ICLE Comments on Alphabet’s Obligations Under Article 6(7) DMA
I. Introduction
The International Center for Law & Economics (ICLE) appreciates the opportunity to respond to the European Commission’s consultation on proposed measures specifying Alphabet’s obligations under Article 6(7) of the Digital Markets Act (DMA). On 27 April 2026, the Commission adopted preliminary findings proposing measures Alphabet must implement to comply with the interoperability obligation for Google Android features relevant to providers of artificial-intelligence (‘AI’) services.[1]
The proceedings target a defined set of features grouped into four categories: (i) invocation, (ii) context, (iii) actions on apps and the operating system, and (iv) access to resources. The Annex to the preliminary findings also sets out 13 feature-specific measures, alongside a horizontal set of ‘measures for all features’ governing ecosystem-wide implementation, user consent, integrity, eligibility, equal effectiveness, free-of-charge access, documentation, technical assistance, future updates, reporting, and waivers.[2]
Article 6(7) DMA requires designated gatekeepers to provide third parties with ‘effective interoperability with, and access for the purposes of interoperability to, the same hardware and software features’ available to the gatekeeper’s own services, subject only to integrity measures that are ‘strictly necessary and proportionate’.[3] Google Android was designated a core platform service in September 2023. These proceedings therefore represent a significant early application of Article 6(7) to AI-facing operating-system features.
These comments address the proposed measures from two perspectives. First, the measures, as currently framed, do not appear well-targeted to the empirical realities of AI use on mobile devices or to the competitive dynamics of the upstream AI-assistant market. Requiring Google to dismantle a key source of Android product differentiation risks softening competition between Google and leading AI providers, such as OpenAI and Anthropic, under the guise of promoting intra-Android rivalry.
Second, the proposed measures do not adequately account for the security and integrity tradeoffs that arise when third parties receive system-privileged access to ambient sensor data, on-device databases, screen-automation APIs, and background-execution channels. The Commission’s narrow interpretation of the integrity provision in Article 6(7) risks leaving both Google and end users with insufficient flexibility to manage emerging security risks.
II. Weak Gateway Theory and Softer AI Competition
Against this backdrop, two questions become central. First, does mobile in fact constitute a critical gateway for AI services such that intervention at the Android layer is justified? Second, even if it does, how are the proposed remedies likely to affect competition in the AI-services market itself?
The answers to both questions cast doubt on the Commission’s approach. Current evidence suggests that users still access AI services predominantly through desktop browsers and browser-based interfaces, rather than through mobile-device integrations. That weakens the factual basis for treating Android as an indispensable gateway for AI-assistant providers.
At the same time, the proposed measures risk reshaping competition in ways the preliminary findings do not fully confront. To the extent the remedies limit Google’s ability to integrate Gemini deeply into Android, they may weaken rather than strengthen rivalry in AI services. The measures would reduce one of the principal ways Google can compete against specialist AI firms, while simultaneously granting equivalent system access to rivals that already hold leading positions in the market.
This creates a potential tension between the DMA’s twin objectives of fairness and contestability. Measures intended to expand intra-platform access may, in practice, reduce inter-firm competition in AI services overall.
A. Android Is Not Yet a Critical Gateway for AI Services
The DMA’s application turns on whether the relevant core platform service constitutes an ‘important gateway for business users to reach end users’.[4] The preliminary findings invoke that premise by observing that ‘around 60 per cent of mobile users in Europe own a Google Android smart mobile device’ and concluding that ‘mobile devices powered by Google Android represent a crucial gateway for providers of stand-alone AI services to reach end users’. That conclusion does not automatically follow from Android’s share of mobile devices. The relevant question is not whether Android is a popular operating system in the abstract, but whether mobile devices serve as a critical channel through which providers of stand-alone AI services reach end users.
The available evidence suggests that AI services remain disproportionately desktop-centric. Google’s own AI offering illustrates the point. In October 2025, Gemini recorded roughly 813 million monthly desktop sessions, compared with 369 million on mobile devices—a desktop-to-mobile ratio exceeding two-to-one.[5] Industry analyses indicate similar usage patterns across leading AI services.[6] AI firms currently build user engagement primarily through browser-based and desktop interfaces, rather than through mobile-device integrations.
That pattern reflects the nature of current AI-assistant use cases. Activities such as research, drafting, coding, and long-form querying typically involve sustained-attention workflows that users perform on larger screens. Mobile interactions, by contrast, remain shorter and more intermittent.
