AI Regulatory Intelligence — by YRproject

factual analysis · traceable to primary sources

Explainer

AI in legal services: reliability and confidentiality

Adopted 2026-06-22 · ≈ 2 min read · Dirk Baaijen

AI in law firms and legal services is rarely high-risk, but it sets sharp demands on reliability, confidentiality and transparency. Hallucinations, professional secrecy and GDPR processing set the limits, alongside the AI Act's transparency duties.

Short answer: For lawyers and advisers, legal AI usually does not fall under the high-risk regime, but it is under pressure from three demands: reliability (no fabricated case law), confidentiality (professional secrecy and the GDPR) and transparency. Only when AI supports judges or judicial authorities in fact-finding or applying the law does it tip towards high-risk under Annex III.

Reliability and hallucinations

Generative AI can produce convincing but incorrect statements, citations and case law. In a legal context that is not a fringe issue but a core risk: a fabricated judgment in a court document harms both the client and the professional. The AI Act does not enforce this directly for ordinary advisory work, but professional rules and the duty of care do. Every AI output should be verified by a human against the source.

Professional secrecy and confidentiality

Professional secrecy and the GDPR quickly clash with cloud-based AI. Feeding client files into an external model is data processing and possibly a transfer to a third party. That requires a legal basis, a processor agreement and safeguards that the input is not used to train the model or made accessible to others. Without those safeguards the use can breach professional secrecy, regardless of the AI Act.

Transparency

Article 50 transparency requires that users know when they are interacting with an AI system and that generated content is recognisable as such. For legal services this means openness towards clients and the court: an AI-generated draft or a chatbot must be identifiable. Concealing it undermines both the transparency duty and trust.

When it is high-risk

Annex III lists AI systems intended to assist a judicial authority in researching and interpreting facts and the law, or in dispute resolution, as high-risk. That touches adjudication and ADR, not the ordinary advisory work of a firm. Anyone supplying or deploying such systems falls under the full high-risk obligations. The same sensitivity around profiling appears in AI in retail.

What to do

  • Verify every output against the primary source; never trust citations or case law blindly.
  • Protect the file: use only models with contractual safeguards against training and third-party access.
  • Handle the GDPR: legal basis, processor agreement and data minimisation.
  • Be transparent with client and court about AI use.
  • Assess whether the high-risk regime applies if you supply systems to courts or dispute resolution.

For lawyers the biggest pitfall is not the AI Act but their own duty of care: reliability and confidentiality weigh more heavily than the letter of the regulation.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): Art. 50 transparency and the high-risk category administration of justice (Annex III) for use by judicial authorities.
  2. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    Regulation (EU) 2016/679 (GDPR): legal basis and security when processing personal data in case files.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject — programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
