Can We Legally Put This Data Into ChatGPT, Claude or Gemini? A Decision Framework
If the data carries legal privilege, classification, patient confidentiality or a lawful basis that forbids third-party processing, public cloud AI is off the table at any tier.
For most regulated data the answer is no, and the enterprise tier does not change it. If the data is subject to legal professional privilege, government classification, patient confidentiality, or a lawful basis that forbids disclosure to a third-party processor, then sending it to a public cloud AI service such as ChatGPT, Claude or Gemini is unlawful regardless of the pricing tier or the data-processing agreement signed. A contractual promise not to train on or retain your data is not a technical guarantee that the data never leaves your control. The moment it crosses the vendor perimeter it is exposed to that vendor's staff, subprocessors and the jurisdiction its servers sit in.
This question matters in 2026 because the market answer has often been compliance theatre. The standard response, use the enterprise tier, treats a commercial reassurance as a legal control. Regulators, auditors and courts do not. They ask a different question: could a person outside your lawful chain of custody have accessed this data, and can you prove they could not. For a public cloud service the honest answer to the second half is no. That is the gap this framework closes.
What is the actual legal test?
The test is not whether you can trust the vendor. The test is whether any party to whom this data would be disclosed is permitted, under the rule that governs the data, to hold it. Run the data through four blockers before you consider a tier.
- Legal privilege. Privileged material shared with a third party can waive the privilege. A data-processing agreement does not restore it.
- Classification. Government-classified or protectively-marked data has handling caveats that public cloud infrastructure cannot satisfy.
- Patient and special-category confidentiality. The common-law duty of confidence and Article 9 GDPR restrict who may process health data, and consent to care is not consent to AI processing.
- Contractual and statutory data-locality duties. Many contracts and sector rules require the data to stay within a named jurisdiction or a named set of processors.
If the data trips any one of these, the decision is made. No tier, no configuration and no assurance from the vendor reverses it.
Why does an enterprise tier not fix it?
An enterprise agreement gives you three things: a promise of no training on your data, a retention window, and a right to audit that you will almost never exercise at the infrastructure level. What it does not give you is exclusion of the vendor from your data. The service still ingests, tokenises and processes your text on hardware you do not own, administered by staff you cannot name, in a legal jurisdiction you did not choose. A promise is enforceable after a breach. It does not prevent one. For privileged, classified or confidential data, the harm is the disclosure itself, and by the time a contract is enforced the disclosure has already happened.
“A contractual promise not to look at your data is not the same as being unable to.”
Which specific rules make public cloud AI off-limits?
These are the concrete blockers a buyer can cite, current as of 2026.
- UK and EU GDPR. You need a lawful basis and, for special-category data, an Article 9 condition. Onward disclosure to a processor outside your lawful basis is itself unlawful, before any transfer question.
- The US CLOUD Act. A US-headquartered provider can be compelled to hand data to US authorities even when it is stored in the EU or UK. This is a live conflict-of-laws problem for European regulated data, not a hypothetical one.
- DORA, in force since January 2025. Financial entities must manage and evidence ICT third-party risk, including concentration risk on a single AI provider. A data-processing agreement alone does not discharge it.
- NIS2. Essential and important entities carry supply-chain security duties that a public inference endpoint does not, on its own, satisfy.
- The EU AI Act. The high-risk Annex III obligations, once due on 2 August 2026, were deferred by the Digital Omnibus to 2 December 2027, with embedded Annex I high-risk moving to 2 August 2028 and Article 50 transparency duties largely unchanged. We read this as a build window, not a reprieve. The obligations are coming and the architecture takes longer to build than the paperwork.
What can an auditor actually check?
An auditor cannot inspect the inside of a hyperscaler. They can inspect you. So the real audit question is whether you can produce evidence, not assurances. For a public cloud service you can show the contract and the vendor's certifications. You cannot show where the data physically went, who touched it, or that it was destroyed. For a controlled deployment you can show the opposite: a sealed record of every action.
The checkable properties an auditor values are a zero-egress inbound perimeter, so data enters for inference and no copy leaves; hardware-attested identity, so every actor is bound to the audit trail; and a tamper-evident, cryptographically signed audit ledger, so the record cannot be altered after the fact. These are properties of the deployment, not clauses in a contract.
What does a compliant alternative look like?
The compliant pattern for regulated data is to bring the model to the data, not the data to the model. This is why we built Mickai as a Sovereign Intelligence Operating System, a SIOS, that runs offline on operator-owned hardware with every action cryptographically sealed. The data never crosses a third-party perimeter because there is no third-party perimeter to cross.
Concretely, that means sovereign models run inside a zero-egress inbound perimeter, identity is hardware-attested and bound to the audit chain, and the audit ledger is signed with post-quantum algorithms, the FIPS 204 (ML-DSA) signature standard, so the record survives future cryptographic attack. Where a single model's judgement is not enough, cross-model consensus lets several sovereign models check each other before an answer is trusted. Our work in this area sits behind 104 filed UK patent applications and approximately 2,340 claims, owned by Mickai LTD, and is patent pending. The point is not the count. The point is that offline verifiability replaces a promise with proof.
So when is public cloud AI acceptable?
Often. When the data is public, already published, fully synthetic, or genuinely anonymised so that no individual can be re-identified, the four blockers do not apply and a public service is a sensible choice. The framework is not a ban on cloud AI. It is a filter. Classify the data first, apply the four blockers, and only then choose the deployment. Most organisations have a large tier of low-sensitivity work that belongs in the cloud and a smaller, high-consequence tier that must never leave their control. The error is treating the whole estate as one.
Frequently asked questions
Does an enterprise data-processing agreement make it legal to send confidential data to ChatGPT?
Not on its own. A data-processing agreement allocates liability and promises certain handling, but it does not exclude the vendor from your data or keep it in your jurisdiction. If the data is privileged, classified or confidential, disclosure to the processor is the harm the rule is designed to prevent, and a contract that pays out after a breach does not stop the breach.
Is data stored in an EU region safe from the US CLOUD Act?
No. The CLOUD Act reaches data controlled by a US-headquartered provider wherever it is physically stored, including EU and UK data centres. Regional storage reduces transfer-mechanism questions under GDPR but does not remove the risk of lawful compulsion by a foreign authority, which is why locality alone is not a sufficient control for sensitive regulated data.
Can we put patient data into Claude or Gemini if we anonymise it first?
Only if the anonymisation is genuine and irreversible, meaning no individual can be re-identified from the data alone or in combination with other available data. True anonymised data falls outside GDPR and can be processed freely. Pseudonymised data, where a key still links back to a person, remains personal data and the common-law duty of confidence and Article 9 conditions still apply.
Is the 2 August 2026 EU AI Act high-risk deadline still live?
No. The Digital Omnibus deferred the high-risk Annex III obligations to 2 December 2027, with embedded Annex I high-risk systems moving to 2 August 2028 and the Article 50 transparency duties largely unchanged. We treat this as a build window rather than a reprieve, because sovereign, auditable architecture takes longer to stand up than the compliance documentation does.
What is the fastest way to decide for a given dataset?
Run four blockers in order: is the data privileged, is it classified, is it patient-confidential or special-category, and is it bound by a locality or processor restriction. If any answer is yes, keep it off public cloud AI and process it on operator-owned infrastructure with a sealed audit trail. If all four are no, a public service is a reasonable choice. Classify first, then choose the deployment.




