Among the various Digital Markets Act (DMA) provisions the European Commission (Commission) is implementing, the “Interoperability” obligation is especially consequential for small business innovators. The Association for Competitive Technology (ACT) has voiced concerns with unfettered open access mandates on platforms and operating systems, commenting on the associated implementation records. In the most recent implementation, the Commission has proposed extreme open access mandates on Android with respect to artificial intelligence (AI) services operating on the platform.

AI agents have the potential to massively benefit European consumers and provide critical new opportunities for innovation. However, with these considerable benefits come rather serious privacy and security questions. AI agents generally perform functions across apps and services, potentially requiring access to device features, system information, appropriate application programming interfaces (APIs), and similar permissions on behalf of users. Orchestrating these kinds of access in ways that respect consumer preferences and expectations while foreclosing access to personal information and intellectual property (IP) by bad actors requires careful planning and coordination among ecosystem participants.

Competitive pressure on these ecosystem actors, including operating system and device makers to support AI agents, while also protecting IP, privacy, and security, is yielding results. Alphabet has been working to enable AI agent functionality in balanced ways, including through pre-loaded agents and developer tools. Against this backdrop, it is fairly shocking to see the EC’s proposed measures take a sledgehammer to this balancing exercise, instead prioritizing unrestricted access over privacy, security, and IP.

In the Android proceeding, the Commission apparently seeks to require Android to support AppSearch for any third party. The proposed measure in this instance demands that Android allow third-party apps with AI components to access data stored on a consumer’s device as part of their use of a separate app.

What does this mean? Currently, developers commonly leverage AppSearch to make a user’s data searchable within an app they have downloaded on their device. For example, a health tracking app can use AppSearch to enable its users to search within the app across health parameters and dates for a given health outcome. However, the proposed measure in this instance appears to demand that Android enable any third-party app—from a banking app to a social media platform—to access data stored by the health tracker app on the user’s device.

This level of open access not only exposes sensitive user information to unwanted access by third parties, it also hands over proprietary information held by developers to opportunistic IP thieves. It is unclear if the Commission contemplates some sort of safeguards around this that are not immediately discernible in the proposed measures. But with only two weeks to learn about and respond to them, we are left with a strict reading of the document.

ACT’s members often create and distribute apps for both Android and iOS. They choose these platforms because their owners actively manage access to the storefronts and operating systems. Users trust that they can download the apps ACT members make on these platforms without fear of third parties gaining access to the information they choose to share or their activities within the apps themselves. The Commission’s proposed measures would turn this paradigm upside down, shifting security and privacy vetting onto users and IP policing and trust-building onto developers.