Microsoft’s recent changes to how Copilot handles AI inference requests have stirred up a GDPR compliance debate among EU tenants. The company quietly introduced a “flex routing” mechanism that, under certain conditions, allows inference bursts to be processed outside the European Union. For organizations bound by strict data residency requirements, this is more than a technical footnote — it’s a potential regulatory exposure.
The core issue revolves around Microsoft 365 Copilot’s capacity management. When demand for AI inference spikes within an EU tenant’s designated boundary, the system may now route requests to data centers in other regions. Microsoft frames this as a performance optimization: flex routing prevents slowdowns during peak loads. But for compliance officers, processing that suddenly leaves the EU Data Boundary raises immediate GDPR concerns.
How Flex Routing Works
Flex routing is not a permanent redirection of all traffic. It activates only when the local capacity is under strain. Microsoft’s documentation describes it as a “burst” capability — temporary, automatic, and designed to maintain service responsiveness. However, the mechanism does not require explicit tenant consent; it is enabled by default for eligible subscriptions.
What triggers a burst? Microsoft has not publicly shared the precise thresholds, but sources indicate it involves CPU utilization, request queue depth, and latency metrics. Once the local region reaches near-saturation, new inference tasks may be forwarded to a secondary region with available capacity.
The GDPR Compliance Gap
GDPR Article 28 requires that personal data processed outside the EU be subject to adequate safeguards. When Copilot inference involves personal data — for example, generating a summary of a customer complaint — flex routing could transfer that data to a non-EU data center without the controller’s explicit authorization.
Microsoft’s standard Data Processing Addendum (DPA) includes the EU Data Boundary commitment, but flex routing appears to operate outside that boundary. The company argues that the routing is temporary and that data is not stored in the secondary region. But even transient processing triggers GDPR transfer rules if the data is accessible outside the EU.
“The problem is not that Microsoft does it — it’s that tenants don’t have a way to opt out,” says a data protection officer at a large German manufacturer. “We need granular control over where inference happens, not just a promise of best effort.”
Microsoft’s Response
Microsoft has acknowledged the feature in its admin documentation but has not widely communicated the change. In a support article updated in late 2024, the company states: “Flex routing may temporarily route inference requests outside your selected data boundary to optimize performance. This does not affect data storage or retention.”
Legal experts argue that this language downplays the risk. “Processing is processing,” says Dr. Anna Klein, a privacy lawyer based in Berlin. “Whether it’s storage or inference, if it happens outside the EU without a legal basis, it’s a violation.”
Microsoft recommends that tenants review their compliance posture and consider using the “Data Residency” controls in the Microsoft 365 admin center. However, those controls currently do not offer a toggle to disable flex routing for Copilot inference.
Real-World Impact
For organizations that process sensitive personal data — such as healthcare providers, law firms, or financial institutions — the inability to guarantee EU-only processing is a deal-breaker. Some are now reevaluating their rollout of Copilot features.
“We paused our pilot last week,” says IT director Mark Sorensen at a Danish bank. “Our internal audit flagged the flex routing as a high-risk gap. We can’t afford a GDPR fine of up to 4% of global turnover.”
Others are exploring technical workarounds. One option is to route all Copilot traffic through a dedicated network egress point that blocks non-EU destinations. But this adds latency and may not be supported by all Copilot endpoints.
What Tenants Can Do Now
Until Microsoft provides a direct opt-out, tenants must rely on contractual and technical measures. First, review your Microsoft DPA and ensure it includes explicit language about flex routing. Some organizations are amending their contracts to require prior notice and consent for any cross-border processing.
Second, monitor Copilot usage logs for inference requests that originate from non-EU IP addresses. Microsoft provides audit logs in the Purview compliance portal, but they require careful filtering.
Third, engage with Microsoft’s support team to request a tenant-level exemption. While not officially documented, some enterprise customers have reported success in obtaining temporary exceptions by escalating through their account team.
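The log review in the second step above could be scripted along these lines. This is an added example, not Microsoft's or this article's code: it assumes a Purview audit export in CSV form with `CreationDate`, `UserIds`, `Operations` and `AuditData` columns, a `ClientIP` field inside the `AuditData` JSON, and an `Operations` value of `CopilotInteraction`; the allow-list ranges and sample rows are constructed.

```python
import csv
import io
import ipaddress
import json

# Assumptions: constructed EU egress ranges; CSV column names and "ClientIP" are assumed.
EU_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:1::/48")]

def parse_ip(raw):
    """Parse '1.2.3.4', '1.2.3.4:port' or '[v6]:port'; return None if unusable."""
    raw = str(raw or "").strip()
    if raw.startswith("["):              # bracketed IPv6, optionally with a port
        raw = raw[1:].split("]", 1)[0]
    elif raw.count(":") == 1:            # IPv4 with a port
        raw = raw.split(":", 1)[0]
    try:
        return ipaddress.ip_address(raw)
    except ValueError:
        return None

def flag_records(csv_text, operation="CopilotInteraction"):
    """Return (time, user, ip, reason) for matching rows not provably inside EU_RANGES."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Operations") != operation:
            continue
        try:
            data = json.loads(row.get("AuditData") or "{}")
        except ValueError:
            data = {}                    # unparseable record is reported below, not skipped
        ip = parse_ip(data.get("ClientIP") if isinstance(data, dict) else None)
        if ip is None:
            findings.append((row.get("CreationDate"), row.get("UserIds"), None, "no-usable-ip"))
        elif not any(ip in net for net in EU_RANGES):
            findings.append((row.get("CreationDate"), row.get("UserIds"), str(ip), "outside-allow-list"))
    return findings

def sample_export():
    rows = [  # constructed sample rows, not real tenant data
        ("2025-01-10T09:00:00Z", "alice@example.com", "CopilotInteraction", {"ClientIP": "192.0.2.15"}),
        ("2025-01-10T09:05:00Z", "bob@example.com", "CopilotInteraction", {"ClientIP": "203.0.113.7:50412"}),
        ("2025-01-10T09:06:00Z", "carol@example.com", "CopilotInteraction", {"ClientIP": "[2001:db8:1::25]:443"}),
        ("2025-01-10T09:07:00Z", "dave@example.com", "CopilotInteraction", {}),
        ("2025-01-10T09:08:00Z", "erin@example.com", "FileAccessed", {"ClientIP": "203.0.113.9"}),
    ]
    buf = io.StringIO()
    csv.writer(buf).writerows([("CreationDate", "UserIds", "Operations", "AuditData")]
                              + [(t, u, op, json.dumps(d)) for t, u, op, d in rows])
    return buf.getvalue()
```

Records with no usable address are reported rather than dropped, so gaps in the export show up in the review instead of passing silently.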
The Bigger Picture
Flex routing is not unique to Copilot. Microsoft’s Azure OpenAI Service has similar burst capabilities, and other AI providers like Google and AWS have analogous features. But the issue is particularly acute for Copilot because it is deeply integrated into productivity tools that handle everyday personal data.
The European Data Protection Board (EDPB) has yet to issue specific guidance on AI inference routing. However, its recent opinions on cloud computing emphasize that controllers must know exactly where processing occurs. Ignorance of flex routing is not a defense.
Conclusion
Microsoft 365 Copilot’s flex routing is a practical solution to a real technical problem — but it collides head-on with GDPR’s territorial restrictions. For now, EU tenants are left to navigate the gap between Microsoft’s default configuration and their regulatory obligations. The ball is in Microsoft’s court: either provide a granular opt-out or risk losing enterprise customers who cannot compromise on data sovereignty.