WEBVTT

00:00:00.001 --> 00:00:05.900
Welcome back to Legal Prompting. I'm Nicola Fabiano, and this is episode 8.

00:00:06.699 --> 00:00:13.119
In the previous episode, we saw how to integrate legal prompting into corporate compliance workflows

00:00:13.140 --> 00:00:17.340
with structured processes, governance and traceability.

00:00:18.139 --> 00:00:21.639
Today we tackle a topic that underpins everything,

00:00:22.760 --> 00:00:26.700
professional secrecy and the choice of AI infrastructure.

00:00:27.700 --> 00:00:31.659
The principle is simple but often underestimated.

00:00:32.639 --> 00:00:41.080
When a lawyer, a legal consultant or a DPO enters information covered by professional secrecy into an AI system,

00:00:41.819 --> 00:00:46.540
they are making a deontological choice, not just a technical one.

00:00:46.979 --> 00:00:52.880
The infrastructure on which the model runs, the place where the data is processed,

00:00:52.880 --> 00:01:00.240
the parties who can access it, the contractual guarantees in place, the applicable jurisdiction,

00:01:00.779 --> 00:01:04.400
all of this is part of respecting that secrecy.

00:01:05.319 --> 00:01:09.860
No well-written prompt can compensate for inadequate infrastructure.

00:01:10.500 --> 00:01:13.019
Let's look at three concrete applications.

00:01:14.120 --> 00:01:17.440
First application, analyzing a confidential file.

00:01:17.440 --> 00:01:26.639
If I need to ask a model to summarize the documents of a dispute or to compare clauses of a contract covered by an NDA,

00:01:27.199 --> 00:01:29.779
the first step is not writing the prompt.

00:01:30.360 --> 00:01:35.760
It is verifying where that data will go, whether it will be used for training,

00:01:36.300 --> 00:01:40.400
who will have access to the logs, how long it will be retained

00:01:40.400 --> 00:01:46.440
and whether the provider offers guarantees compatible with the duty of confidentiality.

00:01:46.440 --> 00:01:54.900
For highly sensitive data, a model run locally or on European infrastructure with a solid DPA

00:01:54.900 --> 00:02:00.879
and explicit no-training clauses is often the only coherent option.

00:02:01.720 --> 00:02:05.720
Second application, privacy or health-related advice.

00:02:06.760 --> 00:02:10.279
Special categories of data require reinforced caution.

00:02:10.279 --> 00:02:13.559
Even when the use case appears generic,

00:02:14.080 --> 00:02:20.259
a single identifying detail can turn the prompt into a processing of sensitive personal data.

00:02:21.139 --> 00:02:28.460
The operational rule is preventative pseudonymization or, where possible, abstraction of the case.

00:02:29.399 --> 00:02:38.399
If the provider does not offer adequate guarantees on extra-EU transfers, sensitive data must not leave my perimeter.

00:02:38.399 --> 00:02:45.419
Third application, drafting opinions on extraordinary transactions or criminal proceedings.

00:02:46.539 --> 00:02:49.139
Here technical confidentiality is not enough.

00:02:49.679 --> 00:02:55.820
One must consider the provider's jurisdiction, access requests from foreign authorities,

00:02:56.759 --> 00:03:05.300
exposure to regulations such as the CLOUD Act and the implications of Italian Law 132/2025

00:03:05.300 --> 00:03:08.460
and the AI Act regarding infrastructure.

00:03:09.399 --> 00:03:11.699
Three cross-cutting operational rules.

00:03:13.020 --> 00:03:15.679
First rule, classify before prompting.

00:03:16.539 --> 00:03:22.500
Every piece of information entering a model must be classified by confidentiality level.

00:03:23.300 --> 00:03:27.800
Without classification there can be no informed choice of infrastructure

00:03:27.800 --> 00:03:31.440
and every subsequent decision is blind.

00:03:31.440 --> 00:03:34.899
Second rule, document the choice.

00:03:35.520 --> 00:03:41.559
The client file must be able to show which tool was used, with what contractual guarantees,

00:03:42.080 --> 00:03:47.100
on what legal basis and why that choice was proportional to the case.

00:03:48.320 --> 00:03:51.940
Documentation protects the client and protects the professional.

00:03:52.600 --> 00:03:54.820
Third rule, favor abstraction.

00:03:55.820 --> 00:03:59.940
Where possible, replace identifying data with placeholders.

00:04:00.860 --> 00:04:02.580
Work through categories and schemes.

00:04:03.360 --> 00:04:06.779
Reconstruct the context only in your own mind.

00:04:07.600 --> 00:04:09.479
The model helps you reason.

00:04:10.119 --> 00:04:13.880
It does not need to know the identity of the persons involved.

00:04:14.899 --> 00:04:19.679
Professional secrecy is not a constraint that limits the use of AI.

00:04:20.440 --> 00:04:23.279
It is the framework that makes it legitimate.

00:04:23.279 --> 00:04:30.720
Without this framework, every efficiency gain turns into a deontological and disciplinary risk

00:04:30.839 --> 00:04:35.500
and every operational advantage becomes a latent liability.

00:04:36.420 --> 00:04:40.140
In the next episode we will enter the heart of the AI Act,

00:04:40.859 --> 00:04:44.200
which specific obligations fall on the legal professional,

00:04:44.959 --> 00:04:47.140
how human oversight is articulated

00:04:47.140 --> 00:04:52.720
and what transparency in the use of AI systems concretely means.

00:04:53.279 --> 00:04:55.779
To explore these topics further

00:04:55.779 --> 00:05:02.320
and receive weekly reflections on the relationship between law, privacy and technology,

00:05:03.100 --> 00:05:07.579
I invite you to subscribe to the newsletter at nickfab.eu.

00:05:08.440 --> 00:05:09.359
Thank you for listening!

