The European Commission on Thursday ordered Google to give rival AI assistants the same reach into Android that Gemini already has: the camera, the microphone, whatever is on screen, a wake word that fires with the display off, and the ability to drive other apps in the background by imitating taps and typing.
Google has to ship it in the next major release, Android 18, and by 1 August 2027 at
The European Commission on Thursday ordered Google to give rival AI assistants the same reach into Android that Gemini already has: the camera, the microphone, whatever is on screen, a wake word that fires with the display off, and the ability to drive other apps in the background by imitating taps and typing.
Google has to ship it in the next major release, Android 18, and by 1 August 2027 at the latest.
That is one of two binding specification decisions adopted on 16 July under the Digital Markets Act, six months after the Commission opened proceedings on 27 January.
The second makes Google hand anonymised Search query, click, and ranking data to rival search engines, and to AI chatbots that do search, for a cost-based fee. Neither is a fine.
Specification proceedings only say what a gatekeeper has to build; the Commission’s separate power to open a non-compliance case, fines included, is untouched. Android carries around 60% of European mobile users.
Five features gated, six not
The Android decision covers 11 operating system features. Google may demand certification before an app touches five of them, which the published measures call restricted features:
- Centralised access to the on-device data apps opt in to sharing, today AppSearch.
- Context-aware intelligence, the always-on machinery behind proactive suggestions like Magic Cue.
- Structured on-device integration, meaning App Actions and App Functions.
- Screen automation, which Android implements as Computer Control.
- System integration: settings, media, screenshots, notifications, and power.
Paragraph 55 spells the third one out, and it points straight at Google’s own apps. A certified assistant gets to retrieve and draft Gmail, create and manage Calendar events, pull content out of Drive and Docs, trigger Maps navigation, control YouTube playback and query watch history, read and write SMS, MMS, and RCS in Messages, and place phone calls.
The other six carry no certification requirement at all: ambient data, always-on hotword detection, long-press invocation, the system-level on-device models, third-party model implementation, and background execution.
Paragraph 119 opens them to all third parties, user-installed apps included, and bars Google from restricting the type or use case of the app that calls them.
Ambient data means microphone input, system audio, camera, screen contents, location, and sensors such as the accelerometer, continuously and in the background, under the same consent prompts that Google’s own AI services get.
Those prompts are the light ones: the Commission’s case summary notes that Google’s first-party services reach the sensors today with reduced consent processes and privacy indicators, while third parties get runtime consent per use.
Hotword detection rides the low-power DSP, so it survives a locked screen and battery saver, and can keep recording until the user ends the request. That one only reaches phones already carrying the chip. Letting several assistants listen at once slips to Android 19 and 1 August 2028.
Consent still gates all of it, and Google can still require process isolation and encryption. What it cannot do, for these six, is decide who is allowed to ask. If it wants the raw sensor feed behind a gate, the measures leave it a route: file a reasoned request showing good cause, and the Commission may move the feature onto the restricted list.
The programme Google has to write
For the gated five, Google has to set up a Qualified AI Assistant Programme, let third-party Trusted Certification Authorities certify assistants into it free of charge, accept those certifications without bolting on conditions, and never revoke them.
It also writes the TCA programme’s terms and decides who gets approved as a certifier, on terms that have to be reasonable and non-discriminatory, and that it has to clear with the Commission two months before changing. So it cannot revoke a TCA’s certification of an assistant. It can revoke the TCA.
The bar itself is capped. Google may test whether an assistant reconfirms user intent before sensitive or irreversible actions, whether it minimises inadvertent data disclosure, whether it clears baseline mobile app security, and whether it is hardened against agentic risks that would negate user intent.
The measures offer input, supply chain, integration, model integrity and infrastructure as examples of those. Anything past that needs the Commission first, and the same conditions bind Gemini.
Suspension is narrow: Google needs a consistent body of evidence of practices causing severe and immediate harm, and it has to hand that evidence to the Commission and the certification authorities. Appeals get an answer within a month. There is also a door around the gate.
Paragraph 135 makes Google let users consent their way out of the certification requirement, per service, per device, without burying the switch behind developer mode.
Draft terms are due 1 February 2027, final terms and open applications 1 May 2027.
