Using generative AI in legal work compliantly means securing data sovereignty, meeting data protection law (Swiss revDSG and GDPR), ensuring no client data is used for model training, and keeping human oversight over AI-assisted outputs. CASUS, a Swiss legal AI platform, retains no data after a session (Zero Data Retention), hosts exclusively in Switzerland and the EU, and transfers no data to the US.
Why compliance in legal AI is not optional
Generative AI is entering law firms and in-house legal departments for contract review, research, and document analysis. The regulatory picture is sharpening faster than many teams anticipated: Switzerland's revised Federal Act on Data Protection (revDSG / nDSG) has been in force since 1 September 2023, the EU's GDPR applies to many Swiss organisations with EU-facing operations, and the EU AI Act begins imposing high-risk classification obligations under Art. 6 from August 2026.
Deploying generative AI in legal work without addressing compliance questions risks data breaches, loss of client trust, and regulatory consequences under Art. 60 revDSG, which provides for fines of up to CHF 250,000. That applies to small teams and in-house legal functions just as much as large firms.
Switzerland's Federal Data Protection and Information Commissioner (EDÖB/PFPDT) has made clear that cloud processing of personal data – even where the cloud provider is located in the EU – remains subject to the processing principles of Art. 6 revDSG, and that data processing agreements under Art. 9 revDSG are mandatory, not optional. The EDÖB annual report for 2024/2025 identifies AI-based data processing as a focal area of ongoing supervisory activity.
According to the TrustArc Global Privacy Benchmarks Report 2025, AI is now the single biggest privacy challenge organisations report (47%), and there is a 16-point gap between organisations that consider themselves AI-ready and those that do not. AI can help close that gap, but only if the deployment itself meets applicable standards.
What "generative AI legal compliance" actually means
Generative AI legal compliance describes the lawful deployment of AI systems that use large language models (LLMs) to generate, analyse, or summarise text. In a legal context, that means contracts, pleadings, legal opinions, or compliance documents.
Compliance here is not only about the AI system being technically secure. It covers three levels:
Data protection: Where does data go? Who has access? Is client data used for model training?
Liability and professional duty of care: Who is responsible for AI-generated outputs? What oversight do lawyers retain?
Copyright and ownership: Who owns AI-generated text? Can it be legally used and attributed?
These are not hypothetical questions. In March 2025, the U.S. Court of Appeals for the D.C. Circuit confirmed in Thaler v. Perlmutter (No. 23-5233, decided 18 March 2025) that copyright protection requires human authorship; purely AI-generated works are not protectable. For pleadings and contracts produced under professional liability, that distinction is directly relevant.
The Swiss Federal Council stated in February 2025, in its position paper on AI governance, that existing sectoral regulation – including the revDSG and the professional duty-of-care obligations under Art. 12 of the Swiss Federal Lawyers Act (BGFA) – already applies to AI-assisted legal activities. A standalone Swiss AI liability statute is not planned; liability is governed by Art. 97 et seq. OR (Swiss Code of Obligations).
The compliance checklist: what to clarify before deploying AI
Data protection and data sovereignty
Where is data processed? (Switzerland / EU, or US / third countries)
Is client data used to train the underlying model?
Is Zero Data Retention in place – meaning no storage after the session ends?
Is No Human Review guaranteed – no vendor staff access to content?
Are data processing agreements in place under Art. 9 revDSG and/or Art. 28 GDPR?
For transfers to third countries: has the EDÖB recognised the destination country as adequate, or are standard contractual clauses in place?
Model and vendor assessment
Which base model is used, and how transparent is the vendor about it?
Is there ISO 27001 certification or comparable documented security evidence?
Are security audits or penetration tests conducted and documented regularly?
Internal governance and bar association rules
Is there an internal AI usage policy?
Are staff trained to critically review AI outputs?
Are AI-generated results always approved by qualified lawyers before entering work product?
