
Sovereign AI for law firms: § 203 StGB, the US CLOUD Act and the DAT 2026 sovereignty debate

At the German Bar Association's DAT 2026 in Freiburg, Markus Beckedahl warned: no German office and no GDPR seal protects against the US CLOUD Act. At the same time, per a vendor survey, most AI-savvy firms use generic tools like ChatGPT. We explain what § 203 StGB and § 43e BRAO really require, why US providers are the core of the problem — and how sovereign, local AI keeps client confidentiality in-house. Not legal advice.

Marius Gill

CTO @ Lokalaise

One of the sharpest statements of the 2026 legal year was made in Freiburg. At the 77th German Lawyers' Conference (Deutscher Anwaltstag), the digital-rights expert Markus Beckedahl made digital sovereignty the theme and reduced the core professional-law problem to a sentence: no German office and no GDPR seal protects against the US CLOUD Act — "The NSA has access."

That is pointed, but it hits a real gap. While firms quickly bring AI tools into everyday work, client secrets often flow into generic cloud tools whose providers are subject to a foreign jurisdiction. We situate what § 203 StGB and § 43e BRAO really require, why data location alone is not enough — and how a sovereign, local AI solves the problem at the root.

Do German law firms use AI — and where does the risk arise?

Yes — and precisely where the tools are generic. In the Wolters Kluwer Benchmark survey 2026, covering only 99 mostly small German firms, 63.3% said they use AI; 82.5% of the AI-using firms deploy generic tools like ChatGPT. This is exactly where the confidentiality risk arises: client secrets flow into consumer tools outside the firm's control. At the same time, data protection and the GDPR (38.9%) are among the most-cited barriers to AI adoption.

These figures are a mood reading, not a census. They come from a vendor-commissioned online survey (fieldwork 24 July to 24 September 2025) with 633 participants from six countries, of which only 99 were based in Germany and around 95% were solo or small firms. The reported margin of error of ±3% applies to the full sample, not the German subset; the report is also inconsistent in detail. We therefore read the figures as directional: AI has arrived in firms — and the riskiest path runs through generic cloud tools.

The reference point also matters: the 82.5% refers to firms that already use AI, not to all German firms. That does not shrink the point — but it keeps it clean.

What does § 203 StGB protect — and what penalty applies?

§ 203(1) StGB makes it a criminal offence for a lawyer (no. 3) to disclose without authorisation another's secret that was entrusted to them or otherwise became known to them: imprisonment of up to one year or a fine. In the cases of § 203(6) StGB (e.g. acting for consideration or with intent to enrich or harm), the maximum rises to two years. Lawyers are thus criminally bound holders of professional secrets — not merely responsible under data-protection law.

The scope is broad: it covers not only what the client expressly entrusts, but also what otherwise became known to the lawyer ("sonst bekanntgeworden ist"). Even uploading a draft brief file or a contract clause with an identifiable reference can be a disclosure.

What did the 2017 reform change for IT and AI providers?

Since the 2017 reform (in force since 9 November 2017), lawyers may disclose secrets to participating persons — such as IT or AI providers — but only "insofar as this is necessary for the engagement of the activity" (§ 203(3) sentence 2 StGB). That is not a free pass but a necessity standard. And § 203(4) StGB sharpens it: it covers the participating person itself and additionally punishes the lawyer who has not ensured that this person was obligated to secrecy.

The standard for AI providers is therefore precise: a contractually bound provider, obligated to secrecy and technically limited to what is necessary, can be a permissible participating person. Anyone who omits this obligation becomes criminally liable themselves.

May a law firm use ChatGPT or cloud AI at all?

Yes, in principle. The German Bar Association's opinion no. 32/2025 (July 2025) states: subject to certain requirements, the use of AI and cloud services is permissible under professional law. Under § 43e(1) BRAO, providers may even be involved without client consent, insofar as necessary. A blanket "ChatGPT is banned for lawyers" is therefore an overclaim.

