As Large Language Models (LLMs) and Large Multimodal Models (LMMs) (together, Models) become increasingly prominent, we are now seeing instances of legal advice being used to train these Models.  If you import legal advice into a Model, you can potentially inadvertently and unintentionally waive legal professional privilege (LPP).

The importance of maintaining advice confidentiality (i.e., not sharing the advice external to the recipient of the LPP) generally underpins the continuity of the LPP.

We consider the implications of sharing legal advice and the impact of that sharing on LPP with Models across Australia, Singapore, the United Kingdom, as well as the states of Delaware and New York in the United States of America.  


In Australia, confidential communications made between a client and a lawyer for the dominant purpose of legal advice or litigation is protected by LPP under both statute and common law.[1] However, LPP can be lost if the privilege holder acts inconsistently with maintaining confidentiality, such as by consenting to disclosure, or knowingly or voluntarily disclosing to another person.[2] This is the case even if a privilege holder did not subjectively intend to waive confidentiality.[3] Therefore, sharing privileged information with a third party, even a Model, can potentially waive the privilege.

However, it is important to note that not every disclosure of confidential information to a third party leads to a waiver of privilege. In Mann v Carnell,[4] it was held that LPP was not waived in circumstances where a copy of legal advice was provided by the Australian Capital Territory (ACT) Chief Minister to a member of the ACT Legislative Assembly on a confidential basis to consider the reasonableness of ACT’s conduct in litigation.

Sharing legal advice with an external Model carries the inherent risk of losing LPP, especially due to its lack of control and potential for wider dissemination. For example, if a client inputs the legal advice they have received into an external Model, it could likely amount to a loss of privilege even if the client did not subjectively intend to waive it.

In Australia not every disclosure amounts to a loss of LPP. Organisations can mitigate their risk, for example, by using confidentiality agreements with the external Model provider as evidence against any finding of the privilege holder acting inconsistently with maintaining privilege despite disclosure to the Model. Alternatively, creating an internal Model for usage could also signal to courts the objective intent of maintaining confidentiality.[5]

United Kingdom

Legal professional privilege is governed by common law principles. As in Australia, LPP applies to confidential communications made between a lawyer and client for the dominant purpose of legal advice or litigation.[6] The privilege belongs to the client,[7] and disclosure to a third party could lead to a loss of privilege.

However, the United Kingdom recognises situations wherein there is limited waiver.[8] The Privy Council has held that privilege is not waived generally simply because a privileged document has been disclosed for a limited purpose only.[9] Rather, there is a distinction between waiving privilege and losing privilege.[10] Thus, in Property Alliance Group Ltd v Royal Bank of Scotland Plc,[11] it was held that privilege was not lost when confidential documents were given to regulators on a limited basis, even though the regulators could have used, acted on or even published those documents based on their legal rights and duties.[12] This conclusion was reached mainly because there was an express agreement between the privilege holders and regulators that privilege and confidentiality would be maintained.[13]

Like Australia, issues of loss of LPP arise when using UK legal advice to train a Model. On the other hand, it could be possible that Courts may recognise Model sharing to be a circumstance of limited waiver. A possible argument that can be advanced is that despite a Model having the capability to disseminate confidential information, privilege is not necessarily lost if the information is provided to the Model on a limited basis.


LPP is protected in Singapore in two ways – under statute for legal advice privilege and under both statute and common law for litigation privilege.[14]  The familiar dominant purpose approach is used to ascertain litigation privilege.[15] However, legal advice privilege does not. In that context, confidential communications are protected between a client and lawyer if the purpose was for seeking legal advice.[16]

For legal advice privilege, the Singaporean Court has held that third party communications are not protected unless “the third party is an agent for communication” as a “mere conduit”.[17] However, the Court did accept the possibility of utilising the Australian dominant purpose test for third party communications.[18] This indicates that disclosure of legal advice to a third party, such as a Model, is not protected under LPP.

In Singapore, waiver of privilege can be express or implied. For example, an implied waiver could be a disclosure to a third party.[19] However, the Court has noted that the law of implied waiver is tremendously complex and thus there is no one principle for all the different circumstances that may arise.[20] Privilege can also be lost if it enters the public domain, although the Court has noted that simply because confidential information is publicly accessible does not automatically mean loss of privilege.[21] Importantly, the Court said:

Merely making confidential information technically available to the public at large does not necessarily destroy its confidential character. Public media, in particular the Internet, must not be the gateway through which all confidentiality is dissolved and destroyed.[22]

Although this case involved the hacking of emails, this quote may influence the manner in which Singaporean Courts consider the possibility of confidential information being made available to the public domain through external Models. Although confidential information may be made publicly available such as through a data breach of the Model, it does not necessarily equate to a loss of privilege.

