Microsoft Copilot chats are now secretly transferred to countries outside the EU.
Starting April 17, 2026, Microsoft will route your Copilot chats and data outside the EU by default during peak loads, potentially to the US. How to protect yourself and your company, what this means for GDPR compliance, and why Europe is waking up right now.
Today is the day. Not someday, not “soon”. Starting April 17, 2026, Microsoft’s “Flex Routing” for Copilot is active by default in the EU. You probably have not noticed and you were not asked about it either. This means that when Microsoft’s servers are under load, your business data, prompts, chats, and requests in Microsoft’s AI assistant can automatically be processed outside the EU. Possible destinations according to Microsoft itself include the US, Canada, or Australia.
Nobody asked you. It just is what it is. Thousands of European companies are currently overlooking this compliance issue.
What Flex Routing means and why it is a problem
Microsoft explains Flex Routing as follows: To ensure a “consistent Copilot experience” during high demand, AI processing is conducted outside the EU data boundary during peak loads. The data is supposed to be transmitted encrypted, and “data at rest” is to remain stored within the EU. However, there is an exception: “limited pseudonymized data” can also be stored outside for security and operational purposes.
This last sentence is crucial. The IT experts at Avanade have analyzed it and come to a clear conclusion: The wording leaves considerable room for interpretation. “Limited pseudonymized data” sounds harmless, but it could include session IDs, usage timestamps, and behavioral data. Exactly the kind of data from which user profiles can be reconstructed.
The problem with the GDPR is obvious. The regulation dictates that its protective provisions must travel with the data when it leaves the EU. For a US company subject to the US CLOUD Act, this is not automatically the case. Companies using Copilot under these conditions bear the compliance risk themselves.
How to turn off Flex Routing in Microsoft Copilot
- Open Copilot
- Then go to Settings
- Then select “Flex routing during peak loads”
- Then select “Do not allow Flex routing”.
This should happen in every European company today!

The bigger context: Europe has a dependency problem
The Flex Routing example already highlights the issue in a larger context. In particular, it exposes existing vulnerabilities and shows that data can potentially be transferred to non-EU countries on short notice and without prior warning.
On January 22 of this year, the European Parliament adopted a comprehensive report on technological sovereignty by 471 votes to 68. The most important finding: The EU relies on non-EU providers for more than 80 percent of its digital products, services, and infrastructure. Belgium’s cybersecurity chief Miguel De Bruycker summarized this in unusually direct words, stating that Europe has “lost the entire cloud.” He added that it is currently virtually impossible to keep data completely within Europe.
This dependency was uncomfortable for years but somehow accepted. Since Donald Trump’s second term and the growing geopolitical tensions across the Atlantic, it has become a strategic threat. If critical infrastructure runs on servers in another country, that service can be shut down politically, economically, or by court order. This is not paranoia. This is geopolitics.
What governments are doing right now
Several European countries have drawn the consequences and are taking action.
Germany announced in March 2026 that all public documents will be issued exclusively in open formats in the future; proprietary formats like Microsoft Word are thus explicitly excluded. The state of Schleswig-Holstein has already transitioned 80 percent of all government workplaces from Microsoft to open-source alternatives, saving around 15 million euros annually in license fees starting in 2026.
France is going even further. The government has announced it will replace Windows with Linux in the long term. Already, 80,000 employees of the national health insurance system have been migrated from US platforms like Microsoft Teams and Zoom to European open-source solutions.
Austria has switched its armed forces from Microsoft Office to LibreOffice, the open-source office suite developed in Germany.
Denmark has also initiated a move away, not least in light of Trump’s threats regarding Greenland, which cast the dependence on US technology in a completely new light.
The EU Cloud and AI Development Act, expected shortly, aims to legally secure this development and prioritize the procurement of cloud services that keep EU data under European control.
AI as a particularly sensitive field
The Copilot case perfectly illustrates why AI assistants represent their own category of privacy risks. When an employee uses Copilot, they do not just enter search queries. They share business strategies, customer data, internal documents, and confidential analyses. This data ends up in a system operated by a US company, governed by US law, and now officially allowed to process it outside the EU during peak loads.
And that is not the whole story.
Anthropic, the maker of the AI assistant Claude, has just started requiring identity verification from new subscribers. A passport, driver’s license, or national ID card, processed by a US third-party provider named Persona. What this means: Anyone using Claude links their legal identity to every question they have ever asked, every document they have uploaded, every political opinion, and every trade secret. Read more about this in this blog post.
ChatGPT, Gemini, and Grok are not doing this yet. But the direction is set. What is an exception today might even be the industry standard in a few years: No access to AI assistants without a linked identity. Everything stored, everything potentially subject to being handed over, everything linked to a real person.
This is not gloomy speculation. It is the logical consequence of what we are observing right now.
CamoCopy: AI assistant without US dependency
There is an alternative, and it comes from Europe.
CamoCopy was developed with a clear goal: An AI assistant that runs exclusively on European infrastructure, does not use user data for model training, and does not depend on US services. No CLOUD Act by default. No sudden service interruptions because geopolitical winds are shifting. No identity verification that links your name to your conversations.
Specifically, this means:
The servers are located in the EU and are operated by European providers. Your chats are not used to train the underlying models. The architecture is designed so that your data does not leave Europe, unlike Microsoft’s new Flex Routing, where that is exactly what happens by default now.
For companies that take GDPR compliance seriously, this is not a nice-to-have. It is a structural requirement.
Your Exit Strategy: Alternatives to Microsoft
In July 2026, Microsoft will drastically increase prices and force users into Copilot surveillance. In times of geopolitical tension, switching to independent alternatives is vital. Fortunately, there is a good alternative for every Microsoft product, from your operating system to your document editors and browsers. Learn how to reclaim your digital freedom with cost-effective tools in our comprehensive guide: Microsoft’s Price Hike & Forced AI: Why Digital Sovereignty Defines Your Freedom in 2026.
Conclusion: The time to switch is today
The news about Microsoft’s Flex Routing is not a technical side note. It is another signal in a long line of developments showing where the journey of US Big Tech dependency leads: More control for the provider, less sovereignty for the user.
Europe recognizes this. Governments are taking action. And the technical alternatives exist.
The path to digital sovereignty does not require an overnight revolution. It begins with concrete, small decisions. Disabling Flex Routing in Copilot is one of them. Switching to another privacy-friendly AI assistant from Europe is, of course, a much better decision.
Anyone who wants to secure their data, their compliance, and their strategic independence in the long term should not wait until the plug is pulled.
Test CamoCopy for free right now here or claim our offer here and experience AI that protects your privacy, stays in Europe, and doesn’t ask who you are.