
Is Your Legal Translation Actually Privileged? A 5-Point Security Checklist

Uploading legal docs to the wrong translation tool can waive attorney-client privilege. Here's a 5-point checklist to translate legal documents securely.

Yash Khare · 6 min read

here's something that doesn't get talked about enough: uploading a client contract to Google Translate might waive attorney-client privilege.

not "might" in the hypothetical sense. "Might" in the "your opposing counsel will absolutely argue this" sense.

the logic is straightforward. privilege protects communications made in confidence. the moment you voluntarily share that communication with a third party who isn't covered by the privilege, the confidentiality is broken. and most free translation tools? they're third parties with terms of service that say they can use your content.

so yeah. that NDA you ran through a consumer translator last Tuesday? it might not be privileged anymore.

The 'Privilege Trap': how uploading to the wrong tool waives confidentiality

attorney-client privilege is fragile. it exists only as long as the communication stays confidential between the attorney and client (and their agents).

the key word is agents. a human translator hired under an NDA? that's an agent. a SaaS tool with a 40-page terms of service that includes "we may use your content to improve our services"? that's... not an agent. that's a data pipeline.

and here's where it gets uncomfortable: most law firms don't have a policy for this. associates paste things into consumer translation apps because it's fast. nobody reads the terms. nobody checks whether the tool retains content or trains on it.

until discovery. then it matters a lot.

The 5 translation risks every law firm should know

I spent some time digging into what actually goes wrong when legal teams use the wrong translation tools. it comes down to five things.

1. Content logging

some services log every translation request. not just metadata—the actual text. this means your contract language is sitting in a database somewhere, accessible to the vendor's employees, subprocessors, and potentially law enforcement in whatever jurisdiction those servers are in.

2. AI training on your data

the big one. if the tool uses your input to train or fine-tune its models, your confidential text becomes part of a shared dataset. it's not just stored—it's learned. and you can't un-train a model.

why consumer tools are risky for legal files—we wrote a whole thing about this.

3. Data residency

your client's contract is governed by German law. you paste it into a tool that processes it on servers in Virginia. congratulations, you've just created a cross-border data transfer that your client's DPO will have opinions about.

4. Uncontrolled sharing

some tools generate shareable links. some keep a history. some sync across devices. any of these features means the translated content is accessible beyond the person who requested it.

5. Formatting destruction

this one's less about privilege and more about liability. legal documents have structure—numbered clauses, defined terms, indentation that matters. if the translation tool destroys that formatting, the translated version might not match the original's legal meaning. and nobody checks.

A safe workflow: redact, split, review

okay, so what do you actually do? you still need to translate things. here's the workflow we recommend.

step 1: classify the document. is it privileged? is it confidential? does it contain PII? if yes to any of these, it needs a secure translation path.

step 2: redact what you can. names, addresses, account numbers—anything that isn't needed for understanding the legal meaning. redact it before translation, re-insert after.

step 3: split if necessary. if the document has both sensitive and non-sensitive sections, translate them separately. use the secure tool for sensitive parts only.

step 4: use a tool with the right controls. this means: no training on your data, short retention windows, EU data residency, and a DPA you can actually sign. noll's stateless translation workflow handles this—your files are gone within 30 minutes, no content logs, no history.

step 5: review the output. don't just skim it. have someone who reads the target language verify that defined terms are consistent, that numbered references match, and that nothing was added or removed.
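steps 2 and 5 lend themselves to a mechanical check, sketched here as an added example (not code from this post or from noll): sensitive values are swapped for opaque tokens before the text leaves the firm, and re-inserted only if the translated output still carries exactly the same tokens. the regex patterns, function names and the sample clause are all constructed for illustration, and the check covers the placeholders only, not the legal meaning.

```python
import re

# constructed patterns for illustration; a real matter needs a reviewed list
IBAN = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
TOKEN = re.compile(r"\[\[[A-Z]+_\d+\]\]")

# constructed sample clause, not taken from any real contract
SAMPLE = ("Acme GmbH shall pay Borealis Ltd via IBAN DE89 3704 0044 0532 0130 00. "
          "Notices to legal@acme.example. Acme GmbH may terminate.")

def redact(text, party_names):
    """Swap sensitive values for opaque tokens; return (redacted_text, vault)."""
    vault, seen = {}, {}  # token -> value (never leaves the firm), value -> token

    def swap(kind):
        def _sub(match):
            value = match.group(0)
            if value not in seen:  # same value always gets the same token
                seen[value] = f"[[{kind}_{len(vault) + 1}]]"
                vault[seen[value]] = value
            return seen[value]
        return _sub

    # longest names first so "Acme GmbH Holding" is not split by "Acme GmbH"
    for name in sorted(party_names, key=len, reverse=True):
        text = re.sub(re.escape(name), swap("PARTY"), text)
    text = IBAN.sub(swap("ACCT"), text)
    text = EMAIL.sub(swap("EMAIL"), text)
    return text, vault

def reinsert(translated, redacted, vault):
    """Restore originals, but only if translation kept every token intact."""
    sent = sorted(TOKEN.findall(redacted))
    got = sorted(TOKEN.findall(translated))
    if sent != got:  # a dropped, duplicated or altered token needs human review
        raise ValueError(f"token mismatch: sent {sent}, got {got}")
    return TOKEN.sub(lambda m: vault[m.group(0)], translated)

if __name__ == "__main__":
    redacted, vault = redact(SAMPLE, ["Acme GmbH", "Borealis Ltd"])
    print(redacted)  # this is the only text that goes to the translation tool
    # stand-in for the tool's output; no translation service is called here
    translated = redacted.replace("shall pay", "zahlt an")
    print(reinsert(translated, redacted, vault))
```

the vault mapping stays on the firm's side; a `ValueError` from `reinsert` means the output goes to the human reviewer instead of being restored automatically.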

for a broader framework on evaluating vendors, our secure translation checklist covers the full procurement angle.

Vendor checklist for law firms

when you're evaluating a translation tool for legal work, here are the minimum requirements:

Question | What you want to hear
Do you train on customer data? | No, never
What's your retention window? | < 1 hour, ideally 30 min
Where is data processed? | EU-only (or your jurisdiction)
Can employees access my content? | No, zero-access architecture
Do you offer a DPA? | Yes, available on request
Is there audit logging? | Yes, without content exposure
What happens on service termination? | All data already deleted

if a vendor can't answer these clearly, that's your answer.

When to use human translation instead

machine translation is great for speed. but there are cases where you need a human translator, and trying to shortcut it will cost you more than the time you saved.

use human translation when:

  • the document requires certified or notarized translation (courts, immigration, regulatory filings)
  • the stakes are extremely high and you need a warranty of accuracy
  • the text is highly specialized (patents, medical devices, financial instruments) and requires domain expertise
  • your client's contract requires it

use secure machine translation when:

  • you need to understand a foreign-language document quickly (due diligence, initial review)
  • you're translating internal communications, policies, or reference materials
  • formatting preservation matters (PDF, DOCX with complex layouts)
  • volume makes human translation impractical

the point isn't that one is better than the other. it's that they serve different purposes, and using the wrong one for the wrong job is where things break.

Frequently asked questions

Can I use ChatGPT or Google Translate for contracts?

short answer: not if they're confidential. both services may use your input for model improvement (depending on your plan/tier), and neither offers the data handling guarantees that legal work requires. we wrote a deeper piece on ChatGPT risks if you want the full picture.

What about DeepL Pro?

DeepL Pro has better data handling than the free tier, but you should still verify their retention policy, subprocessor list, and training practices against your firm's requirements. "Pro" doesn't automatically mean "privileged."

Is machine translation admissible in court?

it depends on the jurisdiction and context. for understanding a document during discovery or due diligence? usually fine. for submitting as evidence or as an official translation? you'll almost certainly need a certified human translator.

Takeaways

  • uploading privileged documents to consumer translation tools may waive privilege
  • the five risks are: logging, training, residency, sharing, and formatting
  • a safe workflow involves classification, redaction, splitting, and review
  • your vendor should offer: no training, short retention, EU processing, and a DPA
  • know when machine translation is appropriate vs when you need certified human translation

the bar for secure legal document translation isn't actually that high. it's just that most tools weren't built with it in mind.
