Lukas Huber
Founder & AI Strategist
Swiss SMEs: GitHub's Copilot training with user data poses risks to sensitive information and compliance. Learn what this means for your business.
A surprisingly large number of Swiss SMEs underestimate the subtle ways their digital footprints could become training data for global AI models. When t3n.de recently reported that GitHub intends to use user interactions for training Copilot, a murmur went through the developer community.
For Swiss companies that handle sensitive data and depend on compliance and data protection, this was concerning news. The idea that proprietary code or internal documentation could contribute to the improvement of a generic AI model without control directly contradicts the strict requirements of the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR).
However, the reality is more nuanced than it initially appears. While the initial report sparked legitimate concern, Microsoft has clarified its strategy for Swiss SMEs: the focus is on integrating Copilot into existing Microsoft 365 plans, with a strong emphasis on data protection and governance. This, however, requires a deep understanding of the actual mechanisms and necessary protective measures.
📊 Key Facts at a Glance:
- 52% of Swiss organisations are automating entire business processes with AI. (Source: Microsoft, 2025)
- Microsoft 365 Copilot Business is available from CHF 18 per user/month. (Source: Cloud Solution GmbH, 2026)
- Microsoft plans to integrate Copilot into Windows 11 more "intentionally" to improve performance and user experience. (Source: Windows Latest, 2026)
How does the new GitHub policy affect data integrity and the training of AI models like Copilot?
The initial fear that private GitHub repositories could be directly used to train the general Copilot model has not been confirmed in this form for Microsoft 365 Copilot. The original report from t3n.de referred to a broader data acquisition strategy for AI models. However, for enterprise customers, particularly in the context of Microsoft 365 Copilot, specific and far stricter data protection and governance rules apply. This is a crucial difference that many overlook.
Microsoft has clarified that a company's data processed with Microsoft 365 Copilot remains within its own Microsoft 365 tenant. It will not be used to train Microsoft's base models for other customers, or vice versa. This means your Copilot learns from your data, but your data does not become part of Microsoft's global training dataset. For Swiss SMEs, this is a fundamental commitment that aligns with our data protection requirements.
Nevertheless, there's an important nuance here: If you use GitHub Copilot (without the Microsoft 365 context), it accesses publicly available code and can also learn from your public repositories. The debate surrounding the use of code for training AI models is complex and has already led to legal disputes. For Swiss companies hosting private repositories on GitHub, it is advisable to carefully review the terms of service and privacy policies and, if necessary, opt for enterprise solutions that offer additional control mechanisms. A systematic analysis is essential here. We have often seen companies seeking only "technical" solutions, overlooking the cultural or governance issues.
🚨 Warning: Not all Copilots are created equal
Do not confuse GitHub Copilot with Microsoft 365 Copilot. Although both bear the name "Copilot" and originate from Microsoft, their data protection models differ significantly. GitHub Copilot, especially in its free or individual version, has different data usage policies than the enterprise version of Microsoft 365 Copilot, which runs within your company's tenant. Carefully check which version you are using and what policies apply to it.
What concrete measures must a Swiss SME take to comply with data protection regulations when using AI tools like Copilot?
A Swiss SME must implement a robust governance structure that embeds the use of AI tools like Copilot within the existing data protection framework. Merely assuming that Microsoft handles everything is negligent. Clear internal policies, technical configurations, and regular reviews are needed to ensure compliance with the FADP and, where applicable, the GDPR.
Firstly, data residency is a central point. For Microsoft 365 Copilot, this means that data remains within the Microsoft 365 tenant, and storage should be configured in Switzerland or the EU. Microsoft offers corresponding options here. This is an absolute must for us in Switzerland. Any processing of customer data or other sensitive information must ensure that the data neither flows out uncontrolled nor is used for generic model training.
An indispensable tool is Microsoft Purview. Purview enables central control and monitoring of data flows. Here, you can define policies for data access, data retention, and data classification. It is the control centre for your data integrity. Without a well-thought-out implementation of Purview, you are operating blind.
From my experience as a practitioner with an IPSO certification in AI Business, I can emphasise: A comprehensive AI governance setup is essential. This includes:
- Clear Policies: Formulate specific ethics, data, incident, and change policies for AI usage. Who is allowed to use Copilot for what? What data can be processed?
- Roles and Responsibilities (RACI): Clearly assign responsibilities. Who is responsible for configuration? Who monitors compliance with policies? Lukas Huber, the founder of schnellstart.ai, has often seen that a missing RACI model causes the biggest projects to fail.
- Controls and Evidence: Establish a control catalogue and collect verifiable evidence of policy compliance. Regular audits are mandatory here.
- Human-in-the-Loop: For critical decisions supported by Copilot, a human must always perform a final review. AI is an assistance system, not a replacement for human judgment, especially in areas with financial or legal impact.
The EU AI Act, even though it is still in implementation, categorises AI systems that influence financial situations as "High Risk." For you as an SME, this means you have additional due diligence obligations. Clearly label AI-generated responses as such and add disclaimers where appropriate, such as: "AI assistance – does not replace legal advice."
💡 Tip: Employee Training is Crucial
The best technology is useless if users don't understand and apply it correctly. Train your employees comprehensively in using Copilot. Explain not only the functions but also the internal data protection policies and the importance of responsible prompting. A well-trained workforce is your best protection against unintentional data leakage or compliance violations. Start small with practice examples that help employees understand the tool's capabilities and limitations.
