The news initially sounded like a liberating move: Microsoft is now making its Copilot available in free versions of Outlook, Word, and other applications. What was previously reserved for paying users has, at least in part, been open to the general public for testing since June 2025. Especially in tax offices, where efficiency, text quality, and structured communication are required daily, this seems like an invitation to try it out immediately. But as tempting as the new offer may sound, those bound by professional secrecy, such as tax advisors, must exercise extreme caution.
The introduction of the free Copilot version allows users to generate simple texts, summarize emails, draft presentations, or ask questions about document content—all using the latest AI technology from Microsoft. The highlight: Many of these functions can be accessed directly via the web browser or mobile apps. This means that you no longer need a paid Microsoft 365 subscription with a Copilot license to experiment with the basic AI functions.
But this is precisely where the problem lies: This variant is not integrated into the firm's Microsoft 365 tenant, it does not operate on the basis of a customized licensing model with contractually regulated data processing, and it may process inputs in environments whose data protection standards do not meet European standards. Data protection-compliant use – especially with sensitive client data – is thus effectively impossible.
As analyzed in detail in my book "Data Protection-Compliant Use of Microsoft Cloud Services for Tax Advisors," those bound by professional secrecy, such as tax advisors, are subject not only to the general requirements of the General Data Protection Regulation (GDPR), but also to stricter regulations under Section 203 of the German Criminal Code (StGB) and Section 62a of the German Tax Consultants Act (StBerG). These provisions require that all professional information be treated confidentially – including and especially when using technical systems. Disclosure to third parties or service providers not bound by instructions may, under certain circumstances, be subject to criminal prosecution.
The free Copilot version is particularly problematic because it generally doesn't offer clear instructions within the meaning of data protection law. There is no customized data processing agreement with Microsoft that could guarantee compliance with the specific requirements of Art. 28 GDPR. Furthermore, the storage and processing locations of the entered content are not clearly traceable, which is particularly problematic in light of US legislation (keyword: CLOUD Act, FISA 702).
In contrast, there is the licensed version "Copilot for Microsoft 365," which is fully integrated into Microsoft's desktop and web applications. This version, with the correct configuration of the M365 environment, accesses the emails, calendar data, SharePoint content, or Excel files stored in your tenant in compliance with data protection regulations. It can provide context-specific assistance in preparing pleadings, evaluating spreadsheets, or analyzing client data. With the correct configuration, this version can also be used by those bound by professional secrecy. It is based on a data processing agreement, processes data within the EU Data Boundary, and can be further secured with features such as Data Loss Prevention (DLP), Double Key Encryption, and Conditional Access.
The key point is: Even if the free Copilot features appear to be virtually identical to the full licensed version at first glance, the differences in terms of data protection, data responsibility, and legal protection are significant. While a simple test run with anonymized examples may be useful, only the licensed version is suitable for productive use in a law firm.
In my book, I go into detail about how law firms can use Copilot in compliance with data protection regulations: from concluding a data processing agreement to tenant configuration and the question of when a data protection impact assessment is necessary. Even with the EU Data Boundary – Microsoft's commitment to store and process data within the EU – uncertainties remain that require a data protection impact assessment (DPIA) and additional measures.
My conclusion, therefore, is: Copilot can be a genuine efficiency tool for tax firms – but only if it is used in full compliance with professional and data protection regulations. We already wrote something about this in this article. The free version is suitable at best for internal tests with neutral data, but not for use in client relationships.
If you would like to prepare your law firm to use Copilot strategically and compliantly, we would be happy to support you with the technical implementation, legal assessment, and integration into your work processes.
More information can be found in my book series “Digital Law Firm – Strategies for Modern Tax Firms”
AI AND ONLINE STRATEGIES for modern tax offices
and