Generative AI has by now become a fixed topic within the legal profession and the notarial profession, but the question has shifted from whether lawyers may use AI to under what conditions. A series of recent guidance documents makes clear that using AI on confidential files directly touches the professional duty of secrecy and data protection rules. The common thread: AI is not a neutral tool, but a form of outsourcing and data processing that must be actively governed.
Regulators view AI as outsourcing and data processing
The Bar Standards Board regards the use of AI as outsourcing under its Handbook and requires barristers to configure tools so that client data remains confidential, UK GDPR rules are complied with, and AI audit logs and prompt histories are maintained. This is set out in the Guidance on the use of Artificial Intelligence and Other Technologies (in force from 18 May 2026). The guidance also warns against using general-purpose tools for sensitive matters.
The Council of Bars and Law Societies of Europe (CCBE) warns that inputting personal or confidential client data into GenAI interfaces without firm contractual and technical safeguards can amount to a breach of professional secrecy and privacy. The CCBE guide (2 October 2025) advises data minimisation, zero retention, local or strictly secured environments and meticulous scrutiny of terms of use. The guide also emphasises how generative AI touches core duties such as competence, independence and the avoidance of conflicts of interest.
From hallucinations to verifiable governance
A recent Chambers analysis (21 May 2026) describes how AI in European legal practice falls under the EU AI Act and GDPR, with particular attention to hallucinating legal answers and the duty to verify AI output independently. Professional conduct rules in this context require competence, independence and confidentiality.
Similar concerns arise outside Europe too. In the US, ABA Formal Opinion 512 places, according to the Maryland State Bar Association (3 November 2025), emphasis on understanding the limitations of a tool, protecting client confidentiality under Model Rule 1.6, carrying out risk analyses when uploading client information — especially with self-learning tools — and, where necessary, seeking informed consent. This underlines that using AI on privileged information is a cross-border question of professional secrecy.
Practical GDPR-focused analyses for legal AI emphasise that, alongside secrecy rules, lawyers now need demonstrable data minimisation, DPIAs that cover risks such as hallucinations, unauthorised access and data misuse, encryption, access management, human oversight and auditable processor agreements. The analysis by Aivortex (17 April 2026) shows that AI systems handling European client data must comply with both the GDPR and the EU AI Act in order to make the use of AI on confidential files defensible.
What this means in practice
Together, these sources underline that AI and professional secrecy need not be at odds, provided lawyers deliberately design their AI architecture around privacy, verifiability and visible governance. The common core is always the same: minimal data input, firm contractual safeguards, zero retention, local or screened-off environments, and a verifiable audit chain of prompt logs, model choices and human review.
For practice, this means that AI work must be demonstrably careful: the professional final judgement always remains with the lawyer. A verification layer such as IamVera.ai can help to organise that required visibility, logging and verification in practical terms. The workflow is designed to let pre-processing and anonymisation take place on EU infrastructure and to send only anonymised content to the selected AI models; if a privacy check fails, nothing is forwarded. This gives lawyers greater insight into their sensitive AI flows and allows them to exercise control that aligns with their duty of professional secrecy. More about the underlying approach can be found via privacy-shield and evidence.