
Attorney-Client Privilege and AI Tools: What Heppner Means, and Where Indian Law Stands
Most consumer generative AI tools, including ChatGPT, Claude, and Gemini, operate on a common architecture: the user inputs text, the platform processes it on the provider's servers, and a response is generated. The user's input is transmitted to, and often stored by, a third party. Some enterprise and self-hosted deployments operate differently, with tighter controls over data retention and access, but the majority of legal professionals using AI tools today are using consumer-tier products that transmit data externally.
For most uses, this is unremarkable. But when the input contains privileged legal communications, confidential case strategy, or information shared between a lawyer and a client in confidence, the implications are serious. The question is not whether AI tools are useful for legal work. They plainly are. The question is whether using them impairs the legal protections that make candid legal communication possible, and if so, what the precise consequences are under the applicable legal framework.
In February 2026, a US federal court addressed this question for the first time. On the facts before it, the court held that the AI-generated materials were not protected by attorney-client privilege. India has no equivalent ruling yet, but the statutory framework contains the tools to analyse the same question, and the likely conclusions are sobering. This article analyses the US decision, maps it against the Indian statutory framework, identifies the gaps, and sets out practical guidance for anyone using AI tools in a legal context.
What is attorney-client privilege?
For readers who are not lawyers, a brief explanation of what privilege is and why it matters.
Attorney-client privilege is a legal rule that protects communications between a client and their lawyer from being disclosed in court or to opposing parties. The rationale is straightforward: clients need to be able to speak candidly to their lawyers without fear that what they say will be used against them. If that candour is not protected, rational clients would withhold information, and their lawyers would give worse advice as a result. The entire legal system depends on this dynamic working properly.
Privilege is not absolute. It does not protect communications made in furtherance of a crime or fraud. It does not cover facts, only communications. And, critically for this analysis, it can be lost if the communication is shared with a third party who is not covered by the privilege.
In the United States, privilege is a common law doctrine, developed through case law over centuries and varying somewhat across jurisdictions. In India, privilege is statutory, governed by Sections 132 to 134 of the Bharatiya Sakshya Adhiniyam, 2023 (which replaced Sections 126 to 129 of the Indian Evidence Act, 1872). This structural difference matters, as we will see, because the Indian framework is more rigid in some respects and more protective in others.
The core requirements are broadly similar across both systems: there must be a lawyer-client relationship, the communication must be confidential, and it must be for the purpose of obtaining or providing legal advice.
The Heppner decision
United States v. Heppner, No. 1:25-cr-00503-JSR (S.D.N.Y., Feb. 17, 2026), is the first federal decision in the United States to squarely address whether communications with a consumer generative AI platform are protected by attorney-client privilege. The court, Judge Jed S. Rakoff presiding, held that they are not.
The facts
Bradley Heppner was a public company executive who came under criminal investigation for securities fraud. He was indicted on 28 October 2025 and arrested on 4 November 2025. Before his arrest, Heppner had engaged legal counsel and knew he was under investigation.
Independently, without direction from his lawyers, Heppner used Anthropic's Claude, a free consumer-tier generative AI platform, to draft documents outlining his defence strategy, anticipated legal arguments, and analysis of the facts and law of his case. He generated approximately 31 documents through these exchanges.
When the FBI executed a search warrant at Heppner's home upon his arrest, they seized the electronic devices containing these AI-generated materials. Heppner subsequently shared the materials with his defence counsel, who asserted attorney-client privilege and work product protection over them. Defence counsel acknowledged, however, that they had not directed Heppner to use the AI platform.
The three-part privilege test
The court applied the standard three-part test for attorney-client privilege. A communication is privileged if it is (1) between an attorney and a client, (2) intended to be and kept confidential, and (3) made for the purpose of obtaining or providing legal advice. The court found all three elements unsatisfied.
No attorney-client relationship. Claude is not an attorney. Judge Rakoff emphasised that all recognised privileges require a "trusting human relationship" with a "licensed professional" bound by fiduciary duties. An AI platform, regardless of how sophisticated its outputs, cannot form such a relationship. The user is not communicating with or through a lawyer; they are typing queries into a software product.
