A New eDiscovery Frontier: AI-Related Restrictions in Protective Orders
Editor’s Note: As artificial intelligence continues to reshape the practice of civil litigation, courts are increasingly confronting questions about how discovery materials should be handled when AI tools are involved. What began as targeted restrictions on uploading confidential or attorney’s eyes-only documents to unsecured AI platforms has evolved into a broader conversation about protecting all produced materials. The recent decision in Jeffries v. Harcros Chemicals Inc. marks a significant step in that evolution, with a court extending protective order restrictions to non-confidential discovery materials when open loop AI tools are involved. Author Phil Favro examines the legal reasoning behind Jeffries alongside related rulings, breaking down the technical, regulatory, and national security considerations that led courts to draw sharper boundaries around AI use in discovery. His analysis offers practitioners a practical framework for evaluating when expanded protective order provisions may be warranted, and what criteria distinguish the closed AI tools that courts appear willing to permit. As AI adoption in legal workflows accelerates, understanding these emerging guardrails is becoming an essential part of competent discovery practice.
A New eDiscovery Frontier: AI-Related Restrictions in Protective Orders
By Phil Favro, Contributing Author for HaystackID
The landscape of civil discovery is changing as courts address advances in the use of artificial intelligence (AI). From developing search criteria and review workflows to drafting letters, briefs, privilege logs, deposition summaries, and a variety of other documents, AI is transforming discovery practices on many different fronts. Among other changes, one that particularly stands out involves parties’ requests that protective orders include provisions restricting the use of protected materials in certain AI applications.
Early court decisions addressing the use of these provisions in protective orders focused primarily on the risk of uploading “confidential” materials (including “attorney’s eyes only” designated documents) into AI platforms. In those cases, courts either issued or amended protective orders to treat such actions as unauthorized disclosures and violations of the protective orders. Recent decisions such as In re ByHeart, Inc., Warner v. Gilbarco, Inc., and Morgan v. V2X, Inc. reflect this trend. In these matters, courts established baseline restrictions that generally forbade the input of protected discovery materials into AI tools that lacked specific security safeguards.
For example, the ByHeart order generally proscribed uploading protected content into AI applications unless (among other things) those applications would not train their models on the inputted data or otherwise include inputted data into “model weights.” [1] In addition, the ByHeart protective order required AI applications to include “administrative controls” that would provide for the deletion of and otherwise block access to protected content.
Similarly, the court in Morgan amended the existing protective order to generally bar the parties from uploading protected materials into “any modern artificial intelligence platform, including any generative, analytical, or large language model-based tool.” The court made exceptions where AI tools contractually bar the retention or use of “inputs to train or improve its model” and forbid divulging inputs to third parties, except where such disclosure is essential to facilitate delivery of the service. [2] In the event of disclosure, the court imposed further conditions, including (among other things) a requirement that the AI application eliminate protected materials if requested by a party. Warner modified a protective order to restrict the use of protected content and forbid uploading such information “onto any AI platform.” [3]
While these cases reflect this trend, the technical realities of so-called open loop AI models have raised an additional inquiry in connection with protective order practices:
Should AI-related restrictions be extended to all discovery materials and not limited to just protected information?
One court recently addressed this issue directly. In Jeffries v. Harcros Chemicals Inc., the court issued an amended protective order that prevents the parties from uploading materials produced in discovery into “open loop” AI tools. In the order, Jeffries offers a roadmap for identifying instances—ranging from regulatory compliance to national security concerns—where parties may seek to obtain more restrictive protective orders to prevent the use of discovery materials in particular AI applications.
The Amended Protective Order in Jeffries
In Jeffries, the defendants sought to amend the existing protective order to expand AI-related restrictions to any information produced in discovery. The protective order previously limited the parties’ use of information designated “confidential” to “closed or secure AI Tools.” The court (Magistrate Judge Angel D. Mitchell) observed that the defendants’ motion would, in particular, “seek to prevent parties from uploading even non-confidential documents into public or ‘open loop’ generative artificial intelligence tools.”
Judge Mitchell found good cause for the proposed amendment and granted the defendants’ motion. Under the subsequently amended protective order, parties could only submit materials produced in discovery into “closed AI tools.” The court’s ruling was based on several factors.
The Technical Finality of Open Loop AI Tools
One factor in play was the design feature of open loop AI tools. The defendants argued—and the court agreed—that once data is uploaded to such an AI application, the information is used to continually develop and improve the application’s underlying model. This creates a state of technical finality, i.e., it becomes “practically impossible” to claw back or delete data later determined to be privileged or inadvertently produced without a confidentiality designation. The court noted that this inherent design risk undermines the standard “return or destroy” mandate typically found in protective orders.
Critical Infrastructure and National Security
Another factor was the nature of the defendants’ business operations and the information they would produce in discovery. The defendants “are a series of entities that collectively owned and operated [a chemical] facility over a period of several decades.” They are members of the so-called chemical sector, which the court indicated has been “designated as Critical Infrastructure and vital to national security.” The defendants maintained that uploading their produced information to an open loop AI tool could expose their critical infrastructure to cybercriminals and heighten the risk of a data breach.
The court agreed, observing that an open loop AI application provides a “centralized repository that makes information available to the public at a scale that was not historically available and ignores the very real security risks of public AI Tools, including the inability to effectively claw back information from the AI Tool.”
