Over the past two decades, Google has built part of its reputation around protecting the queries users type into its search box. A pending European Commission decision would force the company to hand that data over, anonymized, to its competitors. According to independent security researchers and Google's own security leadership, the result could be one of the largest accidental hacking targets ever written into European law.
The Commission published initial details in April on how Google should share anonymized search results with rivals and let outside AI services reach certain Google data, under the EU's Digital Markets Act (DMA), the bloc's competition rule for "gatekeeper" platforms. The specific mandate sits in Article 6(11). A parallel consultation on Android interoperability under Article 6(7) is moving at the same time. Final decisions on both Google cases are expected in the coming weeks.
That is where Google's security team started objecting. According to a Wired report, Google's security leadership, including vice president of security engineering Heather Adkins, has warned that forcing large volumes of search telemetry to flow to outside systems would expose the data to hacking and cybercrime in ways the company's internal protections were never designed to handle. Google's framing has an obvious commercial interest. The reason the warning still matters is that an outside researcher is saying the same thing, for different reasons.
Łukasz Olejnik, an independent security researcher, argues in a recent post that the Commission's anonymization scheme is itself the vulnerability. Query-level data at Google's scale, he writes, resists true anonymization: with the right auxiliary information, individual users can be re-identified, and the resulting corpus becomes a target for scraping, account takeover, and downstream AI training pipelines that reuse the data in ways the original regulation never contemplated.
The mechanism is straightforward. Search queries reveal medical conditions, location patterns, financial stress, and political views. Once that signal is aggregated and shipped to dozens of recipients under a single interoperability obligation, each recipient becomes a new custodian of a high-value target. Anonymization softens the obligation. It does not change who holds the data.
The two critiques do not cancel each other; they reinforce each other. Companies regularly invoke "security" when they want to slow a regulation, and the Commission's consultation can absorb that. What it cannot easily dismiss is a parallel critique from researchers who are not aligned with Google's commercial position and who arrive at a similar risk surface for technical reasons. Even if the loudest warnings came from Google alone, the design questions raised by Olejnik would still be in front of the Commission when its decision lands.
That leaves the Commission with a narrow set of options. It can narrow the data scope to exclude query-level signals, push anonymization toward differential privacy or aggregation thresholds that resist re-identification, restrict which counterparties are eligible to receive the data, or delay the decision and reopen the technical design. Doing none of those things leaves the rule as drafted, with the researcher community already on record that the design is unsafe.
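The gap between a pseudonymized query-level release and an aggregation-threshold release can be measured on a toy log. The sketch below is an added illustration, not code from the Commission, Google, or Olejnik's post; the log entries, the function names and the threshold `k = 3` are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of a pseudonymized query log: (pseudonym, query).
# Pseudonyms replace user IDs, but each user's queries stay linked together.
LOG = [
    ("u1", "weather berlin"), ("u1", "insulin pump recall"),
    ("u1", "bakery near kreuzberg"),
    ("u2", "weather berlin"), ("u2", "football scores"),
    ("u3", "weather berlin"), ("u3", "football scores"),
    ("u4", "weather berlin"), ("u4", "debt consolidation loan"),
    ("u4", "football scores"),
    ("u5", "football scores"), ("u5", "weather berlin"),
]

def users_per_query(log):
    """Map each query to the set of distinct pseudonyms that issued it."""
    seen = defaultdict(set)
    for user, query in log:
        seen[query].add(user)
    return seen

def singled_out(log):
    """Pseudonyms that issued at least one query nobody else issued.

    A recipient who learns that one query from an outside source can
    isolate the pseudonym and read the rest of its linked history.
    """
    return {next(iter(users))
            for users in users_per_query(log).values()
            if len(users) == 1}

def thresholded_release(log, k):
    """Aggregate release: distinct-user count per query, with queries
    seen from fewer than k users suppressed and no per-user linkage."""
    return {query: len(users)
            for query, users in users_per_query(log).items()
            if len(users) >= k}

if __name__ == "__main__":
    print("singled out in query-level release:", sorted(singled_out(LOG)))
    print("thresholded release (k=3):", thresholded_release(LOG, 3))
```

A threshold alone carries no formal guarantee, since counts from successive releases can be compared against each other; differential privacy addresses that by adding calibrated noise to the counts.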
What to watch: the Commission's final decisions on the search data-sharing and Android interoperability measures, expected in the coming weeks. The technical annex attached to those decisions will show whether the Commission adopted any of the structural mitigations researchers have asked for, or whether the regulation ships as drawn.