This new Microsoft 365 Copilot feature could throw your GDPR compliance into question — here's how to check, and how to turn it off

  • Microsoft 365 Copilot will enable flex routing by default
  • This means some data can be processed outside of the EU
  • Businesses need to check if they remain GDPR compliant

Microsoft 365 Copilot has received a new feature intended to ease European capacity shortages, but it might actually make your business non-compliant with GDPR guidelines.

In order to maintain Copilot’s data processing at peak times, Microsoft is enabling ‘flex routing’ that can divert large language model (LLM) inference to the US, Canada, or Australia.

So, if your business is operating in the European Union or the European Free Trade Association (EFTA) and is subject to GDPR, you might want to double check the guidelines.

What is flex routing and when is it being activated?

Flex routing is a new Microsoft 365 Copilot feature that will funnel some Copilot traffic to data centers in the US, Canada, and Australia when capacity in European data centers runs short.

While in transit to these data centers, your data will remain encrypted. However, in order to process the data it needs to be readable. This means that information from your business could be processed outside of the EU.

As privacy-oriented collaboration software producer Proton pointed out, Microsoft has placed the burden of compliance on its users, many of whom will not be aware that the feature is enabled by default.

For all new customer accounts created after March 25, 2026, flex routing is enabled by default.

For everyone else, flex routing was enabled on April 17, 2026 - so it might be worth checking your settings by following the steps below.

How do I stay GDPR compliant?

Violating GDPR could put your business in line for a fine of up to €20 million, or 4% of global turnover.

Microsoft has explained in its blog post that while data is at rest, it will remain within the EU Data Boundary. However, when data is transferred outside of the EU Data Boundary, the transfer must be protected by the EU-US Data Privacy Framework or by Standard Contractual Clauses in order to remain compliant with GDPR.

Microsoft also states that a limited amount of 'pseudonymized' data may be stored outside of the EU Data Boundary. You may need to document this data in order to remain GDPR compliant.

If you choose to continue using flex routing, it may be necessary to conduct a Data Protection Impact Assessment to address LLM inferencing in third countries to minimize the risks of GDPR non-compliance.

Additionally, you may need to update certain policies in order to inform employees and customers of how their data is handled and processed.

How do I turn off flex routing?

In order to turn off flex routing for Microsoft Copilot 365, follow these steps:

  1. Sign in to Microsoft 365 admin center with the AI Administrator role
  2. Head to Copilot, Settings, View all, and then select ‘Flexible inferencing during peak load periods’
  3. Select Do not allow flex routing

TechRadar Pro reached out to Microsoft for clarification on how flex routing will impact GDPR compliance, but did not immediately receive a response. Any update will be posted here.




Benedict Collins
Senior Writer, Security

Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.

Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.

Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.
