The European Commission this week sent Alphabet its preliminary findings in case DMA.100209, setting out proposed measures that would require Google to share detailed search data with competing online search engines on fair, reasonable and non-discriminatory (FRAND) terms. The proposals, adopted on 16 April 2026, are preliminary - not yet binding. A public consultation runs until 1 May 2026 at 23:59 CEST, after which the Commission may adjust the measures before adopting a final, binding decision by 27 July 2026.

If adopted in their current form, the measures would represent one of the most technically detailed regulatory interventions in the history of digital competition enforcement. Rather than simply asserting that Alphabet must share data, the Commission has produced a 29-page specification document that defines, at the field level, precisely what data would need to flow, how it would have to be anonymised, how it could be priced, and what auditing regimes would govern it.

Background: a gatekeeper obligation years in the making

Alphabet was designated as a gatekeeper under the Digital Markets Act on 5 September 2023, with Google Search listed among the core platform services subject to DMA obligations. Full compliance requirements became legally binding on 7 March 2024. Article 6(11) of the DMA - the provision at the centre of these proceedings - requires gatekeepers operating online search engines to share anonymised search data with third-party search engines on FRAND terms.

The Commission opened specification proceedings on 27 January 2026 under Article 8(2) of Regulation (EU) 2022/1925. Specification proceedings are a formal instrument allowing the Commission to move beyond abstract obligations and define in precise technical terms what compliance would look like. The Commission has six months to conclude such proceedings. Alphabet received preliminary findings 81 days after the proceedings opened - within the three-month window the DMA sets for preliminary findings under Articles 8(5) and 8(6).

Prior to this action, industry groups had grown increasingly vocal about the pace of enforcement. In March 2026, eighteen European industry organisations wrote directly to Commission President Ursula von der Leyen demanding a formal non-compliance decision on a separate Article 6(5) self-preferencing case, noting the Commission was already approximately 12 months past the statutory 12-month deadline for adopting such a decision.

What data Alphabet would have to share

According to the preliminary measures document, the proposed data sharing obligation covers four categories: query dataview dataclick data, and ranking data. The document applies a parity principle: Alphabet would be required to share data on par with what it collects and uses internally for the purpose of optimising Google Search.

Query data would include the initial query as entered by end users, any modifications made by users or by Alphabet - whether through autocomplete, query shortcut chips, entity results, the "see results about" feature, or advanced search filters - plus metadata covering query timestamp, user location, device identifier, access point, and method of input (text, voice or photo). According to the preliminary measures, access points in scope would include the browser omnibox on Chrome and third-party browsers, the Google Search website, Google Search widget, Google Search application, Google Assistant, Gemini, Google Lens, Circle to Search, and Text Search on Android.

View data would encompass all URLs and visual content displayed on search engine results pages (SERPs). According to the document, this would apply regardless of format (photos, videos, text), structure (main URLs, associated URLs), or type (organic, paid, or advanced results displayed in search modules). All tab types would fall within scope: Videos, Short Videos, News, Forums, Web, Books and Images.

Click data, according to the document, would include the timing, order and duration of any user interaction with the SERP - clicks, clicks back to the SERP after visiting a page, hover events, scrolling, swipes, and expansions. For each URL served in response to a user query, Alphabet would share this interaction data, with individual paid search result URLs excluded at the record level. Interaction data for paid results would instead be shared at the block level - meaning the aggregate block of ads is tracked, but individual ad URLs are not individually attributed.

Ranking data would accompany every URL shared under view data: its position in the SERP, its ordinal position relative to other URLs in the same SERP area, and any other information on relative or absolute position, prominence and visibility. Individual paid search result URLs would be excluded here too; ranking data for paid results would be shared at the block level only.

How anonymisation would work

The anonymisation architecture is the most technically complex section of the proposed measures. It would operate in two layers: technical measures that alter the data before sharing, and contractual measures that govern what recipients may do with it.

At the technical level, according to the document, Alphabet would be required to share data daily at record level. Each record would begin with attribute suppression. Direct user identifiers - Google account IDs, whether the user was signed in, IP addresses, device IDs - would be removed. Precise timestamps would be suppressed. Information about the height and size of result modules, their distance from the top of the SERP, and their share of the user's viewport would all be removed. Image-based queries would be replaced with a placeholder, and click-back times would be binned into six intervals: 0-10 seconds; 10-25 seconds; 25 seconds to 1 minute; 1 to 3 minutes; 3 to 20 minutes; and more than 20 minutes.

Alphabet would also be required to generate and update, on a weekly basis, an allowlist of words appearing in search queries from signed-in users using the past 13 months of EEA search data. According to the document, an entity would be added to this allowlist for five years if it appears in queries submitted by more than 50 unique signed-in users within that window. Queries failing to meet this threshold - or failing a separate length-based character threshold computed weekly so that 95% of unique queries in the relevant language fall below it - would be removed entirely from the shared dataset.

