    The EU Data Act and Legal Tech: Implications for Meeting AI

    How the EU Data Act reshapes obligations for AI meeting tools processing professional data.

    February 20, 2026 · 7 min read · Built in Belgium · EU law

    The EU Data Act, which entered into force in January 2024 with most provisions applicable from September 2025, represents a significant shift in how the EU approaches data. While most commentary focuses on IoT devices and industrial data, the implications for legal technology are substantial.

    For law firms and legal departments, understanding the Data Act is essential for two reasons: it affects the tools you use, and it may affect the advice you give clients navigating the new data economy.

    What Is the EU Data Act?

    The Data Act aims to unlock the economic potential of data by:

    • Data sharing: Making it easier for businesses to share data with each other
    • Consumer rights: Giving users rights to data generated by their use of connected products
    • Cloud switching: Making it easier to switch cloud providers
    • Government access: Allowing public sector access to private data in emergencies

    The regulation applies to "data holders"—parties that have the ability to share data. For legal technology, this includes cloud-based meeting recording services, document management systems, and AI transcription providers.

    Key Implications for Legal Tech

    Data Portability Requirements

    Under the Data Act, users must be able to switch cloud providers without significant barriers. For law firms using cloud-based meeting recorders, this means:

    • You should be able to export your recordings and transcripts in a usable format
    • Providers cannot lock you into their ecosystem through proprietary formats
    • Switching costs should be minimized

    Many current AI meeting tools don't meet these requirements. They store data in proprietary formats, make export difficult, and create switching costs through feature lock-in.

    Data Sharing Obligations

    The Data Act creates obligations for data holders to share data with third parties when requested by the data subject. For legal technology, this raises questions:

    • If a client requests their meeting data from a cloud recording provider, can the provider share it?
    • How does this interact with attorney-client privilege?
    • What safeguards exist for confidential legal data?

    The Data Act includes exceptions for trade secrets and confidential information, but the burden is on the data holder to demonstrate these apply. For legal practices, this creates uncertainty.

    Cloud Switching Rights

    The Data Act requires cloud providers to make switching easier. For law firms, this means:

    • Providers must offer data export in open formats
    • Contractual lock-in periods are limited
    • Technical barriers to migration must be minimized

    The Conflict with Legal Confidentiality

    The Data Act's data sharing provisions create tension with legal confidentiality requirements:

    Attorney-Client Privilege

    The Data Act doesn't explicitly address privileged communications. When a cloud provider holds meeting recordings containing privileged discussions, and a data sharing request is made, who decides whether privilege applies?

    The provider—who isn't a lawyer and doesn't understand privilege—may not be equipped to make this determination. This creates risk of inadvertent waiver.

    Professional Secrecy

    For European lawyers bound by professional secrecy, the Data Act's data sharing provisions are concerning. If a provider can be compelled to share data with third parties, how can lawyers guarantee confidentiality?

    The Data Act includes exceptions for "trade secrets and intellectual property," but professional secrecy is a different legal concept. Whether it qualifies as an exception is unclear.

    How to Choose Data Act-Compliant Legal Tech

    Given these uncertainties, law firms should choose technology that minimizes Data Act exposure:

    1. Prefer Local-First Solutions

    When data lives on your device or infrastructure, you are the data holder—not a third party. The Data Act's sharing obligations fall on you, and you can apply appropriate legal judgment to any requests.

    Local-first architecture also eliminates the cloud switching issues entirely—you already control your data.

    2. Choose EU-Based Providers

    EU-based providers are directly subject to the Data Act, meaning they must comply with its portability and switching requirements. Non-EU providers may not be, creating uncertainty about your rights.

    3. Verify Export Capabilities

    Before adopting any cloud legal tech, verify that you can export your data in open, usable formats. This is now a regulatory requirement, but many tools haven't caught up.

    4. Review Contractual Terms

    The Data Act limits contractual lock-in. Review your existing agreements for:

    • Excessive minimum commitment periods
    • Restrictive exit clauses
    • Data portability limitations

    5. Assess Privilege Protection

    For any cloud tool handling privileged communications, verify:

    • How they would respond to a Data Act sharing request
    • Whether they have processes to protect confidential legal data
    • Whether they can even identify which data is privileged

    Caven: Data Act-Ready by Design

    Caven's architecture makes it naturally suited for the Data Act era:

    Local-First = You Control

    With local-first processing, you are the data holder. There's no third party that could be compelled to share your data. You maintain complete control and can apply appropriate legal judgment to any data requests.

    EU-Hosted Cloud

    When you use cloud features, Caven processes data on EU infrastructure. We're directly subject to the Data Act and fully compliant with its portability and switching requirements.

    Open Export

    Export your recordings, transcripts, and summaries in standard formats. No proprietary lock-in, no switching costs. You can move your data at any time.

    SFTP Integration

    For firms with document management systems, Caven can export directly via SFTP to your own infrastructure. You maintain complete control from the start.

    No AI Training

    We never use your data for AI training. Your recordings stay yours—no risk that your clients' matters influence AI systems serving others.

    What to Advise Clients

    As lawyers, you'll increasingly advise clients on Data Act compliance. Key points:

    • IoT and connected products: Clients manufacturing connected devices must comply with data sharing requirements
    • Cloud contracts: Review existing cloud agreements for Data Act compliance
    • Data governance: Help clients establish processes for handling data sharing requests
    • Trade secrets: Document what data qualifies for trade secret protection

    Comparison: Data Act Readiness

    Factor · Otter.ai · Fireflies.ai · Teams Premium · Caven
    EU-based provider · Partial
    Local-first option
    Open data export · Partial · Partial · Partial
    You control data · Partial
    No third-party sharing risk · Partial
    SFTP export

    The Bottom Line

    The EU Data Act creates new dynamics for legal technology. Cloud providers now have data sharing obligations that may conflict with legal confidentiality. Law firms need to choose tools that protect privilege while meeting regulatory requirements.

    Caven's local-first architecture makes it the natural choice: you control your data, you apply legal judgment to any requests, and you avoid the uncertainties of third-party data holding. In the Data Act era, local-first isn't just about privacy—it's about professional responsibility.
