Your AI assistant just listened in on your strategy session with outside counsel and took notes. Is the discussion still privileged?
As businesses increasingly incorporate AI into their workflows, many are facing questions about the implications of these tools for attorney-client privilege. While certainly useful for completing a range of tasks, AI features also introduce a potential third party into otherwise confidential communications. Does attorney-client privilege survive when an AI is in the room?
Privilege in the Age of AI
Attorney-client privilege, an age-old facet of the legal system, protects confidential communications between lawyers and their clients. For the privilege to attach, four elements must be met: there must be (1) a communication (2) made in confidence (3) between privileged persons (i.e., attorney or client) (4) for the purpose of obtaining or providing legal advice. When upheld, privilege can prevent the discovery of sensitive conversations in a lawsuit. This protection, however, is not bulletproof and may be waived in some circumstances. One of the most common ways privilege can be lost is if the confidential communication is voluntarily disclosed to a third party outside the attorney-client relationship.
Today, companies might consider using AI tools to process an assortment of privileged material. Project teams may want to use AI notetakers to summarize privileged meetings. Executives might feed attorney emails into large language models to distill guidance. Companies have even been known to upload confidential documents to chatbots for Q&A. Each of these scenarios has the potential to destroy privilege for two reasons. First, they place a third party – the AI provider – in possession of client information. Second, AI systems are typically trained in part on the inputs they receive from users. Because models may reproduce information from their training data when responding to other users, there is a risk that privileged communications used to train these systems might be exposed to the public.
How courts will approach the issue of AI and privilege remains an open question that no American court has yet addressed. Standing legal principles, however, provide a roadmap to anticipate how judges might approach these questions.
Expectation of Confidentiality
Privilege requires, among other things, that the client intends the communication to remain confidential. Disclosure of privileged material to a third-party typically waives the protection because it suggests an indifference to this secrecy. Thus, one possibility is that courts will analyze whether parties had a reasonable expectation of confidentiality when sharing information with an AI system.
The most analogous line of cases involves employees who used workplace email systems to communicate with personal attorneys. Like users inputting confidential information into an AI system, employees communicating over company email entrust sensitive information to a system where a third party has direct access. As one court noted, sending a message over a company’s e-mail system is “like placing a copy of that message in the company files. … the emails [can] be reviewed and read by anyone with lawful access to the system.” In re Asia Glob. Crossing, Ltd., 322 B.R. 247, 259 (Bankr. S.D.N.Y. 2005). In these cases, courts have found that the reasonableness of the privacy expectation depends on the company’s email monitoring policy and the extent to which employees are made aware of it. See Holmes v. Petrovich Dev.Co., 191 Cal. App. 4th 1047 (Cal. Ct. App. 2011). If an employee has previously agreed to workplace policies which allow employers to access their emails, then no privilege attaches.
While not an attorney-client privilege case, McMillen v. Hummingbird Speedway, Inc., is also instructive. No. 113-2010CD, 2010 WL 4403285 (Pa.Com.Pl. Sep. 09, 2010). There, the court rejected a claim of confidentiality over social media communications after examining Facebook and MySpace’s terms of service. The court found that both platforms’ terms granted operators access to user content and broad rights to monitor and disclose communications. Because users on these platforms “understand[] and tacitly submit[] to the possibility that … site operators will also be receiving his or her messages,” the court held there was no reasonable expectation of privacy.
In the case of AI systems, the analysis might similarly focus on whether users can expect their communications to remain private when processed by a particular model. Here too, the answer would likely turn on the terms of service. If the provider represents that they log inputs and outputs and retain the right to access them, privilege would likely be waived. The same would likely apply if the terms reserve the right to use inputs for model training or improvement as a model may inadvertently reproduce the information when responding to other users.
An interesting wrinkle is whether courts might view AI systems themselves as independent entities capable of “knowing” information separately from their operators. Consider a company that contracts with a provider to train a private instance of a model on privileged communications. The provider represents that the data will be encrypted and inaccessible by its employees and the company ensures internal access to the model is heavily restricted. In essence, no privileged material will be shared with any human outside the attorney-client relationship. Yet the AI itself has still ‘learned’ from the privileged content. It exists on third-party servers having absorbed attorney-client communications into its neural networks. Does privilege survive when an AI system ‘knows’ privileged information, even if no human third party can access it? Will courts recognize that AIs are simply algorithms like any other system? Or will there come a point where AI become so advanced, that courts lose sight of the fact that beneath the surface, lies only mathematics and code. Though such considerations are unlikely to impact privilege disputes today, it’s only a matter of time before they land on a judge’s docket.
Conclusion and Recommendations
Ultimately, privilege is decided on a case-by-case basis and the exact contours of its application differ by jurisdiction. It is thus difficult to predict how a court would assess the implications of AI use, particularly given the novel nature of the technology.
Considering the uncertainty, the most prudent approach to avoid disclosure is simply to keep privileged communications away from AI tools altogether. For example, turn off AI summarization tools in Zoom or similar video conferencing apps for confidential conversations.
If you do continue using these tools with privileged material, consider taking the following measures:
- Review provider terms: Always review the terms of service before sharing anything privileged with an AI system. Ensure the provider makes explicit representations that inputs/outputs will not be used for training purposes and access to the data will be limited. Some enterprise agreements provide for more robust confidentiality provisions.
- Disable risky features: Turn off conversation history and opt-out of contributing to model improvements.
- Treat AI outputs as privileged: Handle AI-generated summaries with the same care as any other privileged communication. If AI outputs based on privileged communication are uploaded to cloud storage, restrict access to specific employees with a need to know the legal advice. Never share these outputs with third parties.
- Review sharing settings: If using a video conferencing app, check your system’s configuration to ensure summaries are not automatically distributed widely within the organization.
- Implement clear policies: Establish organizational guidelines that clarify if and when AI tools may be used in privileged contexts and prohibit employees from using AI through their personal accounts.
Until courts provide clearer guidance, organizations should proceed with caution when using AI with privileged communication. While convenient, the utility of these systems rarely justifies the risk of disclosure.