If you ship an Android app
By August 2027, a certified assistant, or an uncertified one the user waved through, can open your app on a virtual display, read its screen, and click through it while the user does something else.
The feature’s functionality list includes letting a controlled app block sensitive views from the controlling app. Wire that decision before the Android 18 beta.
Two other outs exist only if Google chooses to build them: blocking automation on parts of your app, and keeping your app’s context away from proactive-suggestion components. The decision permits both. It requires neither.
The search dataset
The anonymisation method is published, and it runs three passes. Strip direct identifiers and the attributes that let records be stitched back together: usernames, IP addresses, precise timestamps, input format.
Suppress any record whose query carries rare terms such as full names, passwords, street addresses or bank account numbers, or that runs unusually long. Then generalise metadata until every user sits in a group of at least 1,000 sharing location, device type, and query language, with 95% landing in groups of 29,000 or more.
Contracts carry the rest: ringfenced processing, no linking to other datasets, no onward disclosure, no re-identification attempts, an independent audit before access, and annually after.
Recipients need 50,000 monthly average EU users over the past year, cannot be sanctioned, and cannot be controlled by a country the EU treats as a serious and structural cybersecurity or data protection risk. Data arrives at least seven days stale and cuts off after five years per beneficiary. Google also gets to assess, before it shares anything, whether a specific recipient poses serious cyber security and data protection risks.
Its clock here is short: eligibility form and a beneficiary webpage by end of August, finished dataset by November, pricing by January 2027.
Google’s objection
Kent Walker, Google’s president of global affairs, said the Android decision “threatens device security by granting external apps sensitive and powerful device permissions”. He said phone makers vet assistants today, and that the decision strips that safeguard out.
On the Search half his position is that the anonymisation is not good enough, that users are not being asked, and that the fallout reaches trade secrets and national security. He cited ENISA, the EU’s cybersecurity agency, which wrote this month that “security fundamentals matter more than ever in the age of AI”.
That ENISA paper is about frontier models collapsing the window between vulnerability discovery and exploitation toward zero. It does not mention Android, interoperability or app permissions.
The objection is not imaginary. Gemini is the proof. The decision’s digital-context list hands third-party assistants notifications, SMS, screen contents, and screenshots. Notification content is the channel SafeBreach used to hijack Gemini’s own Android Utilities agent by indirect prompt injection, no malicious app on the device required.
Google mitigated that one server-side in November 2025, before SafeBreach published last month. Input risk is now one of the things a candidate assistant has to be hardened against. Google writes the test.
What the April draft said
The safeguards Walker says are missing are the ones that arrived after Google complained. The Commission’s draft measures from 27 April have no restricted features, no Qualified AI Assistant Programme, and no certification authorities.
Draft paragraph 134 forbade Google from restricting who benefits, and allowed a verification process only if it was run by neutral and independent third parties and applied only on the Play Store. The final lets Google certify applicants itself.
The draft’s integrity clauses barred limits on purpose, beneficiaries, apps, technologies, and use cases; the final bolts “unless specified otherwise in this Annex” onto each. The Search draft was looser still: no user threshold, no capital requirement, no country-risk exclusion, and a metadata group floor of 50 rather than 1,000.
The deadlines moved in the same direction. Most Android features were due 1 January 2027 in the draft. They land on 1 August 2027 in the decision. Concurrent hotwords go from that same January date to August 2028. The Commission says the final measures take due account of what Google and third parties filed during the consultation, and the diff shows what was bought.
What Google did not get is discretion. Integrity measures have to be strictly necessary, justified by objective evidence it must retain, verifiable by someone other than Google, and applied identically to its own services.
It may not impose “a higher level of integrity on third parties than it applies to itself”. It owes the Commission four weeks’ notice before it applies one. The only way around that is a change that is non-user-facing, purely technical, identical for Google and everyone else, and harmless to third parties. All four, or notice.
So the fight moves to 1 February 2027, when the draft programme terms land. Google spent the spring arguing that uncertified assistants should not hold these permissions, and won a certification regime that did not exist in April. Now it has to write the thing down, in public, and once, knowing the definition gets read straight back to Gemini.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.


