In the heart of Europe, a sweeping debate over digitalization, data privacy, and social inclusion is gaining momentum as Germany pushes for a fundamental shift in how personal data is protected and managed. The German federal government, in its "Modernization Agenda" published at the close of 2025, has proposed a landmark reform of the European Union’s General Data Protection Regulation (GDPR). This initiative aims to transfer the burden of ensuring data protection compliance from user companies—particularly small and medium-sized enterprises (SMEs)—to the actual manufacturers of software, signaling a significant change in the digital regulatory landscape.
According to reporting by MDR on January 5, 2026, the reform would require manufacturers of standardized IT products to implement "Privacy by Design" as a legal obligation. The principle itself is not new: Article 25 of the GDPR already requires data protection by design and by default, but that duty falls on the controller, i.e. the company deploying the software, while Recital 78 merely encourages producers to take it into account. The proposal would move the obligation to the manufacturer, so that privacy safeguards are built into products from the start rather than being an afterthought or a responsibility left to the deploying company. For thousands of SMEs, which often lack the technical capacity to audit or influence global software vendors, such a shift could offer relief from complex compliance risks that currently fall squarely on their shoulders.
The German government’s proposal is not occurring in a vacuum. It seeks to harmonize the GDPR with recent EU laws such as the Cyber Resilience Act (CRA) and the AI Act (Artificial Intelligence Regulation), both of which primarily hold manufacturers accountable for security and compliance. The CRA, already adopted and with its obligations phasing in through 2027, requires manufacturers to ensure cybersecurity throughout a product’s lifecycle. The German initiative would extend this principle to data privacy, closing a regulatory gap in which a product might be deemed "secure" under the CRA but still "non-compliant" with GDPR privacy requirements, leaving the customers who deploy it exposed to liability.
Legal experts and data protection authorities have voiced strong support for this approach. The joint resolution of the federal and state data protection conference (DSK) puts it explicitly: "the manufacturer is the only party able to implement effective data protection measures for standard IT products."
Under the new plan, manufacturers would have to issue binding GDPR compliance declarations for their products. Companies deploying software that carries such a declaration could then rely on it for their own compliance, creating a "safe harbor" and potentially reducing the need for individual data protection impact assessments (DPIA, abbreviated DSFA in German) for standard software. This could also contribute to the billions in administrative cost savings the European Commission aims to achieve by 2029.
However, the reform proposal is just one piece of a broader puzzle. The EU Commission is simultaneously pursuing a "Digital Omnibus" strategy, focusing on simplifying information and consent obligations such as those behind cookie banners. The German proposal goes further, altering the enforcement mechanisms of the GDPR and potentially reshaping the entire compliance ecosystem.
As the legislative process unfolds, the German government is also considering aligning national rules for appointing data protection officers with Article 37 of the GDPR, further harmonizing German law with EU standards and lowering barriers for international companies operating in Germany. If the liability shift is embraced at the EU level, targeted amendments to the GDPR could follow within the next 12 to 24 months, as indicated by the ongoing EU consultation on digital fitness, which runs until March 11, 2026.
While the proposed changes are welcomed by many SMEs and compliance officers, larger software providers may push back against the increased legal risks and potential costs. The move also signals the emergence of a new market for testing and certification bodies, similar to ISO standards or CRA conformity assessments, as manufacturers scramble to prove their products’ GDPR compliance.
Yet, as the regulatory landscape evolves, real-world data protection challenges persist—nowhere more evident than in the healthcare sector. MDR’s recent coverage highlights a growing trend: doctors, especially dentists and orthodontists, are increasingly outsourcing billing to factoring companies such as Mediserv, Zahnärztliche Abrechnungsgesellschaft AG, and BFS Health Finance (part of the Bertelsmann group). While this outsourcing streamlines administrative processes and accelerates payments for medical practices, it comes at a cost: sensitive patient health data is being shared with third-party financial service providers who are not bound by the same confidentiality obligations as healthcare professionals.
Thilo Weichert, former data protection officer for Schleswig-Holstein, raised the alarm, warning, "Health data is passed on to a third party. And this financial service provider is no longer bound by a confidentiality obligation or a right to refuse to testify, as is the case with doctors." He also pointed out that, hidden in patient consent forms, there are often clauses allowing inquiries to credit agencies such as Schufa, InfoScore, or Creditreform. This means that even the health data of minors—say, for orthodontic treatment—could end up in the hands of credit bureaus.
Factoring, a financial practice where companies sell their receivables to a third party (the "factor") for a fee, is booming in German healthcare. The German Factoring Association reports that around 76 billion euros are transacted annually in this sector, with steady growth. However, no one knows exactly how much patients end up paying to factoring companies or whether this model improves or undermines healthcare quality.
Data protection advocates and medical informatics experts are increasingly critical of the trend. Caroline Bönisch of Hochschule Stralsund argued that while factoring offers short-term relief from bureaucratic burdens, it may foster long-term dependencies and new IT security risks. "Factoring is more a symptom of structural problems—excessive bureaucracy or a lack of digitalization in healthcare—than a sustainable solution," Bönisch explained. Both she and Weichert advocate alternatives such as physician-led associations or cooperatives, which would be subject to medical confidentiality and maintain stronger control over sensitive patient data.
Beyond regulatory reform and sector-specific concerns, the broader societal impact of digitalization is also under scrutiny. On January 5, 2026, Alexander Roßnagel, the data protection officer for Hesse, publicly criticized the growing "digital compulsion" in everyday life—from parking to medical appointments. Roßnagel emphasized that digital accessibility is often overlooked, leaving vulnerable groups behind. "Between four and five percent of adults in Germany have no internet access or email account, and about 18 percent do not own a smartphone," he noted, highlighting that these are often older adults or those with disabilities.
Roßnagel warned that each new wave of IT development risks excluding the next generation of seniors, as technology continues to outpace the ability of many to adapt. "People without a smartphone can no longer park," he remarked, pointing to the shift toward app-based parking payments that collect far more personal data than traditional coin-operated meters. Similarly, arranging appointments with medical specialists increasingly requires navigating digital platforms, further marginalizing those without access or digital skills.
To counter these trends, Roßnagel urged that analog access to essential services must be preserved and that support structures—such as digital help desks in community centers and "digital assistance officers" in retirement homes—should be established to bridge the gap.
As Germany and the EU grapple with the challenges of digital transformation, the path forward will require balancing innovation, privacy, and inclusion. The coming months promise vigorous debate, as lawmakers, industry players, and advocates for vulnerable populations weigh in on the future of data protection and digital participation in Europe.