EU Mandates Open Access for AI Assistants on Android, Demands Google Search Data Sharing
The European Commission has issued two landmark binding decisions under the Digital Markets Act (DMA), compelling **Google** to significantly open its **Android** ecosystem and share anonymized **Search** data. These mandates aim to foster greater competition for AI assistants and search engines, while raising critical questions about security, privacy, and the future of digital ecosystems.
In a move set to reshape the competitive landscape for artificial intelligence and search services, the **European Commission** has adopted two binding specification decisions targeting **Google** under the **Digital Markets Act (DMA)**. These decisions, six months in the making, mandate substantial changes to how **Android** operates and how **Google Search** data is handled, without imposing immediate fines.
### Opening Android to Rival AI Assistants
The first decision requires **Google** to grant rival AI assistants the same deep integration into **Android** as its own **Gemini**. This includes access to crucial device features such as the camera, microphone, on-screen content, background app control (mimicking taps and typing), and a wake word that functions even with the display off. **Google** must implement these changes by the next major release, **Android 18**, and no later than August 1, 2027.

Of the eleven operating system features covered, five are designated as 'restricted features' and require certification through a new **Qualified AI Assistant Programme**.
These restricted features include:
* Centralized access to opt-in on-device data (**AppSearch**).
* Context-aware intelligence (e.g., **Magic Cue**).
* Structured on-device integration (**App Actions** and **App Functions**).
* Screen automation (**Computer Control**).
* System integration (settings, media, screenshots, notifications, power).
Notably, certified assistants will gain the ability to interact deeply with **Google's** own apps, such as retrieving and drafting **Gmail**, managing **Calendar** events, accessing **Drive** and **Docs**, controlling **YouTube**, and handling messages and calls in **Messages**.
Six other features will have no certification requirement, opening them to all third-party, user-installed apps without restriction on type or use case. These include ambient data (microphone, system audio, camera, screen contents, location, sensors), always-on hotword detection, long-press invocation, system-level on-device models, third-party model implementation, and background execution.
Consent remains paramount for all these features, and **Google** can still enforce process isolation and encryption. However, for the unrestricted features, **Google** cannot dictate which apps are permitted to request access. If **Google** wishes to gate raw sensor feeds, it must file a reasoned request with the Commission.
### The Qualified AI Assistant Programme
**Google** is tasked with establishing a **Qualified AI Assistant Programme** by August 2027. This program will allow third-party **Trusted Certification Authorities (TCAs)** to certify assistants free of charge. **Google** must accept these certifications without additional conditions and cannot revoke them, though it can revoke a **TCA's** approval.
The certification criteria are capped, focusing on user intent confirmation for sensitive actions, data minimization, baseline mobile app security, and hardening against agentic risks. Draft terms for the program are due by February 1, 2027, with final terms and open applications by May 1, 2027.
Crucially, users will also have the option to bypass the certification requirement on a per-service, per-device basis, making the switch easily accessible.

### Implications for Android App Developers
By August 2027, app developers must be prepared for certified (or user-approved uncertified) AI assistants to interact with their applications on virtual displays, read screen content, and perform actions as if a user were physically tapping. Apps can block sensitive views from controlling assistants, a decision developers should implement before the **Android 18** beta. **Google** is permitted, but not required, to build features allowing apps to block automation on specific parts or keep app context separate from proactive suggestions.
### Sharing Search Data with Rivals
The second decision compels **Google** to provide anonymized **Search** query, click, and ranking data to rival search engines and AI chatbots for a cost-based fee. The anonymization method involves a three-pass process:
1. Stripping direct identifiers and attributes that could re-link records.
2. Suppressing records with rare terms (e.g., full names, passwords) or unusually long queries.
3. Generalizing metadata to ensure each user is part of a group of at least 1,000, with 95% in groups of 29,000 or more.
Recipients of this data must have at least 50,000 monthly average EU users, not be sanctioned, and not be controlled by countries deemed a cybersecurity or data protection risk by the EU. Strict contractual terms will govern data use, prohibiting re-identification, linking to other datasets, and onward disclosure. Independent audits will be required before and annually after access. Data will be at least seven days old and cut off after five years per beneficiary. **Google** also retains the right to assess specific recipients for cybersecurity and data protection risks.
### Google's Objections and Security Concerns
**Kent Walker**, **Google's** President of Global Affairs, has voiced strong objections. He argues that the **Android** decision "threatens device security by granting external apps sensitive and powerful device permissions," asserting that it undermines existing safeguards where phone makers vet assistants. On the **Search** data front, **Walker** claims the anonymization is insufficient, user consent is lacking, and that sharing could compromise trade secrets and national security. He cited a recent **ENISA** report highlighting that "security fundamentals matter more than ever in the age of frontier AI."
These decisions underscore the **European Commission's** commitment to fostering competition in key digital markets, but they also ignite a critical debate on the delicate balance between market access, user privacy, and device security in an increasingly AI-driven world.