These figures weaken the empirical basis for treating Google Android as an ‘important gateway’ for AI services in the manner suggested by the preliminary findings. End users currently access AI services predominantly through other channels, most notably desktop browsers. This does not call Android’s gatekeeper designation into question more broadly. It does, though, counsel caution. Given current AI-usage patterns, the Commission’s limited enforcement resources may be better directed elsewhere.
B. The Proposed Measures May Soften Competition in AI Services
Even if Android constitutes a meaningful distribution channel for AI services, the proposed measures should still be assessed in light of their likely effect on competition in the AI-services market itself. The most recent industry data indicate that Gemini is not the market leader in AI-assistant usage. ChatGPT reportedly accounted for roughly 70 per cent of EU AI-chatbot usage in April 2026.[7] Claude, meanwhile, has captured substantial enterprise and developer demand, with an estimated $14 billion annualised revenue run-rate by February 2026 and adoption by eight of the Fortune 10.[8] In the market targeted by the proposed measures, Google is therefore the challenger, not the incumbent.
That distinction matters because the proposed measures threaten one of the principal ways Google differentiates its AI offering. As the Commission itself recognises, Google’s AI strategy relies on a vertically integrated stack that spans chips (Tensor and TPU), cloud infrastructure (Google Cloud), foundation models (the Gemini family), platform integration (Search, Maps, Calendar, Gmail, YouTube, and Photos), and distribution channels (Android, Chrome, and Google Play). Deep system-level integration with Android—including wake-word reservation, on-device database access through the default-assistant role, AI Core preferential RAM access, and structured App Functions—is one of the few mechanisms through which Google can translate that integrated stack into a differentiated end-user experience capable of competing with the specialist offerings of leading AI labs.
Requiring Google to reduce that integration to the level available to third-party applications may promote intra-Android rivalry. It may also deprive Google of a key means of competing against OpenAI and Anthropic. The likely effect would not necessarily be a more competitive AI-assistant market overall, but a softer one in which the trailing integrated competitor cannot compete on the basis of its comparative strengths. This raises a potential tension within the DMA’s dual objectives. Measures intended to promote fairness through intra-platform competition may simultaneously reduce contestability by weakening inter-firm rivalry in AI services.
The likely beneficiaries further reinforce this concern. The firms best positioned to take immediate advantage of equal access to wake-word detection, screen automation, App Functions, AI Core, and ambient sensor data are the companies that already lead the global AI-assistant market, including OpenAI and Anthropic, alongside well-resourced firms such as Microsoft, Meta, and major Chinese model providers. In practice, the remedies risk transferring competitive advantages from the trailing integrated operator of the Android platform to dominant specialist AI firms. That outcome sits uneasily with the DMA’s contestability rationale, which ordinarily targets entrenched market leaders rather than reinforcing their position.
This concern is not merely theoretical. A close functional analogue emerged in connection with Meta’s integration of its AI assistant into WhatsApp. In October 2025, Meta amended its WhatsApp Business Solution Terms to restrict the provision of general-purpose AI-assistant services through the WhatsApp Business API, while preserving the preferential in-platform position of Meta AI. The Italian Competition Authority subsequently adopted interim measures requiring Meta to suspend the policy. The European Commission opened formal proceedings in December 2025, and other authorities launched parallel investigations. The remedies under consideration would require Meta to allow third-party AI assistants to operate on equivalent terms to Meta AI within the platform.
At a high level, the policy objective resembles that of the present proceedings: protecting AI competition on widely used consumer platforms. The practical effect, though, may again be to remove a differentiating integration that Meta could otherwise use to compete with leading AI providers. Taken together, the two cases suggest a broader pattern. Enforcement actions nominally aimed at promoting AI competition on major digital platforms may instead require Google and Meta to grant equivalent system access to the very firms—OpenAI, Anthropic, and others—that already lead the AI-assistant market.
III. The Proposed Measures Underestimate Security Risks
The proposed measures, taken together, would grant third-party AI services access to an unusually broad and sensitive set of system capabilities. In practical terms, the Annex would require Alphabet to provide third parties with access, on terms ‘equally effective’ to those available to Google’s own services, including:
- continuous background access to core ambient sensors—including the microphone, camera, screen, speakers, accelerometer, and GPS—with consent flows, latency, and data quality equivalent to Google’s own services (paragraphs (48)–(56));
- centralised and concurrent access to data donated by apps through on-device databases such as AppSearch, including data donated by Google’s own first-party applications (paragraphs (21)–(28));
- always-on custom wake-word detection operating through the digital signal processor, including in battery-saver mode and with third-party-controlled second-stage validation (paragraphs (9)–(20));
- the ability to control other applications through screen automation, simulate user inputs, observe screen content, and execute multi-step transactions in a virtual background window (paragraphs (66)–(74));
- interaction with operating-system settings and ongoing system activities—including Bluetooth, do-not-disturb, media playback, alarms, and messaging—on the same footing as Gemini (paragraphs (85)–(93));
- system-level access to AI Core, Gemini Nano, and underlying NPU, GPU, and RAM resources, including the ability for users to grant third-party on-device models the same preferential hardware access currently reserved for Google’s own services (paragraphs (94)–(111)); and
- expanded background-execution privileges, including the ability for users to grant third-party applications the same level of persistent background execution that Alphabet requires OEMs to provide to Google applications (paragraphs (112)–(120)).
