Microsoft Copilot Flex Routing: Your Data Leaves the EU by Default

Last updated: 23 May 2026 · 5 min read · Topic: International

I recently noticed something many IT managers overlook: a new option had appeared overnight in the Copilot settings. Microsoft had quietly flipped a switch — Flex Routing. Default: on.

Maximilian Meisner

In practice, this means: anyone using Copilot chats with the bot about contracts, customer data, and personnel files — and the prompt is no longer guaranteed to pass through an EU data centre. Instead, it goes wherever Microsoft's routing algorithm fancies. Including the USA. India. Israel. You might be thinking: 'But that's what the EU-US DPF is for!' — yet there's a catch.

What Flex Routing Does Technically

Until April 2026, Copilot traffic for EU customers ran with high probability through a European Microsoft data centre. Microsoft called this the EU Data Boundary and publicly committed to keeping EU customer data within the EU. Flex Routing weakens that guarantee — Microsoft justifies it on performance grounds. The critical point: the default is now opt-out rather than opt-in.

Microsoft has reversed the usual order here: activate first, inform the customer afterwards, then explain how to turn it off.

What has specifically changed? Prompts. Responses. Context windows — including the documents Copilot reads to formulate answers (job applications, contracts, patient records) along with their metadata. All of this can now pass through a Microsoft data centre outside the EU at any time.

Where Flex Routing Conflicts with the DSGVO

Art. 44 DSGVO is unambiguous: every data transfer to a third country requires a specific legal basis. For Microsoft-USA, there is the EU-US Data Privacy Framework, which has survived two CJEU challenges since 2023. But the DPF covers only the USA — not India, not Israel, not Brazil. And Flex Routing does not define where data is routed; it merely states that routing anywhere is permitted.

If the transfer route is not fixed in advance, you cannot assign appropriate standard contractual clauses (SCC) to it. That is a legal trapdoor.

In practice: your data processing agreement (DPA) with Microsoft must cover the new third-country routes. Currently it does not — Microsoft relies on blanket references to SCC and DPF. The Datenschutzkonferenz (DSK) will review this shortly, but until then you carry the risk.

The fines at stake: Art. 83 Abs. 5 DSGVO allows up to €20 million or 4% of annual turnover. For a mid-sized online shop, that realistically means €50,000–€500,000.

How German Supervisory Authorities Are Likely to React

Data protection authorities have followed a clear pattern with new US cloud services for years: first a press release saying 'we are reviewing', a few months later a DSK briefing paper, and finally hard enforcement decisions from month 12 onwards. I expect exactly the same pattern with Flex Routing.

Two data points from recent history:

The BayLDA (Bavarian State Office for Data Protection Supervision) stated in its 2022 activity report that a Transfer Impact Assessment (TIA) must be documented even when using Microsoft 365 — even if the standard contract relies on a blanket SCC reference. After the EU-US DPF entered into force in 2023 the authority quietly stepped back, but the TIA obligation itself remained.

The LfDI Baden-Württemberg was particularly active in the same year and stated: controllers must verify where their data is actually processed, not merely what the contract formally permits. Flex Routing hits precisely this point — the contract allows the routing, but the controller does not know the actual destination in any given case.

Supervisory authorities do not penalise the data processing itself, but the absence of documentation and accountability. Anyone who has turned the toggle off and documented it takes the wind out of the authorities' sails.

For you, this means: it is quiet for now — but the first fines are coming, most likely in the second half of 2026. By then, you do not want to be the one explaining to an authority why Flex Routing was still enabled on your tenant.

The 5-Click Disable Guide 😊

You need Global Admin rights. Allow roughly 3 minutes:

1. Open the Admin Centre: go to admin.microsoft.com and enable 'Show all' in the top right.

2. Navigate to Org Settings: left-hand menu → Settings → Org settings.

3. Select the Services tab: type 'Copilot' in the search field and select the card.

4. Open the Routing tab: inside the Microsoft 365 Copilot card, click the Data residency & routing tab.

5. Turn the toggle off: set 'Allow Microsoft to route Copilot traffic globally for performance optimization' to OFF and save.