No confidentiality. The court found no reasonable expectation of confidentiality because Anthropic's privacy policy, which users consent to, provides that the company collects data on users' inputs and the platform's outputs, uses this data for model training, and reserves the right to disclose it to third parties including government regulatory authorities. Judge Rakoff stated that Heppner had disclosed privileged information to a third party with an express provision that what was submitted was not confidential. There was, in the court's view, no reasonable expectation of privacy whatsoever.
No legal advice purpose. Heppner acted on his own initiative, not at counsel's direction. Claude itself explicitly disclaims the ability to provide formal legal advice. Since no lawyer was involved in the process, the purpose element was unmet.
The court also rejected the argument that sharing the documents with counsel after the fact could retroactively create privilege. Sharing unprivileged documents with a lawyer does not retroactively shield them.
Work product doctrine rejected
Defence counsel alternatively argued that the materials qualified for work product protection, which shields materials prepared by or at the direction of counsel in anticipation of litigation. The court rejected this on two grounds.
First, Heppner acted on his own initiative without counsel's direction, so he was not functioning as counsel's agent. Second, the documents did not reflect defence counsel's mental impressions, strategy, or thought processes, which is the core purpose of the work product doctrine. Judge Rakoff expressly disagreed with prior SDNY precedent in Shih v. Petal Card, Inc., 565 F. Supp. 3d 557 (S.D.N.Y. 2021), which had taken a broader view of work product protection for non-lawyer-generated materials.
The critical dicta
What makes Heppner more than a cautionary tale for careless defendants is what Judge Rakoff said about scenarios he was not deciding. Three points from the dicta are particularly significant.
First, if counsel had directed the client to use the AI tool, the platform "might arguably be said to have functioned in a manner akin to a highly trained professional who may act as a lawyer's agent." The court referenced United States v. Kovel, 296 F.2d 918 (2d Cir. 1961), the leading case on extending privilege to third parties whose assistance is necessary for effective legal representation. This suggests that counsel-directed AI use might qualify for Kovel protection.
Second, enterprise or confidential AI systems, in which inputs and outputs are kept confidential and are not used to train models, could receive different treatment. The court stated that whether privilege is protected within a closed, enterprise-grade system remains an open question.
Third, the court framed its holding by noting that long-established privilege rules "apply to generative AI just as they apply to telephone calls, memorandums, and emails." The message is clear: AI is not a special case. Existing doctrine applies. The question is whether the specific circumstances satisfy the existing requirements.
The Indian statutory framework
India's privilege law operates differently from the US common law model. Understanding these structural differences is essential before applying the Heppner analysis to Indian facts. Two critical distinctions must be kept in mind throughout: first, Indian privilege is statutory, not common law, so the text of the statute defines the boundaries; and second, the statute creates two distinct mechanisms, an evidentiary bar on compelling testimony and a separate ethical duty of non-disclosure, which operate independently and must not be conflated.
BSA 2023, Sections 132 to 134
The Bharatiya Sakshya Adhiniyam, 2023 replaced the Indian Evidence Act, 1872, and its privilege provisions are found in Sections 132 to 134.
Section 132 consolidates what were formerly Sections 126 and 127 of the Indian Evidence Act into a single provision. It is an evidentiary rule principally addressed to the court: no advocate shall, at any time, be permitted to disclose, unless with the client's express consent, any communication made to them in the course and for the purpose of their service as an advocate. The operative words are "be permitted to disclose." This principally operates as a bar on compelled disclosure in legal proceedings, though it also expresses a legal protection over professional communications more broadly. The protection extends to the contents of documents and any advice given, and continues after professional service has ceased. Critically, the section also extends the evidentiary bar to "any interpreter, clerk, or other person" who has become acquainted with privileged communications in the course of their employment with the advocate, a consolidation of the old Section 127 that is directly relevant to the AI analysis. Two exceptions apply: communications made in furtherance of an illegal purpose, and facts showing that a crime or fraud has been committed since the commencement of the advocate's service.
This distinction matters for the AI analysis. Section 132 principally determines whether privileged communications can be compelled in legal proceedings. The broader professional obligation of confidentiality is separately reinforced by BCI Rules 7 and 17, discussed below. When a lawyer voluntarily shares client information with a third party (including an AI platform), the question of whether this breaches a legal duty falls primarily to those professional conduct rules, though it may also affect whether the evidentiary bar under Section 132 can be maintained in practice.
