Legal Research in the Age of AI: What Privilege Really Requires

A partner at a mid-size European firm calls an associate into her office. There’s a sensitive M&A question — a client is considering acquiring a competitor, and the deal hinges on a regulatory exposure the associate needs to research. It’s the kind of question lawyers have researched for decades: open Westlaw, run some searches, pull the relevant case law, write a memo.

But the associate doesn’t open Westlaw. She opens ChatGPT. She types something like: “What are the EU merger control risks if [Client A], a German pharmaceutical company, acquires [Company B]‘s oncology division?” She gets a detailed, well-structured answer in seconds. And she’s just done something that no Westlaw search ever did — she’s revealed her client’s identity, their acquisition target, the specific business unit involved, and the regulatory angle they’re worried about. All in a single prompt, sent to a US company’s servers.

What just happened to privilege?

A single AI prompt can reveal your client, their acquisition target, the business unit, and the regulatory angle — all sent to a US company’s servers.

The query is the problem, not the answer

Here’s the thing most people miss about AI-assisted legal research: the risk isn’t in what the AI tells you. It’s in what you tell the AI.

When you search Westlaw for “EU merger control pharmaceutical acquisition,” that query is generic. It tells an observer you’re interested in merger law. It doesn’t reveal your client, their target, or the deal structure. Westlaw searches are structured keywords — fragmented, abstract, and stripped of context. That’s not a security feature. It’s just how keyword search works.

AI tools are fundamentally different. They’re designed to take natural language — the more context, the better. A prompt like “Analyze whether [Client A]‘s acquisition of [Company B] would trigger a Phase II review under the EU Merger Regulation, given their combined market share in oncology therapeutics” isn’t a search query. It’s a briefing document. It contains the kind of information that would normally live inside a privileged memorandum, shared only between attorney and client.

And unlike a memo sitting in your firm’s document management system, that prompt is now sitting on OpenAI’s servers. API inputs are retained for 30 days for abuse monitoring per OpenAI’s data usage policy; ChatGPT consumer data may be retained indefinitely unless users opt out. On infrastructure subject to US legal process.

Privilege and confidentiality aren’t the same thing

Before we go further, let’s get precise about two terms that lawyers sometimes use interchangeably — even though they protect very different things.

Attorney-client privilege is an evidentiary rule. It prevents the forced disclosure of confidential communications between a lawyer and their client made for the purpose of obtaining legal advice. Privilege belongs to the client. It can be waived — and once waived, it’s gone. The critical question is always: did the communication remain confidential?

Confidentiality is an ethical duty. Under ABA Model Rule 1.6, a lawyer “shall not reveal information relating to the representation of a client” unless the client gives informed consent or one of a handful of narrow exceptions applies. This duty is broader than privilege — it covers everything related to the representation, not just communications made for legal advice.

Here’s why the distinction matters for AI research: sending a detailed prompt to ChatGPT might not destroy privilege outright (courts are still working that out). But it almost certainly implicates the confidentiality duty under Rule 1.6. You’ve shared information relating to a client’s representation with a third-party technology provider. The question isn’t whether you meant to disclose — it’s whether you took reasonable steps to prevent it.

And “reasonable steps” is doing a lot of heavy lifting right now, because most lawyers haven’t thought about what reasonable looks like when your research tool is an AI model hosted by a US corporation.

What the professional rules actually require

The obligation to think about this isn’t optional. It’s built into the rules governing legal practice.

Model Rule 1.1 (Competence) requires lawyers to provide competent representation, which includes “keeping abreast of… the benefits and risks associated with relevant technology.” ABA Formal Opinion 512 (2024), the ABA’s first formal opinion addressing generative AI, made this explicit: lawyers who use AI tools without understanding their data handling practices aren’t meeting their competence obligations.

Model Rule 1.6 (Confidentiality) requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation.” Sending client-specific queries to a cloud-based AI tool raises an obvious question: what efforts did you make to understand where that data goes, who can access it, and under what legal authorities?

Formal Opinion 512 didn’t ban AI use. It said lawyers must understand the technology’s implications before using it with client information. That means understanding not just the AI provider’s privacy policy, but the jurisdictional framework governing the provider’s data.

