Search papers, labs, and topics across Lattice.
This paper examines how generative AI systems manage client data through three distinct mechanisms: model parameters, context windows, and knowledge databases, each presenting unique risks to confidentiality and legal privilege. By analyzing landmark legal cases and integrating recent computer science findings, the authors elucidate the implications of these data handling methods for legal professionals. The study argues for an evolving standard of information governance that reflects the changing landscape of data privacy in the context of AI technologies.
Generative AI systems may inadvertently compromise client confidentiality in ways that legal professionals are not yet equipped to manage.
Generative AI (GenAI) systems store and process client data in three distinct ways: in the model's parameters through training and memorisation, in the context window during a live session, and in knowledge databases for retrieval-augmented generation (RAG). Each mode creates different and often counter-intuitive risks to confidentiality and legal professional privilege, and each calls for specific governance responses. Drawing on the first English and American decisions to address privilege and generative AI, UK and Munir v Secretary of State for the Home Department and United States v Heppner, on the orthodox privilege authorities against which those decisions must be read, and on recent computer science research, we explain the three modes of data storage and processing in terms accessible to practitioners and analyse the legal consequences of each. We then situate the analysis within the regulatory framework governing solicitors in England and Wales and within the ordinary principles of professional negligence, arguing that the standard of effective information governance (and with it the benchmark against which negligence and misconduct will be measured) is changing. Although we write primarily for SRA-regulated practitioners, our data-governance analysis is framed to extend to any jurisdiction in which the protection of privilege or professional secrecy depends on demonstrable confidentiality. The ultimate aim of this article is to help legal services professionals understand salient data leakage risks in GenAI systems and thereby facilitate a more responsible deployment of GenAI on client data and other sensitive material.