Section 133 provides that volunteering evidence does not constitute waiver. A party who gives evidence does not thereby consent to disclosure of privileged communications. Even calling an advocate as a witness only permits questions on matters specifically asked about. This anti-waiver provision is relevant to compelled production scenarios: if privileged material surfaces through a third party (such as an AI provider responding to a government request), Section 133 could be argued in the client's favour, since the client did not voluntarily put the material in evidence.
Section 134 protects the client, not the adviser. No one shall be compelled to disclose to the court any confidential communication which has taken place between them and their legal adviser. The critical distinction from Section 132 is directional: Section 132 bars the advocate from being compelled to testify about privileged communications; Section 134 bars the client from being compelled to disclose confidential communications with a legal adviser. Section 134 uses the broader term "legal adviser" rather than "advocate," but as discussed below in the context of the Supreme Court's 2025 decision in In Re: Summoning of Advocates, the scope of this provision in relation to in-house counsel is significantly narrower than the text might suggest.
A critical structural feature of Indian privilege law, observed by the Supreme Court in Reliance Industries Limited v. SEBI, AIR 2022 SC 3690, is that Indian courts derive privilege from the statute rather than from common law classifications. There is no distinction between legal advice privilege and litigation privilege of the kind found in English law, and the scope of protection is defined by the text of the statute.
Who holds privilege? The protection exists for the benefit of the client and generally cannot be overridden without the client's express consent. The advocate's testimonial immunity under Section 132 is a duty owed to the client. The client's right under Section 134 is personal to the client. This means that when a lawyer discloses privileged information to an AI platform without the client's knowledge, two separate questions arise: has the lawyer breached their ethical duty of non-disclosure (BCI Rules 7 and 17)? And has the client's ability to enforce the evidentiary bar been impaired by the disclosure? These are not the same question, and they may have different answers. In corporate settings, who within the company can consent to disclosure or waive privilege, whether the board, authorised officers, or general counsel, adds a further layer of complexity that AI use policies must address.
BCI Rule 7 and the ethical duty
Independent of the statutory evidentiary privilege, the BCI Rules impose a substantive duty of non-disclosure on advocates through two provisions. Rule 7 of Part VI, Chapter II, Section II (Duty to the Client) provides that an advocate shall not, by any means, directly or indirectly, disclose communications made by a client or advice given in proceedings. Rule 17 of the same section reinforces this by providing that an advocate shall not, directly or indirectly, commit a breach of the obligations imposed by Section 126 of the Indian Evidence Act (now Section 132 of the BSA). Breach of either rule triggers disciplinary proceedings before the State Bar Council.
These provisions do the heavy analytical work in the AI context. While Section 132 principally bars compelled disclosure in proceedings, BCI Rules 7 and 17 prohibit any disclosure, including voluntary disclosure to a third party. When a lawyer inputs identifiable confidential client information into a consumer AI platform without the client's consent, there is a strong argument that this breaches both rules: Rule 7 prohibits disclosure "by any means, directly or indirectly," and Rule 17 incorporates the statutory obligations of Section 132. The analysis may differ for anonymised or abstracted inputs, or for enterprise tools that function as confidential processors under client-authorised terms, but for consumer AI use involving identifiable client-confidential material, the risk of a professional conduct violation is serious.
These ethical duties predate digital communication entirely. They contain no guidance on cloud-based services, AI tools, data residency, or encryption obligations. To the best of the author's knowledge, the interaction between these duties and the use of AI tools that process client information on third-party servers has not been formally addressed by the Bar Council of India. But the absence of specific guidance does not narrow the duties' scope. "By any means" is broad enough to cover any medium of disclosure.
The in-house counsel position
The Supreme Court addressed the privilege status of in-house counsel conclusively in In Re: Summoning of Advocates, Suo Motu W.P. (Crl.) No. 2 of 2025, decided 31 October 2025, building on the earlier holding in Satish Kumar Sharma v. Bar Council of HP, (2001) 2 SCC 365, that an advocate cannot be a full-time salaried employee.
The Court held that in-house counsel are not entitled to privilege under Section 132 because they are not "advocates practising in Courts as spoken of in the BSA." The Court's reasoning was grounded in the employment relationship: the salaried nature of in-house counsel means they are likely to be influenced by their employer's commercial interests, which undermines the independence that privilege presupposes.
