The problem nobody talks about
Picture this: you are a lawyer and you have just finished a one-hour client consultation. Complex subject matter, lots of detail, and you do not want to miss a thing. So you record the conversation — with the client's consent — and send the audio file off to a transcription service.
But where does that file actually go?
With most transcription services, your audio is uploaded to servers in the United States. There it gets processed by an AI model, and the text comes back to you. Sounds harmless enough. But think about what is in that recording: client names, case details, financial information, sometimes even criminal context. Information that is protected by attorney-client privilege.
What does the law say?
Attorney-client privilege is a foundational principle of legal practice in virtually every jurisdiction. In the US, the duty of confidentiality is set out in the ABA Model Rules of Professional Conduct, specifically Rule 1.6, which requires lawyers to make reasonable efforts to prevent the unauthorised disclosure of client information. In England and Wales, legal professional privilege serves a comparable protective function. Across the EU, the GDPR adds a further regulatory layer governing how personal data may be processed and transferred.
Regardless of where you practise, the core obligation is the same: lawyers must protect client information, and that duty extends to how information is processed, stored and transmitted by third-party service providers. Using a cloud transcription service for privileged conversations raises questions that deserve careful, well-considered answers.
For practitioners subject to the GDPR, the requirements are particularly detailed. Personal data may only be processed with a valid legal basis, processors must implement appropriate technical and organisational safeguards, and transfers outside the European Economic Area require additional protections. Since the Schrems II judgment invalidated the EU-US Privacy Shield, the legal footing for transatlantic data transfers has been under continued scrutiny.
The risks are not theoretical
In recent years, several incidents have exposed the real-world risks of cloud-based audio processing. Some transcription providers were found to route recordings through human reviewers for quality assurance — meaning actual people listened to files that customers believed were handled entirely by machines. In other cases, recording metadata turned out to be accessible to employees of the service provider.
For a law firm, an incident like this can trigger disciplinary proceedings, regulatory fines, reputational damage, and a serious erosion of client trust. Bar associations and law societies across Europe and North America have published guidance on using AI tools in legal practice, consistently stressing the importance of thorough due diligence before processing confidential material through any third-party service.
What is the alternative?
When it comes to transcription, there are three distinct levels of data protection to consider.
Level 1: European cloud
Your audio is processed on servers within the EU, governed by a data processing agreement, with automatic deletion once the transcription is complete. For many professional situations this provides adequate protection, as long as you have reviewed the provider's terms and verified their compliance posture.
Level 2: Local processing
The transcription engine runs entirely on your own computer. Audio is not uploaded, not transmitted, and not stored on any external server. It is technically impossible for the provider or any third party to access your recordings. This is the level of protection that matches the requirements of legal professional privilege.
Level 3: Local processing with automatic redaction
On top of local transcription, names, case references and other personal identifiers are automatically detected and masked before any further analysis takes place. If you then choose to use AI to review the content, no sensitive information ever leaves your device.
An easy decision
For lawyers who take confidentiality seriously — and all lawyers should — the conclusion is clear. Process privileged audio locally, or use a European cloud provider with rigorous contractual and technical safeguards. Never send unprotected client data to a service where you cannot verify exactly how and where it is handled.
The encouraging news is that the technology has reached a point where local processing no longer means sacrificing quality or speed. Modern AI models run comfortably on a standard laptop and produce results on par with cloud-based alternatives.
Learn more about secure transcription for legal professionals at scribeer.io