Regulation · AI Compliance

AI Act and LegalTech: how law firms are impacted.

On 2 November 2026, the AI Act's transparency obligations will come into force. For lawyers and LegalTech publishers, this means precise classification of tools used and appropriate documentation. Here's what is changing, what is prohibited, and how to prepare.

Jérémy Pierre
AI Act Compliance Expert
20 May 2026 · 8 min read
AI Act and LegalTech: What Law Firms Must Know Now
Key points · 4 figures to remember

  • 2 Nov. 2026: Deadline for AI Act transparency obligations
  • Annex III.8: Judicial decision-support systems classified as high-risk AI systems
  • 51-56: AI Act articles applicable to general-purpose AI models
  • 72h: Notification period for serious AI-related incidents

01 - Regulation

Lawyers and LegalTech: two roles, two responsibilities

The AI Act distinguishes between two categories of actors: providers and deployers. For law firms and LegalTech publishers, this distinction is crucial.

LegalTech publishers, such as developers of predictive analysis or assisted drafting tools, are considered providers of AI systems. As such, they must comply with the AI Act's obligations, particularly regarding technical documentation, transparency, and risk management. Law firms, however, are deployers when using these tools. Their responsibility lies in selecting systems, supervising their use, and ensuring compliance with professional conduct rules.

This duality requires close collaboration between publishers and users. Providers must supply clear documentation on their tools' capabilities and limitations, while lawyers must ensure these tools respect confidentiality and professional secrecy principles. Regulation (EU) 2024/1689 specifies that deployers must verify that the systems used comply with applicable requirements.

02 - Classification

Which LegalTech tools are covered by the AI Act?

Not all LegalTech tools incorporating AI are subject to the same obligations. Their classification depends on their use and potential impact.

Legal research tools, such as Lexis+ AI or Doctrine, are generally considered limited-risk. Their use does not require extensive documentation but must comply with transparency obligations, particularly by informing users they are interacting with AI. Conversely, litigation predictive analysis or judicial decision-support tools may be classified as high-risk AI systems if their use directly influences a legal or judicial decision.

The AI Act glossary by AiActo specifies that high-risk AI systems are subject to risk assessment, in-depth technical documentation, and continuous human oversight. For lawyers, this means a tool like Harvey AI, used for drafting documents, may be limited-risk, while a tool predicting litigation outcomes would require stricter compliance.

  • Limited risk: Legal research, case law summarisation, assisted drafting.
  • High risk: Litigation predictive analysis, judicial decision-support, legal risk scoring.
  • Prohibited: Systems manipulating judicial decisions or circumventing the right to a fair trial.

03 - Regulation

High-risk systems: what Annex III.8 says

Annex III of Regulation (EU) 2024/1689 lists AI systems considered high-risk. Point 8 specifically targets tools used in the judicial domain.

According to Annex III.8, AI systems used by judicial authorities or on their behalf for the following are considered high-risk:

  • searching for facts or evidence,
  • interpreting the law,
  • applying the law to a factual situation.

This definition also applies to tools used by lawyers if their use directly influences a judicial decision. For example, a tool predicting litigation outcomes and used to advise a client on contentious strategy could be classified as a high-risk AI system. Providers of such tools must comply with the AI Act's strict obligations, particularly regarding documentation, traceability, and human oversight.

"A lawyer using AI to predict litigation outcomes assumes professional liability if that prediction influences a strategic decision without human oversight."

The French National Bar Council (CNB) published a guide on AI and lawyer ethics in 2024, emphasising the need for heightened vigilance regarding tools used. The guide reminds lawyers that they remain responsible for the advice given, even when relying on AI tools.

04 - Confidentiality

Professional secrecy and data sovereignty

Data entrusted by clients to a lawyer benefits from special protection. Its processing by AI tools raises legal and ethical questions.

Professional secrecy and the GDPR require lawyers to ensure client data confidentiality. Using AI tools hosted outside the European Union, such as certain US cloud services, exposes firms to legal risks. The US CLOUD Act allows American authorities to access data stored by US companies, even if hosted in Europe.