Each capability raises substantial security and privacy concerns on its own. Taken together, they create an attack surface qualitatively different from anything Article 6(7) has previously been used to open.[9] The Apple iOS specification decisions adopted in March 2025 concerned comparatively bounded connectivity functions, such as NFC, Bluetooth pairing, Wi-Fi accessory configuration, and notification forwarding.[10] By contrast, the measures proposed here concern continuous ambient audio and video capture, cross-application access to device-level data layers, and agentic control over other applications. In the wrong hands, such capabilities could facilitate mass surveillance, credential exfiltration, and unauthorised transactions.
Article 6(7), properly interpreted, does not require unconditional openness. The provision expressly permits ‘strictly necessary and proportionate’ measures to ensure interoperability does not compromise the integrity of the operating system or its features. Recital 50 likewise recognises integrity protections as a legitimate component of Article 6(7) compliance. The relevant question, therefore, is not whether integrity measures are permissible, but how they should be scoped so as not to nullify interoperability obligations while still recognising that greater openness can materially increase security risks.
The proposed measures nonetheless interpret the security and integrity exceptions narrowly. Section 5.3 of the Annex requires any integrity measure to be ‘duly justified’ and based on ‘transparent, objective, precise, and non-discriminatory conditions’ that also apply to Google’s own services. It further requires ‘objective and verifiable evidence showing the existence and magnitude of the integrity risk’, proof of the measure’s effectiveness, and the possibility of ‘independent verification’ not ‘exclusively within the gatekeeper’s control’.[11]
Applied together, these requirements substantially constrain the most natural response to genuinely novel security risks: declining to expose highly sensitive capabilities until the threat landscape becomes better understood. By definition, emerging harms rarely produce ‘objective and verifiable’ evidence ex ante.
Three concerns with the current framework deserve particular attention. First, the requirement for ‘objective and verifiable evidence’ sits uneasily with established security-engineering practice. Many successful security architectures rely on conservative assumptions about adversarial behaviour, rather than waiting for demonstrated exploitation. A framework that treats the absence of proven past harm as evidence against precaution risks undermining the very safeguards that make modern operating systems secure.
Second, the requirement that integrity measures apply equally to Google’s own services compresses the available design space in ways that may ultimately harm users. On paper, symmetry appears attractive. In practice, Google differentiates between first-party services and third-party applications across multiple trust dimensions, including code-signing provenance, internal security review, contractual relationships with OEMs, and the company’s ability to revoke access rapidly if problems emerge. The Annex would nonetheless require any restriction imposed on third parties to apply equally to Google’s own services, regardless of those trust differences.
That creates a stark binary choice: either Google extends highly sensitive capabilities to third parties on equal terms, or it withdraws those capabilities from its own services entirely. The former may create unacceptable security risks. The latter would reduce consumer welfare by degrading—or preventing access to—innovative features.
Third, the Annex underestimates the interaction between interoperability mandates and the EU’s own data-protection framework. Mandated openness may place gatekeepers in tension with their parallel obligations to protect user data. This concern is especially acute where Google would need to provide third-party AI services with concurrent access to data stored on-device by first-party applications such as Gmail, Calendar, and Photos.
User consent alone does not fully resolve that tension. Consent frameworks that produce formal parity at the system level may still generate meaningful asymmetries in user understanding where one party is a globally recognised platform and the other is a newly installed third-party application.
IV. Conclusion
The Commission’s proposed measures face two fundamental problems.
First, the preliminary findings do not adequately account for the broader competitive effects of the remedies in AI services themselves. Current evidence suggests that AI usage remains heavily desktop-centric, which weakens the premise that Android presently functions as an indispensable gateway for AI-assistant providers. More importantly, Google is not the dominant player in the AI-assistant market. It is a trailing integrated competitor attempting to challenge specialist firms such as OpenAI and Anthropic through deep integration across hardware, software, cloud infrastructure, and distribution.
