The Dilemma: Wanting to Use AI but Not Being Allowed To
The situation in German law firms in 2026 is paradoxical. On one side, lawyers recognize the enormous potential of AI systems: drafting briefs, researching case law, summarizing client files, managing deadlines. On the other side stand professional obligations that make using conventional cloud AI practically impossible.
The core of the problem: As soon as you enter client data into ChatGPT, Claude, or Google Gemini, that data leaves the protected sphere of your law firm. It lands on servers in the USA, is potentially used for training AI models — and attorney-client privilege is violated.
This is not a theoretical concern. It is current law.
The Legal Framework: What Lawyers Need to Know
Duty of Confidentiality Under § 43a(2) BRAO (Federal Lawyers' Act)
The duty of confidentiality for lawyers is enshrined in § 43a(2) of the Bundesrechtsanwaltsordnung (BRAO — Federal Lawyers' Act) and specified in § 2 of the Berufsordnung für Rechtsanwälte (BORA — Professional Code for Lawyers). It is one of the fundamental professional obligations and protects the relationship of trust between lawyer and client.
This obligation is comprehensive: it covers everything that becomes known to the lawyer in the exercise of their profession. This includes not only the content of conversations and legal briefs, but even the fact that a client relationship exists at all.
§ 203 StGB (German Criminal Code): Criminal Liability for Violations
The violation of private secrets is a criminal offense under § 203 StGB (Strafgesetzbuch — German Criminal Code). Any lawyer who unlawfully discloses a secret entrusted to them in their professional capacity risks imprisonment of up to one year or a fine.
The decisive question: Does entering client data into a cloud AI system constitute "disclosure" within the meaning of § 203 StGB? The prevailing opinion in legal literature affirms this when data is transmitted to third parties without adequate technical safeguards.
§ 43e BRAO: Involvement of Service Providers
Since 2017, § 43e BRAO has permitted the involvement of service providers without requiring client consent, provided this is necessary for the service and the lawyer concludes a professional secrecy agreement (Berufsgeheimnisträgervereinbarung).
In practice, this means: You are generally permitted to use external software. However, the broad transfer of protected data to external servers likely violates the need-to-know principle. It becomes particularly problematic when the provider uses the data to train its models — because then you lose all control over where client information ends up.
The BRAK Guidelines (December 2024)
The Bundesrechtsanwaltskammer (BRAK — Federal Bar Association) published guidelines on the use of AI in law firms at the end of 2024. The key recommendations:
- Anonymization: When using generative AI, you should only submit abstract queries that allow no inference about a specific case. Documents should be fully anonymized beforehand.
- Review obligation: Every AI output must be carefully reviewed. AI systems can generate false information (so-called "hallucinations") — a particularly serious risk with legal texts.
- Transparency: Clients should be informed about the use of AI.
- AI competence: Since February 2025, the EU AI Act has required that users of AI systems possess adequate competence. Staff training is therefore mandatory.
- Documentation: The use of AI systems must be documented.
EU AI Act
The AI Act has been in force since August 2024 and is being applied in stages. From August 2026, most provisions apply in full. Relevant for law firms: transparency obligations, AI competence requirements, and documentation obligations when using AI systems.
The Problem with Anonymization
The BRAK guidelines recommend anonymization. In practice, this is often not realistic.
When you have a brief drafted, the AI system needs the facts of the case — with the specific circumstances, the parties involved, the particular legal questions. An anonymized case often loses exactly the context the AI needs to deliver a usable draft.
And even if you anonymize: In unusual cases, the combination of legal area, industry, and circumstances alone can allow inferences about the specific case.
Anonymization is therefore not a solution but a workaround — one that works for simple tasks (general research, text templates) but reaches its limits with complex case work.
The Solution: Your Own AI Server in Germany
What if client data never had to leave your protected sphere? That is exactly what an AI-Server in the GDPR Sovereign variant enables — and this is precisely the variant we recommend for law firms.
How It Works Technically
Our AI-Server exists in two variants:
Standard variant: Your documents, your firm's knowledge, and your files reside on a dedicated server in Germany. For the actual AI processing (text generation, analysis), only the task-relevant context data is transmitted via API to the model provider. Your data is not used for training third-party models — but it does briefly leave the server for processing.
GDPR Sovereign variant (recommended for law firms, +300 EUR/month): Here, local AI models run directly on your server. No API call to the outside, no data transfer, zero data leakage. All processing takes place within your protected infrastructure. For professionals bound by confidentiality obligations, this is the only consistent choice.
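One way to check the "no API call to the outside" property of the Sovereign variant against what a server actually does, shown as an added example that is not the vendor's code. The process names, the allow-listed networks and the connection rows are constructed assumptions; 203.0.113.40 is a documentation-range address standing in for an external model API.

```python
import ipaddress

# Assumption: destinations the firm has declared as inside its protected
# sphere (loopback plus a hypothetical server subnet). Everything else is egress.
ALLOWED = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.0.0.0/24")]

# Constructed rows (process, remote address, remote port), shaped like an
# export from a socket listing on the AI server. Not real data.
SAMPLE_SOVEREIGN = [
    ("llm-runtime", "127.0.0.1", 8080),
    ("llm-runtime", "::1", 8080),
    ("doc-indexer", "10.0.0.12", 5432),
]
# Standard variant: same host, plus a call to an external model API.
SAMPLE_STANDARD = SAMPLE_SOVEREIGN + [("llm-gateway", "203.0.113.40", 443)]


def normalize(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d), so a
    dual-stack socket to an allow-listed IPv4 address is matched correctly
    and findings show the real IPv4 destination."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def egress_findings(connections, allowed=ALLOWED):
    """Return every connection whose destination is outside the allow-list."""
    findings = []
    for process, addr, port in connections:
        ip = normalize(addr)
        if not any(ip in net for net in allowed):
            findings.append((process, str(ip), port))
    return findings


def sovereign_claim_holds(connections, allowed=ALLOWED):
    """True only if no observed connection leaves the allow-listed networks."""
    return not egress_findings(connections, allowed)


if __name__ == "__main__":
    for name, rows in (("sovereign", SAMPLE_SOVEREIGN), ("standard", SAMPLE_STANDARD)):
        print(name, sovereign_claim_holds(rows), egress_findings(rows))
```

The check is deny-by-default: a destination counts as inside the protected sphere only if it is explicitly listed. A host firewall with a default-deny outbound policy can enforce the same allow-list rather than only observe it.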
What This Means for Attorney-Client Privilege
- § 43a BRAO: In the Sovereign variant, no disclosure to third parties, because neither documents nor AI processing leave the server
- § 203 StGB: In the Sovereign variant, no unauthorized disclosure, because no external provider gains access to client data — not even for processing
- GDPR Art. 25: Privacy by Design — data protection is built into the architecture, not added retroactively
- GDPR Art. 44: No third-country transfer, as server and processing remain in Germany (Sovereign variant)
Practical Examples: AI in the Law Firm
Drafting Briefs
Instead of typing client data into a cloud AI, you work directly on your own server. You enter the facts — with all relevant details, names, dates — and the system produces a draft. Your documents stay on your server. With the Sovereign variant, all AI processing also happens locally — no copying, no anonymizing, no data leakage.
Particularly valuable: Your AI system knows your previous briefs. It knows how you argue, which formulations you prefer, how your outlines are typically structured. The longer you work with it, the better the drafts become.
Deadline Management
Missed deadlines are among the most common reasons for lawyer liability. Your AI-Server can:
- Check incoming correspondence for deadlines
- Remind you of upcoming deadlines (via email and Telegram message on your smartphone)
- Establish the connection to the respective case file
- Suggest which steps are due next
This does not replace a deadline register — but it adds an additional layer of safety.
Searching Your Own Files
"What did we argue in the Müller vs. Schmidt case regarding cosmetic repairs?" Your AI system answers this question in seconds — not by searching the internet, but because it knows your own documents. It searches your briefs, your correspondence, your notes, and finds the relevant passages.
Client Communication
Your AI system drafts emails to clients that match your style. It knows the status of individual cases and can:
- Answer status inquiries
- Suggest and coordinate appointments
- Summarize and send documents
- Remind clients about outstanding documents
What an AI-Server Costs for Law Firms
Prices for an AI-Server start at 999 EUR per month, depending on scope and selected package. For law firms that require full data protection with local AI processing, there is an additional monthly charge of 300 EUR for the GDPR Sovereign variant.
The one-time setup fee is 2,500–5,000 EUR and includes the complete configuration: server setup, AI configuration, customization for your firm, training.
Is It Economically Viable?
Let us calculate conservatively: A lawyer who saves one hour per day through the AI-Server (research, drafting, emails) gains 5,000–8,000 EUR per month in billable time at an hourly rate of 250–400 EUR. Against that stand costs starting at 999 EUR.
For most law firms, the payback period is under one month.
Common Objections — and Honest Answers
"I have practiced for 20 years without AI."
True. And you probably also spent 20 years manually writing your briefs, searching case law in databases, and entering deadlines by hand. An AI system does not replace your expertise — it takes over the work that is beneath your qualification level. The legal assessment remains with you.
"Can I trust the AI?"
No — and you should not. AI systems can deliver incorrect or imprecise results. Every draft, every research result, every output must be reviewed by you. The system is an assistant, not a decision-maker. The lawyer's duty to review remains in full force.
"What if the bar association objects?"
The BRAK guidelines explicitly recommend the use of AI in law firms — subject to compliance with professional obligations. A dedicated server in Germany with local data processing meets the strictest requirements for data protection and attorney-client privilege. What matters is documentation: Record which AI systems you use, for what purpose, and with what safeguards.
"My clients do not want this."
In our experience, clients have less of a problem with AI than with the uncontrolled transfer of their data to the cloud. When you can explain that your AI runs on a dedicated server in Germany and that in the Sovereign variant no data whatsoever leaves the protected sphere, it actually strengthens trust. Transparency is the key — inform your clients proactively.
Which Law Firms Benefit from an AI-Server?
An AI-Server is particularly suitable for:
- Solo practitioners and small firms (1–5 lawyers) who have no IT department but still want to use AI
- Firms with high brief volume (tenancy law, employment law, insurance law), where the time savings are greatest
- Firms with sensitive cases (criminal law, family law, medical law), where data protection is especially critical
- Tax advisory firms, which operate under similar confidentiality obligations
The Next Step
If you want to use AI as a lawyer without jeopardizing attorney-client privilege, a dedicated AI-Server in Germany is the consistent solution. No workaround with anonymization, no hoping for data protection assurances from US providers, but genuine data sovereignty.
In a free consultation, we clarify which variant makes sense for your firm and which tasks your AI system can take over from day one.