On Section 134, the Court's holding was specific and limiting. The Court held that in-house counsel are entitled to limited confidentiality under Section 134, but expressly stated that this protection cannot be claimed for communications between the employer and the in-house counsel themselves. Section 134's protection, as applied in this context, covers only communications made by in-house counsel to the employer's external legal advisors. Communications between the company and its in-house counsel fall outside both Section 132 and the scope of Section 134 protection as interpreted by the Court.
The Court did hold, separately, that communications between an in-house counsel (acting as the company's agent) and the company's external advocate remain privileged under Section 132, since the external advocate is an enrolled advocate and the communication is made for the purpose of obtaining legal advice.
The implications for AI tool usage are stark. When an in-house counsel uses an AI tool to draft legal analysis or assess the company's liability, that work product is not protected by privilege under either Section 132 or Section 134. It was never privileged to begin with.
To make this concrete: an in-house counsel at a Bangalore fintech company discovers a data breach affecting 50,000 users. She uses Gemini to summarise the incident details and draft an internal memo assessing the company's liability exposure, before the company's external lawyers are engaged. Under the framework established in In Re: Summoning of Advocates, the company cannot claim privilege over this memo: it is a communication between the employer and its in-house counsel, which the Supreme Court has held falls outside both Section 132 and the scope of Section 134 protection. The fact that it also now sits on Google's servers, where Google's terms permit data retention and human review, compounds the problem but does not change the underlying position. The memo was never privileged. If the Data Protection Board investigates and demands the document, the company has no privilege to assert. The lesson for corporate legal teams is that where privilege sensitivity is high, external counsel should be engaged early and communications structured accordingly. The use of consumer AI tools by in-house counsel makes an already exposed position worse by creating a producible copy of the analysis on a third party's servers.
How would Heppner play out in India?
Consider a scenario that plays out in law firms across India every day. A litigation partner at a Mumbai firm is responding to a SEBI show-cause notice on behalf of a listed company client. The deadline is tight. She pastes her preliminary legal analysis, her notes on the client's liability exposure, and her draft arguments into Claude's free tier to refine the response. These are confidential communications and advice within the meaning of Section 132 BSA: the legal strategy she is developing for the client, the candid assessment of weaknesses in the client's position, the advice she plans to give. She does not tell the client she is doing this. She has not checked Anthropic's terms of service.
Two separate legal questions arise. First, has she breached her ethical duty of non-disclosure under BCI Rules 7 and 17 by routing confidential analysis through a third-party platform without the client's knowledge? On these facts, where she used a consumer tool, did not obtain client consent, and input identifiable confidential analysis, there is a strong argument that she has. Second, has the client's ability to enforce the evidentiary bar under Sections 132 and 134 been impaired? That question is harder, because privilege exists for the benefit of the client, not the lawyer, and the client did not authorise or even know about the disclosure.
No Indian court has been asked to rule on these questions. But the doctrinal tools to analyse them already exist.
The confidentiality requirement and BCI Rule 7
The analysis operates on two tracks. The evidentiary privilege under Section 132 bars the court from compelling the advocate to testify about privileged communications. The ethical duty under BCI Rule 7 prohibits the advocate from disclosing those communications by any means. When an advocate inputs privileged information into a consumer AI tool, the most immediate violation is of BCI Rule 7: the advocate has disclosed confidential client information to a third party, Anthropic, OpenAI, or Google, without the client's consent.
The harder question is whether this disclosure also destroys the client's evidentiary privilege. Section 132's protection applies to communications made "in the course and for the purpose of" professional service. The confidentiality of the communication is inherent in the nature of the professional relationship. The Bombay High Court in Memon Hajee Haroon Mohomed v. Abdul Karim, ILR 30 Bom 439, described this as a requirement that the communication be made "sub sigillo confessionis" (in confidence), though this is a single pre-independence High Court authority and not binding precedent outside Bombay.
The question that arises when a lawyer routes privileged material through a consumer AI platform is temporal: the communication was confidential when made between advocate and client, but has it lost that character now that it sits on a third party's servers under terms permitting retention and use? A court assessing whether to maintain the evidentiary bar under Section 132 may find that a communication can no longer be treated as confidential for privilege purposes once it has been transmitted to and retained by a commercial entity with no duty of loyalty to either party and an express right to use and disclose the data. This is analogous to sending a privileged letter via a courier service whose terms say it may photocopy and retain the contents.