What impact does the use of Copilot have on the productivity and cost structure of Swiss SMEs compared to traditional development methods?
The use of Copilot can significantly increase the productivity of Swiss SMEs and optimise the cost structure in the long term, but it requires a deliberate upfront investment in implementation and governance. The initial CHF 18 per user/month for Microsoft 365 Copilot may seem like an additional expense at first glance. However, the potential time savings and efficiency gains far outweigh these costs in most cases. In our experience, employees can often save 12+ hours per week on repetitive tasks through the intelligent use of AI tools.
Consider the time spent on drafting emails, summarising long documents, creating presentation drafts, or searching for information on the intranet. Copilot automates or accelerates these processes. A developer who previously spent hours searching for boilerplate code or debugging now receives suggestions in real-time. This isn't a "game-changer," but a tangible, measurable improvement in how work is done.
Compared to traditional development methods, which often rely on manual coding, extensive research, and repeated debugging, Copilot offers a clear advantage. It reduces development time, minimises errors, and allows teams to focus on more complex, value-adding tasks. This not only leads to faster project completion times but also to better utilisation of existing skilled personnel. Phased development, as recommended at schnellstart.ai, allows these benefits to be realised step-by-step and risks to be minimised.
| Aspect | Copilot-Assisted Workflow | Traditional Workflow |
|---|---|---|
| Code Generation | Automatic suggestions and completions, reduces typing time by up to 40%. | Manual writing of every line of code, higher error rate. |
| Document Creation | Quick draft creation, summaries, tone adjustment. | Time-consuming writing, manual research and formatting. |
| Meeting Summaries | Automatic transcription and summarisation of Teams meetings in minutes. | Manual note-taking, subsequent summarisation can take hours. |
| Information Retrieval | Intelligent search across the entire data repository (M365), faster answers. | Manual search across different systems, often time-consuming and incomplete. |
| Error Reduction | AI-based error detection and correction suggestions. | Manual debugging and testing, often time-consuming. |
| Initial Effort | One-time configuration, governance implementation, employee training. | Lower initial effort, but higher ongoing manual costs. |
Consider a Swiss SME offering engineering services, for example. Integrating Microsoft 365 Copilot into existing Microsoft 365 plans allows engineers to draft technical reports faster, analyse specifications, and search internal documents more efficiently. An engineer who spends 30 minutes daily on administrative tasks could reduce this time by half with Copilot. Over a year, this represents significant savings of valuable working time that can instead be invested in core competencies. It is crucial that data residency is in Switzerland or the EU and that control is managed centrally via Microsoft Purview to meet compliance requirements.
🚀 Practical Example: Efficiency Boost at "AlpenTech AG"
"AlpenTech AG," a medium-sized Swiss engineering firm with 80 employees, piloted Microsoft 365 Copilot in project planning and documentation creation. Previously, project managers spent an average of 4 hours per week drafting status reports and summarising meeting minutes. With Copilot, they were able to reduce this time by approximately 60%. They used Copilot to generate drafts, extract key points from long emails, and even create initial versions of bills of quantities. The time saved flowed directly into client consulting and technical development, leading to a noticeable increase in customer satisfaction and acceleration of project phases. The strict configuration via Microsoft Purview ensured that no confidential project data left the company tenant.
The cost structure thus shifts: from high personnel costs for repetitive tasks to an investment in AI tools that significantly enhance the efficiency of the existing workforce. This is not cost reduction through staff reduction, but value creation by empowering employees to focus on more demanding activities. "Start Small" is an important principle here: begin with a clearly defined use case and gradually expand its application, rather than trying to implement everything at once.
✅ Recommendation: Strategic AI Implementation
View the introduction of Copilot not as a mere software purchase, but as a strategic project. Develop a clear vision for the long-term use of AI in your company. This includes phased implementation, integration into existing IT infrastructures, and continuous training for your teams. A long-term goal could be the development of your own internal AI system that continuously learns and can be expanded to cover additional topics and cantons. This ensures that you not only achieve short-term productivity gains but also establish a sustainable AI strategy for your SME that meets future requirements.
Conclusion
The initial excitement surrounding GitHub's data policy has sparked an important debate about the secure use of AI tools. For Swiss SMEs, the core message is clear: Microsoft 365 Copilot offers immense productivity potential, but success hinges significantly on a proactive and well-founded implementation that places data protection and governance at its core. It is a question of control, not of renunciation.
Three takeaways for your Swiss SME:
- ✅ Differentiate Copilot Versions: Understand the different data protection models of GitHub Copilot and Microsoft 365 Copilot to implement the right protective measures.
- ✅ Implement AI Governance: Only with clear policies, assigned responsibilities, and the use of tools like Microsoft Purview can you ensure compliance with the FADP and data integrity.
- ✅ Invest in Employee Training: Empower your teams to use Copilot responsibly and efficiently. This maximises productivity gains and minimises risks.
The future of work in Swiss SMEs will be significantly shaped by intelligent assistance systems. Those who use these tools securely and strategically will secure a decisive competitive advantage without compromising on data protection.
Would you like to explore the possibilities of AI for your SME, relying on Swiss data protection standards? Contact us for a no-obligation initial consultation.
