On December 4, 2025, the German Federal Government published its Federal Modernization Agenda, setting out a series of suggested amendments to the GDPR and the Federal Data Protection Act (Bundesdatenschutzgesetz). Among the key measures, Germany seeks to shift certain responsibilities from users to manufacturers and providers of standard IT products—following the model of the Cyber Resilience Act (CRA) and the AI Act—so that organizations can deploy standard solutions more easily and in compliance with the law.
The German Data Protection Conference (Datenschutzkonferenz, DSK)—the body of federal and state data protection authorities—has adopted a resolution strongly supporting this approach. The resolution builds on recommendations the DSK first made in its 2019 evaluation of the GDPR.
Key Points of the DSK’s Resolution
- Extend Article 25 GDPR: Although the current “Data Protection by Design and by Default” obligations are directed at manufacturers, importers, and suppliers, it is not these groups but rather controllers who are de facto subject to data protection obligations. The DSK proposes making manufacturers and providers responsible for embedding privacy features at the design stage.
- Harmonization with EU Digital Acts: The proposal seeks to bring GDPR obligations for manufacturers and providers in line with existing EU legislation such as the CRA and the AI Act.
- Compliance Declarations: Manufacturers and providers would issue GDPR compliance statements, easing accountability for users.
- Certification Models: The DSK suggests exploring product certifications based on GDPR schemes.
- Include Processors: Privacy-friendly default settings obligations would also apply to processors, not just controllers.
Other Proposed Amendments by the Federal Government
In addition to the expansion of GDPR responsibility to cover manufacturers and providers of standard IT products, and its support for the Commission’s proposed GDPR changes under the Digital Omnibus, the Federal Government proposes further amendments, including:
- Repealing national rules on appointing data protection officers, relying solely on Article 37 GDPR.
- Amending Section 15e(6) of the Transplantation Act to replace explicit consent with an opt-out mechanism. Transplant centers are currently obliged to obtain explicit consent before transmitting data to the independent trust center for pseudonymization and subsequent transfer to the transplant register; under the opt-out mechanism, data may be transmitted unless the data subject objects.
- Assessing the implementation of the Health Data Usage Act (Gesundheitsdatennutzungsgesetz) and the Electronic Patient Record (elektronische Patientenakte), in cooperation with the Länder, to identify additional areas where an opt-out mechanism may be appropriate, which could potentially facilitate the secondary use of health data.
- Incorporating provisions for “regulatory sandboxes” modeled on Article 57 of the AI Act into the GDPR.
- Establishing a new, practical rule on anonymization in the GDPR, either in Recital 26, in Article 4 GDPR, or by creating a dedicated legal basis.
The Federal Government has announced plans to reform data protection supervision for the non-public sector in Germany. The objective is to achieve a consistent interpretation and application of data protection law while enhancing efficiency in the coordination among supervisory authorities. To this end, the Federal Government is considering several measures, including consolidating competencies either at the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit) or within the supervisory authorities of the federal states, for example through a concentration of responsibilities.
DSK’s Position and AI Reforms
While supporting many modernization goals, the DSK opposes, for example, abolishing company data protection officers. In addition, the DSK calls for targeted GDPR reforms for AI that go beyond the EU Commission’s proposals, including:
- New legal bases for AI-related processing, covering both public and private actors and reflecting technical specifics—such as web scraping for training, re-use of existing datasets, embedded personal data in models, healthcare AI applications, and generative AI systems.
- Enhanced transparency and rights, including obligations to inform individuals when their data is processed by AI and a right to request details.
* * *
At Covington & Burling LLP, we are closely following the proposed GDPR amendments from the European Commission and Member States. We actively engage in stakeholder discussions and contribute to position papers to help shape practical and balanced outcomes. We would be happy to assist you with any questions regarding these proposed changes and their potential impact on your business.