Location generalisation would follow an S2 cell hierarchy. According to the measures, Alphabet would express location as a country plus an S2 cell bounding box that includes at least 1,000 signed-in users and covers at least 3 square kilometres. If fewer than 50 signed-in users share the same combination of inferred language, location, and device type, Alphabet would be required to generalise metadata further, progressively, before ultimately removing the record.

Mini-sessionisation - a limited form of query grouping - would be permitted. Alphabet could group records from the same user in chronological order when a current query follows from a query refiner, an autocomplete selection, or a substring extension of the previous query. Under the proposed contractual restrictions, this would be the only form of sessionisation that recipients could use.

Contractual obligations on recipients

Third-party online search engines (OSEs) receiving the Search Dataset would face a detailed set of contractual restrictions. According to the document, recipients would need to be recognised as independent controllers under GDPR Article 4(7). They could not attempt to link the dataset with auxiliary datasets at the record level, re-identify end users, or augment the data in any way that reverses the anonymisation applied.

Recipients would be required to separate access to the Search Dataset from access to auxiliary advertising and analytics datasets at the infrastructure level. The permitted purpose would be limited to optimising or improving OSE services - explicitly including grounding AI chatbot services, refining retrieval and ranking systems, web crawling and index building, and functionalities such as query analysis, spell-checking, auto-suggestion, and auto-completion. The dataset could not be used for unrelated purposes.

Data retention would be capped at 13 months. Onward sharing or sublicensing to any third party would be prohibited. Recipients would be required to encrypt the dataset at rest and in transit, restrict access using least-privilege and need-to-know principles, apply phishing-resistant multi-factor authentication for authorised personnel, and prohibit copying or local storage of dataset records to personal devices.

All access would have to be logged, and access logs would need to be retained for one year. Data breaches would need to be handled in compliance with GDPR Articles 33 and 34 - the provisions covering notification to supervisory authorities and communication to data subjects respectively.

Audit requirements: Level 1 and Level 2 assurance

Before a third-party OSE could gain initial access to the Search Dataset, it would be required to submit a Level 1 assurance report prepared under ISAE 3000 or an equivalent internationally recognised framework. This report would need to provide reasonable assurance - defined as a high but not absolute level of assurance, expressed as a positive conclusion - on four Commission-defined objectives: that the recipient is not subject to sanctions or restrictive measures that would prohibit data use; that it has credible and documented plans to use the data for OSE optimisation; that it has implemented technical and organisational measures to ensure continued anonymisation; and that it has implemented measures to protect the integrity and confidentiality of the dataset.

To maintain access on an ongoing basis, recipients would be required to submit Level 2 assurance reports annually. The first Level 2 report would be due within 15 months of initial access; subsequent reports within 12 months of the previous submission. According to the document, the independent assurance practitioner assessing operating effectiveness would need to draw on a continuous operating period of not less than 12 months within the reporting period.

Failure to submit a Level 2 report on time, or receipt of a limited assurance conclusion rather than a reasonable assurance conclusion, would trigger suspension. Failure to remedy the suspension within three months would trigger permanent termination of access.

FRAND pricing: incremental cost plus reasonable return

The pricing framework would be built around incremental cost-based methodology. According to the document, Alphabet could charge eligible beneficiaries only the incremental costs it incurs to make the data available - covering dataset preparation, storage attributable to sharing, and dissemination costs - plus a reasonable return on capital employed that could not exceed Alphabet's weighted average cost of capital.

Micro, small and medium-sized enterprises, as defined in Commission Recommendation 2003/361/EC, would be explicitly protected: they could not be charged more than the incremental cost plus the WACC-capped return, regardless of any other exceptions that might apply to larger beneficiaries.

Two exceptions could allow Alphabet to charge more. First, if Alphabet demonstrates it cannot recover the costs of collecting the underlying data from its own commercial use - with Google Search revenue defined to include all revenue directly or indirectly attributable to the provision or monetisation of Google Search - an additional margin up to Alphabet's operating margin percentage for its Google Search business could apply. Second, for beneficiaries operating at very large scale - defined as having more than 45 million monthly active users in the EU and annual Union turnover at or above 7.5 billion euros in each of the last three financial years, or average market capitalisation of at least 75 billion euros in the last financial year - additional margin could also apply.

FRAND pricing terms would apply for five years from the date sharing begins for each distinct beneficiary. After five years, Alphabet could renegotiate, but the resulting terms would still need to be FRAND within the meaning of Article 6(11).

