The European Commission is finalizing binding measures under its Digital Markets Act that would force Google to share granular search data and open mobile operating systems to third parties, but those requirements directly contradict the EU's own Cyber Resilience Act, according to a commentary published by the R Street Institute. The two regulations mandate platform operators to take opposing actions—one requires them to reduce the number of pathways an attacker can exploit, while the other requires them to create new ones. Both Google decisions are expected as early as July 16.
Under Article 6(11) of the Digital Markets Act, search providers would be required to share anonymized ranking, query, click, and behavioral data with any qualifying search engine or AI chatbot at the same frequency with which they access it internally for a period of at least five years. The recipient list isn't limited to European companies—any qualifying service can request access, including entities outside EU jurisdiction that don't meet EU data protection standards. Under Article 6(7), third-party service providers would receive access to voice activation and screen content capture, with the ability to execute across other applications on a user's device. Real-time screen capture and overlay execution would become standard, available to any app provider.
The report finds that these approaches "bear no technical guarantee against the re-identification of individual users by those with the computational power to perform inference on the data." According to the commentary, "a data pipeline is only as secure as its weakest participant, and the DMA's framework requires no specific security capabilities from its prospective data recipients." The authors write that the Digital Markets Act's interoperability requirements would extend "deep into device architecture with cascading security consequences," requiring significant overhauls of core security and representing "the exact opposite of the principle of least privilege, a core tenet of cybersecurity."
The Cyber Resilience Act requires products to be designed with minimized attack surfaces, with possible penalties of up to 15 million euros or 2.5 percent of global turnover for non-compliance. Device manufacturers bear this responsibility across the entire lifecycle of their products, but the Digital Markets Act's competition measures would require those same companies to expand their attack surfaces. The report notes that the Commission's own data protection body hasn't finalized any anonymization guidelines as it moves ahead to implement binding data-sharing obligations. Different directorates with different mandates developed each measure, and the Digital Markets Act's current proceedings fail to take Cyber Resilience Act requirements into account.
The report concludes that the Commission must address a question it has avoided: when two of its own regulations directly oppose each other, which one takes precedence? The authors recommend setting technical eligibility requirements for data recipients, creating graduated access tiers, and establishing mandatory security baselines—considerations they say have been overlooked. If the Commission doesn't choose the security measure, the report warns, millions of users will bear the consequences of a competition regulation that treats consumer protection as an afterthought.

