
How Irish Law Firms Can Implement AI Without Compromising Client Confidentiality


Ger Perdisatt

Founder, Acuity AI Advisory

GDPR, legal professional privilege, and the EU AI Act create a three-way compliance challenge for Irish firms rolling out AI tools. Getting this right requires more than reading a vendor's data processing agreement.

The question Irish law firms most frequently avoid asking before rolling out an AI tool is also the most important one: where does the data go, and who can see it?

Cloud-based AI tools — Copilot, document review platforms, AI-powered legal research tools — all process data somewhere. In most cases, that somewhere is infrastructure owned or operated by a US-headquartered technology company. For a law firm, the data being processed includes client communications, transaction documents, and privileged legal advice. The compliance stakes are not equivalent to a marketing team deploying a chatbot.

The three-way regulatory problem

Irish law firms face an interaction between three distinct legal frameworks that most IT assessments handle separately — if they handle them at all.

GDPR imposes requirements around lawful basis for processing, data minimisation, and data subject rights. For most AI tools that process personal data in the course of legal work, the lawful basis is contractual or legitimate interests — but this needs to be documented and defensible, not assumed.

Legal professional privilege is a common law protection covering confidential communications between a solicitor and client made for the purpose of obtaining legal advice. It is not a GDPR concept, and GDPR compliance does not preserve it. If confidential client communications are processed by a third-party AI system in a way that constitutes a waiver of privilege — which is a fact-specific analysis — no data processing agreement repairs that.

The EU AI Act adds a third layer. Where AI tools are being used in high-risk applications (see our post on EU AI Act obligations for Irish law firms), firms must maintain logs, conduct impact assessments, and ensure human oversight. Some of these compliance activities themselves involve processing client data.

Data residency is not optional

The practical first question before deploying any AI tool in legal practice is data residency. Where is the data processed? Where is it stored? Under what circumstances can it be accessed by the vendor or its sub-processors?

Most enterprise AI agreements offer data residency options — EU-hosted processing, contractual restrictions on vendor access to data, commitments not to use client data for model training. These options are not always the default. They often need to be negotiated, and in some cases they require enterprise licensing tiers that differ from what a small or mid-sized firm might be quoted.

Before signing any agreement, a law firm should be able to answer three questions: can the vendor access our data in an identifiable form? Does the processing occur in the EU? What happens to the data if we cancel the contract?

Practical governance steps

Rolling out Copilot, or any comparable tool, in a legal practice requires more than IT sign-off. Governance steps that firms consistently underweight include:

Staff training that goes beyond "here is how to use the tool" to address what categories of data should not be processed through it. There will always be matters where the risk of using an AI tool is too high regardless of the contractual protections.

Client communication. Some engagement letters now require clients to be informed if AI tools are used in the course of their matter. This is still evolving, but firms that get ahead of it are in a better position than those who wait for a client to ask.

Vendor due diligence that treats the AI provider as a data processor under GDPR and reviews their sub-processing chain, not just the headline data processing agreement.

An incident response process for the scenario where confidential data is inadvertently processed in a way that creates a breach risk. Firms that discover a GDPR issue in the context of client privilege are dealing with two regulators — the DPC and the Law Society — simultaneously.

Getting the governance right takes more time than deploying the tool. That is not an argument against AI in legal practice. It is an argument for sequencing the work properly. We help Irish professional services firms build governance frameworks that hold up to regulatory scrutiny. Get in touch if you want to talk through your current approach.
