ILS News – March 2026

One of the unanswered questions about AI use centers on its impact on attorney-client privilege.  A federal judge has finally offered one answer, first, for non-lawyers—a rather strong “no”—along with some dicta that might guide lawyers’ AI use—let’s call it a “maybe.”^[i]

The Facts in Brief. Bradley Heppner, CEO of one financial services company and chair (and former CEO) of another, was indicted by a grand jury for securities fraud (among other charges).  In executing a warrant to search his home, the FBI found documents that included results of his use of Anthropic’s Claude to explore his legal options—an AI conversation that he generated before he engaged a lawyer. Once he had legal counsel, his lawyers tried to shield some thirty “AI-generated analysis” documents as privileged.

Judge Rakoff was unimpressed. Rakoff wrote that, essentially, no attorney-client privilege could protect those documents because a lawyer was not involved, plus the terms of service make it clear that the information could be shared with third parties. As for attorney work product: well, no lawyer created the documents. Put simply, AI chats are no more privileged than a Google search.

The Dicta for Lawyers’ Using AI. But then things got interesting. The judge mused that under the right circumstances, an AI tool might act like a specialized professional assisting an attorney, permitted under the Kovel doctrine, which extends attorney-client privilege to non-lawyer experts, as long as they are working at the attorney’s direction and in confidence.  This sentence in the opinion has lit up the legal world:

Had counsel directed Heppner to use Claude, Claude might arguably be said to have functioned in a manner akin to a highly trained professional who may act as a lawyer’s agent within the protection of the attorney-client privilege.^[ii]

His dicta and his reasons for denying Heppner’s request hint that an AI tool could qualify for Kovel treatment if it: performs serves as a highly trained professional; is an AI system that preserves confidentiality; and, the keystone,  operates under the attorney’s direction.

The Devilish Details. As with many judicial opinions, the devil is in the details of further questions, such as just what amounts to an “attorney’s direction” and the degree of confidentiality of the AI system itself, i.e., do “closed systems” suffice? Here, though, lawyers might be on safer ground, as judges tend to respect attorney-client privilege where the claims are reasonable. Thus, treating AI tools in a manner equivalent to a Kovel-protected expert might be sufficient, if the lawyer knows that the terms of services prevent further distribution. And what about AI-generated transcripts or merely summarizing notes of a call between an attorney and its client? At least two bits of advice seem clear: Have the lawyer control the use of the AI tool and read the terms of service.

[i] United States v. Heppner, 2026 BL 52143, S.D.N.Y., 25 Cr. 503 (JSR), 2/17/26.

[ii] Cf. United States v. Adlman, 68 F.3d 1495, 1498–99 (2d Cir. 1995) (citing United States v. Kovel, 296 F.2d 918 (2d Cir. 1961)).

The Setting. It’s the Milano Cortina 2026 Winter Olympics on TV. You are a transactional lawyer—licensing, commercial, or cross‑border. You are admiring the grace of a downhill skier in the Dolomites or the speed of a bobsled in Cortina. But then you start to think like a lawyer. When that skier slides past those gates, you aren’t just seeing sport; you are seeing the execution of a massive web of contracts.

Just how many? For athletes and support staff alone, the universe for these Games exceeds 25,000 contracts. Add in the volunteers and you get another 18,000.

Why might it matter to California lawyers? The 2028 Summer Olympics are coming to Los Angeles in just over two years.

MC2026: The Physical, Human and Legal Scale. These Games are the most geographically dispersed in history, covering over 22,000 square kilometers (nearly 10,000 square miles) across Northern Italy—from the urban rinks of Milan to the peaks of the Valtellina. Between the main Games and the Paralympics, there were roughly 3,500 athletes (2,884 Olympians and a record 611 Paralympians). They competed for 195 gold medal events, with over 1,000 individual medals awarded in total. For a lawyer, every one of those medals is a “trigger event” for performance bonuses, IP licensing escalators, and potential endorsement disputes.

