On March 14, 2025, Germany witnessed two significant developments in the field of data protection regulations. Firstly, the introduction of the "DSGVO – information privacy standard" marked the release of the country's first criteria catalog for GDPR certification. This initiative allows both data controllers and processors to receive official certification, signaling enhanced adherence to privacy standards.
This new certification is expected to pave the way for improved data management practices across various sectors. By aligning with international standards set forth by the EU's General Data Protection Regulation (GDPR), organizations will not only bolster their compliance but may also gain greater trust from consumers concerned about privacy.
Simultaneously, state data protection officers across Germany are mobilizing against the draft law proposed by the Ministry of Economic Affairs and Digital Affairs concerning the implementation of the Data Act. This draft law suggests transferring monitoring responsibilities of the GDPR from state authorities to the Federal Data Protection Commissioner (BfDI), which has raised concerns among those tasked with safeguarding data privacy.
According to the proposed legislation, detailed under paragraph 3, BfDI would oversee the application of GDPR within the framework of the Data Act. This has drawn sharp criticism from the 17 data protection officers representing the various federal states, who fear this shift undermines local autonomy and creates unnecessary complexity.
Meike Kamp, the Berlin Data Protection Officer, commented, "Instead of simplifying responsibilities, the federal government's plans lead to duplicate structures in supervision and less legal certainty for all parties involved." Her concerns reflect fears of duplication and diminished legal clarity for businesses and consumers alike.
Adding to the complexity, the Data Act obligates providers of networked products to make the data generated by their products accessible to users free of charge. If this generated data contains personal information, its processing still falls under the GDPR, which takes precedence.
Critics argue that the overlapping jurisdictions could lead to confusion and inefficiency when addressing data protection issues. State authorities have emphasized the need for clear guidelines to avoid disputes over responsibility, warning that the proposed federal oversight could violate EU law and established constitutional principles governing administrative competencies.
The IT association Bitkom has expressed its perspective as well, stating, "An exceptional federal competence for the implementation of the Data Act could arise from the nature of the matter and Article 87 of the Basic Law on the distribution of tasks in postal services and telecommunications." This comment indicates that the association believes there might be valid grounds for federal oversight, while emphasizing careful consideration of the broader legal framework.
Both developments occurring simultaneously highlight the delicate balance between effective data governance and administrative efficiency. With the new criteria catalog for GDPR certification expected to encourage compliance, the ensuing controversy over the Data Act's oversight indicates broader challenges lie ahead.
The resolution of these conflicts will be closely watched, as they have the potential to impact not just regulations but also the operational frameworks within which both private and public organizations must operate. Against this backdrop, stakeholders from various sectors are called upon to engage proactively, ensuring the final regulatory environment fosters clarity and reinforces protections for individuals' data rights.