- Microsoft 365 Copilot will enable flexible routing by default
- This means that some data may be processed outside the EU.
- Businesses should check whether they remain GDPR compliant
Microsoft 365 Copilot has received a new feature intended to alleviate European capacity shortages, but it could actually make your business non-compliant with GDPR guidelines.
To maintain Copilot data processing during peak hours, Microsoft is enabling “flexible routing” which can divert Large Language Model (LLM) inference to the United States, Canada, or Australia.
So, if your business operates in the European Union or European Free Trade Association (EFTA) and is subject to GDPR, you may want to check the guidelines.
Article continues below
What is flexible routing and when is it enabled?
Flexible Routing is a new feature in Microsoft 365 Copilot that will route some Copilot traffic to data centers in the United States, Canada, and Australia when there is insufficient capacity in European data centers.
While in transit to these data centers, your data will remain encrypted. However, to process the data, it must be readable. This means that your company information could be processed outside the EU.
As Proton, a producer of privacy-focused collaboration software, pointed out, Microsoft has put the responsibility for compliance on its users, many of whom are unaware that the feature is enabled by default.
For all new customer accounts created after March 25, 2026, flexible routing is enabled by default.
For everyone else, Flexible Routing was enabled on April 17, 2026, so it might be worth checking your settings using the steps below.
How to stay GDPR compliant?
Violating the GDPR could expose your business to a fine of up to €20 million, or 4% of global turnover.
Microsoft explained in its blog post that even though the data is at rest, it will remain within the EU data limit. However, when data is transferred outside EU data borders, it must do so while being protected by the EU-US Data Privacy Framework or Standard Contractual Clauses in order to remain GDPR compliant.
Microsoft also states that a limited amount of “pseudonymized” data may be stored outside EU data boundaries. You may need to document this data in order to remain GDPR compliant.
If you choose to continue using flexible routing, it may be necessary to conduct a data protection impact assessment to address LLM inferences in third countries to minimize GDPR non-compliance risks.
Additionally, you may need to update certain policies to inform employees and customers about how their data is handled.
How do I disable flexible routing?
To disable flexible routing for Microsoft Copilot 365, follow these steps:
- Sign in to the Microsoft 365 admin center with the AI administrator role
- Head to Co-pilot, Settings, See allthen select ‘Flexible inference during peak periods‘
- Select Do not allow flexible routing
TechRadar Pro contacted Microsoft for clarification on the impact of flexible routing on GDPR compliance, but did not immediately receive a response. Any updates will be posted here.
The best cloud storage for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.