After this, Copilot routes only through EU Data Boundary regions. You may incur an extra 50–100 ms of latency — a small price for clean DSGVO compliance.

The toggle exists, but the path to it is deliberately nested. Microsoft is not actively trying to stop you — but it does not make it easy either.

What a Single Click Does Not Cover

The toggle covers only future workloads. You also need:

DPA update. If your Microsoft DPA was signed before April 2026, the old Online Services Terms document is no longer current. Download the latest version from aka.ms/dpa, check the 'Sub-Processors' section, and document it internally.

DPIA (Art. 35 DSGVO). If Copilot processes personnel records, job applications, or health data for you, you formally need a data protection impact assessment. Microsoft does not provide one — that is your responsibility as the controller.

Staff notice (Art. 13 DSGVO). If Copilot processes data about your employees (Outlook analytics, Teams transcripts), they must have been informed in your internal privacy notice beforehand — including about possible third-country transfers.

Compliance is more than a single click. Alongside turning the toggle off, you need documentation, staff notification, and — where required — an impact assessment. Stopping at the click leaves most of the risk in place.

Summary: Key Takeaways

1. Check the toggle: while it is set to 'on', you are potentially transferring data to third countries every day without knowing it.

2. Document it: screenshot, date, and who turned the toggle off; add it to your data protection documentation.

3. Brief your team: a short message suffices: 'We use Copilot. Here is what Microsoft does with the data, and here is what we have turned off.' Transparency is not optional — it is a legal obligation.

Sources

1. Microsoft Learn — Data residency for Microsoft 365 Copilot

2. European Commission — EU-US Data Privacy Framework (2023/1795)

3. Art. 44 DSGVO

4. DSK Kurzpapier Nr. 19 — Third-Country Transfers

5. Bavarian Commissioner for Data Protection — Statement on US Cloud

6. BayLDA — Activity Reports

7. LfDI Baden-Württemberg

Frequently Asked Questions

If I am not actively using Copilot at all, do I still need to check the toggle?

Yes. The setting is tenant-wide and affects every Microsoft 365 licence with Copilot entitlement, including unused ones. As long as licences are assigned, an employee can trigger Copilot ad hoc. Checking the toggle costs almost nothing and deprives the supervisory authority of the argument that you 'permitted it through inaction'.

What if tenant administration is handled by an external IT service provider?

You remain the controller within the meaning of the DSGVO. Send the provider a written instruction to disable the toggle, plus a request for confirmation with a screenshot. File this correspondence in your data protection documentation. If the provider stalls, that is a DPA breach on their side, and a strong escalation card for you.

Can I control Flex Routing per department?

Currently, no. The toggle is tenant-global. Microsoft has announced granular control on its roadmap, but until then it is all or nothing. For a DSGVO-compliant setup this means in practice: switch it off for everyone and, where necessary, decide centrally which workloads run through other tools.

How exactly do I inform my employees: a privacy notice update or a separate communication?

Both. The internal privacy notice should be updated with a section 'Copilot: data processed, possible third-country transfers, toggle status'. In addition, send a short information e-mail (or Teams post) to everyone affected with a link to the updated privacy notice. Recommendation: request a read receipt so that you can cleanly evidence compliance with Art. 13 DSGVO.

What is the difference between Standard Contractual Clauses (SCC) and the EU-US Data Privacy Framework?

SCC are a contractual construct between the exporting and the importing company; they apply to any third country. The DPF is a specific adequacy decision of the EU Commission that applies only to US companies with self-certification. Microsoft uses both in parallel: the DPF as the primary legal basis for the USA, SCC as a backup and for other third countries such as India or Israel. The problem for Flex Routing: SCC require a clearly defined destination country, which the routing algorithm does not provide.