To comply with the AI Act and GDPR, law firms should prioritise sovereign solutions that are hosted in the EU and adhere to European data protection standards. LegalTech providers must also document the measures taken to ensure the confidentiality of data processed by their tools. The CNIL recommends:

  • data encryption,
  • anonymisation or pseudonymisation of sensitive data,
  • use of servers located in the EU.

Lawyers must also inform clients about the use of AI tools in handling their cases, in line with the AI Act's and GDPR's transparency obligations.

05 - Liability

Lawyer liability: a new legal risk

Using AI tools in a law firm introduces new responsibilities and exposes firms to unprecedented legal risks.

A lawyer relying on AI to advise a client assumes professional liability. If the tool makes an error or provides incorrect analysis, the lawyer may be held responsible, particularly if the AI's use was not clearly documented and supervised. The AI Act strengthens this liability by requiring deployers of high-risk AI systems to ensure human oversight and traceability of decisions made with AI assistance.

LegalTech providers are not exempt. As providers, they must ensure their tools comply with the AI Act's obligations, particularly regarding transparency and risk management. In case of failure, their civil or criminal liability could be engaged. Contracts between providers and law firms must therefore specify each party's roles and responsibilities, as well as the guarantees offered by the provider.

  • Deployer obligations: Tool selection, human oversight, decision traceability, client information.
  • Provider obligations: Technical documentation, transparency, risk management, GDPR compliance.
  • Risks: Professional liability, AI Act sanctions, reputational damage.

To mitigate these risks, law firms should implement an AI tool usage policy, including staff training, regular tool assessment, and documentation of oversight processes. LegalTech providers must integrate AI Act compliance from the design stage, adopting a privacy by design and security by design approach.

06 - FAQ

Frequently asked questions

Answers to questions from lawyers and LegalTech providers about the AI Act.

An assisted drafting tool like Harvey AI is generally considered limited-risk under the AI Act. It must comply with transparency obligations, particularly by informing the user they are interacting with AI. However, it is not subject to the strict requirements applicable to high-risk AI systems, such as risk assessment or in-depth technical documentation. Nevertheless, lawyers must ensure the tool complies with professional conduct rules, particularly regarding data confidentiality.

A litigation predictive analysis tool may be classified as a high-risk AI system if its use directly influences a judicial or strategic decision. In this case, the lawyer assumes professional liability for errors or biases in the predictions. The AI Act requires human oversight and traceability of decisions made with the tool's assistance. Additionally, if the tool is hosted outside the EU, the lawyer faces risks related to professional secrecy and GDPR, particularly if data is accessed by foreign authorities.

A LegalTech provider must first classify its tools according to the AI Act's categories (limited-risk, high-risk, prohibited). For high-risk AI systems, the provider must implement technical documentation compliant with Annex IV of the Regulation, conduct a risk assessment, and ensure human oversight of decisions made with the tool. Providers must also comply with transparency obligations, particularly by informing users of the AI's limitations. Finally, they must ensure their tools comply with GDPR and confidentiality rules, prioritising sovereign solutions hosted in the EU.

Lawyers using AI tools must inform their clients about the use of these tools in handling their cases, in line with the transparency obligations set out in Article 50 of the AI Act. This information must be clear and accessible, without technical jargon. For high-risk AI systems, lawyers must also document decisions made with AI assistance and ensure human oversight. Finally, they must ensure the tools used comply with professional conduct rules, particularly regarding confidentiality and professional secrecy.

Using AI tools hosted in the United States exposes law firms to legal risks under the US CLOUD Act. This legislation allows US authorities to access data stored by US companies, even if hosted in Europe. For lawyers, this poses significant issues regarding professional secrecy and client data confidentiality. The CNIL recommends prioritising sovereign solutions hosted in the EU and complying with European data protection standards. If US tools are used, lawyers must inform clients of the risks and obtain their informed consent.

Jérémy Pierre
Founder aiacto.eu · AI Act Compliance Expert

Supports AI providers and deployers in regulatory compliance, with specific expertise in the legal and ethical challenges of regulated professions.
