A Google scientist claims users can be re-identified from supposedly anonymized search data in under two hours, raising questions about the EU's Digital Markets Act proposals.
Google is pushing back hard against a European Commission proposal that would force it to share search data with competitors, arguing the plan has a glaring privacy problem: the anonymization doesn’t actually work.
A senior Google scientist demonstrated that users could be re-identified from the supposedly anonymized datasets in under two hours.
What the EU wants and why Google says no #
The European Commission proposed on April 16, 2026, that Google must share search data, including ranking, query, click, and view data, with third-party search engines and AI services. The terms would be fair, reasonable, and non-discriminatory, known in regulatory shorthand as FRAND.
On May 6, 2026, Google’s scientist publicly flagged the re-identification vulnerability. Clare Kelly, Google’s Senior Competition Counsel, echoed the concern, stating that additional rules may compromise user privacy and innovation. Google has already begun licensing some data as part of its compliance with the Digital Markets Act, but the company is drawing a line at broader mandates.
The Commission’s final decision on the data-sharing measures is expected in July 2026. Separately, investigations into Google’s possible self-preferencing practices under the DMA could result in fines in the high triple-digit million euro range.
The privacy paradox at the heart of competition law #
The EU has spent years building the world’s most aggressive data protection regime through GDPR. Now it’s asking Google to pipe massive datasets of user behavior to third parties under a different regulatory framework.
Anonymization is supposed to be the bridge between them. But Google’s test results suggest that bridge has holes. If users can be re-identified in under two hours, the anonymization is cosmetic rather than functional.
Why crypto and Web3 should be paying attention #
The entire debate centers on data sovereignty, privacy, and who controls access to information. Zero-knowledge proofs allow one party to prove something about a dataset without revealing the underlying data. Homomorphic encryption lets computations run on encrypted data without ever decrypting it. These are being deployed in blockchain-based identity systems, DeFi compliance tools, and private AI inference.
If traditional anonymization techniques can’t survive a two-hour attack, regulators may eventually need to look at cryptographic alternatives. That would be a meaningful tailwind for privacy-focused blockchain projects and the broader Web3 infrastructure layer. Investors in the crypto space should watch the July 2026 decision closely, because it will signal how European regulators balance competition against privacy. The EU has been the most active jurisdiction globally in regulating big tech, and its frameworks tend to ripple outward. MiCA set the template for crypto regulation in multiple countries.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our