One Blueprint, Two Standards: The Commission’s Inconsistent DMA Decisions on Google
One Blueprint, Two Standards: The Commission's Inconsistent DMA Decisions on Google
17 July 2026
The Commission has just handed down two DMA decisions against Google, and on the search data side, it has landed close to exactly what EPICENTER argued for in April. Tiered access, proportionate safeguards, a built-in amendment mechanism. We called for it. They adopted it. The Android side is a different story.
One forces Android to open its AI-relevant features to rival assistants. The other requires Google to share anonymised search ranking, query and click data with competing search engines and AI chatbot providers. Both are framed as pro-competition. Neither is as straightforward as that framing suggests.
"These decisions swap consumer choice for regulatory design," says Dr Diana Nasulea, EPICENTER Fellow. "Instead of users deciding which products win on quality, Commission specification documents now define, field by field, what data must flow and on what terms."
That is the core problem with both decisions. Each one replaces market competition with a regulator's blueprint for how these markets should work. That is a real cost, and it does not disappear just because the goal is more competition.
Once the Commission has decided to design the market rather than let it compete, though, the design still has to be good. On search data, it mostly is. On Android, it falls short in a way that is fixable, and worth fixing before the next round of this framework arrives.
Where the design at least holds up
"The Commission has adopted a recipient-by-recipient risk assessment before any data is shared, together with a built-in mechanism to amend the decision as the market evolves," Diana notes. "That is exactly the calibration we called for in our April briefing: access proportionate to demonstrated safeguards, not uniform access for anyone who happens to qualify."
Credit where it is due. This is not consumer choice, competitors still get access because the Commission decreed it, not because users chose them. But if the Commission is going to specify access by decree, tying that access to a genuine risk assessment, and building in a mechanism to revise it, is the least damaging way to do it.
Where it does not
Android access rests on a thinner foundation: user consent, plus the Commission's assurance that "robust safeguards" will protect device integrity and security. Consent sounds like it restores user choice. It does not. A consent screen tells a user what will happen. It does not tell them, or the Commission, whether the recipient on the other end can be trusted with deep system access.
As Diana puts it: "Half of this decision vindicates the tiered-access approach we proposed in April. Search data flows only after a recipient risk assessment, with an amendment clause built in, and putting user consent at the centre of Android access is exactly what we argued competition policy should do. But consent screens are not security architecture. Deep system access still comes with no independent certification requirement and a narrow integrity exception that asks Google to prove harm before preventing it. Calibrated safeguards for data, consent gates for the operating system. The logic should be the same for both."
The Commission did not need to choose the weaker option. It had already written the stronger one, on the same day, for the other decision. Extending an equivalent, clearly specified certification requirement to Android access would not be a concession to Google. It would just be the Commission applying its own logic consistently instead of accepting a consent screen as a substitute for security architecture.
A gap that will not stay small
There is a second reason to fix this now rather than later. The Android decision confirms AI chatbots as eligible data recipients, and in doing so dissolves the line between search and conversational AI. The specification written for today's assistants will govern tomorrow's autonomous agents.
"The Commission wisely gave itself the power to amend the anonymisation measures," Diana says. "It will need an equivalent mechanism on the Android side well before agentic AI makes 2026's access rights look like handing over the keys."
An agent with system-level Android access carries a different risk profile to a chatbot answering search queries. The Commission built itself room to adjust the search data regime as that risk evolves. It did not do the same for Android, and the gap between the two will only get more consequential as agentic AI matures.
Neither decision restores the consumer choice these markets have lost. Both hand the Commission the pen. Given that starting point, the search data decision at least ties its access grants to real risk assessment and leaves room to correct course. The Android decision does not, and there is no good reason for that inconsistency. The Commission has already shown it knows how to do this properly. It should not settle for a weaker standard on the side of the market that, on current evidence, needs the stronger one most.
EPICENTER publications and contributions from our member think tanks are designed to promote the discussion of economic issues and the role of markets in solving economic and social problems. As with all EPICENTER publications, the views expressed here are those of the author and not EPICENTER or its member think tanks (which have no corporate view).



