Section 43e BRAO Explained: AI API Requirements for German Law Firms
Short answer
Section 43e BRAO permits law firms to use AI APIs for mandate-related work provided the service provider is bound in writing to professional confidentiality, warned of criminal liability under §203 StGB, contractually prohibited from using mandate data for AI training, and subject to documented subprocessor and.
- Section 43e BRAO applies to every AI API that processes mandate data — regardless of provider or contract label.
- A §203 StGB warning in the service provider contract is a mandatory professional-conduct requirement — a GDPR DPA alone does not satisfy it.
- Client consent under Section 43e(5) BRAO is required where mandate data is processed beyond the specific scope of the instruction.
Section 43e of the Bundesrechtsanwaltsordnung (BRAO) — Germany’s Federal Lawyers’ Act — permits law firms to involve external service providers, including AI API vendors such as OpenAI, Anthropic, and Microsoft Azure OpenAI, in mandate-related work, provided specific contractual and oversight conditions are met. The § symbol (Paragraph-Zeichen) is the standard German statutory reference marker; “§43e BRAO” simply means Section 43e of the BRAO statute. Section 43e BRAO requires law firms to bind service providers in writing to professional confidentiality, warn them of criminal liability under §203 StGB (Section 203 of the Strafgesetzbuch, the German Criminal Code), exclude mandate data from AI training, regulate subprocessors, and document deletion and exit terms — all before any client data reaches an external AI system.
What Does Section 43e BRAO Regulate?
Section 43e BRAO was introduced by the BRAO Reform Act of 2022, effective 1 August 2022. It closed a longstanding gap in German professional conduct rules: prior to the reform, there was no explicit statutory basis allowing lawyers to engage external service providers for mandate-related tasks without risking a breach of professional secrecy.
Section 43e(1) BRAO authorises lawyers to engage service providers that assist in processing information subject to the professional duty of confidentiality under §43a(2) BRAO — the Verschwiegenheitspflicht, the core professional secrecy obligation that binds every German lawyer. The statute expressly references information processing systems, which covers AI APIs, cloud platforms, legal analytics software, and external document platforms.
Quick reference — What is BRAO? The Bundesrechtsanwaltsordnung is the federal statute governing the legal profession in Germany: bar admission, professional conduct, disciplinary proceedings, and the structure of regional bar associations (Rechtsanwaltskammern). The § symbol in German law corresponds to “section” or “article” in English legal systems.
Section 43e BRAO is the central professional-conduct provision for AI tool usage in German law firms. The permission to use external service providers exists — but only together with the obligations in subsection (3).
Why Section 43e BRAO Applies to Every AI API Deployment
As soon as a law firm sends mandate data — case facts, draft briefs, contract terms, party information — to an external AI API, it has engaged a service provider within the meaning of Section 43e(1) BRAO. What matters is not the contract label or the provider’s business model. The operative question is: has confidential client information left the law firm’s sphere and reached a third party?
The link to §43a BRAO is decisive. Section 43a(2) BRAO requires lawyers to protect mandate secrecy even with respect to third parties they bring in to assist with client work. Section 43e BRAO operationalises that duty for the digital environment, specifying how the obligation must be implemented contractually and organisationally when external processors are involved.
Practical consequence: No AI API deployment involving client data is permissible without a Section 43e BRAO-compliant contractual foundation — whether the tool is an AI writing assistant, a legal research API, an automated document review system, or an AI-powered client communications platform. This applies equally to self-hosted models that use external inference infrastructure.
Requirements Under Section 43e(3) BRAO
Section 43e(3) BRAO defines the minimum contractual and organisational requirements that must be in place before any mandate data is transferred to an external AI provider.
Written Obligation with §203 StGB Warning
The service provider must be bound in writing to professional confidentiality. Beyond this, the contract must explicitly warn the provider of criminal liability under §203 StGB — the provision that makes the unauthorised disclosure of professional secrets a criminal offence, including for persons to whom a professional secret-holder has disclosed information.
This requirement goes well beyond a standard Data Processing Agreement (DPA) under Art. 28 GDPR. A DPA contains no §203 StGB warning. Law firms must supplement the provider contract with this professional-conduct element — either as a standalone clause or in a separate professional-rules annex.
No-Training Clause and Purpose Limitation
Mandate data may only be processed by the service provider for the specific purpose of the engagement. Any use for model improvement, internal analysis, or AI training is incompatible with Section 43e BRAO.
For AI API deployments, this requires an explicit no-training clause in the contract. Many major providers exclude training use in their API terms by default — but that contractual position must be verified, documented, and actively monitored. A vendor website statement does not replace a contractual commitment.
Subprocessor Rules
Section 43e(3) BRAO requires the primary service provider to bind its own subprocessors to equivalent obligations. AI providers routinely rely on cloud infrastructure, monitoring tools, and security services from third parties. For law firms, the chain of confidentiality and purpose-limitation obligations must be traceable through the entire processing chain.
Law firms should request and review the subprocessor list from the AI provider and verify that all downstream processors are contractually bound to equivalent professional-secrecy standards.
Deletion and Exit Arrangements
The provider contract must specify when and how mandate data is deleted — both on an ongoing basis (temporary storage, logs, inference buffers) and upon contract termination. Exit arrangements — the secure handover or destruction of all stored mandate data on provider change — must be agreed in writing and implemented technically.
Client Consent Under Section 43e(5) BRAO — When Is It Required?
