On July 16, 2026, the European Commission turned two DMA duties for Alphabet from general obligations into implementation tracks. One measure specifies what Google must do under Article 6(7) DMA so rival AI assistants can interoperate with Android. The other specifies what Google must do under Article 6(11) DMA so eligible third-party search engines and AI chatbots with search functions can receive Google Search data. Both were adopted through Article 8(2), the DMA mechanism that lets the Commission specify the steps a gatekeeper must take to comply with an existing obligation.[1]
| Measure | DMA hook | What changes | Deadline |
|---|---|---|---|
| Android AI interoperability | Article 6(7), specified under Article 8(2) | Google must give rival AI assistants access to Android interoperability functions, including voice activation, in-app actions, and device permission access. | July 2027 |
| Google Search data sharing | Article 6(11), specified under Article 8(2) | Google must share anonymized ranking, query, click, and view data with eligible third-party search engines and AI chatbots with search functions. | January 2027 |
That is the operational core. The Android measure concerns access to the mobile layer through which assistants are invoked and authorized. The search measure concerns access to behavioral and ranking data that can improve search quality and, increasingly, AI search products. The Commission did not merely tell Google to be fairer to rivals; it identified the access points, the beneficiary class, and the dates by which compliance must be in place.[1]

The Search Data Measure Is Where Access Becomes Testable
The search-data decision is the denser of the two measures because it confronts a familiar problem in platform remedies: access can exist on paper while the useful part of the asset remains unavailable. The Commission’s April 2026 preliminary proposal had already identified the weak point in Google’s voluntary European Search Dataset Licensing program. Under that program, Google used a threshold of more than 30 signed-in users over 13 months. The Commission said that approach excluded 90–100% of unique queries and 30–40% of overall query volume.[2]
Those figures matter more than the existence of a licensing program. A dataset that omits nearly all unique queries may protect against certain privacy risks, but it also removes much of what makes search data competitively valuable: rare formulations, emerging topics, long-tail intent, and the interaction patterns that help a search service understand what users actually meant. For a rival search engine or an AI chatbot with search functions, access to a sanitized residue is not the same thing as access to a usable learning signal.
The final July measure therefore makes the categories explicit. Google must share anonymized ranking, query, click, and view data with eligible third-party search engines and AI chatbots with search functions by January 2027.[1] The covered fields are not interchangeable. Ranking data shows how Google ordered results. Query data captures demand and language. Click data records which result users selected. View data helps distinguish what users saw from what they acted on. Taken together, those fields can support relevance testing, index improvement, product benchmarking, and AI search responses that depend on fresh or web-grounded signals.
The beneficiary class is also important. The Commission did not limit the remedy to classic ten-blue-link search engines. It included AI chatbots with search functions, which is where the DMA measure most visibly touches AI competition without needing to relabel generative AI as a separate regulatory universe.[1] A chatbot that retrieves or summarizes web information competes for some of the same user intent as a search engine, even if the interface is conversational and the output is synthesized.
Why Google’s Prior Model Failed the Remedy Test
The Commission’s objection to Google’s voluntary model was not that Google had done nothing. It was that the design converted a data-sharing obligation into a narrow licensing product with a threshold that removed too much of the relevant data. A 30-plus signed-in-user threshold over a 13-month period may be administrable from Google’s side, but the Commission’s April assessment indicates that it made the resulting dataset materially incomplete for Article 6(11) purposes.[2]
This is the point at which the DMA’s specification power matters. Article 6(11) says a gatekeeper must provide business users and third parties with access to ranking, query, click, and view data generated by end users on its search engine, subject to anonymization. Article 8(2) lets the Commission move from that statutory formulation to concrete implementation requirements when there is a compliance dispute.[1] Without that second step, the argument can stall indefinitely around whether some access, however truncated, counts as access.
The January 2027 deadline gives counsel and compliance teams something to track. Eligible recipients will need to evaluate whether they qualify, what contractual commitments they must accept, what technical environments they must use, and whether the delivered fields match the categories in the decision. Google will need to show that its anonymization choices protect users without recreating the exclusions the Commission already found inadequate.
