I recently came across UK and R (on the application of Munir) v Secretary of State for the Home Department (AI hallucinations; supervision; Hamid) [2026] UKUT 81 (IAC). In Lindsley J's decision at [21], she writes:
>"We also observe that to put client letters and decision letters from the Home Office into an open source AI tool, such as ChatGPT, is to place this information on the internet in the public domain, and thus to breach client confidentiality and waive legal privilege, and thus any regulated legal professional or firm that does so would, in addition to needing to bring this to the attention of their regulator, be advised to consult with the Information Commissioner's Office. Closed source AI tools which do not place information in the public domain, such as Microsoft Copilot, are available for tasks such as summarising without these risks." (emphasis added)
And at [60]:
>"Uploading confidential documents into an open-source AI tool, such as ChatGPT, is to place this information on the internet in the public domain, and thus to breach client confidentiality and waive legal privilege, and any such conduct might itself warrant referral to the regulatory body and should, in any event, be referred to the Information Commissioner's Office." (emphasis added)
While purporting to give guidance on safe AI usage, it seems this creates more confusion by suggesting the relevant distinction is between "open source" and "closed source" tools given that ChatGPT (and similar tools like Claude) is (1) not open source, but very much closed source, and (2) putting information into such LLMs does not place such information "in the public domain" unless you fail to opt out of allowing your data to train their models and/or share your material publicly.
It is quite disappointing to see judicial guidance impacting the profession get basic things wrong (re the open/closed source distinction) and massively oversimplify the technology (re assuming open sourced necessarily place information on the internet in the public domain). Anyone have (1) thoughts on the decision and how it should be followed and/or (2) places to look for more nuanced guidance on the intersection between solicitors'/barristers' obligations on confidentiality and the use of AI? Existing SRA and Bar Council guidance feel quite sparse here.