Do workflows reflect the professional duty obligations under the Swiss Bar Association (SAV/FSA) code of conduct – particularly the personal-responsibility principle and the prohibition on delegating core tasks without oversight?
Copyright and IP
Does AI use in drafting pleadings or contracts require disclosure to the court or client?
Is it ensured that no copyrighted texts are reproduced without review?
Legal teams that want to work through these points systematically can try CASUS at no cost. The platform is built to meet these requirements from the ground up: Sign up for free.
DSG vs. GDPR: a risk matrix for a Zurich-based firm with EU clients
For a law firm based in Zurich that advises both Swiss and EU clients, two legal regimes apply in parallel. The table below maps where obligations diverge and where they overlap – a framing that does not typically appear in generic legal-AI commentary.
| Topic | Swiss revDSG (since 1.9.2023) | EU GDPR (article) | Practical consequence for Zurich firm |
|---|---|---|---|
| Legal basis for processing | Art. 6 revDSG: lawfulness, good faith, proportionality, purpose limitation | Art. 6 GDPR: lawful basis (consent, contract, legitimate interest) | For EU clients, an explicit legal basis under Art. 6 GDPR is required; the revDSG has no equivalent permission principle but applies processing principles instead |
| AI vendor as processor | Art. 9 revDSG: written contract, controller obligations | Art. 28 GDPR: written contract, sub-processor authorisation | Firm must conclude both a Swiss data processing agreement and an EU DPA when EU personal data is processed |
| Breach notification duty | Art. 24 revDSG: notify EDÖB if high risk; no fixed deadline (promptly) | Art. 33 GDPR: 72-hour deadline to supervisory authority | The GDPR deadline is stricter; a single process covering both regimes is needed |
| Third-country transfers | Art. 16 revDSG: adequate protection or SCCs | Art. 44 et seq. GDPR: adequacy decision or SCCs | The US is not recognised as adequate under the revDSG; EU SCCs required under post-Schrems II rules |
| Client access rights | Art. 25 revDSG | Art. 15 GDPR | Broadly similar in substance but deadlines and exceptions differ |
| Sanctions | Art. 60 revDSG: up to CHF 250,000 (individual liability) | Art. 83 GDPR: up to EUR 20m / 4% annual turnover | The revDSG targets individuals; GDPR targets the legal entity |
| Profiling / automated decisions | Art. 21 revDSG: right to explanation and objection | Art. 22 GDPR: right to human review | AI-assisted contract analyses that generate recommendations to clients may qualify as profiling |
What this means in practice: A Zurich M&A boutique advising a German corporate group on a Swiss acquisition must choose AI tools that technically satisfy both regimes. A vendor that transfers data to the US meets neither Art. 16 revDSG nor Art. 44 GDPR without additional contractual and technical measures. Selecting a provider with Switzerland and EU hosting is not a comfort choice; it is a compliance requirement.
How CASUS implements compliance requirements technically
CASUS is built so that the compliance requirements above are met at the architectural level – not as an afterthought.
Zero Data Retention: Inputs and outputs are not stored after a session ends. Client data is never used for model training.
Hosting in Switzerland and the EU: No data is transferred to the US. For teams operating under revDSG or GDPR, that is a baseline condition, not an added feature.
No Human Review: Vendor staff have no access to content. Abuse monitoring can be disabled via opt-out.
Traceable outputs: In Legal Research, CASUS references specific sources drawn from over 660,000 cantonal and federal court decisions, plus statutory law. Outputs are source-based, structured, and traceable. Relevant reasoning sections from decisions are shown inline in answers, with no click-through required. That lets lawyers check the source immediately – a requirement that flows directly from the duty of care under Art. 12 BGFA.
One concrete workflow example: an in-house lawyer at a Basel-based pharmaceutical company reviews incoming supplier contracts against the company's internal standard. Using the Benchmark module, she compares an incoming draft against the internal playbook and receives a structured report within minutes: which clauses are missing (for example, no liability cap, IP ownership undefined), which deviate, and a percentage match score. The legal judgment and sign-off remain hers; what changes is the time spent on initial analysis – from roughly two hours to under twenty minutes per document.
