AI-based legal tech solutions: discover the legal pitfalls


Over the past years, “legal tech” solutions have become increasingly popular to help in-house legal departments and law firms share and reuse existing knowledge. Thanks to the rapid growth of technology, and of artificial intelligence in particular, legal tech solutions have been taken to yet another level. They can now also be used to quickly review, search and analyse documents. And thanks to the extensive data input, they can even be used to create, harmonise and improve documents. This (r)evolution is saving valuable time for legal professionals and is therefore also contributing to higher quality and cost-efficiency. In this blog post we examine the potential pitfalls of this new way of working, in particular those arising from the involvement of third parties from whom legal tech solutions are procured.

Reuse challenges, pitfalls and practical remedies

When (in-house) lawyers draft legal documents such as contracts, legal opinions and court documents, they usually do not reinvent the wheel. Even when it’s best to start from scratch, existing legal documents will often serve as inspiration and some part may be reused.

However, reusing existing (and sometimes quite old) legal documents can pose a number of legal challenges. We distinguish challenges in terms of personal data, confidentiality and context of the legal document:

Personal data

Factual observation

Legal documents may contain a variety of personal data.

For contracts, consider e.g. the following personal data:

  • The identification of the parties (in the case of natural persons or sole proprietors),
  • Party representatives (e.g. names),
  • Considerations with more context (e.g. personal reasons for amicable settlement),
  • Contact details and addresses (e.g. place of residence or for deliveries),
  • Notification clauses (e.g. e-mail addresses),
  • Financial data (e.g. wages),
  • Comments in the context of a negotiation (e.g. personal reasons for not accepting a particular clause),
  • Metadata,


In practice, some legal documents contain more personal data than others.

Legal challenge

Having legal documents indexed and content searchable inevitably involves the processing of personal data mentioned in those legal documents, whether or not that is intended.

When the legal document contains personal data, the organisation of the in-house lawyer or law firm will act as a data controller of the personal data contained in those legal documents for legal tech purposes. That processing activity consists of analysing the legal document to improve its own services and may in turn be outsourced to a legal tech service provider who would be acting as a processor, and with whom the necessary contractual arrangements must therefore be made.

In terms of personal data, the following questions or pitfalls then arise, among others:

  • What legal basis can the organisation invoke for this processing?
  • How can stakeholders be informed?
  • Is the purpose of such processing compatible with the initial purpose (i.e. preparing a legal document, providing legal advice in a particular case,...)?
  • Is this processing in line with the principle of minimum data processing?
  • Is such processing in line with the reasonable expectations of data subjects?

Practical work-around

To avoid personal data pitfalls, organisations could:

  • Exclude legal documents that contain a lot of personal data but have little value for reuse. 
  • Anonymise legal documents entrusted to a legal tech service provider. Note that manually anonymising legal documents is time-consuming.

Be careful when automatically anonymising (scrubbing) legal documents. Such scrubbing tools give no guarantees (e.g. Microsoft Presidio: "Presidio can help identify sensitive/PII data in un/structured text. However, because Presidio is using trained ML models, there is no guarantee that Presidio will find all sensitive information. Consequently, additional systems and protections should be employed"), do not always work well in languages other than English, and cannot scrub personal data that is apparent from context (e.g. they only search for names, addresses, etc.).
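The limitation described above, shown as an added example that is not part of the original post and does not use Presidio: a simplified pattern-based scrubber removes the direct identifiers it knows about, while personal data that is only apparent from context stays in the text. The patterns, the cue words and the sample clause are all constructed assumptions.

```python
import re

# Direct identifiers a pattern-based scrubber can recognise (illustrative only).
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\+?\d[\d /.-]{7,}\d"),
}
# Hypothetical cue words for personal data that only shows up in context.
CONTEXT_CUES = ("illness", "health", "dismissal", "salary", "works council")


def scrub(text, known_names=()):
    """Replace direct identifiers with placeholders; return (text, hit counts)."""
    counts = {}
    for name in known_names:
        text, n = re.subn(re.escape(name), "[NAME]", text)
        counts["NAME"] = counts.get("NAME", 0) + n
    for label, pattern in PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        counts[label] = n
    return text, counts


def residual_cues(scrubbed):
    """List cue words still present, i.e. reasons to route the text to manual review."""
    lowered = scrubbed.lower()
    return [cue for cue in CONTEXT_CUES if cue in lowered]


# Constructed sample clause, not taken from any real document.
SAMPLE = (
    "Notices go to Jane Example (jane.example@example.com, +32 2 555 01 23). "
    "The employee, who chairs the works council at the Ghent plant, "
    "accepts this settlement because of her ongoing illness."
)

if __name__ == "__main__":
    cleaned, counts = scrub(SAMPLE, known_names=["Jane Example"])
    print(cleaned)
    print(counts, residual_cues(cleaned))
```

The scrubbed clause no longer contains the name, e-mail address or phone number, yet the works council role and the illness still single out one person, which is why the output is flagged for a manual check instead of being treated as anonymised.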


Confidentiality

Factual observation

Even if a particular legal document contains little or no personal data, there is a real chance that the legal document does contain information of a confidential nature.

Consider, e.g.:

  • Financial information (e.g. prices),
  • Commercial information (e.g. sales strategies),
  • Technical information (e.g. security),


Legal challenge

Confidentiality issues or pitfalls include the following:

  • Does the in-house lawyer's organisation or law firm breach any contractual confidentiality clauses (e.g. access on a need-to-know basis)?
  • If there are no contractual confidentiality clauses, do the legal documents not contain data that by their nature should be considered confidential?
  • Is the lawyer violating its deontological obligations, or possibly its professional secrecy?

Practical work-around

Tips to avoid confidentiality pitfalls:

  • Check whether specific confidentiality obligations apply to certain legal documents.
  • Exclude confidential legal documents.
  • Remove confidential information from legal documents, although this is not straightforward and is also time-consuming.


Context of the legal document

Factual observation

With legal documents, especially contracts, the context is at least as important as the document itself.

Consider, e.g.:

  • Type of contracting parties (e.g. multinational or start-up),
  • Type of products or services (e.g. b2c or b2b),
  • Sector of the parties (e.g. health sector),
  • Specific legislation (e.g. consumer protection),
  • Jurisdiction (e.g. applicable US law),


Legal challenge

In terms of the context of the legal document, the following questions or pitfalls, among others, arise:

  • A particular contract may have been heavily negotiated, so the clauses are actually a compromise between the parties. This context is usually known by the drafter of the contract, but may be lost when those clauses are reused. Will the in-house lawyer or attorney reuse those negotiated clauses? And is that desirable?
  • Perhaps the legislation has since changed or new legislation is in place?
  • Perhaps concrete facts were relevant. A legal opinion on one employee's dismissal for urgent reasons may be completely different in another case if the concrete facts are different.

Practical work-around

Tips to avoid document context pitfalls:

  • Always check the context of a given legal document. Is it a negotiated contract?
  • For each legal document, appoint an owner who knows the context of the document.
  • Make colleagues aware of potential pitfalls.

So is using legal tech for document reuse advisable? 

Whether the use of legal tech when reusing legal documents is advisable depends on several factors.

  • A good rule of thumb is that the more similar (in scope, approach and data volume) the deployment of legal tech is to the manual reuse of legal documents, the lower the risks will be.
  • Moreover, using a particular legal tech tool is not illegal per se. After all, the law is technology-neutral. What matters is the specific use your organisation makes of a legal tech tool.
  • Some legal tech tools are very similar to the functionalities that standard tools (such as Microsoft Office, content management tools such as SharePoint and iManage, case management tools for lawyers, etc.) also offer in terms of searching. However, usually such tools offer strict access controls, which may not always be the case with all legal tech tools, particularly tools whose primary concern is usability. Indeed, there is often a delicate balance to be struck between security and usability.
  • Also, the use of Microsoft Office obviously does not preclude the use of other legal tech tools but, from an information security perspective, any additional service provider with access increases the risk of data breaches.

So whether or not legal tech for document reuse is advisable for your organisation is an analysis that every organisation or law firm needs to do for itself. In that analysis, the following factors can be taken into account:

Type of legal documents

Some legal documents typically contain more personal data than others.

For example, in terms of contracts, employment agreements, non-disclosure agreements (NDAs), merger and acquisition (M&A) agreements and amicable settlements usually contain more personal data than a license agreement. The same applies to attachments.

Practical factors

Who has access to existing legal documents for reuse? Is it a specific team? The entire organisation or office? Or perhaps even all global business entities in the group? Even if users are bound to confidentiality, each additional person with access increases the potential security risk.

What is the level of manual triage? Are all files included? Or only selected folders?

Are new users (on the in-house counsel or law firm team) informed and sensitised about the potential dangers in reusing legal documents?

Technical factors

Are separate silos being used? This could, for example, prevent an organisation from inadvertently accessing another organisation's legal documents due to a programming error by the legal tech service provider (prevention is better than cure).

Depending on the other factors (e.g. with very sensitive personal data or very large amounts of documents), it may sometimes also be useful to consider whether the legal tech service should be hosted on the organisation's own servers (on premise). Or can other technical measures be taken that prevent the legal tech service provider from potentially having access to all legal documents?

How are the legal documents anonymised? Does the scrubbing tool give certain guarantees? Or does another manual check happen after the automated scrubbing?

What guarantees does the legal tech service provider offer in terms of security?

Retention period

How old are the legal documents that will be reused?

Are old legal documents excluded?


Should specific legislation be taken into account when reusing legal documents?

The GDPR may not apply, but it can also apply extraterritorially, and more and more countries worldwide are introducing data protection laws similar to the GDPR.
