EU Digital Markets Act Forces Google to Open Android and Share Search Data with Rivals

Brussels issues two landmark DMA compliance orders targeting Google's AI and search dominance, with deadlines set for 2027

EU Digital Markets Act Forces Google to Open Android and Share Search Data with Rivals

Brussels Issues Two Landmark Orders Under the EU Digital Markets Act Against Google

The European Commission has issued two binding compliance orders against Google under the EU Digital Markets Act (DMA), marking one of the most aggressive regulatory interventions yet against a major US technology platform operating in the bloc. The orders — one targeting Android's AI ecosystem, the other targeting search data access — set firm deadlines that will require Google to fundamentally reshape how it operates in Europe. For developers, privacy professionals, and IT decision-makers watching the evolution of digital sovereignty in Europe, these rulings carry significant implications far beyond one company's market position.

The Commission announced the decisions on 16 July, following proceedings that began in January of the same year. The deliberations were specifically designed to clarify what meaningful DMA compliance looks like in practice — a question that has been contested between regulators and major technology platforms since the law came into force. According to Silicon Republic, the orders give Google until January 2027 to begin sharing its search data and until July 2027 to open Android to competing AI providers.

AI regulation and digital markets in Europe
The EU's Digital Markets Act is reshaping how Big Tech platforms operate across Europe

The DMA, which came into effect in 2023, designates the largest technology platforms as "gatekeepers" — a legal category that triggers a set of obligations designed to prevent anti-competitive self-preferencing. Google, alongside Apple, Meta, Amazon, and Microsoft, is subject to these rules. However, this latest pair of rulings represents a notable escalation: rather than simply identifying potential violations, the Commission is now prescribing in granular detail exactly how compliance must be achieved, and by when.

What the Android AI Access Order Actually Requires — and Why It Matters

The first order addresses the competitive landscape for AI assistants on Android devices, which account for roughly 60 percent of mobile users in the EU, according to the Commission. The core argument is straightforward: competing AI assistants — including those built by European developers and startups — currently have restricted access to Android's operating system functionalities. This means that third-party AI agents cannot match the deep system integration enjoyed by Google's own Gemini assistant.

In practical terms, this restriction limits what rival AI assistants can do. They cannot be activated via voice wake words like "Hey Google," cannot access the same device-level permissions, and are therefore structurally less capable than Gemini on Android, regardless of their underlying quality. The Commission's ruling would require Google to grant equivalent OS-level access to third-party AI providers, enabling users to set their preferred assistant as a true system default — activated by voice, integrated with device functions, and capable of operating across apps.

For developers building AI-powered applications on Android, this is potentially transformative. If enforced as written, the ruling would open up system APIs and device permissions that are currently gatekept by Google's own product decisions. Smaller AI providers — including European ones competing in a market currently dominated by US platforms — would gain a structurally fairer playing field. This aligns directly with broader digital sovereignty goals that European policymakers have been pursuing through instruments like the DMA, GDPR, and the EU AI Act, all of which aim to ensure that European users and companies are not permanently locked into Big Tech dependencies.

"These rulings risk undermining vital privacy and security guardrails for millions of Europeans. We have repeatedly offered solutions to safeguard users while satisfying the DMA's goals, but these rulings discount extensive evidence of user harm."

— Kent Walker, President of Global Affairs, Google and Alphabet

Google's pushback centres on security. Kent Walker, the company's president of global affairs, argued that the current system — in which phone manufacturers play a key vetting role for AI providers — exists for good reason. Granting "sensitive and powerful device permissions" to external apps without those safeguards, he warned, would expose Android users to meaningful security risks. This is not an entirely implausible concern: the Android ecosystem has historically struggled with malicious apps exploiting broad permissions, and the tension between openness and security is well-documented in cybersecurity literature. However, the Commission maintains that Google retains the right to assess privacy and security risks before sharing any data or access, which suggests the regulator does not view security as an absolute blocker.

The Search Data Order: Opening Google's Most Valuable Asset to Rivals

The second order is arguably more structurally significant. It requires Google to share anonymised search data — the kind it uses to train and optimise its own search algorithms — with competing search engines. This matters because search data at Google's scale is essentially irreproducible. No rival search engine, however well-funded, can generate the volume and diversity of query data that Google accumulates through its dominant market position. This creates a compounding advantage: Google's search improves faster because it learns from more users, which attracts more users, which generates more data.

The Commission's investigation found that Google had been removing between 90 and 100 percent of unique search queries from the datasets it was required to share under existing frameworks. It was also excluding AI chatbots that provide search services from the pool of eligible beneficiaries — a significant carve-out given that AI-powered search is rapidly becoming a primary interface for information retrieval. As a result, the Commission concluded, "there has been no meaningful uptake by potential beneficiaries" of the existing data-sharing arrangements.

