LMbox

Copilot Has Been Sending Your Data Outside Europe by Default Since April 17 — Is Your IT Team Aware?

Since April 17, 2026, Microsoft routes Copilot requests to servers in the US, Canada, or Australia when European datacenters are under load. The setting was switched on silently, without any alert. Here's what it means for your GDPR compliance and how to turn it off.


Monday 9:15 AM: Your Emails Are in Denver

Your IT department did everything right. EU Data Boundary is enabled. The data processing agreement with Microsoft is signed. Copilot has been running for six months, teams are using it, no incidents have been reported.

What your IT manager may not know yet: since April 17, 2026, when Microsoft's European datacenters are under load — a Monday morning after a long weekend, end of month, peak fiscal period — the contents of your Copilot requests are being processed on servers located in the United States, Canada, or Australia.

Not stored. Processed.

Microsoft calls this "flex routing." It's been switched on by default since April 17 for all EU and EFTA Microsoft 365 tenants. Organizations created after March 25, 2026 already had it on. No alert email. No consent request.

What "Processed" Actually Means

When a colleague asks Copilot to summarize a long client email, draft a reply based on a contract, or synthesize an audit report, here's what happens:

  1. Copilot gathers the context — the email, attachments, recent documents related to the topic
  2. It sends all of that to the AI model to generate a response
  3. The response is returned to your colleague

Step 2 is what engineers call "inference" — the moment the model reads your data and produces output. That's exactly the step that, since April, can happen in Denver, Toronto, or Sydney when Amsterdam is overloaded.

Microsoft clarifies that your data remains stored in Europe. But it's not storage that creates a GDPR problem. It's processing.

What This Means for Your Compliance

GDPR permits processing of personal data outside the EU, but under strict conditions. The US has benefited from an adequacy decision under the Data Privacy Framework since 2023, but this agreement has been repeatedly challenged before the Court of Justice of the European Union and remains politically fragile.

What Microsoft itself acknowledges in its documentation: "if you choose to continue using flex routing, it may be necessary to conduct a Data Protection Impact Assessment (DPIA) to address LLM inferencing in third countries to minimize the risks of GDPR non-compliance."

In plain terms: Microsoft is asking you to conduct your own impact assessment to cover a decision they made unilaterally.

Beyond GDPR, there's the US CLOUD Act. Microsoft is a US-incorporated company. Regardless of where its servers are located, US authorities can compel it to produce data it controls. The EU Data Boundary is a commercial commitment — not a legal shield against this.

How to Check and Turn It Off (Full Procedure)

If you're using Microsoft 365 with Copilot, flex routing is most likely enabled. Here's how to disable it:

  1. Sign in to the Microsoft 365 admin center (admin.microsoft.com) with an AI administrator account
  2. Navigate to Copilot → Settings → Show all
  3. Find "Flex routing during peak load periods"
  4. Select "Do not allow flex routing"

Note: the change can take up to one week to take effect across your organization.

If your organization also uses Dynamics 365, Power Platform, or Copilot Studio, the same setting is available in the Power Platform admin center.

What Disabling Flex Routing Doesn't Solve

Turning off flex routing is the right first step. It's not the end of the story.

Microsoft remains a US-incorporated entity. Even with EU Data Boundary enabled and flex routing disabled, your Copilot requests are processed by infrastructure operated by a company subject to US law. The exposure to the CLOUD Act is structural — not configurable.

For organizations that handle inherently sensitive data — banking details, health records, information covered by trade secret law — this isn't a misconfigured setting. It's an architectural question.

What Organizations That Don't Have This Problem Chose

Some mid-market enterprises and public bodies anticipated this situation by deploying an AI model that runs on their own infrastructure, hosted in France or in a certified sovereign European cloud.

When inference happens on servers you operate — or that your certified French datacenter host operates on your behalf — the question of flex routing simply doesn't arise. Your data never leaves your network, even at peak load. No token goes to Denver.


| | Copilot (flex routing off) | Copilot (flex routing on) | LMbox on-premise |
|---|---|---|---|
| Data stored in Europe | | | |
| Processing guaranteed in Europe | | | |
| Outside CLOUD Act reach | | | |
| DPIA required | Likely | Yes | No |

If you want to see what AI running inside your own datacenter looks like in practice, on your own documents, request a demo.
