The new legislative initiative could really shake up data protection - and the state data protection authorities are anything but enthusiastic.
The Data Act: A revolution or a nightmare for data protection?
In February 2025, the Ministry of Economic Affairs and Digital Affairs presented a new draft that promises far-reaching changes to the way data is handled in Germany: the so-called Data Act. However, what sounds like a modern law on data sharing could have far-reaching consequences for data protection - and not in a positive sense. The data protection commissioners of the federal states are extremely critical of the draft and fear that it will disempower them.
The concern of the state data protection authorities: a "shift" of power
The core of the concerns lies in a decisive innovation of the Data Act: According to the draft, the responsibility for monitoring data protection regulations under the new law will no longer lie with the state data protection officers as before, but with the Federal Data Protection Commissioner (BfDI). For many of the 17 data protection authorities at state level, this means a considerable loss of influence - and they argue that this step violates European data protection law and the German constitution.
More bureaucracy instead of clarity: duplicate structures on the rise?
What is particularly problematic for the state authorities is that the draft could lead to a duplication of supervisory structures. This is because when implementing the Data Act, both the BfDI and the state authorities are to monitor data processing at different levels. The result: endless bureaucracy, especially for companies and authorities. Meike Kamp, the Berlin data protection officer, warns that these new regulations will not only create more work and uncertainty for those involved, but could also jeopardize data protection as a whole.
The dissenting voice: Need for a central authority
However, not everyone is of the opinion that the draft jeopardizes data protection. The IT association Bitkom, for example, believes that the responsibility of the federal authority makes sense in order to implement the Data Act efficiently. They argue that central supervision is necessary in view of the complexity of the law. However, it remains to be seen how the authorities and companies will adapt to the new regulations in practice.
Data protection in transition - a necessary step or a bureaucratic mess?
What remains after this discussion? The Data Act could certainly be useful for simplifying data sharing for networked products and their services. However, the concerns of data protection officers clearly show that it is not just a law that is being called into question here, but an entire system. A healthy degree of central supervision could certainly help, but the danger of data protection in Germany becoming a bureaucratic nightmare cannot be dismissed out of hand.
The Data Act seems to have the right aim - more transparency and control over our data - but the way it is to be implemented could only make things worse. Bureaucratic duplication is the last thing we need at a time when the digital world is advancing ever faster. Whether the BfDI is really the right body to safeguard data protection remains questionable.
