How EU’s AI rules could backfire on user privacy and security

Google is raising the alarm about a proposed European Union regulatory push that could inadvertently compromise user safety across Android devices. European Commission officials are preparing to unveil a set of rules next month aimed at curbing the dominance of major tech platforms. While the intent is to foster competition, Google argues the measures could introduce serious security and privacy vulnerabilities if implemented without careful adjustments.

The draft regulations contain two key provisions that have drawn pushback from the Silicon Valley giant. First, the Commission wants to prevent Google from bundling its own AI assistant, Gemini, as the default or exclusive option on Android. Instead, users would be allowed to integrate alternative AI models with system-level permissions similar to those granted to Google’s tool. Second, the proposals would require Google to share anonymized search data with competitors, a move intended to level the playing field but one that Google says could backfire on privacy protections.

In a recent interview with Wired, Heather Adkins, Google’s Vice President of Security Engineering, emphasized that these changes could have unintended consequences. “If implemented as described today, I think within a short period of time on Android, we’d see a significant increase in fraud in the EU,” Adkins warned, noting that such risks could materialize within weeks of the rules taking effect.

Google frames its opposition not as resistance to competition, but as a genuine concern for user protection. The company argues that integrating third-party AI models with deep system access could create new attack vectors for malicious actors. By allowing unvetted AI services to interact with sensitive device functions, the proposed rules might inadvertently weaken the security layers currently enforced by Google’s tightly controlled ecosystem.

The anonymized data sharing requirement presents another layer of complexity. While the intent is to enable competitors to improve their services, Google contends that removing personally identifiable information from search logs does not fully eliminate privacy risks. Aggregated datasets can still reveal patterns that, when combined with other data sources, may allow re-identification of individual users. Additionally, Google points to the operational burden of anonymizing vast volumes of search data while maintaining utility for third-party developers.

These warnings come amid a broader regulatory shift in Europe, where lawmakers are increasingly focused on breaking up the dominance of large technology firms. The Commission’s upcoming announcement follows years of antitrust investigations and previous rulings against Google, including multibillion-dollar fines for anticompetitive practices related to its Android operating system and search engine.

For Google, the stakes are high. Android powers over 70% of the global smartphone market, and the company has long defended its integrated approach as essential for maintaining security and user experience. The company has previously argued that open ecosystems without strict controls can lead to fragmentation, inconsistent performance, and increased exposure to malware.

As the European Commission prepares to finalize its proposals, Google is likely to engage in intense lobbying efforts to refine the language of the regulations. The company may push for clearer definitions of “system-level access” for third-party AI models, stricter anonymization standards for shared data, and longer implementation timelines to allow for security assessments.

Regardless of the outcome, the debate underscores a growing tension between competition policy and digital security. Policymakers will need to balance the goal of fostering innovation and choice with the imperative of protecting user privacy and safety in an increasingly interconnected digital landscape.