The “BOTE” (Back-of-the-Envelope) Calculations. Here is how we get to that 25,000-contract mountain:

• The “Baseline” Athlete Agreements (~10,500): Each athlete must sign at least three agreements with the “powers-that-be”—the IOC/IPC Entry Form, the National Team Agreement, and WADA anti-doping consents. That is over 10,000 “baseline” instruments before a single event begins.
• The Athlete Commercial Agreements (~6,500): A top-tier skier typically signs between twelve to fifteen agreements for everything from technical gear (skis, boots, helmets) to “Rule 40” personal endorsements. Even the mid-tier field of athletes signs three to five separate agreements.
• The Support Staff Agreements (~5,000): Each of the ninety-three national teams brings an army of coaches, doctors, and technicians. These are governed by specialized service agreements that must reconcile international sport standards with rigid Italian labor laws.
• The Institutional Agreements (~3,000): Each National Olympic Committee (NOC) operates like a corporation, managing institutional sponsorships for everything from official “podium” apparel to national logistics and sponsorships, e.g., Ralph Lauren for TeamUSA gear or Fiat for the local “Mobility Partner.”

Finally, we cannot ignore the “Team26” volunteer force. Out of 135,000 applicants, 18,000 volunteers were selected. Every volunteer signs a complex liability waiver and code of conduct covering mountain safety, medical protocols, and GDPR-compliant data handling. In a high-risk environment like winter sports, these waivers are the primary line of defense against staggering tort exposure.

Conclusion. And that’s how we get to some 25,000 agreements (or more). With the Summer Olympic Games always larger than their Winter siblings—almost triple the number of athletes—we can expect many more such contracts. Thatwill be a big mountain of contracts.

[Author’s note: Sources would have been included for longer articles. The author relied on three different AI agents to confirm an estimate range of total contracts for one of the pieces below and to collect sources for the other pieces. AI agents provided some grammatical and structural suggestions but otherwise were not used to draft.]

Introduction. In the ever-evolving regulatory opera that is the European Union, efforts to give enforcement teeth to the EU AI Act of 2024 are well underway. Here is a brief overview of developments since the AI Act became “law.

With the framework of the EU AI Act in place, now it is largely about the details of enforcement mechanisms. By the end of 1Q26 the EU had hit several milestones set forth in the law, with more on schedule, thus accelerating the shift from an ambitious regulatory blueprint to an actual compliance “regime.”

Everything is supposed to be in place by 2027, when all aspects of the AI Act will be in effect and applying to all categories of AI Agents and AI use. 2026 is likely to determine whether the EU AI Act is remembered as a masterstroke of proactive governance or not, with the need to regulate a field evolving faster than policymakers can get the regulatory details right.”

Entry Into Force Through “Waves” of Obligations. The EU institutions and member states chose a sort of “triage” approach, or “waves” of ever broader and deeper regulations starting with regulating the highest risk AI uses and AI agents in 2025.

February 2025: Prohibited Practices. The first enforceable provisions kicked in on February 2, 2025, which targeted certain AI uses considered to be violations of basic EU rights, such as social scoring or real-time biometric identification in public spaces.

AI providers engaged in socially risky uses were not alone in immediate application of some requirements. “General Purpose” AI Providers—commonly known as “GPAI”—have been subject to obligations since August 2025, including copyright compliance, documentation requirements, and training-data summaries. With a grace period through 2027 applying to some of the major players, enforcement is likely to be spotty, but not insignificant.

August 2025: Governance Architecture Comes Online. The EU AI Office officially became operational as another EU-wide compliance authority. If the AI Act means anything, it means that this institution will have the requisite powers.  At the same time, each member state was required to identify its own regulators, thereby building out the institutional framework that will grow as compliance requirements increase through 2027. 

June 2026: Detailed Standards and Member State Enforcement. High-risk AI and general AI providers (the latter commonly known as “GPAI”) are scrambling to comply with the “prohibited practices” requirements while aligning their systems with what they expect in forthcoming standards, including, for example, the long-awaited Code of Practice for content provenance (read: compliance with the EU Copyright Directive and related laws) due in June. And in case anyone does not believe that compliance will get to the member state level, Finland was the first member state to activate full domestic enforcement powers relating to AI use.