The decisive word is "conditional". The opinion is a professional-association position, not binding law, and it ties permissibility to requirements: a written confidentiality undertaking, limitation to what is necessary, appropriate technical access restrictions. The question is therefore not whether AI, but under which architecture. And this is exactly where the provider becomes the crux.

Why are US providers the core problem? The CLOUD Act and § 43e(4) BRAO

The US CLOUD Act (18 U.S.C. § 2713, since 23 March 2018) compels US providers to disclose data in their "possession, custody, or control" — regardless of whether it is stored inside or outside the United States. Data located in Germany is therefore reachable too, if the provider is subject to US control. The wording is unambiguous: the duty applies "regardless of whether such communication, record, or other information is located within or outside of the United States".

This dissolves a widespread fallacy: a server location in Frankfurt does not protect if the operator is subject to US law. The CLOUD Act keys on control over the provider, not on the geography of the hard drive. That is exactly what Beckedahl meant by "The NSA has access" — compressed, but correct at its core.

In professional-law terms this meets § 43e(4) BRAO: for services rendered abroad, the lawyer may grant the provider access to others' secrets only "if the secrecy protection existing there is comparable to that in Germany". Whether US law, given the CLOUD Act, protects "comparably" is a case-by-case question and not decided by a high court — but it is the direct professional-law lever on which the provider choice turns.

Two paths for the same client secret. § 203 StGB applies to both; the decisive difference lies in jurisdiction — who can have access to the data.

What did DAT 2026 say about digital sovereignty?

At the 77th German Lawyers' Conference 2026 in Freiburg (around 1,700 participants), Markus Beckedahl, managing director of the Centre for Digital Rights and Democracy, made digital sovereignty the theme of the opening programme. His core statement: no German office and no GDPR seal protects against the US CLOUD Act. And further: "A legal profession that does not control its own infrastructure will, in the long run, give up its independence" — this, he argued, is no longer a tech problem but an attack on the rule of law.

The framing deserves precision: Beckedahl did not give the only opening address — the official opening was by DAV president Stefan von Raumer, and Beckedahl spoke in the opening programme after State Secretary Kramme. His sovereignty address was the featured speech, one of several. His sentences are advocacy, not a judicial finding. But they shift the frame: for the legal profession, sovereignty is not a pure IT question but a question of professional independence.

Generic cloud AI vs. sovereign local AI — the professional-law checkpoints

| Checkpoint | Generic cloud AI (US provider, e.g. ChatGPT) | Sovereign local AI on your own hardware in-country |
|---|---|---|
| US CLOUD Act, 18 U.S.C. § 2713 (since 23.03.2018) | Provider must disclose data in its "possession, custody, or control" — "regardless of whether … located within or outside of the United States"; data stored in Germany is reachable too | No US provider in the supply chain → no CLOUD Act addressee |
| § 43e(4) BRAO (service rendered abroad) | Access to secrets permissible only if protection there is "comparable to that in Germany" — comparability with US law questionable case by case | Service rendered in-country → the foreign-comparability test does not arise |
| § 203(3) sentence 2 StGB (disclosure to participating persons) | Permitted only "insofar as necessary"; the data flow into the provider's ecosystem is hard for the firm to limit | Permitted only "insofar as necessary"; processing can be technically limited to what is necessary |
| § 203(4) StGB (confidentiality undertaking) | Applies: participating persons must be obligated to secrecy; breach is criminally sanctioned (up to 1 year) | Applies equally: a contractual confidentiality undertaking is required (easier to enforce locally) |
| Basic professional-law permissibility (DAV opinion 32/2025) | "Permissible under professional law subject to certain requirements" | "Permissible under professional law subject to certain requirements" |

Rows three to five apply equally to both models — the real difference lies in jurisdiction and data control (rows one and two). That is the point: it is not AI as such that is the professional-law problem, but the question of who can access the data.