New York

LPP, known as attorney-client privilege in New York is protected under statute which states that confidential communication made between a client and an attorney is protected unless waived by the client.[23] Determining privilege involves questioning whether the communication in “its full content and context…was made in order to render legal advice or services to the client”.[24]

Express waiver could constitute a client voluntarily disclosing the information to a third party,[25] although it has been said that privilege may apply to confidential communications between a client and an attorney’s agent if it is made with the purpose of receiving legal advice.[26] However,  the Court’s determination will depend on the facts of the case.[27]

Regarding electronic usage and storage for confidential communications, New York Courts have stated that communication:

“…does not lose its privileged character for the sole reason that it is communicated by electronic means or because persons involved in the delivery, facilitation, or storage of electronic communication may have access to the content of the communication.”[28]

In Scott v Beth Israel Med. Ctr. Inc,[29] however, the Court held communications between the privilege holder and his attorney on the privilege holder’s company’s email address did not qualify for privilege, and even if it did, it had been waived.[30] This was predominantly because the privilege holder’s company had a policy that gave them a right to access or disclose material sent through their email system.[31]

Considering the rules and case law, it seems that sharing legal advice with external Models under New York law could also lead to a loss of privilege. Although electronic communication and storage does not necessarily amount to disclosure, courts may consider the possibility of Models leaking private data as forgoing privilege.


LPP is also codified under statute, with privilege attaching to confidential lawyer and client communications made to obtain professional legal services.[32] Similarly to New York, Delaware has contemplated whether the usage of electronic communications and storage may lead to a loss of LPP. In re WeWork Litigation,[33] the Delaware Court applied a four-factor test from re Asia Global Crossing, Ltd to hold that privilege was lost by employees who used their work email accounts to make communications as it undermined their reasonable expectation of privacy.[34] The test is:

“(1) does the corporation maintain a policy banning personal or other objectionable use, (2) does the company monitor the use of the employee’s computer or e-mail, (3) do third parties have a right of access to the computer or e-mails, and (4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?”[35]

The test could be transformed into a Model-user scenario, excluding the first element. It may be that if a Model (i) can monitor the inputted material by the user, (ii) provide third parties access to the inputted material, and (iii) has notified the user of its monitoring policies, then there may be a loss of LPP if legal advice is inputted. Ultimately, it seems that if a person’s reasonable expectation of privacy is undermined when using a Model, then privilege may be lost. It may be that having a proper confidentiality agreement in place with external Models or building an internal Model can avoid a finding of loss of privacy by the user.

Mitigating the Risk of Losing Privilege

Considering the above five jurisdictions, it seems that a common thread is that the usage of external Models for legal advice poses risks of loss of privilege. We consider some potential methods of mitigation.

Confidentiality Agreements and De-identification tools:
  • Potential Support: Detailed and specific confidentiality agreements between the Model provider and user could demonstrate a commitment to maintaining confidentiality. Confidentiality Agreements bolstered by the removal of personal information by de-identification software may further support a claim that LPP has not been waived.
  • Challenges: Despite the existence of confidentiality agreements, depending on the jurisdiction, courts may still find a loss of privilege depending on circumstances (i.e. such as the privilege holder acting inconsistently with the maintenance of privilege in Australia).
Limited Waiver:
  • Potential Support: It could be argued that disclosing confidential information to a Model was done for a limited purpose, such as for legal research or analysis.
  • Challenges: Defining and determining the limited purpose may be difficult, and it will be open to the courts to find whether privilege is lost on a case-to-case basis.
Data Breach Not a Loss of Privilege:
  • Potential Support: It could be argued that potential disclosure from a cyber or data breach does not equate to a loss of confidentiality when looking at the whole circumstances of the event. Additionally, it could be argued that information being inadvertently made available to the public is not inconsistent with a maintenance of privilege. Showing the court all the reasonable steps taken when using Models could also be relevant, but increasingly practically difficult.
  • Challenges: Courts may still find the possibility of third-party data breaches as being a determining factor of loss of privilege. Additionally, defining “reasonable steps” in the context of evolving technology like Models is complex, and courts may have differing opinions on what constitutes sufficient measures.
Is this another reason for organisations to build/host Internal Models?
  • Potential Support: With more stringent and specific policies, an internal Model could mitigate confidentiality risks by allowing for stricter data protocols and allowing for more control and customisation. This could signal to the courts the objective intention of the privilege holder to maintain LPP.
  • Challenges: Internal Models may still suffer similar problems to external Models if there are data and privacy breaches where the organisation itself is found to be responsible for the breach. Probably the largest practical impediment to self-hosting is the significant resources and expertise required to run sufficiently powerful and well-tuned Models internally.


