Client Confidentiality and AI: PDPL Obligations for UAE Law Firms

Your client files carry legal professional privilege. When AI processes them, PDPL obligations and bar confidentiality rules both apply.

UAE law firms face overlapping obligations when deploying AI: data protection requirements under the governing regime for their jurisdiction, and professional confidentiality obligations under bar rules and engagement letters. For mainland-registered firms, federal PDPL (Decree-Law 45/2021) applies to client personal data. For DIFC-registered firms, the primary regime is DIFC Data Protection Law No. 5 of 2020, supplemented by Regulation 10 on Automated Processing for AI-specific obligations. When a law firm deploys an AI system over case archives — contract review, precedent search, document Q&A — it processes client identities, transaction details, dispute histories, and legal strategies. Understanding which regime governs which data is the starting point for any compliant AI deployment.

What this means for your business

  • Client personal data processed by AI is subject to PDPL — including names, company details, transaction information, and any data that can identify an individual
  • DIFC-registered firms are governed by DIFC Data Protection Law No. 5 of 2020 (not federal PDPL) — Regulation 10 on Automated Processing supplements this specifically for AI deployments, imposing additional transparency notice obligations and a mandatory DPIA
  • A DPIA is required before deploying AI over case archives if the processing is systematic and involves personal data at scale (PDPL Article 21 / DIFC Reg 10)
  • Sending client documents to a cloud AI service creates a cross-border transfer and potentially a sub-processor disclosure obligation — review your engagement letters
  • Data subject rights under PDPL apply to client personal data — clients can request access, correction, and deletion of their personal data the firm holds

How on-premise AI addresses these obligations

Air-gapped RAG over a law firm's document archive is the architecture that resolves both the confidentiality challenge and the data protection challenge. The model runs inside the firm's network — no document, no query, and no response crosses an external API. The DPIA scope is narrow because the data never leaves the firm's custody. Associates get paragraph-level cited answers from 80,000+ documents in seconds, without any document touching the internet.

Frequently Asked Questions

Does using AI for document review breach client confidentiality?

Using a cloud AI service that processes client documents on external servers raises serious confidentiality concerns — the documents are transmitted to a third party's infrastructure. On-premise AI deployment avoids this: the model runs inside your firm's network, documents are never transmitted externally, and the result is functionally equivalent to a senior associate reading the file — the data stays within the firm's custody and control.

Our firm is in DIFC. What does Regulation 10 require?

DIFC Regulation 10 on Automated Processing has been in full enforcement since January 2026. For a DIFC law firm, it requires: (1) a transparency notice for any AI system that processes client personal data, covering the system's purpose, outputs, and design safeguards; (2) a DPIA before deploying high-risk AI; (3) records of how these obligations were fulfilled. Failure to conduct a mandatory DPIA under Article 20 of the DIFC Data Protection Law carries a maximum fine of USD 50,000 (increased from USD 20,000 by the July 2025 amendment).

Do we need to update our engagement letters before deploying AI?

Probably. Most standard engagement letters do not contemplate AI-assisted document review. If your AI system processes client personal data, PDPL requires a lawful basis — for law firms, this is typically contractual necessity (the service you have agreed to provide) or consent. Review your standard engagement letter template with privacy counsel and consider adding an AI processing disclosure. For DIFC firms, the Regulation 10 transparency notice should be disclosed to clients whose data the system processes.

How accurate is on-premise AI document Q&A over legal archives?

In an SGON.AI deployment at a DIFC-based boutique law firm (6 partners, 80,000+ documents indexed), citation accuracy on partner spot-checks exceeded 95%. The system retrieved paragraph-level citations from the exact source document, and research time dropped from hours to minutes per query. Accuracy depends on corpus quality and document tagging — a structured deployment plan starts with the highest-value document categories.