Spanish lawyers have established for the first time a specific criterion on the use of generative artificial intelligence in law firms, placing the control of these tools within the scope of professional responsibility. Circular Interpretativa 3/2026 of the General Council of Spanish Lawyers obliges lawyers to verify and control the use of these systems under Article 23 of Organic Law 5/2024, of November 11, on the Right to Defense.
The tension arises in the most widespread use of these platforms. While a large part of the sector resorts to tools like ChatGPT, Gemini, or Copilot for support tasks, the circular warns that free versions, when they allow the use of inputs for training, conflict with the principle of purpose limitation of Regulation (EU) 2016/679 and can compromise client data, third parties, and material protected by professional secrecy.
The circular mandates AI verification and penalizes uncritical delegation
The text bases this duty of control on the doctrine of actio libera in causa and transfers to the professional the obligation to review the result before incorporating it into their work. It is not enough for the tool to function or for the final document to appear correct.
The disciplinary consequence is already defined. Article 125.u of the General Statute of Spanish Lawyers penalizes the submission of documents with errors resulting from uncritical delegation to AI.
Furthermore, Article 21 of the Code of Ethics of Spanish Lawyers recalls that the use of information and communication technologies does not exempt from compliance with ethical rules and imposes responsible and diligent use. Within this framework, introducing sensitive information into unaudited tools constitutes a potential violation of sections 21.1 and 21.2, even if the technical result contains no errors.
The use of client data triggers privacy and professional secrecy risks
When a lawyer introduces personal data into a generative AI system, they are processing data within the meaning of Article 4.2 of Regulation (EU) 2016/679. The law firm then acts as the data controller with respect to information of clients and third parties, in accordance with Article 4.7 of the same regulation.
There lies another of the problems identified by the circular. Most large foundational models belong to US companies, meaning the use of these platforms involves international data transfers subject to Chapter V of the European regulation.
That legal fit is not settled. The Commission's Implementing Decision (EU) 2023/1795 of July 10, 2023, established the EU-US Data Privacy Framework, but its stability is being challenged before the Court of Justice of the European Union in appeals that evoke the Schrems I and Schrems II judgments.
The circular lists six areas of risk associated with these practices. They include training the model with client data, irregular international transfers, the lack of a data processing agreement under Article 28.3 of the European regulation, the omission of the impact assessment under Article 35, the exposure of information protected by professional secrecy, and the absence of traceability in the use of AI.
The administration of justice brings these tools closer to the high-risk regime
Regulation (EU) 2024/1689 places most generative AI tools in the GPAI model category. Nevertheless, their use by lawyers within the administration of justice may approach the high-risk scenario outlined in Annex III, point eight.
This caution is added to the reinforced protection of professional secrecy in Spanish legislation. Article 542.3 of the Organic Law of the Judiciary obliges the keeping of secrecy regarding all facts or information learned by reason of professional action, and Article 16 of Organic Law 5/2024 reinforces it as a manifestation of the fundamental right to defense.
The Interpretative Circular 3/2026 itself, however, limits the scope of this initial statement. The General Council of Spanish Lawyers specifies that it "does not address other types of infringements that could be committed when using AI, such as those related to the breach of the duty of confidentiality or professional secrecy, which will be addressed in another circular."