In our 'Contentious AI' insight series we consider the development, adoption and use of AI and how it can become contentious.
In this article, we outline key steps to ensure that your business' use of AI tools does not erode the protections afforded by privilege and confidentiality. The article aims to explore two valuable questions:
- Can claims of privilege or confidentiality be maintained over documents uploaded to third-party AI tools?
- Is sharing information with a publicly available AI tool equivalent to sharing it with the wider public?
International observations
Three recent US decisions provide cautionary tales. In United States v Heppner, a criminal defendant used Claude to interrogate his defence strategy and later shared the outputs with his lawyers. The FBI seized the Claude records and sought access. The court found that because the AI provider's terms of service allowed it to collect inputs, share them with third parties and use them to train its models, there was no reasonable expectation of privacy. Subsequent sharing of the records with lawyers did not retrospectively attract privilege. Consequently, the court rejected Heppner's privilege claim.
But the position is not straightforward. In Tremblay v OpenAI, lawyers for plaintiffs alleging copyright infringement conducted targeted testing of ChatGPT to evaluate potential claims against its operator, OpenAI. A California district court held that the unused AI prompts generated by counsel were privileged on the basis that they were created by lawyers for the primary purpose of evaluating legal claims.
Similarly, in Warner v Gilbarco, the court denied the defendants' broad discovery requests directed at the plaintiff's use of AI in connection with the litigation, characterising them as a fishing expedition. The court observed, in dicta, that sharing materials with an AI tool does not waive protection.
Australian observations
In Australia, there is yet to be any case law directly addressing the impact of AI tools on privilege and confidentiality protections. However, core principles will apply. The test in Australia (at common law and under s 122 of the Evidence Act 1995 (Cth) and its state equivalents) for assessing whether privilege has been waived is whether the conduct of the privilege-holder is inconsistent with the maintenance of the confidentiality which the privilege is intended to protect (Mann v Carnell).
This adaptive test can be applied to new technologies for storing and processing data. Courts have recognised that general use of third-party cloud storage platforms does not of itself waive privilege. However, AI tools raise distinct concerns. A document uploaded to a cloud storage platform just sits there. By contrast, information entered into an AI tool that uses data for training may be absorbed into the model itself and, in effect, become irrecoverable. A UK tribunal recently held that uploading confidential information to an open-source AI tool such as ChatGPT is the same as placing the information into the public domain.
In addition, some enterprise AI tools involve human review of inputs, for example for content moderation, safety filtering, or quality assurance. Uploading documents to such tools could mean allowing an unknown third party to access them, raising a question as to whether such conduct is consistent with maintaining confidentiality.
Managing these risks requires more than legal controls; it also requires organisation-wide training. Employees at all levels, including senior management, need to understand the privilege and confidentiality risks of using AI tools. Importantly, AI prompts, like internet searches, may not themselves attract privilege.
Added considerations for in-house legal teams
For in-house legal teams, an additional layer of complexity arises. Under the test established by the High Court in Esso Australia Resources Ltd v Commissioner of Taxation, privilege attaches to communications only where they were made for the dominant purpose of giving or receiving legal advice, or of providing professional legal services in connection with litigation. In an in-house setting, this test can be difficult to satisfy, because communications by in-house lawyers frequently serve both legal and commercial or operational purposes.
Where an in-house lawyer uses an AI tool to assist with legal analysis, the privileged character of that work may be more readily called into question – particularly if the inputs reflect the blend of legal and commercial reasoning that often characterises in-house practice. In-house teams should ensure that their AI use policies clearly distinguish between legal advisory work and general business tasks, and that privileged materials are handled only through appropriately secured and access-controlled platforms.
Safeguarding with AI providers
For businesses using enterprise or bespoke AI tools, the contractual arrangements with your AI provider are the primary mechanism for managing these risks. Those agreements should be reviewed regularly to ensure ongoing compliance with evolving best practices.
Key terms to negotiate include:
- No training on your data: the agreement should expressly prohibit the provider from reselling your data or using your prompts and inputs to train or fine-tune its models, even internally.
- No human review of your data: the agreement should restrict or prohibit the provider's personnel from accessing or reviewing your inputs and outputs, including for content moderation, quality assurance, or safety purposes, except where strictly required by law.
- Ownership of outputs: the agreement should expressly confirm that the firm (or its client, as appropriate) owns all outputs generated from its inputs. Where the provider's standard terms are silent or ambiguous on this point, ownership should be addressed in a bespoke written agreement.
- Data residency: the agreement should specify where and how your data is stored and processed. Cross-border processing engages obligations concerning overseas disclosure of personal information (including under the Privacy Act 1988 (Cth)), and may also implicate professional duties of confidentiality.
- Access controls: the agreement should require that the platform is a secure, access-controlled environment from which no unauthorised party can access or retrieve your data.
- Retention and deletion: the agreement should impose clear limits on how long your data is retained by the provider, together with an obligation to delete it on request or on termination of the agreement.