Apple AI Privacy Risks in Europe Go Beyond the EU Regulatory Fight

The debate over Apple AI privacy risks in Europe is being framed as a Brussels problem. Apple used part of its WWDC 2026 keynote to announce a product it isn't shipping: Siri AI, the most capable version of its assistant, demonstrated at WWDC pulling a FIFA World Cup schedule from the internet, searching a user's Messages history for a recipe, drafting a party invitation, and preparing to send it to a group chat, all without the user opening a single app. That assistant will not reach iPhones or iPads in the EU when iOS 27 launches this fall. Apple says European regulators left it no choice.

That argument has genuine substance. It also sidesteps the more consequential problem.

Europe's interoperability demands on Apple AI do create real data-risk implications. But the same risks are already built into Apple's global iOS 27 architecture, where the company is voluntarily opening its AI stack to competitors. Anyone waiting for the regulatory standoff to resolve before thinking about what their AI assistant can do with their data is waiting for the wrong thing.

The scale of what's actually at stake: according to Beri.net's analysis earlier this month, Apple Intelligence already processes roughly 1.2 billion Siri queries daily across 940 million active devices, with Writing Tools alone handling 340 million daily actions. At the same WWDC where Apple explained why it couldn't open Siri to Europe, the company also announced iOS 27's Extensions framework, which lets users designate Claude, Gemini, ChatGPT, or Grok as their system-level AI across Siri, Writing Tools, and Image Playground, routing queries to those providers under each company's own privacy policy.


Why agentic AI creates a new kind of privacy risk before any regulator gets involved

To understand what's at stake in the EU fight, you first need to understand what Siri AI actually does. This isn't a chatbot that answers isolated questions. It's an agent.

The WWDC demonstration described above required what Apple has historically kept behind its highest walls: access to mail, photos, messages, and calendar, simultaneously and in context, as Scientific American reported this month. That kind of cross-app, cross-data orchestration is exactly what makes the privacy architecture worth scrutinizing.

Security researchers have a framework for what this creates. Programmer Simon Willison calls it the "lethal trifecta": any assistant that can read private data, ingest untrusted content, and transmit information outward can be tricked, through a technique known as indirect prompt injection, into handing that private data to an attacker without the user clicking anything (Scientific American). This isn't theoretical. Last year, researchers at Aim Security demonstrated it against Microsoft 365 Copilot in a vulnerability they named EchoLeak: a single malicious email planted instructions the assistant executed later, silently exfiltrating data through an image it loaded on its own, with nothing visible to the user. Microsoft patched it before known exploitation, but the architecture that made it possible, an agent with read access, untrusted external inputs, and outbound capability, appears to share the same basic risk pattern that Siri AI now operates under (Scientific American).

Apple acknowledges this class of risk directly, citing security researchers' demonstrations of AI systems being hijacked to steal passwords and photos. It uses those demonstrations as justification for opposing the DMA's interoperability terms. What Apple does not say is that these risks are structural to agentic AI, not a product of European regulation, and that its own Siri AI implementation carries them regardless of what Brussels decides.


Apple Intelligence privacy concerns in the EU aren't just about the DMA

With the underlying risk established, the DMA dispute becomes easier to evaluate on its actual terms.

The DMA's Article 6(7) requires gatekeeper platforms to give third-party services access to the same OS features they make available to their own services. The European Commission's factsheet is unambiguous that users remain free to control which apps they use and what permissions they grant, and that Apple remains free to decide what features exist on the OS at all. The law simply requires a level playing field (European Commission DMA Factsheet, published last month). The same enforcement has already produced cross-OS eSIM transfers, a bidirectional browser data portability API, and notification interoperability, none of which required anything resembling unlimited device access.

Apple's characterization goes considerably further than the text. Its newsroom post describes the Commission's position as requiring "nearly unlimited access" to a user's device, including autonomous app-control capabilities "without a user's ongoing visibility and control" (Apple Newsroom). Apple proposed a "Trusted System Agent" intermediary that it says would give rivals equivalent access through a controlled layer, plus an 18-month phased rollout. According to Apple, the Commission rejected this. Both sides then gave flatly contradictory accounts of what happened: Commission spokesperson Ricardo Cardoso told The Verge earlier this month that Apple "did not develop proposals for DMA compliant interoperability solutions," while Apple's Greg Joswiak said the Commission had not "meaningfully engaged" with Apple's proposals.

No expert quoted in the source record has confirmed Apple's reading of what DMA compliance would practically require for an AI assistant. Jan Penfrat of European Digital Rights called Apple's public campaign "very much a lobbying tactic," and competition law researcher Floris Bostoen pointed to recent UK and US court rulings that were skeptical of Apple's privacy-framed arguments against opening its systems (The Verge). Apple may be right that unmediated parity access for any assistant would be riskier than a mediated intermediary. But it is presenting its preferred interpretation of a contested regulatory question as settled fact, and the strongest language about catastrophic data exposure originates with Apple.


The contradiction built into iOS 27: Apple's own interoperability architecture

This is where Apple's argument runs into its most direct difficulty.

iOS 27's Extensions framework, announced at the same WWDC where Apple explained why it couldn't open Siri to Europe, lets any user install Claude, Gemini, ChatGPT, or Grok from the App Store and designate it as their system-level AI. Siri becomes an orchestration layer routing queries to the selected provider across Siri, Writing Tools, and Image Playground. Apple plans an Extensions SDK open to any App Store-distributed AI service, meaning the launch roster of four providers could expand well beyond that initial group (Beri.net). Each provider's own privacy policy governs what happens to routed data.

Apple draws a distinction that deserves fair treatment: the Extensions framework blocks access to contacts, messages, photos, and health data unless the user explicitly grants permission per query. Extensions are opt-in, user-initiated, and scoped. The DMA scenario Apple objects to, in its telling, would require always-on, pre-granted access for any assistant without those per-query gates (Beri.net). That distinction is architecturally real.
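The two ideas above, Willison's "lethal trifecta" and Apple's per-query permission gates, can be made concrete in a small policy layer. The following is an added illustration written for this article, not Apple's, Willison's or any vendor's code. It flags when a session's enabled tools span all three trifecta capabilities, refuses to read a sensitive data class unless the user granted it for the current query, and taints anything derived from untrusted content so it cannot be sent outward without a fresh confirmation. The tool names, data classes and data values are constructed for the example.

```python
"""
Added illustration, not Apple's or any vendor's code: a minimal policy layer
for an agentic assistant that (1) reports whether a session's tool set forms
the "lethal trifecta" (private-data read, untrusted-content ingest, outbound
send), (2) requires an explicit per-query grant before a sensitive data class
is read, and (3) taints anything derived from untrusted content so it cannot
leave the device without a fresh user confirmation. Tool names, data classes
and the data values themselves are constructed for the example.
"""
from dataclasses import dataclass, field

READ_PRIVATE, INGEST_UNTRUSTED, SEND_OUTBOUND = "read_private", "ingest_untrusted", "send_outbound"

# Constructed tool catalogue: tool name -> trifecta capability it exercises.
TOOLS = {
    "messages.search": READ_PRIVATE,
    "calendar.read": READ_PRIVATE,
    "web.fetch": INGEST_UNTRUSTED,
    "mail.read_inbox": INGEST_UNTRUSTED,  # inbound mail is attacker-controllable
    "messages.send": SEND_OUTBOUND,
    "web.fetch_image": SEND_OUTBOUND,     # a URL fetch can carry data out in the request
}

# Tools whose data class needs an explicit per-query grant.
SENSITIVE_SCOPE = {"messages.search": "messages", "calendar.read": "calendar"}


def trifecta_exposed(enabled_tools):
    """True when the enabled tools span all three capability classes at once."""
    caps = {TOOLS[t] for t in enabled_tools if t in TOOLS}
    return {READ_PRIVATE, INGEST_UNTRUSTED, SEND_OUTBOUND} <= caps


@dataclass
class Value:
    text: str
    tainted: bool = False  # True if derived (even partly) from untrusted content


def combine(*values):
    """Merging values propagates taint: the result is tainted if any input is."""
    return Value(" ".join(v.text for v in values), any(v.tainted for v in values))


@dataclass
class Session:
    enabled_tools: set
    grants: set = field(default_factory=set)   # per-query grants, cleared after each query
    audit: list = field(default_factory=list)  # (decision, tool, note) for later review

    def grant(self, scope):
        self.grants.add(scope)

    def end_query(self):
        self.grants.clear()  # grants never persist into the next query

    def call(self, tool, payload=None, confirmed=False):
        """Run one tool call under the policy; returns a Value or raises PermissionError."""
        if tool not in self.enabled_tools:
            raise PermissionError(f"{tool} not enabled")
        scope = SENSITIVE_SCOPE.get(tool)
        if scope and scope not in self.grants:
            self.audit.append(("denied", tool, f"no per-query grant for {scope}"))
            raise PermissionError(f"{tool} needs a per-query grant for {scope}")
        cap = TOOLS[tool]
        if cap == SEND_OUTBOUND:
            if payload is not None and payload.tainted and not confirmed:
                self.audit.append(("blocked", tool, "untrusted-derived content outbound"))
                raise PermissionError(f"{tool}: content derived from untrusted input needs confirmation")
            self.audit.append(("sent", tool, payload.text if payload else ""))
            return Value("ok")
        if cap == INGEST_UNTRUSTED:
            self.audit.append(("ingested", tool, "tainted"))
            return Value("<constructed untrusted content>", tainted=True)
        self.audit.append(("read", tool, scope or ""))
        return Value("<constructed private data>")


def demo():
    """Walk the article's recipe-and-invitation flow through the policy."""
    s = Session(enabled_tools=set(TOOLS))
    exposed = trifecta_exposed(s.enabled_tools)   # True: all three classes enabled
    denied = False
    try:
        s.call("messages.search")                  # query 1: no grant yet
    except PermissionError:
        denied = True
    s.grant("messages")                            # query 2: user grants messages once
    recipe = s.call("messages.search")
    s.end_query()
    page = s.call("web.fetch")                     # query 3: fetched page is tainted
    draft = combine(recipe, page)
    blocked = False
    try:
        s.call("messages.send", draft)             # tainted draft cannot leave silently
    except PermissionError:
        blocked = True
    sent = s.call("messages.send", draft, confirmed=True).text
    return exposed, denied, blocked, sent


if __name__ == "__main__":
    print(demo())  # (True, True, True, 'ok')
```

The per-query gate alone does not defeat the trifecta: once the grant is given, the private data is in the agent's context alongside whatever a fetched page says. That is why the second control, taint propagation to the outbound step, matters. The audit list is the third: it gives the reviewer the denied, blocked and sent decisions per tool call rather than a single opaque "the assistant sent a message".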

It doesn't resolve the contradiction, though. It narrows it. The cloud infrastructure Apple built for Siri AI's most capable functions already relies on non-Apple hardware and non-Apple models: the AFM 3 Cloud Pro model, used for "agentic tool use and complex reasoning," runs on Nvidia hardware inside Google's data centers, and according to Bloomberg's reporting as cited by Scientific American, the underlying model was reportedly derived from a specialized version of Gemini that Google has licensed to Apple for approximately $1 billion annually. Apple has extended its Private Cloud Compute framework to this third-party infrastructure using Nvidia Confidential Computing, Intel TDX, and Google's Titan chip, and maintains a cryptographically verifiable hardware ledger for its Google Cloud fleet, with devices trusting only Apple-signed software on those servers (Ars Technica).
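What a "cryptographically verifiable hardware ledger" lets a device check is easier to see in code. The following is an added illustration, not Apple's Private Cloud Compute protocol and not derived from Apple's documentation: a generic Merkle-tree transparency log of (server, software measurement) records, with an inclusion proof the device verifies against a root it obtained out of band. The server identifiers and measurements are constructed. A real deployment would additionally verify the attestation signature chained to the hardware root of trust (the page names Nvidia Confidential Computing, Intel TDX and Titan); that step is assumed here and not shown.

```python
"""
Added illustration of a verifiable ledger of permitted server software. This is
a generic Merkle transparency log, not Apple's Private Cloud Compute protocol:
server ids and measurements are constructed, and the attestation signature
check a real device would also perform is assumed rather than implemented.
"""
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(server_id: str, software_hash: str) -> bytes:
    """Domain-separated (0x00) hash of one (server, measurement) record."""
    return _h(b"\x00" + server_id.encode() + b"|" + software_hash.encode())


def node_hash(left: bytes, right: bytes) -> bytes:
    """Domain-separated (0x01) hash of two child nodes."""
    return _h(b"\x01" + left + right)


def build_tree(leaves):
    """Return the tree as levels: level 0 is the leaves, the last level is [root].
    An odd-length level duplicates its last node so pairs always form."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def inclusion_proof(levels, index):
    """Sibling hashes, with the side each sits on, from leaf `index` up to the root."""
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], "left" if sibling < index else "right"))
        index //= 2
    return proof


def verify_inclusion(leaf: bytes, proof, root: bytes) -> bool:
    """Recompute the root from the leaf and proof; accept only if it matches."""
    h = leaf
    for sib, side in proof:
        h = node_hash(sib, h) if side == "left" else node_hash(h, sib)
    return h == root


# Constructed ledger: each server and the software measurement it may run.
LEDGER = [
    ("node-a1", "sha256:aaaa"),
    ("node-b2", "sha256:bbbb"),
    ("node-c3", "sha256:cccc"),
]
LEVELS = build_tree([leaf_hash(s, m) for s, m in LEDGER])
PUBLISHED_ROOT = LEVELS[-1][0]  # the root a device pins or fetches out of band


def device_accepts(server_id, attested_hash, proof, root=PUBLISHED_ROOT) -> bool:
    """Device-side decision: only talk to a server whose attested (id, measurement)
    is provably in the ledger behind the pinned root."""
    return verify_inclusion(leaf_hash(server_id, attested_hash), proof, root)


def demo():
    proof_b = inclusion_proof(LEVELS, 1)
    ok = device_accepts("node-b2", "sha256:bbbb", proof_b)
    # The same node attesting a measurement that was never logged is refused,
    # even though it presents a proof that is valid for a different record.
    bad = device_accepts("node-b2", "sha256:dddd", proof_b)
    return ok, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of the construction is the asymmetry it creates: the operator can add servers, but it cannot quietly run unlogged software on one without either changing the published root (which every device would notice) or producing a proof that fails to verify. Who publishes the root, and who can audit the full log, is the governance question the article's quoted researchers are raising.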

That's a substantive technical effort. University of Michigan privacy researcher Florian Schaub acknowledged Apple's openness to external inspection as meaningful, while noting that "consumers often lack the expertise to inspect code," and that Apple's approach "at least enables external validation" of its claims without fully delivering it (Scientific American). UCL researcher Michael Veale put it more directly: Apple's privacy model is "built like a Jenga tower, based on extreme vertical control by the firm, and risks collapsing when interoperability is introduced." Veale's assessment, as The Verge reported, is that Apple is making an exception to its own long-standing privacy setup in order to stay relevant in AI. Apple is already introducing interoperability, on its own schedule, under terms it controls.


What to watch, and what the EU fight is actually about

The dispute will likely resolve slowly. Apple has no timeline for Siri AI on iPhone or iPad in the EU, while the Commission maintains that nothing in the DMA prevents Apple from launching. European Digital Rights' Penfrat invoked USB-C as precedent: Apple resisted that mandate loudly and eventually complied (The Verge). Whether the same dynamic plays out here depends on whether a compliant architecture is technically achievable or genuinely incompatible with Apple's security model, a question no neutral party has yet been asked to answer.

Three things are worth tracking in the meantime, because they bear on users everywhere, not just in Europe.

Who actually controls your data routing. Under Extensions, each query sent through a third-party provider travels under that provider's privacy policy, not Apple's. The per-query permission gates are a real safeguard, but they place significant governance weight on individual decisions at massive scale. According to Beri.net's analysis, 81% of Apple Intelligence queries currently run on-device, with 14% going to Private Cloud Compute and 5% to ChatGPT by user opt-in. When Extensions go live this fall, Beri.net warns that distribution will shift, routing some queries to providers whose data practices vary considerably.

Where Apple's privacy claims rest on Apple's own assurances. The Private Cloud Compute architecture is technically sophisticated and more open to external scrutiny than most comparable systems. But the strongest claims about data deletion, minimal off-device transmission, and third-party hardware isolation are currently verifiable primarily through Apple's descriptions and the limited inspections Apple enables. That gap matters whether you're a regulator deciding policy or a user deciding how much to trust the system (Ars Technica).

What the EU fight is really about. Apple has a legitimate technical argument that mediated, controlled interoperability is safer than unmediated parity access. The Commission has a legitimate competition argument that Apple shouldn't be the sole arbiter of which AI tools Europeans use. Neither position is obviously wrong. What both positions share is that they're advanced by parties with substantial competitive interests, and that user privacy is a useful argument for both, which is not the same as it being the primary concern of either.

The data risk from agentic AI is real, it's growing, and it was identified by researchers well before this regulatory standoff began. Europe didn't create it. Apple hasn't solved it. The structural vulnerabilities that come with giving any AI assistant deep access to your personal data exist independent of where negotiations between Cupertino and Brussels eventually land.
