Over the past years, “legal tech” solutions have become increasingly popular to help in-house legal departments and law firms share and reuse existing knowledge. Thanks to the rapid growth of technology, and in particular artificial intelligence, legal tech solutions have been taken to yet another level. They can now also be used to quickly review, search and analyse documents. And thanks to the extensive data input, they can even be used to create, harmonise and improve documents. This (r)evolution is saving valuable time for legal professionals and therefore also contributing to higher quality and cost-efficiency. In this blogpost we will examine the potential pitfalls of this new way of working, in particular those arising from the involvement of third parties from whom legal tech solutions are procured.
When (in-house) lawyers draft legal documents such as contracts, legal opinions and court documents, they usually do not reinvent the wheel. Even when it’s best to start from scratch, existing legal documents will often serve as inspiration and some part may be reused.
However, reusing existing (and sometimes quite old) legal documents can pose a number of legal challenges. We distinguish challenges in terms of personal data, confidentiality and context of the legal document:
Legal documents may contain a variety of personal data.
For contracts, consider e.g. the following personal data:
In practice, some legal documents contain more personal data than others.
Having legal documents indexed and content searchable inevitably involves the processing of personal data mentioned in those legal documents, whether or not that is intended.
When the legal document contains personal data, the organisation of the in-house lawyer or law firm will act as a data controller of the personal data contained in those legal documents for legal tech purposes. That processing activity consists of analysing the legal document to improve its own services and may in turn be outsourced to a legal tech service provider who would be acting as a processor, and with whom the necessary contractual arrangements must therefore be made.
In terms of personal data, the following questions or pitfalls then arise, among others:
To avoid personal data pitfalls, organisations could:
Be careful with automated anonymisation (scrubbing) of legal documents. Such scrubbing tools give no guarantees (e.g. the Microsoft Presidio documentation carries this warning: "Presidio can help identify sensitive/PII data in un/structured text. However, because Presidio is using trained ML models, there is no guarantee that Presidio will find all sensitive information. Consequently, additional systems and protections should be employed"), do not always work well in languages other than English, and cannot scrub personal data that is apparent from context (e.g. they only search for names, addresses, etc.).
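The limits described above can be seen with a small pattern-based scrubber. This is an added example, not code from this post or from Presidio; the patterns, the cue list and the sample clauses are constructed assumptions chosen to show one English clause that scrubs cleanly, one contextual identification and one Dutch clause the rules miss.

```python
import re

# Direct identifiers a pattern-based scrubber typically targets (simplified, constructed rules).
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\+?\d[\d /.-]{7,}\d"),
    # English-style honorific + capitalised name; a Dutch "de heer ..." is not covered.
    "PERSON": re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.? [A-Z][a-z]+(?: [A-Z][a-z]+)*"),
}

# Cues that a person may still be identifiable from context after scrubbing
# (hypothetical list; a real deployment would tune it per language and document type).
CONTEXT_CUES = re.compile(
    r"\b(?:sole|only|founder|CEO|managing director|de heer|mevrouw|zaakvoerder)\b",
    re.IGNORECASE,
)

def scrub(text):
    """Replace every pattern match with a <LABEL> placeholder."""
    for label, rx in PATTERNS.items():
        text = rx.sub(f"<{label}>", text)
    return text

def needs_manual_review(scrubbed):
    """Return the lines that still carry a contextual cue after scrubbing."""
    return [ln for ln in scrubbed.splitlines() if CONTEXT_CUES.search(ln)]

# Constructed sample clauses (not taken from any real document).
SAMPLE = "\n".join([
    "Notices go to Mr. John Smith, john.smith@example.com, +32 2 555 01 23.",
    "The Seller is represented by the founder of the only bakery in Exampletown.",
    "De Koper wordt vertegenwoordigd door de heer Jan Peeters, zaakvoerder.",
])

if __name__ == "__main__":
    out = scrub(SAMPLE)
    print(out)
    for line in needs_manual_review(out):
        print("REVIEW:", line)
```

The first clause comes out fully masked, while the second and third are unchanged and are routed to a human reviewer, which is the manual check after automated scrubbing that the factors further down ask about.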
Even if a particular legal document contains little or no personal data, there is a real chance that the legal document does contain information of a confidential nature.
Confidentiality issues or pitfalls include the following:
Tips to avoid confidentiality pitfalls:
With legal documents, especially contracts, the context is at least as important as the document itself.
In terms of the context of the legal document, the following questions or pitfalls, among others, arise:
Tips to avoid document context pitfalls:
Whether the use of legal tech when reusing legal documents is advisable depends on several factors.
So whether or not legal tech for document reuse is advisable for your organisation is an analysis that every organisation or law firm needs to do for itself. In that analysis, they can take into account the following factors:
Type of legal documents
Some legal documents typically contain more personal data than others.
For example, in terms of contracts, employment agreements, non-disclosure agreements (NDAs), merger and acquisition (M&A) agreements and amicable settlements usually contain more personal data than a license agreement. The same applies to attachments.
Who has access to existing legal documents for reuse? Is it about a specific team? Across the entire organisation or office? Or perhaps even all global business entities in the group? Even if users are bound to confidentiality, each additional person with access increases the potential security risk.
What is the level of manual triage? Are all files included? Or only selected folders?
Are new users (on the in-house counsel or law firm team) informed and sensitised about the potential dangers in reusing legal documents?
Are separate silos being used? This could, for example, prevent an organisation from inadvertently accessing another organisation's legal documents due to a programming error by the legal tech service provider (prevention is better than cure).
Depending on the other factors (e.g. with very sensitive personal data or very large amounts of documents), it may sometimes also be useful to consider whether the legal tech service should be hosted on the organisation's own servers (on premise). Or can other technical measures be taken that prevent the legal tech service provider from potentially having access to all legal documents?
How are the legal documents anonymised? Does the scrubbing tool give certain guarantees? Or does another manual check happen after the automated scrubbing?
What guarantees does the legal tech service provider offer in terms of security?
How old are the legal documents that will be reused?
Are old legal documents excluded?
Should specific legislation be taken into account when reusing legal documents?
The GDPR may not apply, but bear in mind that it may apply extraterritorially, and more and more countries worldwide are introducing data protection laws similar to the GDPR.