The proposed measures would weaken one of Google’s principal channels of differentiation while simultaneously extending equivalent system access to rivals that already lead the market. In practice, the remedies risk protecting intra-Android rivalry at the expense of broader inter-firm competition in AI services. The parallel proceedings concerning Meta AI and WhatsApp underscore the point. Taken together, the cases suggest an emerging enforcement pattern in which vertically integrated platform operators must open key integration points to specialist AI firms that already occupy leading market positions.
Second, the proposed measures interpret the integrity exception in Article 6(7) too narrowly. The capabilities covered by the Annex—including ambient sensor access, centralised on-device databases, always-on wake-word detection, agentic screen automation, system-level AI resources, and expanded background execution—create security and privacy risks materially different in scale and kind from those addressed in prior Article 6(7) proceedings. Yet the framework for integrity protections has narrowed correspondingly.
The Annex’s insistence on ‘objective and verifiable’ evidence of harm risks preventing gatekeepers from responding prudently to emerging threats before those threats materialise. That approach sits uneasily with established security-engineering principles, which frequently rely on precautionary assumptions precisely because novel attack vectors are difficult to demonstrate ex ante. Likewise, the requirement that restrictions apply identically to Google’s own services disregards meaningful differences in trust, accountability, and security oversight between first-party and third-party applications.
The likely result is one of two undesirable outcomes. Either the Android ecosystem becomes materially less secure for European users, or Google responds by withdrawing or degrading advanced AI functionality across the platform in order to avoid asymmetric obligations. Early DMA implementation in other contexts already points toward the risk of this kind of defensive levelling-down.
The Commission should therefore reconsider three aspects of the proposed measures. First, it should reassess whether extensive intervention at the Android layer represents a prudent use of enforcement resources given current AI-usage patterns. Second, it should evaluate more explicitly the cross-market consequences of the remedies for competition in AI services, including their asymmetric effects on Google relative to the market leaders. Third, it should recalibrate the integrity framework to preserve meaningful room for genuine security protections, including temporary restrictions on particularly sensitive functionalities where the risks remain uncertain or rapidly evolving.
In short, the Commission should give equal weight to both halves of Article 6(7): openness and integrity. Effective DMA enforcement should promote competition without undermining security, innovation, or rivalry in the AI markets that matter most to European consumers.
[1] Eur. Comm’n, Case DMA.100220, Alphabet—Google Android (AI) (2026).
[2] Eur. Comm’n, Case DMA.100220, Annex (Draft Measures), Google Android Interoperability (2026), https://digital-markets-act.ec.europa.eu/document/download/bb7151ff-5d0a-420e-abaa-a2bdbfd30c26_en?filename=DMA.100220%20-%20Annex%20%28draft%20measures%29%20-%20Google%20Android%20-%20interoperability.pdf [hereinafter Annex].
[3] Regulation 2022/1925 of the Eur. Parl. & of the Council of 14 Sept. 2022 on Contestable & Fair Markets in the Digital Sector (Digital Markets Act), art. 6(7), 2022 O.J. (L 265) 1.
[4] Regulation 2022/1925, supra note 3, art. 3(1)(b) (defining a core platform service as an important gateway for business users to reach end users).
[5] Elton Chan, 30+ Google Gemini Statistics for 2026: Usage, Market Share, Growth, & Performance, SecondTalent (21 Apr. 2026), https://www.secondtalent.com/resources/google-gemini-statistics.
[6] How Desktop & Mobile Influence AI Search Traffic Referrals, Passionfruit (10 Nov. 2025), https://www.getpassionfruit.com/blog/how-desktop-and-mobile-influence-ai-search-traffic-referrals.
[7] AI Chatbots—Market Share Europe, StatCounter, https://gs.statcounter.com/ai-chatbot-market-share/all/europe (last visited 12 May 2026).
[8] Anthropic, Press Release, Anthropic Raises $30 Billion in Series G Funding at $380 Billion Post-Money Valuation (12 Feb. 2026), https://www.anthropic.com/news/anthropic-raises-30-billion-series-g-funding-380-billion-post-money-valuation.
[9] Mikolaj Barczentewicz, Opening Pandora’s Interface: AI Assistants and the DMA, Truth on the Mkt. (14 Apr. 2026), https://truthonthemarket.com/2026/04/14/opening-pandoras-interface-ai-assistants-and-the-dma.
[10] Eur. Comm’n, Case DMA.100203, Apple iOS (Features for Connected Physical Devices) (2025).
[11] Annex, supra note 2, ¶¶ 125–131, 138–142.