Does the client's evidentiary privilege survive this? There is a counterargument that it should. The client did not consent to or know about the disclosure. The general principle of agency law is that an agent acting outside authority does not bind the principal, and since privilege exists for the benefit of the client, the advocate's unilateral breach of confidence should not extinguish the client's right. Section 132 itself requires the client's "express consent" for the advocate to disclose; courts have interpreted this strictly, with the court in Bhagwani Choithram v. Deoram, AIR 1940 Sind 68, holding that "express" was used deliberately and that courts should not impute consent through conduct. If the client never gave express consent, the argument runs, the statutory condition for lawful disclosure was never met and the evidentiary bar should remain intact.
But there is an equally forceful argument the other way. Indian law has not developed any doctrine of "inadvertent" or "unauthorised" waiver equivalent to what some US jurisdictions recognise. Nor has it developed a common interest doctrine: in Reliance Industries Ltd. v. SEBI, AIR 2022 SC 3690, the Supreme Court did not recognise or apply any form of selective waiver on the facts before it, and no Indian court has had occasion to adopt a common interest privilege. Without these doctrinal frameworks, there is no established mechanism for preserving privilege once material has been disclosed to an unprotected third party. A court confronting the question would have to decide, without precedent, whether the agency-law principle or the absence of waiver doctrine controls.
The honest answer is that this is genuinely uncertain. A court sympathetic to the client might draw on the protective orientation of Section 133 (which provides that volunteering evidence does not constitute waiver) and the agency-law principle. A court focused on the practical reality that the information is now in the hands of a commercial entity with its own data practices might find that the evidentiary bar can no longer be effectively maintained.
In practice, however, this doctrinal debate may be largely academic, for a reason we turn to next.
What the terms actually say
Data retention and training clauses for consumer AI platforms
Model training. Free-tier inputs are used to train and improve OpenAI's models by default. Users can opt out via Settings > Data Controls. API and Enterprise customers are excluded from training by default.
Data retention. Deleted conversations and Temporary Chats are automatically deleted within 30 days. Data may be retained longer for abuse monitoring.
Third-party disclosure. OpenAI may share data with service providers, during corporate transactions, and with law enforcement or government authorities as required by law.
The third-party production problem
There is a more fundamental vulnerability in Indian privilege law that the academic debate over waiver may obscure. Sections 132 and 134 of the BSA are bars against compelling specific persons: Section 132 stops the court from compelling the advocate, and Section 134 stops the court from compelling the client. Neither section, by its terms, stops a court or regulator from compelling a third party who holds a copy of the same information.
If a lawyer pastes privileged material into a consumer AI platform, the opposing party or a regulator can seek production directly from the AI provider. The provider is neither the advocate nor the client and cannot claim protection under Section 132 or 134. In court proceedings, a summons under Section 94 of the Bharatiya Nagarik Suraksha Sanhita (BNSS), or an order under Order XVI of the Code of Civil Procedure, could compel the provider to produce the data. Indian courts have generally not excluded relevant evidence based on how it was procured (Pooran Mal v. Director of Inspection, (1974) 1 SCC 345).
This means the practical risk of AI disclosure is not primarily about whether the client has "waived" privilege in some doctrinal sense. It is that the disclosure creates a second, unprotected copy of the information that can be obtained from a party outside the privilege framework entirely. The debate over whether the evidentiary bar survives the advocate's unauthorised disclosure becomes largely academic if the same information is obtainable from the AI provider. This is the single most important practical point for any lawyer considering whether to use a consumer AI tool with client-confidential material.
The advocate vs. legal adviser distinction
An AI tool is neither an "advocate" within the meaning of Section 132 nor a "legal adviser" within the meaning of Section 134. Section 132 extends the evidentiary bar to "any interpreter, clerk, or other person" who has become acquainted with the communication in the course of their employment with the advocate. Could an AI tool fall within "other person"?