In AI contract review, risks are assessed from each party's perspective and prioritised by severity (low / medium / high). That lets lawyers focus review time where it matters, while retaining final responsibility.
What remains legally unsettled – and why it stays relevant
Generative AI in legal work still operates in a partially unresolved regulatory space. The EU AI Act classifies AI systems by risk level; high-risk applications under Art. 6 EU AI Act – which may include AI systems used in the administration of justice – will face transparency obligations, conformity assessments, and logging requirements. The Annex III obligations under Art. 6(2) apply from 2 August 2026, the Annex I product rules under Art. 6(1) only from 2 August 2027; the ongoing Digital Omnibus reform may push these dates back further still. For Swiss firms with EU clients, this can become directly relevant depending on how the system is used.
In Switzerland, liability for AI-generated legal work is governed by Art. 97 OR (breach of contractual obligation) and Art. 41 OR (tort). A law firm that passes AI output into a pleading without review and thereby harms a client faces a claim under Art. 97 OR – the breach of professional duty of care would be difficult to contest. Under established Swiss professional-conduct principles, a lawyer's duties of care are not reduced by the use of technical aids; the lawyer remains responsible for the correctness of the result. This principle predates generative AI but applies directly to it.
The question of platform liability for AI-generated content is also unresolved in Switzerland. There is no equivalent to the US Section 230 of the Communications Decency Act in Swiss law; platform liability would be assessed under general OR principles. For law firms, this means liability exposure does not shift to the AI vendor by contract alone – it stays with the professional who signed the work product.
Practical implications – what actually goes wrong
Technical compliance is solvable. What is more often underestimated in practice are the substantive pitfalls that LLMs introduce specifically in the Swiss legal context.
LLMs trained on broad international datasets have a known weakness with jurisdiction-specific limitation and notice periods. One concrete example: under Art. 210 OR, warranty claims in Swiss sales contracts are subject to a two-year limitation period from delivery – which is distinct from the duty under Art. 201 OR to give notice of defects immediately upon discovery. Both are regularly conflated with each other, and with the general ten-year limitation period for contractual claims under Art. 127 OR. LLMs tend to smooth over this distinction and produce clause language calibrated to German law or US warranty concepts rather than to Swiss OR. Firms that adopt AI-generated contract drafts without review can expose clients who rely on the two-year period without realising the clause actually sets a different standard.
The same applies to default interest clauses: the statutory rate under Art. 104 OR is 5%. Models trained predominantly on international data sometimes replace this with EURIBOR-based or US-prime-rate references, simply because those appear more frequently in training data.
Neither of these failures is an argument against using AI. They are arguments for qualified review. The AI Chat with Agent Mode can be used to identify such clauses and check them against Swiss OR standards – but the final judgment requires someone who knows the OR.
Tension with bar association rules: The SAV/FSA code of conduct obliges lawyers to perform core tasks personally and to protect professional secrecy. Both create friction with AI deployment. Personal performance does not prohibit technical tools, but it requires the lawyer to substantively own the result – quality review is not optional. Professional secrecy under Art. 13 BGFA prohibits disclosure of mandate-related information to third parties; an AI vendor that stores or trains on data qualifies legally as a third party. Choosing a provider without data retention is therefore not a preference under bar association rules; it is a precondition.
The cantonal bar associations – including the Zurich Bar Association (ZAV) and the Bernese Bar Association (BAV) – have not yet published AI-specific guidelines. The SAV general assembly in 2024 placed the topic on the agenda for 2025. Until formal guidelines are adopted, the existing code of conduct applies in full.
Next steps: putting compliance into practice
Compliance in AI deployment is not a one-time project. The technical foundation – Zero Data Retention, hosting in Switzerland and the EU, no data transfer to the US, no vendor staff access to content – is built into CASUS from the start. Teams that work with source-based legal research or structured contract review get traceable outputs that integrate into existing quality assurance processes.