The Anonymization Architecture
The Commission’s Developer Portal materials describe a layered anonymization framework rather than a single threshold rule. The architecture includes direct identifier removal, entity thresholding above 50 users, query-length filtering at the 95th percentile, k-anonymity with minimum groups of 1,000 users, metadata generalization, mini-sessionisation, and contractual safeguards such as ringfenced environments, purpose limitations, and independent annual audits.[3]

Each layer answers a different risk. Direct identifier removal strips obvious personal fields. Entity thresholding addresses queries or records tied to identifiable entities. Query-length filtering reduces the risk that unusually long strings contain names, addresses, or other revealing detail. K-anonymity groups records so that an individual user is not isolated in a small crowd; the Developer Portal states that the minimum group is 1,000 users and that 95% of users fall in groups of 29,000 or more.[3]
Metadata generalization matters because location, time, device, and other context can re-identify a person even when obvious identifiers are gone. Mini-sessionisation is aimed at limiting the continuity of behavioral trails, so a recipient does not receive an easily linkable history that reconstructs one person’s search activity over time. Ringfenced environments and purpose limits then move the protection from data transformation into data governance: who can access the data, where it can be used, and for what purpose. Annual audits make that governance reviewable rather than purely contractual.[3]
This structure is not a guarantee that no privacy dispute remains. It is, however, more administrable than a broad assurance that privacy prevents disclosure. The Commission’s design accepts that anonymization is a technical and legal process with multiple controls, not a binary state reached by deleting names or withholding rare queries.
The Privacy Dispute Is Real, but It Cannot Do All the Work
Google’s privacy objection should not be dismissed as theater. Search logs can be sensitive, and combinations of query text, time, location, and click behavior can expose more than users expect. Google has also argued publicly that DMA requirements can undermine security and privacy for Europeans.[4]
The harder question is whether privacy risk justifies withholding the long-tail data that makes Article 6(11) meaningful. Kluwer’s June 2026 analysis identifies the central legal tension: unique does not automatically mean identifiable. It also notes Google’s reported internal red-team claim that re-identification was possible within two hours, while stressing that the methodology behind that claim has not been independently verified or published.[5]
That distinction matters for enforcement. A gatekeeper can properly object to a remedy that would expose personal data. It cannot, without more, treat uniqueness as a synonym for identifiability. The Kluwer analysis links this to the Court of Justice’s EDPS v SRB ruling in Case C-413/23, which approached identifiability contextually rather than as a purely abstract possibility.[5] In practical terms, the question is not whether an isolated query could look unusual. It is whether, given the actual data fields, recipient controls, technical environment, and reasonably available means, a person is identifiable.
That is why the Commission’s move from Google’s threshold approach to a multi-layer framework is the center of the remedy. If the framework is too loose, users bear the cost. If it is too restrictive, rivals receive a dataset that verifies compliance formalities while preserving Google’s informational advantage. The January 2027 implementation will be judged in the space between those two failures.
Android Interoperability Puts AI Assistants Inside the DMA Machinery
The Android measure is more straightforward but still significant. Under the Article 6(7) specification, Google must provide rival AI assistants with access to Android interoperability functions including voice activation, in-app actions, and device permission access. The Commission said the relevant Android access affects roughly 60% of EU users.[1]
For an assistant, those are not decorative integrations. Voice activation affects whether the user can summon the service hands-free or from a default device flow. In-app actions affect whether the assistant can act across installed services instead of merely answering in its own interface. Device permission access affects whether the assistant can use the phone’s capabilities on comparable terms, subject to user consent and operating-system controls.
The Verge’s coverage translated the effect in consumer-facing terms: rival assistants such as ChatGPT, Claude, and Perplexity could gain more functional access on Android devices rather than being confined to app-level interactions.[6] The regulatory point is narrower and more important than feature speculation. The Commission is using Article 6(7) to prevent the operating-system layer from becoming the place where Google’s own AI assistant receives privileged invocation, action, or permission pathways.
The July 2027 deadline is later than the search-data deadline, which is unsurprising given that interoperability changes can require operating-system, API, security, and developer-documentation work. The relevant compliance question will be whether rival assistants can actually use the specified functions on non-discriminatory terms, not whether Google publishes an interface whose constraints make meaningful substitution unlikely.