Testing samples before acquisition

Alphabet would be required to provide three types of testing samples to eligible third-party OSEs considering whether to acquire the full Search Dataset. Sample A - a 1,000-row sample covering 58 unique queries - would be provided free of charge and could be downloaded. Sample B would be a synthetic dataset of up to 10 million artificially generated unique queries, available for download, for which a fee could be charged. According to the document, Sample B would need to accurately resemble the real Search Dataset in content and form, faithfully reflect the relationship between queries and metadata, and have the same technical anonymisation measures applied as the real dataset. Sample C would be a 5% sample of the final Search Dataset, drawn from no less than one month and no more than one year of queries, also available for download at a fee.

Implementation timeline if measures are adopted

According to the preliminary measures document, Alphabet would be required to finalise the Search Dataset as soon as possible and no later than three months after the Commission adopts a final implementing act. Template licence agreements for the Search Dataset and all three test data samples would need to be prepared within two months of that implementing act. The final binding decision must be adopted by 27 July 2026.

What this could mean for the search advertising ecosystem

The implications for the digital marketing community extend beyond search engine competition. The dataset in scope includes paid search result data - not individual paid search URLs, but interaction and ranking data at the paid block level. Smaller search engines that could gain access to this data would, in principle, be able to train ranking and query analysis systems competitive with Google's, potentially accelerating competition in markets where Google has faced sustained enforcement pressure since DMA obligations became binding in March 2024.

The inclusion of AI chatbots within the definition of eligible OSEs carries particular weight. According to the eligibility provisions, undertakings providing AI chatbots with online search engine functionalities would qualify for access, provided they meet the definition of an OSE under Article 2(5) of Regulation (EU) 2019/1150. This means services combining search retrieval with AI-generated responses could potentially apply for access to Google's search data - a development with direct implications for how AI-powered search products are trained and ranked.

Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, said in the Commission's announcement: "Search engines must be able to innovate and keep pace with evolving user needs. Our work to create opportunities in this sector continues - and comes at a crucial moment of growing interconnection with AI services."

Teresa Ribera, Executive Vice-President for Clean, Just and Competitive Transition, said: "Data is a key input for online search and for developing new services, including AI. Access to this data should not be restricted in ways that could harm competition. In fast-moving markets, small changes can quickly have a big impact."

The consultation is open to all citizens, companies and organisations, though the Commission specifically welcomes contributions from companies providing online search engine services, including AI chatbots with search functionality. All contributions must be non-confidential, as they will be shared with Alphabet for comment. The Commission notes it is running a separate consultation on Alphabet's Android operating system interoperability with third-party AI services under case reference DMA.100220.

Timeline

  • November 2022: Digital Markets Act enters into force in the European Union
  • 5 September 2023: European Commission designates Alphabet as a DMA gatekeeper, including Google Search as a core platform service
  • 7 March 2024: DMA obligations become legally binding for designated gatekeepers, including Alphabet
  • November 2024: Google announces more than 20 modifications to European search functionality for DMA compliance
  • December 2024: Coalition of over 20 European price comparison websites criticises Google's DMA compliance approach
  • March 2025: Commission sends Alphabet preliminary findings on a separate Article 6(5) self-preferencing proceeding
  • 27 January 2026: European Commission opens specification proceedings DMA.100209 under Article 8(2)
  • 15 March 2026: Eighteen industry groups write to Commission President von der Leyen demanding formal non-compliance action on Google Search self-preferencing
  • 16 April 2026: Commission adopts preliminary findings in case DMA.100209, proposing detailed search data sharing measures for Alphabet; public consultation opens with deadline of 1 May 2026
  • 27 July 2026: Deadline for Commission to adopt final binding decision in case DMA.100209

Summary

Who: The European Commission, acting as the DMA enforcement authority, and Alphabet Inc. (Google's parent company), designated as a gatekeeper under the Digital Markets Act. Eligible third-party online search engines operating in the EEA, including AI chatbots with search functionality, would be the intended beneficiaries of the proposed measures.

What: The Commission today adopted preliminary findings in case DMA.100209 setting out proposed measures that would require Alphabet to share anonymised Google Search data - covering query, view, click and ranking data - with third-party online search engines on FRAND terms, via an API, subject to detailed technical anonymisation requirements and independent audit obligations. The measures are preliminary and not yet binding.

When: Preliminary findings were adopted on 16 April 2026. The public consultation runs until 1 May 2026. The final binding decision must be adopted by 27 July 2026. The specification proceedings were opened on 27 January 2026. If measures are adopted, FRAND pricing terms would apply for five years from the date sharing begins for each beneficiary.

Where: The proposed measures would apply within the European Union and the European Economic Area. The proceedings are conducted by the European Commission under the Digital Markets Act, Regulation (EU) 2022/1925.

Why: Article 6(11) of the DMA requires Alphabet, as a designated gatekeeper, to share anonymised search data with third-party search engines on FRAND terms. Specification proceedings were opened to define precisely what effective compliance would require, following years in which the broad obligation existed but no detailed implementation framework had been specified. The Commission's stated aim is to allow third-party online search engines to optimise their services and effectively contest Google Search's market position.

Share this article
The link has been copied!