3 / 20
Lv.1 Explorer

0 XP

Sample lessonAI Fundamentals for Legal Professionals 20 min

Confidentiality, Privilege, and AI

Understand the specific confidentiality and privilege risks that arise when using AI in legal practice, and how to manage them without sacrificing the productivity benefits.

In practice: Contract first-pass: 2–4 hours → 20 minutes

Your version of this lesson adapts to your role. After the 3-minute assessment, examples, scenarios, and exercises are tailored specifically to your job function and experience level.

Personalise →

The Core Tension

AI tools are at their most useful when given rich context — the full contract, the complete correspondence, the detailed case facts. But rich context often means client-confidential or legally privileged information. Managing this tension is the central compliance challenge of AI adoption in legal practice.

What Are the Risks?

Data Transmitted to Third Parties

When you paste content into an AI tool, that content is transmitted to the AI provider's servers. If the provider is not bound by a suitable data processing agreement, that content may:

  • Be retained and used for model training
  • Be accessible to provider employees in certain circumstances
  • Be stored in jurisdictions with different data protection standards

Inadvertent Waiver of Privilege

In some jurisdictions, sharing privileged materials with third parties — including AI providers — can constitute a waiver of legal professional privilege if the provider is not subject to appropriate confidentiality obligations. This is an evolving area of law.

Data Breach Risk

Any data held by a third-party AI provider is subject to that provider's security posture. A breach at the AI provider level could expose client information.

Practical Mitigation Strategies

1. Use approved enterprise tools only. Your firm or organisation should maintain an approved tool list. Only use tools that have appropriate data processing agreements with your organisation.

2. Anonymise before pasting. For matters where enterprise agreements are not in place, anonymise names, company names, dates, and identifying details before submitting to AI. Use placeholder names.

3. Apply the minimum necessary test. Only include the context the AI needs to complete the task. Don't paste an entire matter file when only a specific clause needs review.

4. Treat AI output as internal workproduct. AI outputs are drafts for your review. They are not final documents and should not be sent externally without careful review.

5. Know your firm's policy. Many firms have issued specific guidance on AI tool use. Know it, follow it, and raise questions if the guidance is silent on a situation you face.

Privilege in AI-Generated Documents

A separate question: can AI-generated legal work product attract privilege? The consensus emerging is yes — if created under the supervision of a lawyer for the purpose of legal advice, AI-assisted documents can attract privilege. The key is lawyer oversight and control.

Key Takeaways

  • Client content transmitted to AI tools may be retained by providers unless enterprise agreements prohibit it
  • Inadvertent privilege waiver through AI tool use is a live issue in some jurisdictions
  • Use only approved enterprise tools with appropriate data processing agreements for client matters
  • Anonymise sensitive content when enterprise tools are not available
  • Apply the minimum necessary information principle — only share what the AI needs

Before you practise

What is one specific task in your current role where you could apply what you just learned?

Ready to put it into practice?

Apply what you just learned with a hands-on exercise.

Ask the AI Tutor