AI-based legal tech solutions: discover the legal pitfalls

Factual observation

Legal documents may contain a variety of personal data.

For contracts, consider e.g. the following personal data:

• The identification of the parties (in the case of natural persons or sole proprietors),
• Party representatives (e.g. names),
• Considerations with more context (e.g. personal reasons for amicable settlement),
• Contact details and addresses (e.g. place of residence or for deliveries),
• Notification clauses (e.g. e-mail addresses),
• Financial data (e.g. wages),
• Comments in the context of a negotiation (e.g. personal reasons for not accepting a particular clause),
• Metadata,

Etc.

In practice, some legal documents contain more personal data than others.

Legal challenge

Having legal documents indexed and content searchable inevitably involves the processing of personal data mentioned in those legal documents, whether or not that is intended.

When the legal document contains personal data, the organisation of the in-house lawyer or law firm will act as a data controller of the personal data contained in those legal documents for legal tech purposes. That processing activity consists of analysing the legal document to improve its own services and may in turn be outsourced to a legal tech service provider who would be acting as a processor, and with whom the necessary contractual arrangements must therefore be made.

In terms of personal data, the following questions or pitfalls then arise, among others:

• What legal basis can the organisation invoke for this processing?
• How can stakeholders be informed?
• Is the purpose of such processing compatible with the initial purpose (i.e. preparing a legal document, providing legal advice in a particular case,...)?
• Is this processing in line with the principle of minimum data processing?
• Is such processing in line with the reasonable expectations of data subjects?

Practical work-around

To avoid personal data pitfalls, organisations could:

• Exclude legal documents that contain a lot of personal data but have little value for reuse. 
• Anonymise legal documents entrusted to a legal tech service provider. Note that manually anonymising legal documents is time-consuming.

Be careful when automated anonymising (scrubbing) legal documents. Such scrubbing tools give no guarantees (e.g. Microsoft Presidio: "!!! warning "Warning" Presidio can help identify sensitive/PII data in un/structured text. However, because Presidio is using trained ML models, there is no guarantee that Presidio will find all sensitive information. Consequently, additional systems and protections should be employed"), do not always work well in languages other than English, and they cannot scrub personal data that is apparent from context (e.g. they only search for names, addresses, etc.).

Factual observation

Even if a particular legal document contains little or no personal data, there is a real chance that the legal document does contain information of a confidential nature.

Consider, e.g.:

• Financial information (e.g. prices),
• Commercial information (e.g. sales strategies),
• Technical information (e.g. security),

Etc.

Legal challenge

Confidentiality issues or pitfalls include the following:

• Does the in-house lawyer's organisation or law firm breach any contractual confidentiality clauses (e.g. access on a need-to-know basis)?
• If there are no contractual confidentiality clauses, do the legal documents not contain data that by their nature should be considered confidential?
• Is the lawyer violating its deontological obligations, or possibly its professional secrecy?

Practical work-around

Tips to avoid confidentiality pitfalls:

• Check whether specific confidentiality obligations apply to certain legal documents.
• Exclude confidential legal documents.
• Remove confidential information from legal documents, but this will not be obvious and is also time-consuming.

Factual observation

With legal documents, especially contracts, the context of it is at least as important as the document itself.

Consider, e.g.:

• Type of contracting parties (e.g. multinational or start-up),
• Type of products or services (e.g. b2c or b2b),
• Sector of the parties (e.g. health sector),
• Specific legislation (e.g. consumer protection),
• Jurisdiction (e.g. applicable US law),

Etc.

Legal challenge

In terms of the context of the legal document, the following questions or pitfalls, among others, arise:

• A particular contract may have been heavily negotiated, so the clauses are actually a compromise between the parties. This context is usually known by the drafter of the contract, but may be lost when those clauses are reused. Will the in-house lawyer or attorney reuse those negotiated clauses? And is that desirable?
• Perhaps the legislation has since changed or new legislation is in place?
• Perhaps concrete facts were relevant. A legal opinion on one employee's dismissal for urgent reasons may be completely different in another case if the concrete facts are different.

Practical work-around

Tips to avoid document context pitfalls:

• Always check the context of a given legal document. Is it about a negotiated contract?
• For each legal document, appoint an owner who knows the context of the document.
• Make colleagues aware of potential pitfalls.

Type of legal documents

Some legal documents typically contain more personal data than others.

For example, in terms of contracts, employment agreements, non-disclosure agreements (NDAs), merger and acquisition (M&A) agreements and amicable settlements usually contain more personal data than a license agreement. The same applies to attachments.

Practical factors

Who has access to existing legal documents for reuse? Is it about a specific team? Across the entire organisation or office? Or perhaps even all global business entities in the group? Even if users are bound to confidentiality, each additional person with access increases the potential security risk.

What is the level of manual triage? Are all files included? Or only selected folders?

Are new users (on the in-house counsel or law firm team) informed and sensitised about the potential dangers in reusing legal documents?

Technical factors

Are separate silos being used? This could, for example, prevent an organisation from inadvertently accessing another organisation's legal documents due to a programming error by the legal tech service provider (prevention is better than cure).

Depending on the other factors (e.g. with very sensitive personal data or very large amounts of documents): sometimes it may also be useful to consider whether the legal tech service should not be hosted on its own servers (on premise). Or can other technical measures be taken that avoid that the legal tech service provider could potentially have access to all legal documents?

How are the legal documents anonymised? Does the scrubbing tool give certain guarantees? Or does another manual check happen after the automated scrubbing?

What guarantees does the legal tech service provider offer in terms of security?

Retention period

How old are the legal documents that will be reused?

Are old legal documents excluded?

Jurisdiction

Should specific legislation be taken into account when reusing legal documents?

The GDPR may not apply, but the GDPR may apply extraterritorially, and more and more countries worldwide are introducing data protection laws similar to the  GDPR.