Generative AI (GenAI) systems store and process client data in three distinct ways: in the model's parameters through training and memorization, in the context window during a live session, and in knowledge databases for retrieval-augmented generation (RAG). Each mode creates different and often counter-intuitive risks to confidentiality and legal professional privilege, necessitating specific governance responses.
This article draws on the first English and American decisions addressing privilege and generative AI—UK's Munir v Secretary of State for the Home Department and United States v Heppner—analyzing these judgments against traditional privilege authorities and incorporating recent computer science research. We explain the three modes of data storage and processing in an accessible manner for practitioners and analyze the legal consequences of each. The analysis is situated within the regulatory framework governing solicitors in England and Wales and ordinary principles of professional negligence, arguing that the standard of effective information governance is changing.
While primarily written for SRA-regulated practitioners, our data governance analysis is framed to extend to any jurisdiction where the protection of privilege or professional secrecy depends on demonstrable confidentiality. The ultimate aim is to help legal services professionals understand salient data leakage risks in GenAI systems, facilitating a more responsible deployment of GenAI on client data and other sensitive material.
Blogger's Review: The application of generative AI in the legal field is growing, but the data leakage risks it poses cannot be overlooked. This article delves into the issues of privilege and confidentiality, emphasizing the importance of governance and providing a framework that legal practitioners must adhere to when utilizing GenAI, making it a valuable reference point.