An analyst at a mid-sized firm types a simple question into Microsoft 365 Copilot: "What's the latest on the leadership reorg?" Copilot answers helpfully, summarising a draft plan, complete with names, proposed redundancies, and severance figures.
The analyst was never meant to see that document. But two years ago, someone saved it to a SharePoint site that had been shared with "everyone except external users," and the permission was never revisited. Technically, the analyst always had access. They just never knew the file existed - until Copilot made it findable by answering a question in plain English.
Nothing was hacked. No permission was broken. Copilot did exactly what Microsoft designed it to do: it inherited the user's access and made it searchable. And that is the whole privacy story of Copilot at work.
Is Microsoft 365 Copilot safe for business data?
As a platform, yes - and Microsoft's commitments here are genuinely strong. Microsoft 365 Copilot does not use your prompts, responses, or Microsoft Graph data to train its foundation models. Processing stays within the Microsoft 365 service boundary, and it only ever returns data the asking user already has permission to open.
That last guarantee is also the catch. Copilot inherits each person's access exactly. So if your organisation has years of accumulated oversharing - broad sharing links, broken permission inheritance, sites opened to "everyone," files dropped in the wrong place - Copilot does not create new exposure, but it removes the obscurity that was quietly protecting you. What used to require knowing a file existed and hunting for it now takes one well-phrased question.
The risk in Copilot is not the AI. It is your permissions, made instantly legible.
How Copilot handles your data
There is not one Copilot. There are three, with very different protections.
| | Free Copilot (consumer) | Copilot Chat (work) | Microsoft 365 Copilot (add-on) |
|---|---|---|---|
| Sign-in | Personal / none | Work account | Work account |
| Enterprise data protection | No | Yes | Yes |
| Trains foundation models on your data | Possible | No | No |
| Access to your email/files/Teams | No | Limited (uploads, on-screen) | Full, via Microsoft Graph |
| The "inherits your access" risk | No | Limited | Yes |
Free consumer Copilot (copilot.microsoft.com, no work sign-in) grounds on the public web and has no enterprise data protection. It is not for work data - this is the version the US House of Representatives blocked for staff.
Microsoft 365 Copilot Chat, used signed in with a work account, runs under enterprise data protection but does not automatically reach across your mailbox and Graph.
Microsoft 365 Copilot (the paid add-on) is the one with full Microsoft Graph access - email, files, calendar, Teams, SharePoint - and it is the version where the oversharing problem lives.
On data residency, Microsoft 365 Copilot is an EU Data Boundary service and stored data stays in the EU. But "flex routing" can let LLM processing happen in the US, Canada, or Australia during peak demand, and it defaults on for newer tenants. Some Anthropic-model paths and Bing web queries also sit outside the EU boundary. Stored data stays in the EU; processing may not, unless you intervene.
The biggest privacy risks in Copilot
1. Oversharing made searchable
The headline risk. A payroll file on an overshared site, a board pack in an open Teams channel, an HR letter in a misconfigured library - all already accessible to more people than intended, all now one question away. Copilot does not widen access; it makes existing over-access usable.
2. Stale and inherited permissions
People change roles, projects end, contractors leave - and their access often lingers. Copilot draws on whatever each user can still reach today, including rights that should have been removed months ago.
3. The "which Copilot" mistake
An employee who uses free consumer Copilot on a work task, signed in with a personal account, gets none of the enterprise protections. The same prompt in signed-in Copilot Chat is governed; in consumer Copilot it is not. Most users cannot tell which one they are in.
4. Prompt injection reaching governed data
In 2025, researchers demonstrated "EchoLeak" (CVE-2025-32711), a zero-click flaw where a crafted email could make Copilot pull internal data and exfiltrate it - no clicking required. Microsoft patched it server-side before any known abuse, but it proved that prompt injection reaches enterprise Copilot, precisely because Copilot's scope is everything the victim can access.
5. Hallucinated personal data
Copilot can generate confident, inaccurate statements about real, identifiable people. Under GDPR, inaccurate personal data is itself a data-quality issue - and a Dutch sector DPIA flagged exactly this as a residual risk.
6. Processing leaving the EU at peak
With flex routing on by default for newer tenants, Copilot's LLM processing can temporarily leave the EU Data Boundary. For organisations with strict EU-residency requirements, that is a decision to make deliberately, not inherit.
Each of these has caused real hesitation in organisations that assumed "it's Microsoft, it's fine."
What is actually at stake: consequences
Under GDPR, surfacing personal data to someone who should not have it - salaries, health information, a disciplinary file - can be a personal data breach even though no attacker was involved and no permission was technically broken. If there is risk to people's rights and freedoms, the organisation must notify its supervisory authority within 72 hours.
Fines reach EUR 20 million or 4% of global annual turnover, whichever is higher, and the liability rests with the organisation as controller. Beyond the regulator, internal oversharing surfaced by Copilot - an employee reading colleagues' salaries or a reorg plan - creates trust and HR damage that is immediate and hard to contain.
The uncomfortable part: a flawless contract with Microsoft offers no defence when the exposure was your own permissions, made searchable.
Verified incidents
March 2024 - US House of Representatives blocks Copilot
The Office of the Chief Administrative Officer declared the commercial version of Microsoft Copilot "unauthorized for House use," citing the risk of leaking House data to non-approved cloud services, and said it would evaluate the government edition later. It targeted the consumer-grade version, not enterprise M365 Copilot - but it set the tone for enterprise caution. Source: Axios, March 2024.
December 2024 to 2025 - SURF Copilot DPIA (Netherlands)
SURF, the Dutch education and research collaboration, published a Data Protection Impact Assessment on Microsoft 365 Copilot in December 2024 finding four high privacy risks and advising institutions not to use it for the time being. After Microsoft changes, a September 2025 update downgraded the risks to "amber," leaving two residual concerns: inaccurate personal data generated about real people, and an 18-month retention period for pseudonymised metadata. Source: SURF, 2024-2025.
June 2025 - EchoLeak (CVE-2025-32711)
Aim Labs disclosed a zero-click prompt-injection flaw in Microsoft 365 Copilot, rated critical (CVSS 9.3), that could exfiltrate internal data without user interaction. Microsoft fixed it server-side in May 2025 and reported no evidence of exploitation in the wild. Source: BleepingComputer / The Hacker News, June 2025.
The thread across these is not a single failure. It is a tool whose power - reaching everything a user can access - is also its largest privacy surface.
Settings that help
1. Find and fix oversharing with SharePoint Advanced Management
Use Data Access Governance and permission-state reports to locate broken inheritance, "everyone" links, and overshared sites - then remediate. This is the actual fix, included with Microsoft 365 Copilot.
2. Apply Microsoft Purview sensitivity labels
Labels that apply encryption are honoured by Copilot - it returns content only if the user has the rights to extract it. Labelling coverage is the dependency: an unlabeled overshared file is still fair game.
3. Configure Purview DLP for Copilot
DLP for the Microsoft 365 Copilot location can exclude sensitivity-labelled content from being processed in Copilot interactions.
4. Use Restricted SharePoint Search - but only temporarily
RSS can throttle Copilot discovery to an allow-list of up to 100 sites while you remediate. Microsoft is explicit that it is not a security boundary, does not change permissions, and is a short-term stopgap.
5. Turn off flex routing if you need strict EU processing
Microsoft 365 admin center > Copilot > Settings > flex routing > "Do not allow flex routing" keeps LLM processing inside the EU Data Boundary.
6. Scope or remove Copilot licences
Disable Copilot per user via licence removal or Integrated Apps to limit the blast radius during a phased rollout.
Steps verified in June 2026; Microsoft reorganises the Copilot control surface frequently, so menu labels shift.
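To show how steps 1 and 2 interact, here is an added example (not Microsoft's tooling or report format) that triages a permission export and ranks broadly reachable, unlabelled items first. The column names, sample rows, and priority scheme are assumptions made up for illustration; map them to whatever your own report actually exports.

```python
import csv
import io

# Constructed sample rows. Column names are assumptions for illustration,
# not the schema of any Microsoft report export.
SAMPLE_REPORT = """site,item,principal,link_scope,inherits_parent,sensitivity_label
/sites/hr,Reorg-draft.docx,Everyone except external users,,no,
/sites/hr,Policies.pdf,HR Members,,yes,General
/sites/finance,Payroll.xlsx,Finance Members,Organization,no,Confidential
/sites/board,Board-pack.pptx,Everyone,,yes,Highly Confidential
/sites/projects,Plan.docx,Project Alpha Members,Specific people,no,
"""

BROAD_PRINCIPALS = {"everyone", "everyone except external users"}
BROAD_LINK_SCOPES = {"anyone", "organization"}


def findings_for(row):
    """Return the oversharing conditions a single report row matches."""
    found = []
    if row["principal"].strip().lower() in BROAD_PRINCIPALS:
        found.append("broad-principal")
    if row["link_scope"].strip().lower() in BROAD_LINK_SCOPES:
        found.append("broad-link")
    if row["inherits_parent"].strip().lower() == "no":
        found.append("broken-inheritance")
    return found


def triage(report_text):
    """Rank flagged rows: 1 = broad and unlabelled, 2 = broad, 3 = unique permissions only."""
    results = []
    for row in csv.DictReader(io.StringIO(report_text)):
        found = findings_for(row)
        if not found:
            continue
        broad = "broad-principal" in found or "broad-link" in found
        # An unlabelled file has no label-based control limiting what Copilot returns.
        unlabelled = not row["sensitivity_label"].strip()
        priority = 1 if broad and unlabelled else 2 if broad else 3
        results.append((priority, row["site"], row["item"], found))
    return sorted(results)


if __name__ == "__main__":
    for priority, site, item, found in triage(SAMPLE_REPORT):
        print(f"P{priority} {site}/{item}: {', '.join(found)}")
```

A labelled item still appears at priority 2 because a label does not change who the item is shared with; only fixing the permission does.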
What settings do not solve
Settings govern what Microsoft does with your data and how widely Copilot searches. They do not fix the permissions underneath, and they do not decide what an employee types into the prompt.
No toggle un-shares the folder that was opened to "everyone" three years ago. No data-residency setting removes a client's account number that someone pasted into a Copilot prompt to "summarise this." The two failure modes Copilot amplifies - overshared content and over-shared prompts - are both human decisions that a configuration screen cannot reach.
That is the gap: between the access an organisation has accumulated and the content a person is about to type.
How BeeSensible helps before you send
BeeSensible checks personal data in browser text fields - including the Copilot prompt - as you type. Through the desktop app, detection runs entirely on the device and no text leaves the machine. For browser-only use, the extension sends the text to BeeSensible's EU detection service, where analysis runs in working memory and the text is discarded after detection. When sensitive content appears in a prompt, BeeSensible marks it inline so the user can see exactly what they are about to share - and delete it, replace it with a placeholder, or mask it before sending.