Digi Assist · Blog
Security · 7 min read

Client Confidentiality in the Age of AI: What Law and CA Firms Must Know

Professionals across law and accounting are under pressure to adopt AI tools to stay competitive. But there is a critical risk that is not being talked about enough: uploading client documents to public AI services like ChatGPT or Google Gemini may constitute a serious breach of professional confidentiality obligations.

What happens when you upload to public AI

When you paste a client agreement into ChatGPT, or upload a balance sheet to a public AI chatbot, that data leaves your control. Depending on the service's terms of use and privacy policy, that content may be:

For a client who shared their confidential financial statements or litigation strategy with you, this is a disclosure they never consented to.

The professional obligation

Under the Bar Council of India Rules, advocates are bound by strict duties of confidentiality to their clients. Similarly, the ICAI's Code of Ethics for Chartered Accountants requires that members not disclose client information to third parties without consent.

Uploading a client's ITR, balance sheet, or agreement to a public AI service almost certainly constitutes disclosure to a third party — and the fact that you did it for your own convenience does not provide a defence.

The only compliant path: private, isolated AI

A private AI document search system runs entirely within your firm's controlled environment. Documents are uploaded to your firm's private knowledge base, not to any public cloud AI. The AI model processes queries against your own documents without sending anything to a third-party service.

Key characteristics of a compliant private AI document search system:

How to evaluate an AI document search tool for compliance

Before adopting any AI tool for client documents, ask these questions:

  1. Does my document content leave my environment when I run a query?
  2. Where are documents stored, and who has access to the storage?
  3. Can different client matters be isolated from each other?
  4. Does the vendor have a data processing agreement that covers DPDP Act obligations?
  5. What is the data retention and deletion policy?

Digi Assist: private AI document search by design

All documents stay in your private knowledge base. No public AI APIs. No data sharing. No compliance risk. Built for professional services firms with strict confidentiality obligations.
