Google Scientist Warns EU Data Rules May Hurt Privacy

💡 A senior Google researcher argues that EU data-sharing mandates could paradoxically expose users to greater privacy risks than they aim to prevent.

A top Google scientist has warned that the European Union's sweeping data-sharing measures — designed to curb Big Tech dominance — could paradoxically create serious privacy risks for the very users they are meant to protect. The warning highlights a growing tension between competition enforcement and data security that could reshape how AI companies operate across Europe.

The remarks come as the European Commission, which serves as the EU's primary competition enforcer, has in recent years cracked down on Big Tech through a slew of legislation including the Digital Markets Act (DMA), the Digital Services Act (DSA), and the EU AI Act. Together, these laws represent the most aggressive regulatory framework targeting technology companies anywhere in the world.

Key Takeaways

  • A senior Google researcher warns that EU data-interoperability mandates could expose user data to less-secure third parties
  • The Digital Markets Act requires designated 'gatekeepers' like Google, Apple, Meta, and Amazon to share certain data with competitors
  • Forced data portability may create new attack surfaces that hackers and bad actors can exploit
  • The EU has imposed over $10 billion in fines on Google alone over the past decade for competition violations
  • Privacy advocates are increasingly split on whether data-sharing mandates help or harm consumers
  • The debate mirrors similar regulatory discussions underway in the US, UK, Japan, and Australia

EU Data Mandates Force Big Tech to Open Up

The Digital Markets Act, which took full effect in March 2024, designates the largest technology platforms as 'gatekeepers' and imposes strict obligations on how they handle user data. Companies including Alphabet (Google), Apple, Meta, Amazon, Microsoft, and ByteDance have all been designated under the law.

One of the DMA's core requirements is data interoperability — the mandate that gatekeepers must allow users to port their data to rival services and, in some cases, share aggregated data with competitors. The European Commission argues this levels the playing field and prevents monopolistic lock-in.

However, Google's research team contends that these requirements fundamentally conflict with privacy-by-design principles. When data moves between systems with different security architectures, the risk of breaches multiplies. Unlike previous EU regulations like GDPR, which focused on restricting data flows, the DMA actively encourages them — creating what critics call a regulatory contradiction.

Google Scientist Raises Alarm on Security Gaps

The core of the argument centers on what happens when highly sensitive user data — search histories, location data, behavioral patterns, and AI-generated profiles — must be made available to third-party services that may not maintain the same security standards as Google's infrastructure.

Google has invested an estimated $10 billion annually in cybersecurity and data protection infrastructure. Smaller competitors receiving shared data under DMA mandates may lack comparable defenses. The Google scientist argues this creates an asymmetric risk profile where users' data becomes only as secure as the weakest recipient in the chain.

This concern is not purely theoretical. In 2023, several data breaches at mid-sized European tech companies exposed millions of user records. If those companies had also been receiving Google-shared data under interoperability mandates, the scope of such breaches would have been significantly larger.

  • Attack surface expansion: Each new data recipient adds potential vulnerability points
  • Inconsistent encryption standards: Not all companies implement end-to-end encryption at Google's level
  • Third-party API risks: Data-sharing APIs can be exploited if not rigorously secured
  • Regulatory arbitrage: Some recipients may operate in jurisdictions with weaker enforcement

Privacy Advocates Are Divided on the Issue

The debate has created an unusual split within the privacy community. Traditional digital rights organizations like the Electronic Frontier Foundation (EFF) and Access Now have long advocated for breaking Big Tech's data monopolies, viewing data portability as empowering for users.

But a growing faction of privacy researchers argues that the EU's approach conflates competition policy with privacy policy in dangerous ways. Max Schrems, the Austrian privacy activist whose legal challenges led to the invalidation of the EU-US Privacy Shield, has expressed nuanced concerns about ensuring data-sharing mandates don't undermine GDPR protections.

The tension is particularly acute in the AI sector. Large language models and generative AI systems are trained on vast datasets, and forced data sharing could inadvertently expose proprietary training data or user interactions to competitors. Google's Gemini, OpenAI's ChatGPT, and Anthropic's Claude all process enormous volumes of personal data that could fall under interoperability requirements.

Compared to the US approach — where regulation has been largely sector-specific and voluntary — the EU's comprehensive framework represents a fundamentally different philosophy. Washington has so far relied on executive orders and industry self-regulation, while Brussels has opted for binding legislation with significant penalties.

The Broader AI Industry Faces Regulatory Uncertainty

Google's warning reflects a wider anxiety across the technology industry about the cumulative impact of EU regulation. Companies now face compliance obligations under at least 4 major EU frameworks simultaneously:

  • GDPR (2018): Governs data collection, processing, and user consent
  • Digital Services Act (2022): Regulates content moderation and platform transparency
  • Digital Markets Act (2024): Mandates interoperability and data sharing for gatekeepers
  • EU AI Act (2024): Classifies AI systems by risk level and imposes corresponding requirements

The compliance burden is substantial. Industry estimates suggest that major tech companies are spending between $500 million and $1.5 billion each on EU regulatory compliance. For smaller AI startups, these costs can be prohibitive — ironically benefiting the very incumbents the regulations aim to constrain.

Microsoft and Apple have also raised concerns about the DMA's data-sharing provisions, though they have been less vocal than Google. Meta has taken a different approach, arguing that some interoperability requirements actually benefit its ecosystem by allowing cross-platform messaging integration.

What This Means for Users and Businesses

For everyday users, the implications are significant but complex. On one hand, data portability gives consumers more choice and makes it easier to switch between services. On the other hand, each data transfer creates a moment of vulnerability.

Businesses operating in Europe face a difficult balancing act. They must comply with GDPR's data minimization principles while simultaneously meeting DMA's data-sharing requirements. Legal experts describe this as navigating 'regulatory crosscurrents' that sometimes pull in opposite directions.

AI developers building products for the European market need to consider several practical steps:

  • Implement robust data-in-transit encryption for all interoperability endpoints
  • Conduct regular third-party security audits of data-sharing partners
  • Build granular user consent mechanisms that explain exactly where data flows
  • Maintain detailed data lineage tracking to satisfy both GDPR and DMA requirements
  • Invest in privacy-enhancing technologies (PETs) like differential privacy and federated learning

For US-based companies, the EU's approach serves as a preview of potential domestic regulation. Several bills currently before Congress — including the American Innovation and Choice Online Act — contain similar interoperability provisions.

Looking Ahead: A Regulatory Collision Course

The coming 12 to 18 months will be critical. The European Commission is expected to issue its first major DMA compliance assessments by late 2025, and enforcement actions could follow quickly. Google, Apple, and Meta have all submitted compliance plans, but the Commission has signaled that some measures may fall short.

Meanwhile, the EU AI Act's tiered enforcement timeline means that additional obligations will phase in through 2026. The intersection of AI regulation and data-sharing mandates creates a particularly complex landscape that no jurisdiction has fully navigated before.

Google's warning may ultimately serve both its corporate interests and a legitimate public concern. The company clearly benefits from keeping user data within its own secure ecosystem. But the underlying technical argument — that forced data sharing creates privacy risks — has merit that regulators would be unwise to dismiss.

The most likely outcome is a compromise framework where data-sharing mandates come with minimum security standards that recipients must meet before accessing gatekeeper data. Several members of the European Parliament have already proposed amendments along these lines.

What remains clear is that the EU's ambitious regulatory experiment is entering its most consequential phase. The decisions made in Brussels over the next year will determine whether Europe's approach becomes a global model for tech regulation — or a cautionary tale about unintended consequences.