Google Security VP Warns EU DMA Data-Sharing Plan Risks Fraud

Wired reported that Google's VP of Security Engineering, Heather Adkins, has warned that EU proposals to open Android and Search data to rival platforms could lead to a significant rise in fraud within weeks. The accompanying technical finding is specific: Google's red team managed to re-identify individual users from the Commission's proposed anonymized search data in less than two hours.

The data at issue is Google's search ranking signals, user queries, clicks, and view data, which the Digital Markets Act requires Google to share with rival search engines and AI providers on fair, reasonable, and non-discriminatory terms. Sergei Vassilvitskii, a distinguished scientist at Google since 2012, raised the re-identification finding directly with Commission officials. As The Next Web reported, his statement was blunt: "We are concerned because the EC's approach to anonymisation fails to protect Europeans' privacy: our red team managed to re-identify users in less than two hours." He added that Google is "eager to share our technical expertise and work with the EC to establish the right guardrails."

The Commission must finalize its data-sharing measures by July 27, 2026, and non-compliance can carry fines of up to 10% of Google's global annual revenue. The honest caveat is that Google's conflict of interest here is substantial: critics have noted that the company's stake in resisting these measures means its security claims deserve scrutiny, not automatic deference. What the reporting does not give you is a full accounting of what Google's proposed alternative privacy guardrails would look like in practice, or whether the Commission finds them genuinely adequate.

For AI companies such as OpenAI, which the Commission's framework would allow access to Google's search data on equal terms, a delayed or weakened implementation is the less favorable outcome. The more durable question is whether this standoff produces a workable differential privacy standard for mandated data sharing, or a rushed compromise before July 27 that satisfies neither the Commission's competition goals nor Google's security objections.