How sovereign, local AI supports firms in a § 203-compliant way

The effective lever is not abstaining from AI, but an AI that works where the client secret has to stay anyway. A local, permission-aware AI processes files, briefs and contracts on your own hardware — with no external APIs. As a result, no US provider is in the supply chain that could be a CLOUD Act addressee, and the foreign-comparability test under § 43e(4) BRAO structurally disappears.

This is exactly where Lokalaise comes in: a grounded AI platform on your hardware that connects firm documents permission-aware, without them leaving the building. It addresses the professional-law checkpoints at once: processing stays in-country, a bound local provider can be contractually obligated as a participating person (§ 203(4) StGB), and disclosure can be technically limited to what is necessary (§ 203(3) sentence 2 StGB). An audit trail makes every use traceable (see Security & data sovereignty) — the precondition for being able to demonstrate confidentiality.

We have described the same pattern from other angles: why data location does not mean data sovereignty, how generic AI assistants become a data leak, and why the same § 203 logic applies in clinics and practices — just with patient rather than client secrets. To be clear: Lokalaise is an enabler, not legal advice. The professional-law assessment in the individual case remains the responsibility of the firm and, where applicable, the bar.

Your next steps

Three questions show how large your sovereignty risk in the firm is:

  1. Provider: Is any of your AI or cloud providers subject to US law — directly or via its parent company — and thus to the CLOUD Act?
  2. Obligation: Are your AI providers obligated to secrecy in writing and limited to what is necessary (§ 203(3)/(4) StGB)?
  3. Data sovereignty: Do client secrets leave your premises for AI use — and is that compatible with § 43e(4) BRAO?

Where you hesitate, a closer look pays off. In a short demo we show you how a local, permission-aware AI keeps client secrets in-house — and delivers the productivity gain that makes the generic tools attractive in the first place.

Frequently asked questions

In principle, yes. The German Bar Association's opinion no. 32/2025 (July 2025) considers the use of AI and cloud services "permissible under professional law subject to certain requirements". These include a written confidentiality undertaking by the provider, limitation to what is necessary (§ 203(3) sentence 2 StGB) and appropriate technical measures. There is no blanket ban. This is not legal advice.

Under § 203(1) StGB, the unauthorised disclosure of another's secret by a lawyer is punishable by imprisonment of up to one year or a fine; in aggravated cases under later subsections the maximum rises to two years. § 203(4) StGB additionally covers participating persons and the lawyer who fails to obligate them to secrecy.

Not automatically, but it is a central risk. 18 U.S.C. § 2713 (since 23 March 2018) compels US-controlled providers to disclose data in their "possession, custody, or control" — regardless of storage location, including servers in Germany. § 43e(4) BRAO requires that services rendered abroad offer secrecy protection "comparable to that in Germany"; that is a case-by-case assessment.

No, data location and legal jurisdiction are not the same. The CLOUD Act keys on control over the provider, not on the physical storage location. A provider under US control can be compelled to hand over data stored in Germany too. Sovereignty arises only when no foreign provider has access to the data.

Yes. § 203(4) sentence 2 no. 1 StGB makes it a criminal offence if the lawyer fails to ensure that a participating person was obligated to secrecy. § 43e BRAO specifies the requirements for involving providers. Locally operated systems make the contractual and technical enforcement of this duty easier.

Read them with caution. The figures of 63.3% (AI use) and 82.5% (generative tools like ChatGPT) come from a vendor survey by Wolters Kluwer (Benchmark Report 2026) with only 99 German, mostly small firms. They are not a representative census of the whole legal profession; the 82.5% also refers to firms that already use AI.

Conclusion

For law firms, digital sovereignty is not a pure IT question but a matter of professional law. § 203 StGB makes legal confidentiality a criminally sanctioned duty, § 43e(4) BRAO limits services rendered abroad, and the US CLOUD Act reaches data held by US-controlled providers regardless of storage location. AI is not banned in the process — the German Bar Association's opinion 32/2025 considers it permissible under conditions. But the decisive lever is jurisdiction: a sovereign, local AI on your own hardware in-country removes the US provider from the supply chain and keeps the client secret in the building. This article is information, not legal advice.
