Do you use Microsoft products? Then it’s worth taking a closer look at recent developments around Microsoft 365 and GitHub Copilot. Over the past few weeks, Microsoft has introduced two changes that may be relevant for companies in Europe - particularly with regard to data processing, compliance, and data sovereignty.
Microsoft 365 Copilot: “Flex Routing” changes data flows
Since April 17, a new feature has been active in Microsoft 365 Copilot called “Flex Routing.”
With this feature, requests to Copilot are no longer processed exclusively in European data centers; routing depends on capacity. If resources in Europe are not available, data may be processed in other regions such as the United States, Canada, or Australia.
This involves not only technical metadata but also content from everyday business operations, including:
For companies, this means parts of the processed data may leave the European legal framework depending on system load and routing decisions.
GitHub Copilot: Use of inputs for AI training
Just a few days later, on April 24, Microsoft introduced another change in the context of GitHub Copilot.
User inputs and code snippets from certain subscription plans are now used for further development and training of AI models. This can also include content from private repositories if Copilot is actively used.
It is important to note that this feature is enabled by default and must be manually disabled.
Opt-out instead of opt-in: a known pattern
Both changes follow a basic principle: features are enabled by default rather than actively opted into by the user.
For companies, this means:
During this transition period, data may already have been processed.
Classification in the context of data sovereignty
Current technological developments show that data processing is increasingly distributed globally. In addition, regulatory and legal frameworks remain complex, especially regarding potential access by authorities outside Europe.
For companies, this raises a strategic question: how much control over their own data actually remains with the organization?
Need for action for companies
Regardless of how these developments are evaluated, companies should regularly review their environments.
Important questions include:
Now is the right time to critically assess your AI and data strategy.
Recommendation
For companies that want to ensure true data sovereignty, standard cloud configurations are often not sufficient. One alternative is to use private AI solutions that run entirely within their own or dedicated infrastructure.
BWO Systems AG supports companies in building exactly such environments - from private AI systems and secure data processing to customized SaaS AI solutions that are not dependent on public training or routing mechanisms.
This allows companies to retain full control over where data is processed, who has access, and how it is used.
Contact us for a non-binding consultation on your AI and data landscape. Together, we create transparency, reduce risks, and build an infrastructure where your data stays where it belongs: within your organization.