Section 43e(5) BRAO addresses a specific scenario: where the service provider processes mandate data beyond the scope of the specific instruction, or where using that service provider would not be recognisably acceptable to the client, explicit client consent is required.
For AI APIs, this threshold is not automatically reached simply because AI is used in the workflow. Engaging IT service providers for mandate-related work is both legally permissible and common. Consent becomes necessary when:
- mandate data is analysed for purposes outside the direct instruction (e.g. product analytics, model fine-tuning)
- the provider stores data or uses it for its own commercial purposes
- AI outputs are passed to clients without the AI involvement being apparent
- particularly sensitive data (criminal defence, M&A, trade secrets) is transferred to external systems
BRAK guidance from December 2024 recommends that law firms proactively inform clients when sensitive data categories are involved — even where formal Section 43e(5) BRAO consent is not strictly required in every individual case. Transparency is professionally sound and the practical foundation for client trust.
Section 43e BRAO and GDPR — How Do They Interact?
Section 43e BRAO and Art. 28 GDPR protect different legal interests and apply cumulatively. A DPA alone does not satisfy Section 43e BRAO requirements.
| Requirement | Section 43e BRAO | Art. 28 GDPR (DPA) |
|---|---|---|
| Legal basis | Professional conduct law (BRAO) | Data protection law (GDPR) |
| Protected interest | Lawyer’s professional secrecy, §203 StGB | Personal data of individuals |
| §203 StGB warning | Required | Not provided for |
| No-training clause | Required | Not mandatory |
| Purpose limitation | Required | Required (Art. 28(3)(b)) |
| Subprocessor obligations | Required | Required (Art. 28(4)) |
| Deletion terms | Required | Required |
Law firms need both instruments: a DPA for the GDPR framework and a Section 43e BRAO-compliant confidentiality clause for professional conduct compliance. The DAV (German Bar Association) position statement of 2025 explicitly noted that professional conduct law imposes higher standards than GDPR alone — a DPA-only contract structure does not fulfil the professional conduct requirements.
Section 43e BRAO Compliance Checklist for AI Tools
Before deploying any AI API with mandate data, law firms should confirm each of the following:
- Section 43e BRAO clause in the service provider contract — written confidentiality obligation with explicit §203 StGB warning
- No-training clause expressly agreed — mandate data is excluded from model training and product improvement
- Purpose limitation documented — no processing beyond the specific engagement scope
- Subprocessors identified, listed, and contractually bound to equivalent obligations
- Deletion and exit terms agreed in writing and technically implemented
- DPA under Art. 28 GDPR in place — complementary to Section 43e BRAO, not a substitute
- Client consent assessment under Section 43e(5) BRAO — conducted, particularly for sensitive data categories
- Internal AI acceptable use policy in place — approved tools, prohibited data categories, approval procedures
- AI literacy documentation under Art. 4 EU AI Act — staff training on tools in use is verifiable
- Pilot operation with defined test matters before full rollout
Further Reading
- BRAO-Compliant AI Deployment: Full Guide
- AI APIs for Law Firms in Germany
- Professional Liability and AI Specialists in Germany
FAQ
What does Section 43e(3) BRAO require for AI APIs?
Section 43e(3) BRAO requires law firms to ensure the following before engaging any AI API that processes mandate data: (1) a written confidentiality obligation on the service provider with an explicit §203 StGB warning, (2) purpose limitation and a no-training clause, (3) equivalent obligations passed on to the provider’s own subprocessors, and (4) documented deletion and exit arrangements. These requirements are cumulative — satisfying some but not all does not achieve compliance.
When is client consent required under Section 43e(5) BRAO?
Section 43e(5) BRAO requires explicit client consent when a service provider processes mandate data beyond the scope of the specific instruction, or when the client could not reasonably be expected to accept the use of that particular provider. For standard AI workflows (research, drafting, summarisation), the consent threshold is not automatically triggered. BRAK guidance from December 2024 recommends proactive transparency with clients when sensitive data categories are involved, even where formal consent is not strictly required.
What are the consequences of violating Section 43e BRAO?
Violations of Section 43e BRAO can result in professional disciplinary consequences: a reprimand, warning, fine, or further measures by the relevant Rechtsanwaltskammer under §§ 113 ff. BRAO. Civil liability claims from affected clients are also possible. Where a provider discloses mandate secrets because the required §203 StGB obligation was absent from the contract, that disclosure has criminal law relevance for both the firm and the provider.
Does a GDPR DPA satisfy Section 43e BRAO requirements?
No. A DPA under Art. 28 GDPR addresses data protection law but does not contain a §203 StGB warning or the professional-conduct-specific purpose limitation required by Section 43e BRAO. Both instruments must be in place. A DPA-only contract structure does not fulfil the professional conduct requirements under BRAO — the Section 43e BRAO clause must be a distinct contractual element.
Does Section 43e BRAO cover cloud services and AI APIs?
Yes. Section 43e(1) BRAO expressly refers to “information processing systems” — a formulation that covers AI APIs, cloud platforms, legal analytics tools, and external document management systems. Any external service that processes mandate-related information falls within the scope of the provision, regardless of how the provider’s contract characterises the relationship.
Next Step
Compound Law advises law firms and in-house legal departments on Section 43e BRAO-compliant AI tool deployment — from contract negotiation with AI vendors to professional conduct analysis, GDPR structuring, and EU AI Act readiness. If your firm is planning an AI rollout or wants to audit an existing deployment, a structured compliance review is the right starting point.
This article provides general legal information only and does not constitute legal advice. For guidance on your specific situation, please consult a qualified lawyer.