Microsoft has recently introduced a feature in Microsoft 365 Copilot called flex routing that affects EU and EFTA customers. The feature allows large language model inferencing to occur outside the EU Data Boundary during periods of peak demand, with the aim of maintaining a consistent Copilot experience.  

While the functionality is documented and communicated through the Microsoft 365 Message Center, its default configuration and compliance implications deserve careful attention from European organisations. 

 

What is flex routing? 

Microsoft notified customers with tenants in the EU or EFTA, via Message Center notification MC1269223, about the introduction of “flex routing” for Microsoft 365 Copilot. According to Microsoft’s documentation, “flex routing lets customers allow large language model (LLM) inferencing to occur outside the EU Data Boundary during periods of peak demand in order to maintain a consistent Copilot experience”.

Inferencing refers to the step where the LLM processes the prompt and generates a response. This process requires analysis of all data included in the prompt and may therefore involve the processing of personal data. Microsoft states that data is encrypted in transit and at rest regardless of the processing location, and that persistent data storage remains within the EU Data Boundary, except for limited pseudonymised data used for security and operational purposes. 

Flex routing is enabled by default for newly created EU and EFTA tenants. Based on our assessment of tenant configurations, we have also observed cases where tenants created before this date are configured with flex routing enabled. Organisations should verify their own tenant settings, as this configuration directly affects where personal data may be processed. 

It remains an open question whether Copilot’s current adoption levels will immediately require the use of flex routing due to peak demand. However, considering Microsoft’s investment in Copilot adoption and its deep integration across the Microsoft ecosystem, such scenarios are likely to become relevant over time. 

 

Why does this matter from a GDPR perspective? 

Under the GDPR, personal data may only be transferred to third countries where an adequate level of protection is ensured. The European Commission has adopted adequacy decisions for a limited number of countries, including the United Kingdom and the United States. In the case of the United States, adequacy applies only to organisations participating in the EU-US Data Privacy Framework, of which Microsoft entities are currently members. This adequacy, however, applies solely with respect to transfers to the United States. 

Because Microsoft operates global computing infrastructure, flex routing introduces the possibility that, during periods of peak demand, personal data may be processed outside the EU or EEA and/or outside jurisdictions covered by an adequacy decision or another legal transfer mechanism. While such processing is not automatically unlawful, it creates a significant compliance challenge. Data controllers cannot predict in advance where inferencing will take place, nor can they reliably perform and document a transfer impact assessment for dynamic, peak-load-driven processing scenarios.

As a result, demonstrating compliance with the accountability and documentation requirements set out in Articles 44 to 49 of the GDPR becomes materially more difficult. 

 

What to do? 

Organisations should review their current flex routing configuration in the Microsoft 365 admin center. With the appropriate administrative role, the setting can be found at Copilot > Settings > View all > Flex routing during peak load periods.


For organisations based in the EU or EFTA, or those processing personal data of EU residents, disabling flex routing may be the prudent choice until a documented risk assessment supports its use. 

 

Data sovereignty called into question

This issue highlights a broader challenge faced by European organisations using global hyperscale cloud providers. Default configurations that prioritise scalability and service continuity can, in certain cases, expose customers to regulatory compliance risks if not actively reviewed. 

From a European compliance perspective, flex routing can be acceptable if customers are able to explicitly decide on its use following a rigorous risk assessment that takes into account legal obligations, operational resilience and data protection considerations. Enabling such functionality by default, without an explicit customer decision, shifts compliance risk to organisations that may not be aware of the setting or its implications. 

Author

<a href="https://blackcell.io/bela-droppa/" target="_blank">Béla Droppa</a>

Béla Droppa is one of the CEOs of Black Cell Hungary and its German subsidiary, leading the company’s strategic expansion in Germany from his base in Frankfurt am Main.
