- Microsoft 365 Copilot will enable flexible routing by default
- This means that some data may be processed outside the EU.
- Companies should check whether they remain compliant with the GDPR
Microsoft 365 Copilot has received a new feature aimed at alleviating capacity shortages in Europe, but it could actually put your business out of compliance with GDPR guidelines.
To keep Copilot data processing at peak times, Microsoft is enabling “flexible routing” that can divert large language model (LLM) inference to the US, Canada, or Australia.
So, if your business operates in the European Union or the European Free Trade Association (EFTA) and is subject to the GDPR, you may want to double-check the guidelines.
Article continues below.
What is flexible routing and when is it activated?
Flexible routing is a new feature in Microsoft 365 Copilot that will funnel some Copilot traffic to data centers in the US, Canada, and Australia when capacity in European data centers runs out.
While in transit to these data centers, your data will remain encrypted. However, to process the data it is necessary for it to be readable. This means that your company information could be processed outside the EU.
As Proton, a producer of privacy-oriented collaboration software, noted, Microsoft has placed the burden of compliance on its users, many of whom will not know that the feature is enabled by default.
For all new customer accounts created after March 25, 2026, flexible routing is enabled by default.
For everyone else, flexible routing was enabled on April 17, 2026, so it might be worth checking your settings by following the steps below.
How do I remain compliant with the GDPR?
Violation of the GDPR could expose your company to a fine of up to €20 million, or 4% of global turnover.
Microsoft has explained on its blog that while data is at rest, it will remain within the EU data limit. However, when data is transferred outside the EU data boundaries, it must do so while protected by the EU-US Data Privacy Framework. US or through Standard Contractual Clauses to remain compliant with the GDPR.
Microsoft also claims that a limited amount of “pseudonymized” data may be stored outside of EU data limits. You may need to document this data to remain compliant with the GDPR.
If you decide to continue using flexible routing, it may be necessary to conduct a data protection impact assessment to address LLM inference in third countries to minimize GDPR non-compliance risks.
Additionally, you may need to update certain policies to inform employees and customers about how their data is handled and processed.
How do I turn off flexible routing?
To turn off flexible routing for Microsoft Copilot 365, follow these steps:
- Sign in to the Microsoft 365 admin center with the AI administrator role
- Go to Co-pilot, Settings, See alland then select ‘Flexible inference during peak load periods‘
- Select Do not allow flexible routing
TechRadar Pro He reached out to Microsoft for clarification on how flexible routing will impact GDPR compliance, but did not immediately receive a response. Any updates will be posted here.
The best cloud storage for every budget
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