This is where most firms fall short. They’ve read OpenAI’s terms of service. They haven’t thought about the CLOUD Act.

Privilege is about whether the communication stayed confidential. An AI prompt sent to a third-party cloud service raises that question immediately.

The jurisdictional exposure nobody talks about

Traditional legal research tools operate within a well-understood legal framework. Thomson Reuters, which owns Westlaw, is a Canadian-incorporated company dual-listed on the NYSE and TSX under TRI, with its operational headquarters in Toronto but significant US operations. RELX Group, which owns LexisNexis, is dual-listed on the London Stock Exchange (REL) and NYSE (RELX), headquartered in London but with deep US ties. Both are subject to US legal process.

But here’s the thing: when you searched Westlaw in 2005, your query was “antitrust pharmaceutical merger EU.” Even if a US authority obtained that search history, it told them almost nothing. The query was too abstract to reveal client matters.

AI queries are different. “Analyze the antitrust risk of [Client A]‘s proposed €2.1 billion acquisition of [Company B]‘s European oncology portfolio” is a complete intelligence brief. If that query is stored on US-accessible infrastructure — and under the CLOUD Act, any US-jurisdiction company’s servers qualify — it’s one warrant away from disclosure. As we covered in The CLOUD Act and Your AI Research, the physical location of the server doesn’t matter. What matters is the corporate chain.

This exposure extends beyond the traditional research platforms. Harvey AI, one of the most prominent legal AI tools, is a US-based company powered by OpenAI’s models. Queries processed through Harvey are subject to the same jurisdictional framework. Your firm might have a sophisticated data classification policy, but if the AI tool you’re using for privileged research matters routes through US infrastructure, that classification doesn’t override US legal authorities.

Bar associations are catching up — slowly

Professional bodies are starting to grapple with this, though guidance varies widely by jurisdiction.

The ABA has been the most active. Formal Opinion 512 (2024) emphasizes that existing duties of competence and confidentiality apply fully to AI tools. The ABA doesn’t prescribe specific technical solutions, but it makes clear that ignorance isn’t an excuse — if you use AI for client work, you need to understand the implications.

In Europe, the Council of Bars and Law Societies of Europe (CCBE) has issued guidance recognizing that AI tools create new confidentiality risks, particularly when data is processed outside the EU. The CCBE’s position aligns with the broader European regulatory trend: jurisdiction matters more than geography.

Germany’s Bundesrechtsanwaltskammer (BRAK) — the Federal Chamber of Lawyers — has taken a characteristically direct position. Its guidance emphasizes that lawyers using AI must ensure client data doesn’t leave the control of systems subject exclusively to European law. The BRAK explicitly flags the risk of US-jurisdiction exposure through cloud-based AI tools, making it one of the few bar associations to connect professional responsibility directly to data sovereignty.

The common thread across jurisdictions: professional bodies aren’t saying “don’t use AI.” They’re saying “understand what happens to client data when you do.” And right now, most lawyers don’t.

Most firms have read OpenAI’s terms of service. Almost none have thought about the CLOUD Act.

Which tasks are safe on which tools?

Not every research task carries the same risk. The key is matching the sensitivity of the query to the security of the tool.

Low risk — generic legal research: Asking an AI to explain the elements of a breach of fiduciary duty claim, summarize a public court decision, or outline the structure of EU merger control review. These queries don’t reveal client information. They’re the AI equivalent of reading a textbook. Any tool is fine.

Medium risk — pattern-based analysis: Using AI to compare regulatory frameworks, identify trends in case law, or draft template language for common contract clauses. These queries might reveal your practice area focus but don’t expose specific client matters. Standard enterprise AI tools with appropriate data processing agreements are reasonable.

High risk — client-specific research: Any prompt that includes client names, deal terms, transaction details, investigation specifics, or strategic legal positions. This is where confidentiality and privilege are directly at stake. These queries should only go through tools where you can verify the complete jurisdictional chain — and where no non-EU government has a legal pathway to compel disclosure.

Never appropriate for external AI: Queries involving pending litigation strategy, settlement positions, whistleblower identities, or information received under legal professional privilege from other counsel. Some information is too sensitive for any third-party tool, regardless of where it’s hosted.