No. The principle of ejusdem generis limits "other person" to natural persons in roles analogous to clerks and interpreters, that is, individuals working under and employed by the advocate. An AI platform is not a person, is not employed by the advocate, does not operate under the advocate's supervision, and owes no duty of loyalty to the advocate or the client. The question does not even reach considerations of supervision or confidentiality arrangements; the statutory category is simply not designed to encompass commercial software services.
The gaps
The single most significant gap in Indian law is the absence of any judicial or regulatory guidance on AI and privilege. There is no case law, no BCI guidance, and no academic consensus on how the existing statutory framework applies to AI tools. Compare this with the position in other jurisdictions.
The American Bar Association issued Formal Opinion 512 in July 2024, setting out specific obligations for lawyers using AI tools, including duties of competence, confidentiality, supervision, and communication with clients about AI use. The Bar Council of England and Wales updated its guidance in November 2025 to warn explicitly against inputting confidential client information into consumer AI tools. India has no equivalent guidance.
The Supreme Court has shown awareness of AI-related risks in legal practice. It has flagged what it called an "alarming trend" of lawyers filing petitions drafted with AI tools that cite fabricated judgments. But this concern is about accuracy and professional competence, not about privilege and confidentiality. These are related but distinct problems, and addressing one does not address the other.
The intersection with the Digital Personal Data Protection Act, 2023 is also unaddressed. When an advocate processes client personal data through an AI tool, questions arise about whether the advocate is a data fiduciary, a processor, or something else under the DPDP framework, and how the Act's obligations around consent and data security interact with privilege law. The DPDP Rules were notified in November 2025 but the full operational framework is still being phased in, making practical implications speculative.
The Supreme Court's framework in In Re: Summoning of Advocates (2025), which requires digital devices of advocates to be examined only with both the lawyer and client present using a mutually agreed technology expert, provides some procedural protection for device searches but does not address whether data retains its privileged character after transmission through a consumer AI platform.
Practical guidance
For lawyers
Consumer AI tools: never input privileged or confidential client material. Every law firm already uses cloud services: Microsoft 365, Google Workspace, AWS-hosted document management systems. Data on those servers does not automatically destroy privilege, because those services function as confidential processors under terms that do not permit the provider to use the contents for its own purposes. Consumer AI tools are materially different. The terms of service of ChatGPT, Claude (free tier), and Gemini permit not just data storage but training on user inputs, human review of conversations, and disclosure to third parties including government authorities. It is the provider's right to use and learn from the content, not merely the fact that data sits on external servers, that fundamentally changes the confidentiality analysis. Inputting privileged or confidential client information into a tool operating under such terms creates both a BCI Rules 7/17 violation and a practical exposure through the third-party production problem described above.
Enterprise AI tools: evaluate the data processing agreement, but understand the legal uncertainty. If you are considering an enterprise AI tool for legal work involving confidential information, the data processing agreement is the document that matters. Look for: zero data retention, no model training on inputs or outputs, a contractual confidentiality obligation, SOC 2 or equivalent compliance certification, and data residency commitments. No Indian court has ruled on whether such contractual arrangements suffice to maintain confidentiality for privilege purposes, and the Heppner court left this open as well. The practical argument is that contractual confidentiality is materially different from a consumer platform that expressly reserves the right to use your data, but this remains untested. Document your evaluation of the platform's terms as a contemporaneous record of the precautions taken.
Document counsel's direction. The Heppner dicta suggest that if counsel directs the use of an AI tool, privilege may extend to that use under the principle that third parties whose assistance is necessary for effective legal representation can be brought within the privilege umbrella (the US doctrine from United States v. Kovel, 296 F.2d 918 (2d Cir. 1961), which extends privilege to accountants, translators, and similar professionals working at counsel's direction). Indian law does not have an equivalent doctrine, but the principle that Section 132 extends the evidentiary bar to interpreters, clerks, and other persons working under the advocate provides a partial statutory analogue. In either system, counsel's direction creates a stronger factual basis for arguing the AI tool was used as part of the legal representation rather than independently. If you are directing a client, a junior associate, or a paralegal to use an approved AI tool for a matter, document that direction in writing. A brief email confirming that the use is under your supervision and for the purpose of facilitating the legal representation creates a record that distinguishes the situation from the Heppner facts.
