The Center for Cybersecurity Policy & Law (Center) issued comments in response to DMA.100209 – Alphabet – Article 6(11) -- warning of the security and privacy risks of proposed data sharing requirements.

The preliminary findings in the case would require Google to share highly granular search data – including query, click, view, and ranking data – with a broad range of third-party recipients on a daily basis. The Center’s submission warn that:

• The scope and sensitivity of the data at issue create significant security and privacy risks.
• The diversity of potential recipients expands the number of potential points of vulnerability.
• The proposed technical and contractual safeguards are insufficient to address these risks.

The Center urges the European Commission to revise the measures to account for the significant security, privacy, and associated public safety risks.

Background: 

In November 2022, the EU’s Digital Markets Act (DMA) went into effect. Among other measures, the DMA imposes data-sharing obligations on designated “gatekeepers.” Google’s parent, Alphabet, was designated a gatekeeper in 2023 in response, Google implemented a program to provide qualifying third parties with access to certain search data, subject to security conditions. 

In 2026, the European Commission opened proceedings to further define Alphabet’s data sharing  obligations. On April 16, 2026, it issued preliminary findings that would significantly expand the scope of required data sharing. Specifically, the proposed measures would require Alphabet to share detailed search data at the individual record level, on a daily basis, and with a broad range of eligible recipients — including chatbots with online search engine functionalities, even if the search engine functionalities are just one part of a broader service being provided. 

CCPL Comments - Key Concerns: 

The Center’s comments focus on the cybersecurity and privacy risks associated with these proposed remedies, to include a discussion of the following:

• The increasingly complicated threat landscape -  The cybersecurity threat landscape is rapidly evolving in both sophistication and scale. Already, over the past decade, the number and sophistication of cyber-attacks and cyber intrusions have increased exponentially — highlighting the critical importance of strong digital security.
  The emergence of increasingly capable frontier models is making it easier to identify, chain, and exploit vulnerabilities and automate attacks, thus reducing the time, expertise, and resources needed to carry out complex cyber operations. 

• The sensitivity of granular search data -  The proposed measures require Alphabet to share click, view, and query data at the individual level. This is highly sensitive data. Such data reflects what individuals are thinking about, struggling with, or seeking to understand at a particular moment in time. It includes incredibly sensitive information about individuals’ personal affiliations, interests, health status and location — creating valuable insights into user behavior, preferences, and patterns of activity.

• The risks of distributing sensitive data at scale - The proposed measures would require large-scale data sharing with a potentially broad set of third parties, on a daily basis. Each additional holder of the data and each new transit point introduces new potential entry points for malicious actors and new opportunities for de-identification. Even with safeguards in place, each additional point of access introduces new opportunities for de-identification, unauthorized use, interception, tracking, or exploitation.
  
  
• Insufficient Safeguards - The proposal relies on a mix of technical measures (i.e., anonymization and pseudonymization techniques) and contractual requirements (i.e., restrictions on re-identification and onward sharing) to minimize security and privacy risks. But these safeguards do not sufficiently address the risks. The risk of data re-identification remains a possibility, even if the anonymization and re-identification procedures are properly applied. The rapid evolution of data analytics, artificial intelligence, and machine learning techniques heightens these risks. Moreover, there are multiple unanswered questions about oversight and enforcement. Alphabet is charged with imposing and enforcing a large list of compliance and related contractual obligations. But it does not have the authority to actively monitor use, nor should it.

• Broader security and strategic concerns - The definition of qualifying services extends to AI chatbots and others that meet the definition of online search engine. Despite that, the proposed sharing requirements do not account for ownership structure, jurisdictional affiliation, or the broader data ecosystem in which those entities operate. In practice, this may result in access being granted to a wide swath of entities that, while operating within the EU or EEA, are headquartered elsewhere or subject to foreign ownership or control. Third-party recipients may be required to comply with foreign legal obligations that could compel access to or disclosure of the data, and without regard to EU law.

The Center urges the European Commission to revisit the proposed measures to better account for the security, privacy, and broader public safety risks. The comments call for a more calibrated approach: one that narrows the scope of required data sharing, strengthens security requirements for recipients, ensures that appropriate safeguards and oversight mechanisms are in place, and limits recipients to those that do not have ties to state actors outside of the European Union.  

‍