Sanly Tech
NIS2 & Law · 5 min · Sanly Tech

ChatGPT and Client Data: What Lawyers Need to Know

Tags: ChatGPT, Client Data, GDPR, Lawyer, Data Protection, AI

ChatGPT has arrived in many law firms — as a research aid, for drafting briefs, for summarizing lengthy documents. The efficiency gains are real. So are the legal risks.

This article explains what happens when client data is entered into ChatGPT — and what lawyers can do instead.


What Happens When You Enter Something Into ChatGPT?

Every input to ChatGPT is transmitted to OpenAI’s servers in the United States. OpenAI processes the data there and, on the consumer Free and Plus plans, may use it to train future models unless you opt out in the data controls.

This also applies to the paid ChatGPT Plus plan. Opting out of training or using a temporary chat changes what OpenAI may do with your input, not where it goes: the text still leaves your network and is processed on OpenAI’s servers, and OpenAI states that even temporary chats may be retained for up to 30 days for abuse monitoring.

For general text, this is unproblematic. For client data, it is a serious legal issue.


The Duty of Confidentiality Under Section 43a BRAO

Under German law, a lawyer must keep confidential everything that becomes known to them in the course of their professional work. This duty is codified in Section 43a(2) of the Federal Lawyers’ Act (Bundesrechtsanwaltsordnung, BRAO) and covers disclosure to any recipient, including an AI provider in the United States. Section 43e BRAO allows a lawyer to give an external service provider access to such information only to the extent the service requires it, only under a written confidentiality obligation, and, for a provider outside Germany, only where the protection of secrets there is comparable to the protection in Germany. The consumer ChatGPT terms of use offer no such agreement.

Entering client data into ChatGPT therefore discloses it to a third party without that legal basis. This constitutes a breach of the duty of confidentiality regardless of whether OpenAI ever misuses the data: the breach lies in the disclosure itself.

GDPR and Third-Country Data Transfers

Personal data may be transferred to the United States under the GDPR (General Data Protection Regulation) only on a recognised legal basis. OpenAI relies on transfer mechanisms such as Standard Contractual Clauses. The two transatlantic adequacy arrangements that preceded the current EU-US Data Privacy Framework, Safe Harbor and Privacy Shield, were both struck down by the Court of Justice of the EU, and since the Schrems II judgment SCCs only hold up together with the supplementary measures the court demanded. European data protection authorities view such transfers with corresponding skepticism.

The transfer mechanism is only one of the problems. Using ChatGPT on client data makes OpenAI a processor acting on the firm’s behalf, which requires a processing agreement under Art. 28 GDPR; the consumer product offers none. Client files also routinely contain special categories of data under Art. 9 GDPR, such as health information, or data on criminal convictions under Art. 10, for which the bar is higher still. For data of this kind, a consumer AI service is not sufficient.

Professional Consequences

A breach of the duty of confidentiality can lead to professional sanctions, up to and including revocation of admission to the bar. Unauthorised disclosure of a client’s secrets by a lawyer is also a criminal offence under Section 203 of the Criminal Code (StGB). In addition, there is civil liability toward the client.


The Most Common Risk Scenarios

“I don’t enter any names.”
This provides less protection than you might think. Case numbers, file references, dates, the court, the specific facts, and even characteristic phrasing can in combination point to a particular client without ever naming them.

“I use the Business version.”
ChatGPT Team and Enterprise offer contractual commitments that the consumer plans lack: inputs are not used for training by default, and a data processing agreement is available. Even so, the data leaves your network and is processed on OpenAI’s servers by a third party. For the duty of confidentiality, this is not sufficient.

“I anonymize the data first.”
Thorough anonymization is time-consuming and error-prone. Pattern-based redaction catches direct identifiers such as names, file numbers and bank details, but not the combination of court, subject matter and timeline that makes a matter recognisable. A single overlooked detail can be enough to trace the matter back to a specific client.

“I only use it for general research.”
That is legitimate. It becomes problematic as soon as specific case information is included, which happens quickly in day-to-day practice.
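To make the “no names” and “anonymize first” points concrete, here is a pre-flight pseudonymizer of the kind a firm could put in front of any LLM prompt. It is an added illustration written for this article, not Sanly Tech’s software and not anything OpenAI provides; the identifier patterns (German file references, IBAN, e-mail, dates), the client-name list and the sample paragraph are constructed for the example. It replaces direct identifiers with placeholders, keeps a local map so the model’s answer can be re-identified inside the firm, and refuses to send anything that still matches a known pattern. Run it on the sample and the weakness of the approach is visible in the output: the court, the subject matter and the sequence of events survive untouched.

```python
"""Pre-flight pseudonymisation for prompts that may contain client data.

Added illustration for this article, not Sanly Tech's software. The
identifier patterns, the client-name list and the sample text below are
assumptions constructed for the example.
"""
import re
from dataclasses import dataclass, field

# Direct identifiers that a regular expression can catch reliably.
PATTERNS = {
    "AZ":    re.compile(r"\b\d{1,3}\s?[A-Z]{1,3}\s?\d{1,5}/\d{2}\b"),  # file reference, e.g. 12 O 345/23
    "IBAN":  re.compile(r"\bDE\d{2}(?:\s?\d{4}){4}\s?\d{2}\b"),         # German IBAN, spaced or not
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "DATE":  re.compile(r"\b\d{1,2}\.\d{1,2}\.(?:\d{4}|\d{2})\b"),      # 03.04.2024 or 03.04.24
}

# Constructed sample: a sentence as it might appear in a draft prompt.
CLIENT_NAMES = ["Hans Müller", "Müller"]          # would come from the firm's case system
SAMPLE = ("Mandant Hans Müller, Az. 12 O 345/23 vor dem LG Berlin, bestreitet die "
          "Kündigung vom 03.04.2024. Rückfragen an h.mueller@example.com, "
          "Konto DE89 3704 0044 0532 0130 00.")


@dataclass
class Redaction:
    text: str
    mapping: dict = field(default_factory=dict)   # placeholder -> original value


def redact(text: str, client_names: list[str]) -> Redaction:
    """Replace direct identifiers with numbered placeholders and keep the map.

    The map never leaves the firm; it is only used to re-identify the answer.
    """
    mapping: dict = {}
    counters: dict = {}

    def placeholder(kind: str, original: str) -> str:
        # Repeated occurrences of one value get the same placeholder, so the
        # model can still tell that two mentions refer to the same thing.
        for ph, orig in mapping.items():
            if orig == original:
                return ph
        counters[kind] = counters.get(kind, 0) + 1
        ph = f"[{kind}_{counters[kind]}]"
        mapping[ph] = original
        return ph

    # Names first, longest first, so "Hans Müller" is caught before "Müller".
    for name in sorted(client_names, key=len, reverse=True):
        text = re.sub(re.escape(name), lambda m: placeholder("NAME", m.group(0)), text)
    for kind, rx in PATTERNS.items():
        text = rx.sub(lambda m, k=kind: placeholder(k, m.group(0)), text)
    return Redaction(text, mapping)


def restore(response: str, mapping: dict) -> str:
    """Put the original values back into the model's reply (locally only)."""
    for ph, orig in mapping.items():
        response = response.replace(ph, orig)
    return response


def residual_hits(text: str, client_names: list[str]) -> list[str]:
    """Gate before sending: anything that still matches a pattern or a known
    client name blocks the request. Note what this cannot see: "LG Berlin",
    "Kündigung" and the order of events are not in any pattern."""
    hits = [m.group(0) for rx in PATTERNS.values() for m in rx.finditer(text)]
    hits += [n for n in client_names if n in text]
    return hits


if __name__ == "__main__":
    r = redact(SAMPLE, CLIENT_NAMES)
    print(r.text)
    print("blocked" if residual_hits(r.text, CLIENT_NAMES) else "cleared for sending")
    print(restore("Zur Sache [NAME_1] (Az. [AZ_1]) ...", r.mapping))
```

The gate only knows what it has a pattern for. That is the structural limit of anonymization rather than a bug in this particular script: the quasi-identifiers that re-identify a matter (which court, which kind of dispute, which week) have no regular expression, and a model that is good at summarizing is equally good at joining those fragments back together.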


What Other European Authorities Say

European data protection authorities have launched multiple investigations into OpenAI in recent years. The Italian data protection authority (Garante) temporarily blocked ChatGPT in 2023. The German Data Protection Conference (DSK) has repeatedly warned against using US cloud services for sensitive data.

The legal landscape is not stable — and it is trending toward stricter requirements, not looser ones.


The Alternative: AI That Never Leaves Your Firm

The real problem is not AI — it is AI in the cloud.

Local language models run entirely on hardware in your firm. No internet connection required. No data leaves your network. You get the same functionality — summaries, analysis, structuring — without the legal risks.

                ChatGPT (Cloud)                             Local model
Data flow       Input -> OpenAI servers (USA) -> Response   Input -> your device in the firm -> Response
Client data     Leaves the firm                             Stays with you

Modern local models such as Llama 3.1 70B achieve a quality that is fully sufficient for practical use in typical law firm tasks — document summarization, case file analysis, brief drafting.
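The “never leaves the firm” property is only as good as the configuration that points the client software at the local model. The following guard is an added example for this article, not part of any Sanly Tech product: it refuses to assemble a request unless the endpoint is a loopback or private-range IP literal or an explicitly allowlisted internal hostname, and it deliberately does not resolve unknown hostnames, so a swapped config cannot quietly route client data to a cloud API. The hostnames, port and request body shape are assumptions.

```python
"""Guard that refuses to send a prompt anywhere but an inference endpoint
inside the firm. Added illustration, not Sanly Tech's software; the
endpoint URLs, allowlist and request body are assumptions for this example."""
import ipaddress
from urllib.parse import urlparse

# Hostnames that are not IP literals are accepted only from this allowlist.
# (Assumed names for an internal inference host.)
INTERNAL_HOSTS = {"localhost", "llm.kanzlei.intern"}


def is_internal_endpoint(url: str) -> bool:
    """True only for loopback/private-address literals or allowlisted hosts."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname
    if host in INTERNAL_HOSTS:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False          # unknown public hostname: refuse rather than resolve it
    return addr.is_loopback or addr.is_private


def build_request(prompt: str, endpoint: str) -> dict:
    """Assemble the request for the local model, or fail before any network I/O."""
    if not is_internal_endpoint(endpoint):
        raise PermissionError(f"refusing to send client data to {endpoint}")
    # Ollama-style body (assumed; adapt to the local server actually deployed).
    return {"url": endpoint,
            "json": {"model": "llama3.1:70b", "prompt": prompt, "stream": False}}


if __name__ == "__main__":
    print(build_request("Fasse das Urteil zusammen.", "http://127.0.0.1:11434/api/generate"))
    try:
        build_request("Fasse das Urteil zusammen.", "https://api.openai.com/v1/chat/completions")
    except PermissionError as e:
        print(e)
```

A check in the client protects against misconfiguration, not against a compromised workstation; mirror the same rule on the firewall with an egress deny for the inference host, so that the “no internet connection required” claim is enforced at the network layer as well.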


What It Actually Costs

A local AI system for a mid-sized law firm is not a million-dollar investment. A Mac Mini M4 Pro with the appropriate software configuration is fully sufficient for smaller firms; with 64 GB of unified memory it can hold a 4-bit quantised 70B model, which needs roughly 40 GB.

The one-time costs for hardware and setup typically range between EUR 2,500 and EUR 6,000 — depending on firm size and desired functionality. Plus a monthly maintenance fee.

For comparison: ChatGPT Enterprise is priced per user per month. With 10 lawyers, that quickly adds up to a four-figure annual amount, without solving the data protection issues.


Conclusion

ChatGPT is not a suitable tool for working with client data. That is not a matter of taste but a legal assessment based on the lawyer’s duty of confidentiality and the GDPR.

The good news: there is a practical alternative that requires no compromises on data protection. Local AI is mature enough today for everyday use in law firms.


Want to know what a local system would look like for your firm? Get in touch — free and with no obligation.