While we have not yet seen this question explicitly tested by the court – at a minimum, organisations that intend to share their protected materials with a Model should take all steps to demonstrate that it is not their intention to waive LPP when sharing those materials.  They can do this by following the mitigation steps set out above.



[1] See Evidence Act s 117-119 and Esso Australia Resources Ltd v Federal Commissioner of Taxation [1999] HCA 67.

[2] EA s 122 (2), (3); Mann v Carnell [1999] HCA 66.

[3] Mann v Carnell [1999] HCA 66 [30].

[4] [1999] HCA 66 [30].

[5] It is argued that the internal use of technological tools such as Office 365 Tools generally do not lead to a loss of privilege even if they are hosted on external servers such as the Cloud, although there has yet to be case law in any jurisdiction yet. However, technological misuse that causes inadvertent disclosure may come into play – see Expense Reduction Analysts Group Pty Ltd & Ors v. Armstrong Strategic Management and Marketing Pty Limited & Ors [2012] NSWCA 430.

[6] Serious Fraud Office v Eurasian Natural Resources Corporation [2018] EWCA Civ 2006.

[7] B & Ors v. Auckland District Law Society (New Zealand) [2003] UKPC 38.

[8] Ibid.

[9] Ibid [68].

[10] Ibid [68].

[11] [2015] EWHC 1557 (Ch).

[12] Ibid.

[13] Ibid.

[14] Evidence Act 1893 (Singapore) s 128, 128A, 130; Skandinaviska Enskilda Banken AB (Publ), Singapore Branch v Asia Pacific Breweries (Singapore) Pte Ltd and Other Appeals [2007] SGCA 9 [1].

[15] Ibid.

[16] Ibid.

[17] Ibid [52].

[18] Ibid [65].

[19] ARX v Comptroller of Income Tax [2016] 5 SLR 590.

[20] Ibid.

[21] Wee Shuo Woon v HT Srl [2017] SGCA 23.

[22] Ibid [37].

[23] Civil Practice Law & Rules (N.Y.) s 4503(A)(1).

[24] Matter of Appellate Advocates v New York State Dept. of Corr. & Community Supervision Op 06466 (N.Y. 2023).

[25] People v. Patrick, 182 N.Y. 131, 175.

[26] United States v Kovel 296 F.2d 918 (2d Cir. N.Y. 1961).

[27] Ibid.

[28] Evidence Code s 917 (b) in Holmes v Petrovich Development Co., LLC 191 Cal.App.4th 1047 (Cal. Ct. App. 2011).

[29] 17 Misc. 3d 934 (N.Y. Sup. Ct. 2007).

[30] Scott v Beth Israel Med. Ctr. Inc 17 Misc. 3d 934 (N.Y. Sup. Ct. 2007).

[31] Ibid

[32] Delaware Uniform Rules of Evidence Rule 502.

[33] 2020 WL 7624636 (Del. Ch. 2020).

[34] re Asia Global Crossing, Ltd 322 B.R. 247 (Bankr. S.D.N.Y. 2005).

[35] re Asia Global Crossing, Ltd 322 B.R. 247 (Bankr. S.D.N.Y. 2005) cited in re WeWork Litigation 2020 WL 7624636 (Del. Ch. 2020).

Back to top

Stirling & Rose is an end-to-end corporate law advisory service for the lawyers, the technologists, the founders, and the policy makers.

We specialise in providing corporate advisory services to emerging technology companies.

We are experts in artificial intelligence, digital assets, smart legal contracts, regulation, corporate fundraising, AOs/DAOs, space, quantum, digital identity, robotics, privacy and cybersecurity.

When you pursue new frontiers, we bring the legal infrastructure.

Want to discuss the digital future?

Get in touch at | 1800 178 218