DEV Community

Cover image for Digital Sovereignty and Attorney-Client Confidentiality:
Thomas Delfing
Thomas Delfing

Posted on

Digital Sovereignty and Attorney-Client Confidentiality:

#legaltech #privacy #cybersecurity #digitalsovereignty

Between Microsoft, Cloud Services, and Alternative Solutions for Law Firms

Introduction

Attorney-client confidentiality (§ 43a (2) BRAO, § 203 StGB) is at the very core of legal practice. It forms the foundation of the trust relationship between lawyer and client and safeguards the rule of law.

With ongoing digitalization, however, law firms face a conflict: modern software solutions such as Microsoft 365, Teams, or OneDrive are practically indispensable, but they raise significant questions of data sovereignty and confidentiality.

A recent report by t3n criticized Microsoft for failing to provide basic transparency about data flows, noting that Europe remains in factual dependence on U.S. corporations in key IT sectors1
.

For law firms, this raises the crucial question: is the use of such products still compatible with professional regulations, or must alternative, more sovereign systems be adopted?

I. Legal Foundations

1. Confidentiality and Protection of Secrets
Attorney-client confidentiality obliges the lawyer to keep all information secret (§ 43a (2) BRAO).

  • A breach may have criminal consequences (§ 203 (1) No. 3 StGB).
  • Even the risk of uncontrolled third-party access can constitute a violation.

2. Data Protection Requirements
Under Art. 32 GDPR, law firms must implement technical and organizational measures (TOMs).

If services from U.S. providers are used, the rules on third-country transfers (Art. 44 et seq. GDPR) apply.

While the EU–US Data Privacy Framework (July 2023) provides a new adequacy decision, doubts remain due to U.S. surveillance laws like the CLOUD Act3.

3. Professional Law Implications
The German Federal Bar (BRAK) emphasizes:

  • Use of cloud services is only permissible if secure encryption and access protection are ensured.
  • Third-party access must be excluded.
  • A simple Art. 28 GDPR agreement is not enough if technical access is still possible.

II. Microsoft and the Illusion of Digital Sovereignty

Microsoft products are deeply embedded in law firm practice:

  • Word for briefs
  • Outlook for communication
  • Teams for internal coordination

But debates on digital sovereignty highlight structural dependence on U.S. providers:

  • Lack of transparency regarding data flows in Microsoft’s cloud
  • Potential access under the CLOUD Act
  • Opaque processing in Office and Teams
  • Practical inevitability, since courts often require Word formats

Implication for law firms: Usage is possible, but always carries risks of violating data protection and professional law obligations.

III. Practical Questions for Law Firms

1. Use of Office and Teams

  • Office (Word, Excel, Outlook): permissible when stored locally and encrypted. Cloud integration increases risks.
  • Teams: may be acceptable for internal communication, but not for client communication due to sensitive secrets.

2. The Necessity of Digital Sovereignty

Law firms must gradually reduce reliance on U.S. providers. European solutions and self-controlled infrastructure are essential for the long term.

3. Compromise Solutions

  • Hybrid use: Word for drafting, storage in a firm-owned cloud
  • Separate channels: internal vs. client communication
  • Client portals (e.g., GWeb): enabling compliant communication

IV. Alternative Approaches

1. Communication via Law Firm Clouds
Dedicated firm clouds (e.g., GWeb) enable protected client communication within the European legal space, ensuring confidentiality compliance.

2. Document Creation without Word

  • LibreOffice / OnlyOffice (open source, self-hosted)
  • Firm-specific modules based on open standards (.odt, PDF/A)
  • Hybrid models: draft in Word → archive in law firm cloud (audit-proof).

V. Conclusion and Outlook

The debate shows: Microsoft remains practically indispensable but entails considerable risks.

Law firms should therefore:

  • Raise awareness of legal risks
  • Implement encryption and audit-proof systems
  • Conduct client communication via sovereign firm platforms
  • Gradually transition to European alternatives

But the focus must not remain solely on Microsoft:

  • Payment providers (PayPal, Stripe) → subject to U.S. law
  • Banks with U.S. ties → conflicts with secrecy obligations
  • AI providers (OpenAI, Anthropic) → sensitive data outside Europe
  • Legal databases (Westlaw, LexisNexis) → subject to U.S. jurisdiction

➡️ Conclusion: Digital sovereignty is not a theoretical debate but a direct concern for attorney-client confidentiality. Firms must adopt hybrid compromise models today to build greater European autonomy tomorrow.

Top comments (1)

Some comments may only be visible to logged-in visitors. Sign in to view all comments.