The Impact of U.S. Privacy Laws and the General Data Protection Regulation
A third factor that impacted the court’s analysis involved data privacy and protection laws. As Judge Mitchell noted, the defendants are all subject to U.S. data privacy laws, and two of the defendants (Philips and Elementis) are subject to the European Union General Data Protection Regulation (GDPR). Allowing their discovery materials to be uploaded to an open loop AI application could expose the defendants to liability under U.S. privacy laws and, more particularly for Philips and Elementis, the GDPR. Judge Mitchell specifically emphasized the GDPR requirement of consent from data subjects for data processing and that such consent from the defendants’ “employees, contractors, and correspondents” had not been obtained.
In contrast, the court reasoned that closed AI tools did not appear to present the same regulatory risks and suggested that they could be used for the many discovery-related tasks that AI can facilitate. According to Judge Mitchell, those tasks could include:
[S]ignificantly accelerating document review, quickly summarizing documents, streamlining privilege review and logging, identifying named entities like key people and organizations, extracting important topics, and automating writing tasks, such as drafting deposition questions, creating narrative timelines from evidence, and drafting legal briefs. (emphasis added)
By ensuring that discovery materials of any type or nature would not be used in open loop AI platforms, the court determined that its order would incentivize the defendants to provide fulsome document productions without the types of redactions that might otherwise characterize their productions.
All of this led the court to dismiss the plaintiffs’ argument that the defendants’ positions were “speculative” and lacked a “concrete showing of harm.” The court ultimately concluded that the known functionality of public AI tools—specifically the ingestion of data for model training—established a sufficient risk to justify amending the protective order.
Practical Takeaways for Protective Orders
Jeffries and other court decisions make clear that restrictive AI provisions are quickly becoming a standard feature in protective orders. However, whether the expanded protective order in Jeffries proliferates in other litigation will depend on the nature of the data involved in the litigation.
For example, does the case at issue have parties involved in critical infrastructure industries or that manufacture or are otherwise involved with products subject to U.S. export control laws? If so, and if discovery focuses on information relating to business operations, the Jeffries criteria may be satisfied. In like manner, organizations subject to data protection or privacy statutes that can show an increase in liability arising from the disclosure of personal information to AI applications could also meet the Jeffries standard. And there may be other categories of information, in particular litigation, that are so sensitive as to establish good cause for the issuance of a more restrictive protective order.
Another practical takeaway from Jeffries, along with ByHeart and Morgan, is the importance of understanding the criteria that often characterize closed AI tools. Those criteria may include contractual proscriptions on using inputs to train or improve models or incorporating those inputs into model weights. Closed AI tools also generally prevent the disclosure of user inputs to third parties while also allowing users to remove or delete all inputs and inadvertent disclosures upon request. Closed AI tools should also operate within a secure environment that prevents “human-in-the-loop” review by the provider’s staff. Understanding these and other aspects of closed AI tools is significant when seeking more restrictive protective order provisions, like those in Jeffries, to better ensure client information is properly safeguarded from public disclosure.
Jeffries makes clear that more restrictive protective orders will likely be evaluated on a case-by-case basis. Whether there are grounds for additional restrictions, such as restricting the use of any discovery materials to closed AI platforms, will turn upon the nature of the parties and the information they are producing in discovery.
[1] In re ByHeart, Inc., Infant Formula Marketing, Sales Practices, and Products Liability Litig., 1:26-md-03178 (AS) (S.D.N.Y. Apr. 23, 2026), ECF No. 45 (Protective Order), at 11 (¶20). “Model weights” generally refer to the data that comprises an AI application’s model and that facilitates the calculation and development of an application’s output in response to user input. See Stephen Pastis, A.I.’s un-learning problem: Researchers say it’s virtually impossible to make an A.I. model ‘forget’ the things it learns from private user data, Fortune (Aug. 30, 2023). [2] Morgan v. V2X, Inc., No. 25–CV–01991–SKC–MDB, 2026 WL 864223, at *7 (D. Colo. Mar. 30, 2026). [3] Warner v. Gilbarco, Inc., No. 2:24-CV-12333, 2025 WL 3047881, at *2 (E.D. Mich. Oct. 30, 2025).
About Phil Favro
Phil Favro is the founder of Favro Law PLLC, where he counsels clients on ESI, AI, and discovery issues and serves as a special master, mediator, and expert witness. Phil is nationally recognized for his expertise on ESI, discovery, and information governance, with courts acknowledging his credentials. See, e.g., Oakley v. MSG Networks, Inc., No. 17-CV-6903 (RJS), 2025 WL 2061665 (S.D.N.Y. July 23, 2025). This background makes Phil particularly well-suited to counsel clients and advise courts on information-related issues. As a special master, Phil is acclaimed for his collaborative approach, working with parties to find stipulated solutions to complex issues. For disputes that require adjudication, he is renowned for the clarity and vigor of his written dispositions, which are available on legal search engines.
About HaystackID®
HaystackID® solves complex data challenges related to legal, compliance, regulatory, and cyber requirements. Core offerings include Global Advisory, Cybersecurity, Core Intelligence AI™, and ReviewRight® Global Managed Review, supported by its unified CoreFlex™ service interface and eDiscovery AI™ technology. Recognized globally by industry leaders, including Chambers, Gartner, IDC, and Legaltech News, HaystackID helps corporations and legal practices manage data gravity, where information demands action, and workflow gravity, where critical requirements demand coordinated expertise, delivering innovative solutions with a continual focus on security, privacy, and integrity. Learn more at HaystackID.com.
Assisted by GAI and LLM technologies.
SOURCE: HaystackID