Google's most senior privacy and security executives are warning that European Union plans to force open its search data and Android ecosystem could expose users to hacking and fraud — with one executive predicting it could take just weeks after implementation for criminal activity to spike.
The warnings come ahead of a July 27 deadline, when European Commission officials are expected to finalize decisions under the Digital Markets Act (DMA) — the EU's landmark competition framework targeting Big Tech "gatekeepers."
What the EU Is Proposing
The European Commission's proposals have two main components:
- Search data sharing: Google would be required to provide rival search engines with access to query inputs, click data, and ranking results — data "on par" with what Google itself collects
- Android interoperability: Third-party AI services would gain expanded access to the Android operating system
Anonymization requirements and contractual restrictions are built into the proposals, prohibiting recipients from attempting to re-identify users or combine the data with other sources.
Google's Security Warning
Heather Adkins, Google's VP of security engineering and a founding member of its security team, delivered a stark assessment.
"If implemented as described today, I think within a short period of time on Android, we'd see a significant increase in fraud in the EU. The fraudsters are creative and informed. Past implementation date, I would give it maybe weeks before we began to see an increase in fraud in Europe."
On the search data side, Adkins raised concerns about the contractual security model for smaller companies receiving the data.
"Our working assumption is, if we are asked to hand over data we lose control of it. If you're a small European startup and you're getting this data from Google, you're going to get hacked — and that's just the kind of reality of the situation."
The Anonymization Debate
David Lewis, Google's director of privacy advisory for EMEA, claims the proposed anonymization techniques have "deep weaknesses" and that privacy engineers have already demonstrated the data can be re-identified.
"Privacy engineers have proved that this data can be easily reidentified. If data can be reidentified, it is not anonymous in the first place. And the law specifically requires it to be anonymized."
Google has reportedly claimed its security red team could re-identify search users from the shared data in less than two hours, though the full methodology hasn't been published.
Adkins also flagged large language models as a potential tool bad actors could use to de-anonymize leaked search data.
A Divided Response
Not everyone accepts Google's framing. Critics — including search engine competitors who stand to benefit from the data access — argue the risks are overstated.
Kamyl Bazbaz, chief communications and policy officer at a privacy-focused search competitor, pushed back directly:
"The legal standard here doesn't require eliminating every theoretical risk of reidentification — it requires reducing it to an insignificant level, which the Commission's approach does."
Independent perspectives are similarly split:
- Independent security researcher Lukasz Olejnik wrote that the "sanitization" measures around the data "are not adequate for this volume, scale, and privacy landscape"
- University of Vienna professor Lena Hornkohl argued the reidentification risk should be evaluated against the proposed protection systems — not treated as disqualifying
- Brave, the privacy-focused search engine, called the current proposals a "severe privacy risk" but said the Commission should pursue other measures to curb Google's dominance instead
What's at Stake
Google's search business controls an estimated 90 percent of the global search market — making it the only search engine subject to DMA rules. The data it would be required to share is, as Alissa Cooper of the Knight-Georgetown Institute put it, "a unique data set which only Google has had access to for many, many years."
The European Commission acknowledged WIRED's request for comment but did not respond to Google's specific concerns before publication. A final decision is expected before the end of July.