Establish internal AI policies. Consider the senior associate at a Delhi NCR firm who uses ChatGPT to quickly translate a client's Hindi-language witness statement into English for a cross-border arbitration. The witness statement contains details of a commercial dispute that the client has shared in confidence. The associate does not think of this as "inputting privileged material" because he is "just translating," but the entire content of the witness statement is now on OpenAI's servers. Even if the associate had enabled ChatGPT's opt-out from model training, OpenAI's terms still permit data retention for abuse monitoring and potential disclosure to authorities. The opt-out reduces the risk but does not eliminate it. This is the kind of routine, unreflective use that an internal AI policy needs to catch before it happens.
Law firms and legal departments need written policies that specify which AI tools are approved for use with confidential information, what categories of information may and may not be input, who is authorised to approve the use of AI tools on a matter, and what documentation is required. BCI Rule 7's duty of non-disclosure applies regardless of the medium of disclosure. A firm that permits lawyers to input client information into unapproved AI tools without guidelines is exposing itself to both privilege challenges and disciplinary proceedings.
Maintain privilege logs. When using approved AI tools for litigation support or advisory work, maintain detailed logs of what information was processed, when, on which platform, and under what confidentiality arrangements. If opposing counsel later challenges privilege on the ground that AI tools were used, a contemporaneous privilege log is the best evidence of the precautions you took.
For non-lawyers using legal AI tools
The growth of consumer legal AI tools, platforms that answer legal questions, draft contracts, or help users understand their legal position, creates a different set of risks.
AI tools are not lawyers and cannot form an attorney-client relationship. This is not a technicality. It means that nothing you share with an AI tool is protected by privilege. If you type the facts of your legal situation into ChatGPT or any similar platform, that information is not confidential in any legally meaningful sense. The platform's provider can access it, may train its models on it, and in some cases may be compelled to disclose it.
If you are under investigation or anticipate litigation, do not use consumer AI tools to analyse your legal position. This is the direct lesson of Heppner. The defendant used a consumer AI tool to draft defence strategy documents, and the court ruled that those documents could be seized and used against him by the prosecution. The same reasoning applies in India: information you voluntarily disclose to a third-party platform is not protected.
If you need legal advice, consult a lawyer. AI tools are valuable for general legal education and initial research, but they are not a substitute for advice from a qualified professional who owes you a duty of confidentiality and whose communications with you are protected by law.
Be cautious with "AI lawyer" applications. Some legal AI products market themselves in ways that suggest a privileged relationship with the user. Unless the platform is operated by a licensed advocate (in India) or attorney (in the US) who has agreed to represent you, no privilege attaches. Marketing language does not create a legal relationship.
Conclusion
Heppner is narrow on its facts: a consumer-tier AI platform, no attorney direction, a privacy policy that expressly permitted data use. But it is broad in its implications. It establishes that the existing privilege framework applies to AI without special accommodation, and that the key variables are confidentiality (does the platform retain data?) and the involvement of counsel (did a lawyer direct the use?).
Indian law has the doctrinal tools to reach a substantially similar practical result, though through different mechanisms. The analysis operates on two tracks: disclosure to a consumer AI platform almost certainly breaches the advocate's professional duties under BCI Rules 7 and 17, and separately, it creates a serious practical exposure through the third-party production problem, since the AI provider can be compelled to produce the data and is outside the protection of Sections 132 and 134. Whether the client's evidentiary bar under Section 132 technically survives the advocate's unauthorised disclosure is a genuinely open question, but its practical value is severely diminished once the same information is obtainable from the AI provider.
What India lacks is any authoritative statement on these questions. No court has ruled on whether AI disclosure impairs privilege. The Bar Council of India has issued no guidance on AI and confidentiality. The interaction between privilege law, the DPDP Act, and AI processing remains entirely unexamined. This gap is not sustainable. As AI tools become embedded in legal practice, these questions will arise, and it would be far better for the BCI and the courts to address them proactively than to wait for a crisis to force reactive rulemaking.
Until that guidance arrives, the prudent course is clear: treat consumer AI tools as creating serious confidentiality and production risks that may effectively defeat the practical benefit of privilege, evaluate enterprise tools on the strength of their data processing agreements and the distinction between passive hosting and active data use, document everything, and never assume that an AI platform provides the confidentiality that the law requires.
For the full text of the BSA 2023, Advocates Act, BCI Rules, and other legal references cited in this article, see the Legal Resources page.