60%EU mobile users on Android
90–100%Unique queries removed by Google from shared datasets
Jan 2027Deadline to begin sharing search data
Jul 2027Deadline to open Android to rival AI providers

The new order specifically requires Google to include AI chatbots in the beneficiary pool and to stop stripping out unique queries. For privacy professionals, this raises immediate questions about what "anonymised" actually means at this scale and in this context. Truly anonymised search data is technically difficult to achieve — research has repeatedly demonstrated that even stripped query logs can be re-identified when cross-referenced with other datasets. The Commission's requirement that Google assess privacy risks before sharing provides some procedural safeguard, but privacy advocates and data protection officers at organisations receiving this data will need to scrutinise the anonymisation methodology carefully.

The European Data Protection Board and national data protection authorities may yet weigh in on whether the sharing mechanism is compatible with GDPR obligations — a tension that regulators have not fully resolved as the DMA's implementation deepens, as noted by analysts covering EU digital policy at Politico Europe.

How These Orders Fit the Broader DMA Enforcement Landscape

To understand why these orders are significant, it helps to understand how the DMA's enforcement mechanism works. Unlike traditional competition law, which requires regulators to prove harm after the fact, the DMA operates on a preventive logic: gatekeepers must meet specific obligations regardless of whether a specific instance of harm can be demonstrated. The Commission can issue "specification decisions" — detailed orders explaining exactly how a gatekeeper must comply — when it believes a platform's self-proposed remedies are insufficient.

That is precisely what has happened here. Google proposed its own compliance measures, the Commission found them inadequate, and is now prescribing specifics. This enforcement model is relatively new, and these Google orders represent some of the most detailed specification decisions issued to date. Legal analysts covering EU digital regulation, including those writing for Euractiv, have noted that how these orders hold up under potential legal challenge — Google has the right to contest them — will set important precedents for DMA enforcement across all designated gatekeepers.

European tech regulation and data sovereignty
Europe's regulatory framework is increasingly shaping the architecture of digital markets globally

The timing is also notable. These orders arrive as AI assistants are transitioning from novelty to critical infrastructure. Gemini is being embedded ever more deeply into Android's core functionality, and the window in which rivals can establish competitive positions is narrowing rapidly. Waiting until 2027 to enforce interoperability — as the Commission's deadlines require — means that Google has meaningful runway to continue deepening Gemini's integration advantage. Whether the 2027 deadlines reflect a genuine accommodation of technical complexity or represent a gap that entrenches incumbency further is a question that European AI startups and their investors are already asking.

RequirementWhat It MeansDeadline
Search data sharingShare anonymised query data, including unique queries, with rival search engines and AI chatbotsJanuary 2027
Android AI accessOpen Android OS-level functionalities (including voice activation) to third-party AI assistant providersJuly 2027
AI chatbot inclusionStop excluding AI chatbot providers from the pool of search data beneficiariesJanuary 2027
Privacy risk assessmentGoogle retains right to assess and raise privacy/security concerns before sharingOngoing

The Privacy and Security Tension at the Heart of DMA Compliance

Google's privacy argument deserves more than dismissal. The company's position — that opening Android's deepest system permissions to a broader class of AI providers creates genuine security risks — reflects a real architectural challenge that cybersecurity professionals will recognise. Android's permission model is already a frequent attack surface; extending sensitive permissions to a wider pool of AI providers, potentially including those with less rigorous security practices, is not a trivial concern.

However, the Commission's counter-position is equally coherent: that Google's current approach conflates legitimate security gatekeeping with anticompetitive gatekeeping. The question of who vets AI providers for Android integration — Google's current answer is device manufacturers — is not neutral. It places competitive adjudication power in the hands of parties whose interests are not necessarily aligned with an open market. The Commission wants a more transparent, standardised process that does not allow security criteria to function as a de facto market access barrier.

For privacy professionals and IT decision-makers, the more immediate concern may be the search data order. If your organisation is developing a search product, an AI assistant, or any service that might qualify as a "beneficiary" under the new rules, you will need to understand what data you are receiving, under what conditions, and what your obligations are under GDPR once you hold it. The Commission has not yet published a detailed technical specification of the sharing mechanism, and organisations considering participation should monitor guidance from the European Data Protection Board closely. Research from the Electronic Frontier Foundation has long highlighted the risks of assuming that query-log anonymisation is robust — a concern that applies equally to recipients of the data as to its source.

The broader policy question is whether these orders will achieve their stated goal of fostering competition. Historical precedents from earlier EU interoperability mandates — including the 2004 Microsoft case, which required the company to share interoperability information with rivals — suggest that structural remedies take years to translate into genuine market shifts. The DMA was

Originally reported by Silicon Republic. Summarised and curated by European Purpose.