Your Fee Earners Used ChatGPT Today. Client Privilege May Already Be Gone.
The Upper Tribunal has confirmed what privacy lawyers feared: uploading client data to public AI tools constitutes a permanent waiver of legal professional privilege.
The Ruling
"Uploading confidential documents into an open-source AI tool, such as ChatGPT, is to place that information into the public domain, resulting in a breach of client confidentiality and a waiver of legal professional privilege."
This is not obiter dicta. It is a binding determination on the status of privilege when data leaves a firm's controlled environment. Privilege, once waived, cannot be restored.
The Numbers
A Censuswide survey of 200 UK fee earners and 100 legal leaders (commissioned by Access Legal, May 2026) found:
- of fee earners use unapproved AI for client work
- of paralegals use unapproved AI
- of firm leaders believe "zero risk"
The gap between leadership confidence and actual exposure is where liability lives.
Why "Approved" Is Not Enough
Many firms are deploying "approved" AI tools — typically Microsoft Copilot, ChatGPT Enterprise, or Google Gemini. These are marketed as secure. They are not structurally secure for privilege.
Every one of these providers is a US-incorporated entity subject to the US CLOUD Act (2018). Under this legislation, a US court can compel any US company to produce data held anywhere in the world, regardless of:
- ✗ Which data centre region you selected
- ✗ What your contract says about UK data residency
- ✗ Whether the data is encrypted at rest
A contractual promise of privacy cannot override a federal court order. If your "approved" AI provider is a US entity, privilege protection is contractual, not architectural.
| Provider | US Parent | Subject to CLOUD Act |
|---|---|---|
| ChatGPT / OpenAI | Microsoft-backed | Yes |
| Microsoft Copilot | Microsoft Corp. | Yes |
| Google Gemini | Alphabet Inc. | Yes |
| Claude / Anthropic | Anthropic Inc. | Yes |
| Hush AI | None — UK company | No |
The Structural Solution
Privilege protection after Munir requires five conditions:
- No US parent entity — eliminates CLOUD Act jurisdiction entirely
- UK-owned hardware — not "UK region" on AWS/Azure/GCP
- Zero data retention — prompts processed and discarded, never stored
- Full audit trail — provable record for SRA compliance
- No sub-processors — data never leaves the processing environment
If any of these five conditions are not met, privilege remains at risk per the Munir standard.
What This Means for Your Firm
Immediate steps:
- Audit all AI tools in use across the firm (approved and unapproved)
- For each "approved" tool, determine the ultimate parent entity's incorporation
- Assess whether privilege may already be compromised
- Deploy AI where privilege is protected by architecture, not by contract
- Consider SRA reporting obligations if breach has occurred
Protect privilege. Architecturally.
Hush AI is a UK-incorporated company operating AI inference on UK-owned hardware. No US parent entity. Zero data retention. Full audit trail. We exist because privilege cannot be protected by contract alone.
Sources: Munir v SSHD [2026] UKUT 81 (IAC); Censuswide/Access Legal survey May 2026; US CLOUD Act 18 U.S.C. § 2713 (2018); Norton Rose Fulbright analysis April 2026; DAC Beachcroft analysis May 2026; Bird & Bird analysis 2026.