August 2026: The Great Compliance Cliff: August 2, 2026 marks the day when the Act’s obligations relating to high-risk use become fully enforceable, along with the initial impact of regulations applying to other uses. AI providers will need risk management systems, documentation, human oversight frameworks, post-market monitoring, and the kind of recordkeeping that would impress even the most demanding CPA. Failure to comply means risking penalties high enough to make enterprise senior managers long for GDPR enforcement (a nasty experience for many CXOs since its adoption). Several important copyright infringement cases against GPAI provided have also been decided, although they may be appealed this year. In addition, an alphabet soup of relevant institutions—CEN, CENELEC, and ETSI—will finalize standards harmonized across all member states.

Conclusion. The Act’s full effect is expected in 2027 (with some leeway for public sector systems), but 2026 will define much of the breadth, depth, and impact of regulation from enforcement of harmonized standards to lawsuits interpreting the AI Act and its scope. In particular, we should see considerable movement in copyright matters, from court cases to licensing agreements enabling the legitimate use of copyrighted materials by LLMs, as we have seen over the last few years with major content holders such as Axel Springer and Le Monde.

In late 2025 a German court handed OpenAI a defeat in a lawsuit brought by GEMA (the German music collecting society, roughly similar to BMI/ASCAP in the US) for copyright infringement. As a legal “victory” for rightsholders, the decision sparked considerable interest for European copyright law.^[i] OpenAI’s appeal has now gone to a Munich appeals court.^[ii] Here is a brief update as of March 2026. We’ll also briefly discuss the GEMA licensing model.

The Original Verdict: The “Memorization” Doctrine and TDM Exceptions. Among other findings, the GEMA court found that the lyrics to nine songs were “memorized” in a manner similar to lossy compression in an MP3 file, violating Section 16 of the German Copyright Act. Perhaps more important to EU AI regulation, the GEMA court rejected OpenAI’s argument that its use was protected under the “Text and Data Mining” (TDM) exceptions of EU law, holding that the relevant TDM exception only protected temporary copies for analytic data mining, while OpenAI embodied the works for later output in their entirety.

The Appeal Path(s). The Munich Higher Regional Court (Oberlandesgericht) now has the briefs before it in OpenAI’s appeal. OpenAI’s appellate brief argues that the GEMA court mischaracterized the models analytic approach: briefly, its mathematical weights are not “copies,” while the output of the lyrics in their entirety amounted to a “bug.” and that any verbatim output is a technical “bug” (overfitting) rather than deliberate storage.

Member state courts can refer a case to the European Court of Justice (CJEU) but, in a show of confidence in national law, the GEMA court declined. The judges concluded that “memorization” so clearly interferes with the economic interests of creators that a European-level intervention was unnecessary at the trial stage. However, the Munich Higher Court is being pressured to refer the case to the CJEU under the overarching principle of EU legal “harmonization.” The case is also expected to reach Germany’s highest federal court, the Bundesgerichtshof or “BGH.

GEMA’s Licensing Model. Shortly before the original lawsuit, GEMA introduced an innovative “Generative Licensing Model” that requires sharing ongoing revenue with the authors. In January of this year, GEMA added an AI clause to its commercial contracts, aimed largely at retail establishments that play background music. The clause attempts to eliminate protection from copyright infringement where the claim is that the music is AI generated.

Large AI providers such as OpenAI have not signed on to the model and are unlikely to do so, as it would undermine their core legal argument the LLM training does not require a license. Some smaller AI startups are moving towards a “GEMA-compliant” position on the theory that some European enterprise clients prefer this “safer” approach. 

[i] (LG München I [Regional Court of Munich I], GEMA v. OpenAI, 42 O 14139/24 (Nov. 11, 2025) (Ger.), https://www.gesetze-bayern.de/Content/Document/Y-300-Z-GRURRS-B-2025-N-30204.)

[ii] OpenAI, LLC & OpenAI Ireland Ltd. v. GEMA. OLG München, Case No. 6 U 3662/25 e. Oberlandesgericht München (Higher Regional Court of Munich), 6th Civil Senate. See commentary at https://www.euipo.europa.eu/it/law/recent-case-law/the-higher-regional-court-of-munich-considered-memorization-and-temporary-copies-occurred-in-model-training-as-infringing-reproductions-of-works