A senior Google researcher has challenged the European Commission’s data-sharing mandates, arguing that regulations designed to boost competition and user choice may inadvertently create new privacy vulnerabilities. The criticism, made public this week, highlights a growing tension within Europe’s aggressive tech regulation framework: the trade-off between competitive openness and data protection, a debate with significant implications for how technology platforms operate globally, including in India and South Asia.
The European Commission has positioned itself as the world’s most assertive tech regulator over the past five years, deploying a series of landmark laws—including the Digital Markets Act (DMA) and the Data Act—to limit the dominance of Big Tech giants and create space for smaller competitors. These measures mandate that large platforms share user data with third parties, open their ecosystems to rivals, and provide users greater control over their digital footprint. The regulatory push reflects growing consumer and political pressure across Europe to curtail the market power of companies like Google, Meta, and Amazon.
The Google scientist’s intervention signals internal concern within one of the world’s largest tech companies about unintended consequences of Europe’s regulatory approach. By requiring platforms to share sensitive user data more freely with competing services and startups, the argument goes, regulators may be expanding the pool of entities handling personal information—potentially increasing exposure to breaches, misuse, or inadequate protection standards. This creates a paradox: rules intended to protect users from monopolistic control could expose them to privacy risks from a wider ecosystem of data handlers with varying security practices.
The EU’s Data Act, which began enforcement this year, mandates that companies holding user data make it accessible to competitors and service providers upon request. The Digital Markets Act similarly requires interoperability and data portability for designated “gatekeepers.” These measures aim to level the playing field for startups and alternative services that cannot otherwise compete with data-rich incumbents. However, the concern raised suggests that moving data beyond the controlled environment of established platforms—where privacy and security infrastructure is typically more mature—into smaller, potentially less-resourced competitors could introduce new vulnerabilities.
The Indian technology industry and policymakers are watching Europe’s regulatory experiment closely. India’s own Digital Personal Data Protection Act (DPDPA), which took effect in 2023, attempts to balance innovation with privacy safeguards through a lighter regulatory touch than Europe’s approach. Unlike the EU’s data-sharing mandates, India’s framework emphasizes user consent and purpose limitation without forcing inter-platform data transfers. Industry voices in India have expressed concern that aggressive data-sharing requirements could hamper innovation, discourage investment in security infrastructure, and complicate compliance for startups. The Google scientist’s warning may reinforce arguments from Indian tech advocates that mandatory data-sharing, while well-intentioned, requires careful calibration to avoid creating new harms.
The debate also raises questions about whether privacy and competition can be simultaneously maximized through regulation. Privacy advocates argue that data concentration itself is problematic because it enables behavioral tracking and manipulation regardless of the competitive structure. Competition advocates counter that breaking up data silos is essential to prevent monopolistic gatekeeping. The Google scientist’s position suggests a third view: that privacy must be embedded in the design of data-sharing mechanisms, not treated as secondary to competitive concerns. This could mean requiring stronger encryption, shorter data retention periods, and stricter liability frameworks for companies receiving shared data.
Moving forward, the European Commission faces pressure to conduct a thorough impact assessment of its data-sharing rules on user privacy outcomes. Regulators across Europe, and increasingly in South Asia, must grapple with this central question: how can rules designed to protect competition avoid inadvertently creating privacy risks? Any revision or refinement of the EU’s approach will likely influence how India and other South Asian nations calibrate their own regulatory frameworks. The coming years will reveal whether Europe’s assertive tech regulation can achieve both goals—fair competition and robust privacy—or whether these objectives are fundamentally in tension, requiring difficult policy trade-offs.
