
The optimism driven by remarkable advances in the field of Artificial Intelligence (AI), combined with the fear of “falling behind” in an increasingly competitive environment, has led many professionals to incorporate into their daily tasks tools based on language models for automated content processing and generation – the widely known chatbots.
Once the understandable initial excitement about the many promises of time optimization and performance gains enabled by these technologies has passed, it becomes essential for the corporate environment to assess them with greater sobriety, considering not only their benefits but also the risks associated with the indiscriminate sharing of information with such platforms.
In practice, business owners and employees have begun turning to these tools to draft emails, summarize documents, organize information, review texts, and automate routine tasks, usually without a clear awareness of the legal implications involved.
Although often diffusely encouraged by the organizations themselves, this trend usually unfolds in a spontaneous and decentralized manner, outside formal technology projects and frequently without being supported by specific institutional guidelines.
The result is the consolidation of a silent legal risk that is widely underestimated by companies.
This is because entering information into AI tools is not a neutral activity from a legal standpoint: by inputting internal documents and data into third‑party systems – especially in their free versions – the employee ultimately transfers this data to infrastructures that are often located outside the country.
Depending on the policies of the platform used, the data entered may be incorporated into the system’s internal operational logs, thereby circulating outside the environment controlled by the user and ultimately being exposed to risks of unauthorized access and data leaks. In short, this amounts to a significant failure in information management.
Under the terms of Law nº 13.709/2018 (General Data Protection Law – LGPD)[1], the mere insertion of information into such tools already constitutes the processing of personal data, since it involves at least the activities of transmission, processing and, in certain cases, storage of data in third‑party systems.
In this context, even if the use of these tools is initiated spontaneously by the employee, the company may still be legally classified as the data controller, insofar as it benefits from the processing carried out, incorporates the results into its economic activity, and fails to establish clear limits regarding the purposes and means employed.
It is essential for companies to start managing the legal risks arising from the reckless use of AI tools. Although desirable and inevitable, innovation cannot override key legal obligations, especially those related to information security.
Governing the use of platforms for automated information processing means, first and foremost, providing training to employees and clearly defining which tools may be used in the corporate environment, for which purposes, and under which conditions. These measures must be accompanied by explicit guidance against sharing sensitive data, strategic information, and confidential documents, as well as by the support of professionals specialized in compliance and data protection.
With these considerations in mind, it is important to stress that the aim is not to prohibit or indiscriminately discourage the use of new technologies, which will inevitably become increasingly embedded in the professional context. Rather, the goal is to ensure that innovation progresses in a responsible manner, in line with legal requirements and with the preservation of legal and informational security.
[1] Law nº 13.709/2018, art. 5, X: “processing of personal data: any operation carried out with personal data, such as those referring to collection, production, reception, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation or control of information, modification, communication, transfer, dissemination or extraction.”