This new Microsoft 365 Copilot feature could throw your GDPR compliance into… is attracting attention across the tech world. Analysts, enthusiasts, and industry observers are watching closely to see how this story develops.
This update adds another signal to a fast-moving sector where product decisions, platform changes, and competition can quickly shape the market.
When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.
Get full access to premium articles, exclusive features and a growing list of member rewards.
Microsoft 365 Copilot has received a new feature intended to ease European capacity shortages, but it might actually make your business non-compliant GDPR guidelines.
In order to maintain Copilot’s data processing at peak times, Microsoft is enabling ‘flex routing’ that can divert large language model (LLM) inference to the US, Canada, or Australia.
So, if your business is operating in the European Union or the European Free Trade Association (EFTA) and is subject to GDPR, you might want to double check the guidelines.
Flex routing is a new Microsoft 365 Copilot feature that will funnel some Copilot traffic to data centers in the US, Canada, and Australia when capacity in European data centers runs short.
While in transit to these data centers, your data will remain encrypted. However, in order to process the data it needs to be readable. This means that information from your business could be processed outside of the EU.
As privacy-oriented collaboration software producer Proton pointed out, Microsoft has placed the burden of compliance on its users, many of whom will not be aware that the feature is enabled by default.
For all new customer accounts created after March 25, 2026, flex routing is enabled by default.
For everyone else, flex routing was enabled on April 17, 2026 – so it might be worth checking your settings by following the steps below.
Violating GDPR could put your business in line for a fine of up to €20 million, or 4% of global turnover.
Microsoft has explained in its blog post that while data is at rest, it will remain within the EU Data Boundary. However, when data is transferred outside of the EU Data Boundary, it must do so while protected by the EU-US Data Privacy Framework or through Standard Contractual Clauses in order to remain compliant with GDPR.
Microsoft also states that a limited amount of ‘pseudonymized’ data may be stored outside of the EU Data Boundary. You may need to document this data in order to remain GDPR compliant.
If you choose to continue using flex routing, it may be necessary to conduct a Data Protection Impact Assessment to address LLM inferencing in third countries to minimize the risks of GDPR non-compliance.
Additionally, you may need to update certain policies in order to inform employees and customers of how their data is handled and processed.
In order to turn off flex routing for Microsoft Copilot 365, follow these steps:
TechRadar Pro reached out to Microsoft for clarification on how flex routing will impact GDPR compliance, but did not immediately receive a response. Any update will be posted here.
➡️ Read our full guide to the best cloud storage1. Best overall:IDrive2. Best lifetime value:pCloud3. Best for syncing:Sync.com
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
Benedict is a Senior Security Writer at TechRadar Pro, where he has specialized in covering the intersection of geopolitics, cyber-warfare, and business security.
Benedict provides detailed analysis on state-sponsored threat actors, APT groups, and the protection of critical national infrastructure, with his reporting bridging the gap between technical threat intelligence and B2B security strategy.
Benedict holds an MA (Distinction) in Security, Intelligence, and Diplomacy from the University of Buckingham Centre for Security and Intelligence Studies (BUCSIS), with his specialization providing him with a robust academic framework for deconstructing complex international conflicts and intelligence operations, and the ability to translate intricate security data into actionable insights.
Please logout and then login again, you will then be prompted to enter your display name.
Why This Matters
This development may influence user expectations, future product strategy, and the competitive balance inside the broader technology industry.
Companies in adjacent segments often react quickly to similar moves, which is why stories like this tend to matter beyond a single announcement.
Looking Ahead
The full impact will become clearer over time, but the story already highlights how quickly the modern tech landscape can evolve.
Observers will continue tracking the next steps and how they affect products, users, and the wider market.
