Google isn't fighting the order to share its search data. It's fighting how often.
Brussels can already compel Google to hand rivals its query and click data. Whether that data arrives in real time or too late to matter is the whole case — and the deadline is July 27.

The reported version is alarming and tidy: Google has warned Brussels that the European Union's new data-sharing rules could expose people's most private searches — the health worries, the money trouble, the things you type when you are sure no one is watching. A senior Google scientist ran a test and found that supposedly anonymized search data could be unwound in under two hours, putting names back on the queries. The company invoked the ghost of the 2006 AOL leak, when researchers de-anonymized real users from a public release of "anonymous" searches. It is a serious argument, and it is worth reading carefully — not least because of what it is an argument against.
Start with the text, because the text is not in dispute. The obligation lives in Article 6(11) of the Digital Markets Act, and it says that Google, as a designated gatekeeper, must give third-party online search engines access to anonymised ranking, query, click and view data from Google Search on fair, reasonable and non-discriminatory terms. That clause is already in force. Google is not arguing that it shouldn't have to share. That ship sailed when the company was designated and the obligation attached. The fight that is actually happening is narrower, and far more consequential than the headline suggests.
Not whether. How often.
In January the Commission opened proceedings to "assist Google in complying" — the bloodless phrase for deciding what compliance actually has to look like. The open question is scope, and within scope, the live question is frequency: must Google share the data at roughly the same cadence it uses internally — in something close to real time — or may it hand over a delayed, aggregated version, batched and stale? On that single dial the whole remedy turns.
Here is why, and it is the part the security framing is built to keep you from noticing. Search is a real-time signal. What people are asking right now, and which results they click right now, is the raw material a competing search engine needs to rank well. Give a rival that signal a month late, smoothed into aggregates, and you have given it a fossil. A ranking model trained on last month's batched clicks is studying a photograph of a river. So "comply, but slowly" is, in operational terms, indistinguishable from "do not comply." Win the frequency argument and you have won the case while remaining, on paper, fully obedient to it.
When you cannot defeat an obligation, you litigate its schedule. Delayed data is data a rival cannot use.
This is a pattern anyone who has watched these remedies will recognize. The contested ground is almost never the headline duty, which is settled and quotable. It is the operative detail — the cadence, the format, the threshold, the deadline — where the real allocation of advantage happens, and where a press release never looks. The reported story is the obligation. The binding story is the schedule.
The security argument, read closely
None of which means the privacy risk is invented. It is not. Re-identification is a genuine, well-documented hazard; search histories are extraordinarily revealing; and Google's own researcher demonstrating that an anonymized set could be reversed in two hours is a real finding, not a talking point. A serious regulator has to take it seriously, and the honest reader should too.
But read what the argument proves, and notice that it proves too much. The operative clause already requires the shared data to be anonymised. Google's claim is not that the Commission forgot about privacy; it is that anonymisation can fail. And that is true — of all anonymisation, of every dataset, always. There is no anonymisation technique that can promise it will never, under any attack, be reversible. So if "this anonymised data might be re-identifiable" is enough to defeat Article 6(11), it is enough to defeat every data-sharing and interoperability obligation in the Act, because none of them can clear a bar of perfect, permanent irreversibility. The argument is not really about this dataset. It is a master key, and it opens every lock in the building.
There is a further answer the critics make, and it is a fair one. The data is not being dumped on the open web, as AOL's was. Under Article 6(11) it would be anonymised and disclosed only to vetted recipients — themselves bound by security and data-protection obligations — on fair, reasonable and non-discriminatory terms. The relevant comparison is not a public file anyone could download; it is a controlled transfer to a small set of accountable parties. That does not make the risk zero. It does make the AOL analogy do more rhetorical work than it can honestly bear.
It also helps to see the move as part of a strategy rather than a one-off. Google and Apple have spent months mounting a coordinated case against their DMA obligations on the shared ground of security and privacy — Apple delaying features in Europe on the same reasoning, both arguing that openness endangers users. When two of the most capable engineering organizations on the planet insist a problem is unsolvable, the competition lawyer's instinct is to ask whether the obstacle is the engineering or the incentive. These companies routinely solve harder problems than differential disclosure when solving them is in their interest.
Who is bound, who benefits, when it bites
Bound: Google, as a gatekeeper. The duty is asymmetric by design — it attaches to the firm with the dominant position, not to its rivals. Benefiting: competing search engines, and — the detail that makes this 2026 and not 2021 — the AI developers building search-grounded answer engines, who need genuine query and click signal to rank and to ground what their models say. The data Google is being asked to share is now an input to the AI-search race, which is precisely why the frequency fight is sharper than a classic antitrust remedy. The prize is not a slightly better also-ran search box; it is the training and grounding signal for the products meant to replace search outright.
When it bites: a final decision on scope is expected by July 27. That is the load-bearing date, the one to put in the calendar, because it is when the Commission resolves the frequency question that decides whether the remedy has teeth or theatre. The penalty for non-compliance runs up to 10 percent of global annual turnover, and up to 20 percent for repeat breaches — but the fine is not the story. The scope ruling is. A fine punishes a refusal; the cadence decision defines what counts as compliance in the first place.
Why a scheduling decision in Brussels is everyone's
A ruling about how often a gatekeeper must share data, and about whether "it might be re-identifiable" can shrink an obligation, will not stay in Brussels. It rarely does. It becomes the template for how every interoperability and data-access remedy under the Act is operationalized, and the reference text other regulators reach for when they draft their own. No global company builds one compliance posture for Europe and another for everywhere else when the European one is the strictest; the European answer becomes the default.
So the Commission is not only deciding what Google owes its rivals. It is deciding, for everyone, whether a security objection is a scalpel — narrowing a remedy to protect users where the risk is specific and real — or a veto, a phrase that can be attached to any obligation to make it disappear. The difference between those two outcomes is the difference between a Digital Markets Act that binds and one that merely declares. The deadline is July 27. The word that decides it is not "share." It is "often."