AI Implications Without Overclaiming the AI Category
The measures matter for AI because they target two assets that can carry market power into AI-mediated search and assistance: mobile-system access and search-interaction data. They do not prove that the DMA has solved AI competition, and they do not require a finding that every generative AI product is itself a designated core platform service. They show something more concrete: existing DMA hooks can be specified when a gatekeeper’s controlled infrastructure affects how AI rivals reach users or improve search-linked products.
For AI chatbots with search functions, the search-data measure could matter in product development and evaluation. Query and click patterns can help identify gaps between user phrasing and retrieved results. Ranking and view data can help benchmark whether a system is surfacing the right sources and whether users engage with them. None of that means access will automatically make a rival search chatbot competitive with Google. It means the Commission has identified data inputs that are sufficiently connected to competition to justify a mandatory access remedy.
The Android measure works from the distribution side. A capable assistant still needs a practical way to be invoked, authorized, and used across the device. If those pathways are reserved in practice for the operating-system provider’s own assistant, product quality may not be enough to discipline the incumbent. Article 6(7) is doing its work at the level of technical access rather than at the level of after-the-fact discrimination claims.
Search Data Access Is Becoming a Remedy Design Question Elsewhere
The EU proceeding is not occurring in isolation. Knight-Georgetown has framed search data sharing as a competition remedy for the AI era, emphasizing design choices around eligible recipients, data scope, privacy protections, and oversight.[7] That is the same menu of questions now embedded in the Commission’s Google specification measure, although the EU legal hook is Article 6(11) DMA rather than a court-imposed antitrust remedy.
The comparison is useful because it keeps the discussion focused on remedy design rather than jurisdictional branding. A search-data remedy can fail by being too vague, too privacy-invasive, too limited to matter, or too hard to audit. The Commission’s July package is notable because it moves several of those design variables into a trackable compliance document: covered data categories, eligible AI search recipients, anonymization controls, contractual safeguards, and a January 2027 delivery date.
What Remains Open for Compliance Teams
The legal obligations are now more concrete, but implementation still carries the practical risk. For search data, the immediate questions are whether Google’s delivered dataset includes the required ranking, query, click, and view categories in a usable form; whether the anonymization framework preserves enough long-tail information to make access meaningful; and whether eligible recipients can operate within ringfenced environments and purpose limits without losing the ability to improve their products.
For Android, the questions are more functional: whether rival assistants can trigger voice activation on comparable terms, perform in-app actions without unnecessary friction, and obtain device permissions through user-controlled processes that are not designed to discourage switching. The Commission’s reference to access affecting roughly 60% of EU users makes the user reach significant, but reach will not answer whether the interfaces are workable.[1]
Google’s privacy and security objections remain part of the record, especially for search logs. The Commission’s position, however, is now tied to a specific anonymization and governance architecture rather than a general expectation that Google should share more. That makes future disputes easier to locate. They will turn on thresholds, fields, environments, audits, and recipient behavior rather than on whether Article 6(11) has any operational content.
As of Q3 2026, the significance of the July 16 measures is concrete but not settled. The DMA is no longer only constraining self-preferencing or app-store terms; it is being used to specify access to infrastructure advantages that can shape AI assistants and AI search. Whether that becomes meaningful access or another managed compliance perimeter will depend on what Google ships by January 2027 for search data and by July 2027 for Android interoperability.
References
- Commission provides guidance to Google on AI interoperability on Android and sharing of Google Search data under the Digital Markets Act, European Commission, July 16, 2026.
- Commission proposes measures to Google on sharing search engine data with third parties under the Digital Markets Act, European Commission, April 16, 2026.
- Alphabet specification proceedings: sharing Google Search data, European Commission Developer Portal.
- The DMA should not undercut security and privacy for Europeans, Google.
- Unique Does not Mean Identifiable – Google Search Data Sharing under Article 6(11) DMA, Kluwer Competition Law Blog, June 2026.
- EU orders Google to open Android to rival AI assistants, The Verge.
- Designing Europe’s Search Data Sharing Rules for Competition in the AI Era, Knight-Georgetown Institute.
Comments
Join the discussion with an anonymous comment.