AI, Confidentiality, and Privacy Risks in Mediation and Arbitration
Artificial intelligence is rapidly becoming part of everyday ADR practice. Mediators and arbitrators now encounter AI tools in document review, legal research, scheduling systems, transcription software, and online hearing platforms. Some of these tools are genuinely helpful and can reduce administrative burdens significantly. Others create privacy and confidentiality risks that many professionals still underestimate.
In mediation and arbitration, confidentiality is central to the process itself. Parties routinely disclose sensitive financial information, trade secrets, internal business records, settlement positions, and strategic communications, expecting the information will remain protected. The growing use of AI raises hard questions about where that information travels, who can access it, and whether confidential material may unintentionally be retained or used by external AI systems.
The Meeting Platform Problem
One of the most practical concerns involves AI assistants built into online meeting platforms. Zoom, Microsoft Teams, and similar systems increasingly offer AI-generated summaries, transcripts, and note-taking features. In some corporate environments, these tools may already be enabled by default.
One real-world example illustrates the issue clearly. During a confidential online legal meeting, two participants unknowingly had AI-powered note-taking tools active on their devices. The systems were automatically recording and processing the discussion through external cloud services. Once the issue was discovered, the atmosphere changed immediately. What had started as a routine confidential discussion suddenly became tense and uncomfortable because nobody was entirely sure where the information had already gone or how it might be stored.
The concern is not simply the recording itself. Many AI systems route information through multiple vendors and cloud providers before processing is complete. Documents, transcripts, prompts, and uploaded exhibits may pass through external systems located across different jurisdictions and touch any number of privacy regulations (see Appendix A). Even sophisticated professionals often do not fully understand these data flows or the privacy regulations that might intersect with where the data is stored or processed.
Where Your Prompt Actually Goes
Public AI chatbots create another significant area of concern. Lawyers, experts, and ADR professionals increasingly use AI tools to summarize evidence, organize chronologies, draft clauses and submissions, or review large document collections. The convenience is obvious. The privacy implications are often less obvious.

Why “Redacting the Name” Is Not Enough
Many users assume that just removing names from a document is enough to preserve confidentiality. Modern AI systems can identify parties through indirect identifiers and contextual clues. Dates, transaction histories, project descriptions, industry references, or publicly available news reports may allow identities to be inferred with surprising accuracy.
For mediators and arbitrators, indirect personally identifiable information can be just as revealing as direct identifiers such as names or account numbers. A carefully redacted arbitration award may still expose the identity of a party if enough contextual information remains embedded in the document.
This creates an important operational need before uploading documents into AI systems: effective anonymization of both direct and indirect personally identifiable information.
Solutions such as PII Anomalyzer are designed specifically to help organizations identify and anonymize both direct and indirect personally identifiable information before documents are processed by AI tools. This includes names, addresses, account numbers, contact information, metadata, nationality, race, date of birth, MAC address, social media handles, and more. Documents stay on the user’s machine throughout the process; nothing is uploaded to a cloud service to be anonymized.
For ADR professionals, this type of workflow can provide an additional layer of protection when using AI-assisted document analysis tools. Proper anonymization does not eliminate every risk, but it can significantly reduce the likelihood that confidential information will be exposed through external AI platforms or retained within third-party systems.
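The point about indirect identifiers can be measured before anything leaves the machine. The following is an added example, not code from the article or from any product it mentions: it uses k-anonymity, a standard privacy measure the article does not name, to show that name-redacted records can still be unique on their contextual fields. The records, field names, and the `k_min` threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample: matter summaries with party names already redacted.
# Field names and values are hypothetical, made up for this illustration.
RECORDS = [
    {"party": "[REDACTED]", "industry": "shipping", "filed": "2023-03", "region": "Gulf Coast"},
    {"party": "[REDACTED]", "industry": "shipping", "filed": "2023-03", "region": "Gulf Coast"},
    {"party": "[REDACTED]", "industry": "shipping", "filed": "2023-11", "region": "Pacific"},
    {"party": "[REDACTED]", "industry": "construction", "filed": "2022-01", "region": "Midwest"},
    {"party": "[REDACTED]", "industry": "construction", "filed": "2022-09", "region": "Midwest"},
    {"party": "[REDACTED]", "industry": "construction", "filed": "2022-05", "region": "Northeast"},
]

# Indirect identifiers: harmless alone, identifying in combination.
QUASI_IDENTIFIERS = ("industry", "filed", "region")

def _signature(record, keys):
    """The combination of indirect-identifier values that describes one record."""
    return tuple(record[k] for k in keys)

def group_sizes(records, keys=QUASI_IDENTIFIERS):
    """For each record, count how many records share its indirect identifiers."""
    counts = Counter(_signature(r, keys) for r in records)
    return [counts[_signature(r, keys)] for r in records]

def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """k is the smallest group size; k == 1 means at least one record is unique."""
    return min(group_sizes(records, keys))

def singled_out(records, keys=QUASI_IDENTIFIERS):
    """Indexes of records that no other record resembles."""
    return [i for i, n in enumerate(group_sizes(records, keys)) if n == 1]

def generalize(record):
    """Coarsen indirect identifiers: month becomes year, region is suppressed."""
    out = dict(record)
    out["filed"] = record["filed"][:4]
    out["region"] = "*"
    return out

def safe_to_upload(records, k_min=3):
    """Local gate: pass only when every record hides among at least k_min."""
    return k_anonymity(records) >= k_min

if __name__ == "__main__":
    print("names redacted only:", k_anonymity(RECORDS), singled_out(RECORDS))
    coarse = [generalize(r) for r in RECORDS]
    print("after generalization:", k_anonymity(coarse), safe_to_upload(coarse))
```

The check counts uniqueness only within the supplied set; a record that blends in here can still be unique when compared against outside sources such as public news reports.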
The Devices in the Room
Mobile devices and connected technologies create additional concerns that are often overlooked. Smartphones, smartwatches, voice assistants, and connected office devices may collect far more information than users realize. Recent litigation and regulatory actions involving smart TVs, voice assistants, and connected mobile applications have highlighted how extensively some consumer technologies collect, analyze, and monetize user data, often with limited user awareness or meaningful consent.
Even ordinary applications may request excessive permissions to access microphones, contacts, photographs, or location data. Most users simply click “Allow” without reviewing what is being shared. In an ADR setting, however, those permissions may expose confidential communications or sensitive business information connected to active proceedings.
A Practical Path Forward
None of this means mediators and arbitrators should avoid AI entirely. Used responsibly, AI tools can improve efficiency, reduce administrative burdens, and assist with large-scale document management. The issue is not whether AI belongs in ADR practice. It already does. The real challenge is learning how to use these technologies without compromising the trust and confidentiality that mediation and arbitration depend upon.
Several practical safeguards can reduce risk significantly:
- Review the privacy settings of conferencing and transcription tools before every proceeding.
- Disable unnecessary AI assistants and automatic recording features.
- Avoid uploading confidential materials into public AI chatbots without first anonymizing sensitive information.
- Use anonymization tools capable of removing both direct and indirect personally identifiable information before documents are processed by AI systems.
- Regularly audit mobile app permissions and connected devices used in professional settings.
AI can become a valuable partner in ADR practice. At the same time, it can quietly undermine confidentiality if used carelessly. For mediators and arbitrators, maintaining trust requires not only understanding the benefits of AI, but also recognizing the practical steps necessary to protect sensitive information in an increasingly connected environment.
Appendix A: Privacy Regulations Relevant to AI Document Workflows
| Abbreviation | Name | Description |
|---|---|---|
| COPPA | Children’s Online Privacy Protection Act | Governs the online collection of personal information from children under 13. |
| HIPAA | Health Insurance Portability and Accountability Act | Governs Protected Health Information (PHI). The Safe Harbor method for de-identification requires removal of 18 specific identifiers. |
| GLBA | Gramm-Leach-Bliley Act | Governs Non-public Personal Information (NPI) held by financial institutions. |
| FCRA | Fair Credit Reporting Act | Regulates the collection, dissemination, and use of consumer credit information. |
| FERPA | Family Educational Rights and Privacy Act | Protects the privacy of student education records. |
| NY SHIELD | New York Stop Hacks and Improve Electronic Data Security Act | Broadens breach notification and imposes reasonable data security requirements for the “private information” of New York residents. |
| CCPA-CPRA (CA) | California Consumer Privacy Act / California Privacy Rights Act | Broadest U.S. state privacy law. Distinguishes “Personal Information” (PI) from “Sensitive Personal Information” (SPI); the latter unlocks the “Right to Limit Use.” |
| VCDPA (VA) | Virginia Consumer Data Protection Act | First Virginia-framework law. Defines Personal Data and a separate category of Sensitive Data requiring opt-in consent. |
| CPA (CO) | Colorado Privacy Act | Tracks VCDPA with opt-out of profiling added. Sensitive data requires opt-in. |
| UCPA (UT) | Utah Consumer Privacy Act | Opt-out framework; narrower consumer rights than VCDPA/CPA but same sensitive data categories. |
| CTDPA (CT) | Connecticut Data Privacy Act | Virginia-framework with additional protections for children; universal opt-out required. |
| MTCDPA (MT) | Montana Consumer Data Privacy Act | Virginia-framework. 60-day cure period sunsets April 1, 2026. |
| TIPA (TN) | Tennessee Information Protection Act | Virginia-framework with an affirmative defense for NIST-aligned privacy programs. |
| OCPA (OR) | Oregon Consumer Privacy Act | Broader “sensitive data” definition than peers; explicitly includes transgender and nonbinary status, crime-victim status, and national origin. |
| TDPSA (TX) | Texas Data Privacy and Security Act | Applies broadly to any business operating in Texas (no revenue threshold). Sale of sensitive or biometric info requires explicit notice. |
| ICDPA (IA) | Iowa Consumer Data Protection Act | Narrower consumer rights (no right to correct, no right to opt-out of profiling) but same sensitive data categories. |
| INCDPA (IN) | Indiana Consumer Data Protection Act | Virginia-framework; requires Data Protection Impact Assessments for heightened-risk processing. |
| DPDPA (DE) | Delaware Personal Data Privacy Act | Consumer-friendly with a low 35,000-consumer threshold. Broader sensitive data definition; expanded protections for teens 13 to 17. |
| NDPA (NE) | Nebraska Data Privacy Act | Tracks the Texas law; applies to any business that is not a “small business” under the federal SBA definition. |
| NHPA (NH) | New Hampshire Privacy Act | Aligns with VCDPA and CTDPA. Requires recognition of universal opt-out mechanisms. |
| NJDPA (NJ) | New Jersey Data Privacy Act | Virginia-framework with broad “sale” definition similar to California. No fixed revenue-percentage threshold. |
| KCDPA (KY) | Kentucky Consumer Data Protection Act | Closely tracks the Virginia (VCDPA) framework. |
| MCDPA (MN) | Minnesota Consumer Data Privacy Act | Virginia-framework with additional rights including the right to question profiling decisions. |
| MODPA (MD) | Maryland Online Data Privacy Act | Most stringent state law. Outright bans the sale of sensitive data and restricts its collection to what is strictly necessary. |
| RIDTPPA (RI) | Rhode Island Data Transparency and Privacy Protection Act | No cure period; does not require honoring universal opt-out signals. Same sensitive categories as Virginia framework. |
| GDPR (EU) | General Data Protection Regulation | The foundational global privacy law. Broad “personal data” plus special categories requiring explicit consent. |
| DSA (EU) | Digital Services Act | Focuses on illegal content, transparency, and platform accountability. Redaction relevance is narrow; restricts use of specific personal data for targeted advertising. |
| DMA (EU) | Digital Markets Act | Applies to “gatekeepers.” Restricts cross-context use of end-user personal data without consent. |
| EU-US DPF | EU-U.S. Data Privacy Framework | Adequacy mechanism; not a redaction law. Sets safeguards for EU personal data transferred to self-certifying U.S. organizations. Categories mirror GDPR personal and sensitive data. |
| EU AI Act | EU Artificial Intelligence Act | Governs AI systems by risk tier. Focus is on prohibited and high-risk processing of specific personal data categories by AI. |
| LGPD (Brazil) | Lei Geral de Proteção de Dados Pessoais | GDPR-like law for Brazil. Explicit Sensitive Personal Data category with near-GDPR alignment. |
| PIPEDA (CA) | Personal Information Protection and Electronic Documents Act | Canadian federal law. Does not formally enumerate “sensitive data,” but OPC guidance identifies certain categories as requiring higher safeguards. |
| PIPL (China) | Personal Information Protection Law | GDPR-inspired but stricter on consent and with harsher penalties. Sensitive PI has its own Art. 28 regime. |
| DPDPA (India) | Digital Personal Data Protection Act | Covers digital personal data. Does not use “sensitive data” as a formal category but imposes strict rules on children’s and guardian-consented data. |
Robert Bergman is CEO of Southwest Management Technology and Next Level Mediation.