AI in your email: efficiency vs. confidentiality

Delegating email to artificial intelligence may seem like a perfect solution. Automating responses, cleaning up spam and summarising important messages promises just what many are looking for today: saving time and increasing productivity.

That's what I thought when I decided to connect an AI tool to my personal emails. For a few days it worked flawlessly. Every morning I found my inbox organised and prioritised with virtually nothing done.

But the feeling of efficiency quickly changed when news about risks associated with the use of AI and leaks of sensitive information started to appear. One of the most well-known cases occurred at Samsung in 2023, when employees shared confidential company information on generative AI platforms, exposing source code and internal company data.

This raised the real question: what information can be exposed when an AI accesses our emails?

For these tools to work, they need access to large volumes of information. And within an inbox there are not only irrelevant emails: there are also strategic conversations, personal data, confidential documents, financial information and communications protected by confidentiality duties. From a personal data processing perspective, this implies that AI processes not only our data, but also the data of third parties who write to us.

The problem is not only a possible attack, incident or security breach. Often the risk of using these tools lies in not knowing where they store the data:

• where the data is stored
• who can access it;
• whether the information is used for model training;
• what security measures are actually in place behind these platforms;
• or if the data is transferred to jurisdictions with lower standards of protection.

Added to this is another major challenge: the lack of traceability and control. In the case of corporate emails, many organisations still do not have clear policies on the use of AI tools, nor criteria to define what information can and cannot be shared.

From a regulatory perspective, this scenario is becoming increasingly relevant. Both the European GDPR and the new Law 19.628 on Personal Data Protection in Chile are moving towards principles of proactive responsibility, privacy by design, data minimisation and security in processing. Additionally, Law No. 21.663, which establishes the Cybersecurity Framework, imposes risk management and incident notification obligations on its obliged subjects, which could be applicable in the context of the use of these tools. Today, it is no longer enough to implement technology: it is also necessary to previously assess its risks and establish adequate governance measures, and to consider the supervisory role that the future Personal Data Protection Agency will have.

Artificial intelligence can become an extraordinary tool for support and efficiency. But the more access we give to our systems and information, the more important it becomes to understand what we are sharing, with whom, under what contractual conditions and with what levels of technical and legal protection. The challenge is not to hold back innovation, but to embrace it in an informed and responsible way.