More on CASUS security and data protection standards: Security. Platform overview: About.
Those who want to try the platform without commitment: Sign up for free.
FAQ
What is generative AI legal compliance?
Generative AI legal compliance describes the lawful use of AI systems that generate or analyse text in a legal context. It covers data protection conformity under revDSG and GDPR, liability questions under Art. 97 OR, transparency obligations, and internal governance – including professional duty obligations under the SAV/FSA code of conduct and Art. 12 BGFA.
Can generative AI legally process client data?
Yes, provided the applicable data protection requirements are met: no training on client data, hosting in Switzerland or the EU, a data processing agreement under Art. 9 revDSG or Art. 28 GDPR with the vendor, and no onward transfer to third parties. For EU clients, an additional lawful basis under Art. 6 GDPR is required for each processing activity.
What does Zero Data Retention mean for AI tools?
Zero Data Retention means inputs and outputs are not stored after a session ends. The vendor holds no data and does not use it for model training. In CASUS, this is enabled by default. From a professional secrecy standpoint under Art. 13 BGFA, it is a baseline condition for compliant use.
Must AI use be disclosed in court filings or to clients?
In Switzerland, there is currently no statutory disclosure obligation to courts or opposing counsel. The SAV/FSA code of conduct does require lawyers to personally own the work product they submit; passing AI output on without review would be professionally problematic. Whether Swiss courts will introduce a formal disclosure requirement is an open question; several cantonal courts are discussing it internally.
Are AI-generated texts protected by copyright in Switzerland?
The Swiss Copyright Act (URG) requires human creative activity as a precondition for protection. Under prevailing academic opinion, purely AI-generated texts do not qualify. The Federal Supreme Court has not yet ruled on the question directly. For comparison, the US Court of Appeals for the D.C. Circuit confirmed in Thaler v. Perlmutter (No. 23-5233, 18 March 2025) that copyright requires a human author. Anyone submitting AI-generated text as their own work carries the IP risk.
What drafting errors do LLMs typically make in Swiss contracts?
LLMs trained on broad international data regularly miss or conflate Swiss-specific rules. Known failure patterns: mixing up the two-year warranty limitation period under Art. 210 OR and the duty to notify defects immediately under Art. 201 OR with the general limitation period under Art. 127 OR (ten years); replacing the statutory default interest rate of 5% under Art. 104 OR with EURIBOR or US-prime references; producing IP clauses calibrated to US copyright structures rather than URG. These errors are avoidable through qualified review – they are not unavoidable features of AI use.
How does CASUS differ from tools like Harvey or ChatGPT?
CASUS hosts exclusively in Switzerland and the EU, transfers no data to the US, retains no session data, and is built specifically for Swiss law firms and in-house legal teams. Harvey and general-purpose LLMs such as ChatGPT are not designed around the Swiss revDSG, Art. 9 revDSG, or the SAV/FSA code of conduct. Without additional contractual measures, they do not meet the professional secrecy requirements under Art. 13 BGFA.
What should an internal AI usage policy for a law firm include?
At minimum: which tools are permitted (with verification against Art. 9 revDSG and Art. 28 GDPR), how outputs are documented and labelled, when manual review is mandatory, how Swiss OR-specific deviations in AI-generated drafts are handled, and who holds accountability for liability questions under Art. 97 OR. For firms with EU clients: a separate assessment of the GDPR lawful basis under Art. 6 for each processing activity.
Does the EU AI Act apply to Swiss law firms?
It applies directly only to entities with EU operations or EU market exposure. Swiss firms advising EU clients or providing services in the EU may fall within scope. Art. 6 EU AI Act on high-risk AI systems becomes applicable from August 2026; whether AI-assisted legal advice qualifies depends on the specific use case. Switzerland has not announced a standalone AI Act; the Federal Council's position is that existing laws – including the revDSG and OR – apply to AI-assisted activities without new legislation.







