The European Commission’s Search-Data Trust Fall
The European Commission is trying to pull off a difficult trick: force Google to share search-query data with rivals while insisting the shared data is no longer personal data at all.
That is the central tension in the Commission’s April 16 preliminary findings under Article 8(2) of the Digital Markets Act (DMA), which specify how Alphabet must comply with Article 6(11)’s data-sharing obligations. The consultation closed May 1, and a final implementing act is due by July 27.
The proposed measures are detailed, and they reflect a serious effort to reconcile the DMA’s data-access mandate with the General Data Protection Regulation’s (GDPR) anonymization requirement. In particular, the Commission proposes a two-layer regime: a technical anonymization pipeline—attribute suppression, allowlisting, length thresholds, metadata generalization, and “mini-sessionization”—backed by contractual restrictions and recurring audits.
The problem is that the regime works only if both layers hold. And each layer depends heavily on trust in the other.
This post examines two questions the Commission has not adequately answered.
First, are the technical measures sufficient—on their own terms—to render the Search Dataset anonymous under European Union law? Put differently, do they ensure that re-identification “appears in reality to be insignificant,” under the Court of Justice of the European Union’s (CJEU) standard in Breyer, later reaffirmed in Single Resolution Board (SRB)?
Second, are the contractual and audit mechanisms robust enough to handle the realistic range of recipients? That includes recipients who are technically competent, commercially sophisticated, and not formally designated as hostile, but who may still behave adversarially in practice.
My short answer to both questions is no. More importantly, the two weaknesses reinforce each other.
The Commission has shifted meaningful risk-bearing work from the technical layer to the contractual layer, and from the contractual layer to private enforcement after the fact. If the audit process cannot be trusted, the anonymization process cannot be trusted. If the anonymization process cannot be trusted, the data was never lawful to share.
I will explain why both lines of defense are weaker than the consultation document suggests. In doing so, I draw on my earlier analyses of the coming GDPR/DMA Article 6(11) conflict, my coverage of the 2024 and 2025 DMA compliance workshops, and my comparison of the EU DMA regime with Judge Amit Mehta’s user-side data-sharing remedy in U.S. v. Google. I also draw on the International Center for Law & Economics (ICLE) comments submitted to the Commission during the consultation by Geoffrey Manne, Dirk Auer, and Mario Zúñiga regarding Alphabet’s Article 6(11) obligations.