In April 2026, Microsoft introduced a new feature for Microsoft 365 Copilot: "Flex Routing". The name sounds harmless. The data protection implications are not.
What Is Flex Routing?
Flex Routing allows Microsoft to reroute Copilot AI requests to data centres in the US, Canada, or Australia when European data centre capacity runs short. What is affected is so-called LLM inferencing – the step where the language model actually processes your input. At that point, your data – emails, files, metadata, prompts – has already been assembled and is handed to the model as a package. Flex Routing means: that package can leave the EU.
Microsoft emphasises that data remains encrypted in transit and continues to be stored within the EU. But that does not change the fact that processing takes place outside the EU. And that is what matters.
The Data Protection Problem
Processing personal data in a third country constitutes a data transfer under Articles 44 et seq. GDPR. This requires a legal basis – such as an adequacy decision (Article 45 GDPR), appropriate safeguards like Standard Contractual Clauses (Article 46(2)(c) GDPR), or a Transfer Impact Assessment. This applies even if the data is only transferred for processing and then stored back in the EU.
Is This Already Happening? You Had No Idea?
Yes – at least if your tenant was created after 25 March 2026, Flex Routing is enabled by default.
For existing tenants, the feature was rolled out on 17 April 2026. It is not clear whether the option came as opt-in or opt-out. The information in Microsoft's Message Center posts (MC1269219 and MC1269223) is not entirely consistent.
Our recommendation is therefore to actively check whether the feature is enabled in your tenant, to avoid an unnoticed third-country transfer.
NIS2
Organisations subject to NIS2 must control risks in their supply chain – including the security of acquisition, development, and maintenance of IT systems.
A silent change to the processing location by a key IT service provider (where implemented as an opt-out) constitutes a third-party risk that must be documented in supplier management.
What Should You Do?
First: Check whether Flex Routing is enabled in your tenant. Open the Microsoft 365 Admin Center and navigate to Copilot > Settings > Flexible inferencing during peak load periods. Select "Do not allow flex routing" if you want to rule out processing outside the EU.
Second: If you choose to keep Flex Routing enabled, make sure that appropriate transfer mechanisms are in place for the relevant third countries (US, Canada, Australia). For the US, the EU-U.S. Data Privacy Framework may currently apply (Article 45 GDPR) – provided Microsoft is listed under the Data Privacy Framework and the transfer falls within its scope. For Canada and Australia, Standard Contractual Clauses or other appropriate safeguards would be required.
Third: Document your decision. The Flex Routing configuration belongs in your Records of Processing Activities and, where applicable, in your Data Protection Impact Assessment for the use of Microsoft 365 Copilot.
Important: Keep an eye on product changes from cloud service providers and review them for data protection implications. The Microsoft Message Center is not just an IT operations channel – it is a compliance channel.
If you have any questions, please do not hesitate to contact us. We help you operate and assess your Microsoft tenant in a data-protection-compliant manner – including retention periods, access rights, audits, data processing agreements, and more. Inside and outside the EU.