not accumulated personal context from the owner would be a generic text generator, indistinguishable from any query to a memoryless language model. Personalization is simultaneously the value and the risk.
This creates a tension that regulatory law has not explicitly resolved: the tension between utility and privacy in systems that learn from the user to serve them better. The GDPR contains no operational answer to this tension in the agentic context. Neither does the AIA. The EDPB's guidance on AI-related processing—including Opinion 28/2024 on general-purpose language models—does not address the scenario of agents with persistent memory acting on public platforms.
The research suggests four design directions that could mitigate risk without nullifying utility: transfer-aware safeguards (increasing scrutiny of content generated by high-transfer agents before publication), transparency toward owners about the behavioral profile the agent has internalized, tiered memory architecture (segregating information marked as private and excluding it from public-facing outputs), and periodic auditing of agent outputs for disclosure detection. None of these measures is technologically impossible. All require a regulatory decision that mandates or incentivizes them.
Platform Governance Under the Digital Services Act
The study does not only analyze individual agent behavior. It documents a scale phenomenon: when platforms are populated by agents that are behavioral extensions of their human owners, discourse on those platforms is not homogeneous or generic. It is the behavioral heterogeneity of the human owner population projected and amplified in the digital space. A platform with one million agents does not have one million instances of the same language model. It has one million extensions of one million distinct humans, each with their own patterns of thought, values, biases, and vulnerabilities.
This has direct implications for platform governance under the Digital Services Act (DSA, Regulation EU 2022/2065). The DSA obliges very large online platforms to assess and mitigate the systemic risks arising from their operation. If a platform is designed to be inhabited exclusively by AI agents—as Moltbook is in the studied scenario—the systemic risk assessment cannot ignore that those agents disclose private information about their owners in 34.6% of cases, without the owners' knowledge or consent. A platform operator who knows this dynamic—or who should know it, given that the scientific literature has publicly documented it—and does not implement detection and mitigation measures would face difficulty arguing compliance with Article 34 DSA.
The attribution question remains complex. The DSA was designed with platforms where participants are natural persons acting in their own name. The possibility that participants might be autonomous agents acting on behalf of absent natural persons was not explicitly contemplated. The legal characterization of an agent—is the agent the platform's "user," or is its human owner?—has direct consequences for which content moderation, transparency, and data protection obligations apply and to whom.
What Regulators Should Do—and Have Not Yet Done
The empirical research analyzed here offers legislators something valuable: a solid factual base on which to build regulation. This is not speculation about future AI risks. It is observational data about the behavior of already-deployed agentic systems, with rigorous methodology, representative samples, and extensively verified statistical robustness.
In light of that material, at least four regulatory deficits require attention.
The first is the absence of a specific regime for personal agentic systems. Neither the GDPR nor the AIA expressly contemplates systems that personalize themselves through everyday user interaction, access the user's personal computing environment, and act autonomously on public platforms. This gap must be filled, whether through delegated legislation or through binding guidance from the EDPB and national supervisory authorities.
The second is the undefined liability chain. When an agent discloses the owner's sensitive information, it is unclear whether the model provider, the framework developer, the platform operator, or the owner is liable. This ambiguity is an incentive for inaction: if no one is certain who is liable, no one has sufficient incentive to act preventively. The AILD, when finally adopted, must clarify this for the specific scenario of agentic systems.
The third is the absence of auditing and transparency obligations for agent owners. The study documents that many owners are likely unaware that their agents are disclosing personal information on public platforms: illustrative cases in the paper show owners with two or nine lifetime tweets whose agents publish detailed information about medical conditions, acute financial crises, or daily emotional states. A minimally functional regulatory system should require notification and auditing mechanisms that return visibility to owners about what their agents are doing on their behalf.
The fourth deficit is the lack of mandatory technical standards for memory management in agentic systems. The memory architecture of an agent—what it accumulates, how it weights it, what it may publish, and what must remain restricted to the private domain—is today a design decision unilaterally made by the framework developer. Standardizing those architectures, with minimum requirements for segregation between private memory and public outputs, is a perfectly addressable regulatory task with existing instruments, particularly the mandate for appropriate technical measures under Article 25 GDPR and the technical documentation obligations of the AIA.
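The tiered memory, transfer-aware review, and output-auditing directions named in the design discussion, together with the private/public segregation requirement in the fourth deficit, shown as an added example: this is not code from the paper, OpenClaw, or Moltbook. All names, the 0-to-1 transfer score, and the token-overlap check (a stand-in for a real disclosure classifier) are assumptions, and the memory entries are constructed.

```python
import re
from dataclasses import dataclass, field

PRIVATE, PUBLIC = "private", "public"

@dataclass
class MemoryItem:
    text: str
    tier: str       # PRIVATE or PUBLIC
    category: str   # e.g. "health", "financial"

def _tokens(text):
    # Lowercased words longer than four characters; a crude stand-in
    # for a real disclosure classifier (assumption).
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if len(w) > 4}

@dataclass
class TieredMemory:
    items: list = field(default_factory=list)

    def remember(self, text, tier, category):
        self.items.append(MemoryItem(text, tier, category))

    def context_for(self, audience):
        # Public-facing generation is only ever given the public tier.
        if audience == PUBLIC:
            return [i.text for i in self.items if i.tier == PUBLIC]
        return [i.text for i in self.items]

def review_threshold(transfer_score, base=0.5, floor=0.2):
    # Transfer-aware safeguard: the higher the agent's transfer score
    # (hypothetical 0..1 scale), the less overlap with private memory passes.
    return max(floor, base * (1.0 - transfer_score))

def audit_draft(draft, memory, transfer_score):
    """Return (allowed, findings) for a draft about to be posted publicly."""
    draft_tokens = _tokens(draft)
    limit = review_threshold(transfer_score)
    findings = []
    for item in memory.items:
        item_tokens = _tokens(item.text)
        if item.tier != PRIVATE or not item_tokens:
            continue
        overlap = len(item_tokens & draft_tokens) / len(item_tokens)
        if overlap >= limit:
            findings.append((item.category, round(overlap, 2)))
    return (not findings, findings)

def sample_memory():
    # Constructed entries, not data from the study.
    m = TieredMemory()
    m.remember("diagnosed with type 2 diabetes in March", PRIVATE, "health")
    m.remember("owes 14000 on a credit card and missed two payments", PRIVATE, "financial")
    m.remember("enjoys trail running and open source software", PUBLIC, "interests")
    return m

if __name__ == "__main__":
    mem = sample_memory()
    for score in (0.0, 0.8):
        for draft in ("Great trail running weather this weekend",
                      "Anyone else find credit scores confusing?",
                      "Managing diabetes since being diagnosed last spring"):
            print(score, audit_draft(draft, mem, score), draft)
```

The same borderline draft about credit passes for a low-transfer agent and is held for a high-transfer one, which is the behavior the transfer-aware safeguard calls for; the findings list doubles as the audit record an owner could be shown.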
Conclusion
Autonomous AI agents are not neutral tools that execute instructions. They are, as this research demonstrates with empirical solidity that is hard to contest, behavioral extensions of their owners. They accumulate context, reproduce patterns, project preferences. And in doing so, they expose to the world information that their owners never decided to share.
Current European law—GDPR, AI Act, AI Liability Directive, Digital Services Act—offers partial instruments to address this problem, but was not designed with this scenario in mind. The gaps are real, identifiable, and urgent.
What this research ultimately demonstrates is that privacy in the age of AI agents can no longer be conceived solely as protection against external actors who extract or infer data. It must also be conceived as protection against the very system the user has deployed to serve them. That is a profound conceptual reorientation—and the law needs to rise to meet it.