M L

07.07.2026

Sharing Search Data Under the DMA: The Risks for User Privacy

The European Commission has proposed measures that could require Google to share search data with rival search engines. But is the anonymisation required sufficient to protect the privacy of European users?

Maria da Assunção da Cunha Reis and Ana S. Pereira Coutinho authored the article "Sharing Data to Promote Competition: The End of Anonymisation as We Know It?", published in the June 2026 edition of Advocatus. The starting point is a concrete regulatory question, but the implications go further: the European Commission's preliminary findings on Alphabet Inc.'s compliance with the Digital Markets Act (DMA) could require Google to share search data with competitors, raising serious concerns in the field of data protection.

What is at stake

The DMA requires gatekeepers, such as Google, to share data on rankings, searches, clicks and views, covering both free and paid searches, with competing search engines. The regulation requires that personal data be anonymised beforehand, but it is precisely the effectiveness of that anonymisation that the article calls into question.

What the Commission Proposes

To mitigate the risks, the Commission proposes a combination of technical and contractual measures. On the technical side, Alphabet would be required to remove direct identifiers such as IP addresses and device IDs, eliminate long queries or those containing rare words, and generalise metadata such as location and device type. On the contractual side, entities receiving the data would be prohibited from linking it to other datasets or sharing it with third parties, with a maximum retention period of 13 months.

The Limits of Anonymisation

The problem, the authors argue, is structural. The anonymisation of behavioural data is inherently imperfect: the combination of multiple data points may be sufficient to re-identify a user. The fact that the Commission felt the need to propose contractual measures as an additional safeguard is itself telling of the doubts surrounding the robustness of the technical measures. Users, moreover, do not expect that their search activity will be transmitted to third parties. Their reasonable privacy expectations cannot be disregarded.

The proposed measures also cover data from artificial intelligence chatbots, which considerably increases the risks. Interactions with these systems tend to be far more granular and revealing than conventional searches, amplifying the likelihood of re-identification.

DMA and GDPR: Challenges of Articulation

What the article ultimately brings to light are the challenges arising from the interplay between two European regulatory frameworks. Drawing the line between personal and non-personal data is, in the digital environment, a complex task: data that appears anonymous may, when combined with other elements, allow the identification of its subjects. If anonymisation mechanisms are not truly irreversible, the GDPR continues to apply, regardless of what the DMA requires.

The public consultation launched by the Commission closed on 1 May 2026. Its outcomes, eagerly awaited, may redefine what is required of organisations in this area, in a direction that could facilitate greater data sharing between entities.

Read the full article here.