The problem is that the line between “medium” and “high” risk isn’t always obvious in the moment. An associate drafting a research memo might start with a generic question and gradually add client-specific context as they refine their query. By the fourth iteration, they’ve effectively briefed the AI on the entire matter — without ever making a conscious decision to share privileged information.

An associate can start with a generic question and gradually add client details across four iterations — briefing the AI on the entire matter without ever making a conscious decision to share privileged information.

Building AI-ready privilege protection

The answer isn’t to ban AI from legal practice. That ship has sailed, and frankly, Model Rule 1.1’s competence requirement increasingly points in the other direction — lawyers who refuse to use AI tools may eventually struggle to argue they’re providing competent representation.

The answer is infrastructure that makes AI use compatible with privilege and confidentiality obligations. That means:

Sovereign deployment. AI models running on infrastructure where no non-EU government can compel data disclosure. Not “EU region” on a US cloud provider — genuinely sovereign, with no US parent company in the corporate chain. As we explained in Data Sovereignty Is Not Data Residency, the distinction is critical. “Where the server sits” and “who can legally demand what’s on it” are different questions with different answers.

No data retention by the AI provider. If your queries aren’t stored, they can’t be subpoenaed. Zero-retention architectures — where inference happens and the prompt is discarded — eliminate the largest single vector of exposure.

Audit trails that stay inside your firm. You need to know which lawyers used which AI tools for which matters, but that audit trail itself is sensitive. It should live on infrastructure you control, not on the AI provider’s platform.

Model transparency. Lawyers have an obligation to understand the tools they use. That’s easier with open-source models, where the model weights are public and the inference pipeline is inspectable, than with proprietary black boxes where you’re trusting a privacy policy written by the provider’s lawyers — not yours.

LumaVista was built with exactly this use case in mind — open-source models running on dedicated EU GPU infrastructure, with no US company anywhere in the data path. Research queries never leave European jurisdiction, and the zero-retention architecture means there’s nothing to subpoena even if someone tried.

What to do now

1. Audit your firm’s AI usage today. Find out which tools lawyers are actually using — not just the ones IT approved. Shadow AI adoption in law firms is rampant. You can’t manage risk you don’t know exists.

2. Map the jurisdictional chain for every tool. For each AI tool, trace the corporate ownership to the ultimate parent company. If it’s US-incorporated, your queries are CLOUD Act-accessible. The CLOUD Act and Your AI Research walks through exactly how to do this.

3. Create a query classification policy. Define what’s safe to put into which tools. Make it simple — lawyers won’t follow a 40-page policy in the middle of a research session. A one-page decision tree works better than a compliance manual.

4. Strip client identifiers before prompting. If you must use a non-sovereign AI tool for substantive research, anonymize first. Replace client names with “Company A,” remove deal values, generalize industry details. It’s not perfect, but it reduces the information density of a potentially discoverable prompt.

5. Brief your lawyers on the privilege distinction. Most lawyers understand privilege conceptually. Few have thought about how AI prompts interact with waiver doctrine, or how Rule 1.6’s confidentiality duty applies to technology vendors. This is a CLE topic that matters right now.

6. Evaluate sovereign AI infrastructure for high-risk work. You don’t need to move everything overnight. Start with the use cases where exposure would be worst: M&A due diligence, internal investigations, regulatory response, litigation strategy. These justify the investment.

7. Update your engagement letters. Clients increasingly expect to know whether and how AI is used in their matters. Getting ahead of this — disclosing your AI practices and the safeguards you’ve implemented — is better than being asked about it after a data incident.

8. Watch bar association guidance closely. This area is evolving fast. The ABA, CCBE, and national bar associations are all developing more specific guidance on AI use. What’s “reasonable” under Rule 1.6 today will be better defined in twelve months — and the standard will almost certainly be higher.

The associate in our opening scenario didn’t do anything malicious. She used a tool that’s faster and, in many ways, better than the alternatives. But she did it without thinking about what her query revealed, where it went, and who could legally demand access to it. That’s the gap this profession needs to close — not by abandoning AI, but by building the infrastructure and practices that make AI use compatible with the duties that define legal practice.