- Microsoft 365 Copilot will enable flex routing by default
- This means that some data may be processed outside the EU
- Businesses need to check whether they remain GDPR compliant
Microsoft 365 Copilot has received a new feature intended to ease European capacity gaps, but it could actually make your business non-compliant with GDPR guidelines.
To maintain Copilot’s data processing at peak times, Microsoft enables ‘flex routing’ that can divert inferences from large language models (LLM) to the US, Canada or Australia.
So if your business operates in the European Union or the European Free Trade Association (EFTA) and is subject to the GDPR, you might want to double-check the guidelines.
The article continues below
What is flex routing and when is it activated?
Flex routing is a new Microsoft 365 Copilot feature that will direct some Copilot traffic to data centers in the US, Canada, and Australia when capacity in European data centers is lacking.
While transferred to these data centers, your data remains encrypted. But in order to process the data, it must be readable. This means that information from your company can be processed outside the EU.
As privacy-focused collaboration software maker Proton pointed out, Microsoft has placed the burden of compliance on its users, many of whom won’t be aware that the feature is enabled by default.
For all new customer accounts created after 25 March 2026, flex routing is enabled by default.
For everyone else, flex routing was activated on 17 April 2026 – so it might be worth checking your settings by following the steps below.
How do I stay GDPR compliant?
Violation of the GDPR can earn your company a fine of up to €20 million, or 4% of global turnover.
Microsoft has explained in its blog post that while data is at rest, it will remain within the EU data limit. However, when data is transferred outside the EU data border, it must do so while protected by the EU-US Data Privacy Framework or through standard contract clauses to remain GDPR compliant.
Microsoft also states that a limited amount of ‘pseudonymised’ data can be stored outside the EU data limit. You may need to document this data to remain GDPR compliant.
If you choose to continue using flex routing, it may be necessary to conduct a data protection impact assessment to address LLM inferencing in third countries to minimize the risk of non-compliance with the GDPR.
In addition, you may need to update certain policies to inform employees and customers about how their data is handled and processed.
How do I turn off flex routing?
Follow these steps to disable flex routing for Microsoft Copilot 365:
- Sign in to the Microsoft 365 admin center with the AI Administrator role
- Go to Copilot, Settings, See alland then select ‘Flexible inferencing during peak periods‘
- Select Do not allow flex routing
TechRadar Pro contacted Microsoft to clarify how flex routing will affect GDPR compliance, but did not immediately receive a response. Any updates will be posted here.
The best cloud storage for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
