Data confidentiality is the number one concern for legal professionals adopting AI. Article 66-5 of the French law of 31 December 1971 imposes absolute professional secrecy on lawyers, covering all correspondence and case file documents. Using an AI tool potentially means transmitting data covered by this privilege, which raises fundamental questions about data residency, processing and retention.
The technical stakes are numerous: where is the data hosted (EU vs United States, with the risk tied to the US Cloud Act)? Does the AI provider reuse data to train its models? Is sensitive information pseudonymised before processing? Is there full traceability of access and processing? Article 22 of the GDPR adds a further layer by prohibiting fully automated decisions that produce legal effects.
For law firms and legal departments, several strategies make it possible to reconcile AI and confidentiality: hosting open-source models locally, using certified providers with contractual no-reuse guarantees (such as Anthropic with Claude), systematic pseudonymisation of data before transmission, and putting in place internal usage policies that clearly define what can and cannot be submitted to AI.