Germany pushes for sweeping data protection simplification beyond EU proposal

On October 23, 2025, Germany submitted a comprehensive proposal to the European Commission calling for substantial modifications to the General Data Protection Regulation, extending far beyond the Commission's current simplification efforts. The 19-page document outlines both immediate targeted amendments for inclusion in the Digital Omnibus initiative and longer-term structural reforms to Europe's data protection framework.

The German proposal arrives as the Commission pursues what it characterizes as an "unprecedented simplification" agenda. According to the Commission's communication published February 11, 2025, European regulators aim to reduce reporting requirements by at least 25% for all companies and 35% for small and medium-sized enterprises. Eurostat approximated overall recurring administrative costs at €150 billion across the European Union in 2022, establishing a baseline for measuring progress toward burden reduction targets.

Germany explicitly welcomed these Commission efforts while asserting that current proposals "do not go far enough." The Federal Government's document proposes what it calls a "two-stage process" - immediate tactical changes through the Digital Omnibus, followed by what could amount to fundamental restructuring of European data protection law.

Short-term modifications target record-keeping and information requirements

For immediate implementation in the Digital Omnibus, Germany identified five priority areas requiring attention. The proposal would clarify that consent does not take precedence over other legal bases in Article 6 GDPR, addressing what Germany characterizes as "a growing tendency in practice" by supervisory authorities and courts to prioritize consent improperly.

The Federal Government document states this prioritization "leads to uncertainty in practice," though it provides no statistical evidence of prevalence or economic impact. The proposed amendment to Recital 40 would add explicit language that "the legitimate bases in Article 6 GDPR are equivalent."

Information requirements under Articles 13 and 14 drew particular criticism. Germany argues these provisions create "media discontinuities" that burden companies with updating numerous privacy policies across different touchpoints. The proposal would permit controllers to satisfy information obligations by providing contact details alongside a link or QR code to detailed information on a website.

According to the document, this concentration of information "would significantly reduce the burden on companies" by eliminating the need to update multiple privacy policies. The proposed amendment would deem information obligations fulfilled when controllers provide their name, contact details, and "further information required under this provision via an electronic link accessible to the data subject without disproportionate effort."

Germany also seeks to extend data breach notification deadlines. Current Article 33 requires notification within 72 hours of becoming aware of a breach. The proposal would change this to "three (3) working days," arguing the modification "would allow operators to meet the deadline regardless of weekends and national holidays."

The Federal Government document excludes longer closing periods such as "ferragosto" from this consideration, suggesting the change targets routine weekend occurrences rather than extended holiday periods.

Restricting access rights emerges as controversial priority

Perhaps the most contentious element involves proposed restrictions to the right of access under Article 15. Germany characterizes current access procedures as vulnerable to "misuse for purposes unrelated to data protection," claiming "an increasing number of cases" where data subjects use access requests to create "protracted and resource-intensive disputes."

The document describes data subjects who "express their discontent with the state and its institutions by using access procedures to artificially create" administrative burdens. It further alleges that "extensive information rights are increasingly coming into conflict with the legal procedures of the Member States and jeopardising quality of arms in court proceedings."

Germany proposes defining "excessive requests" across several non-exhaustive categories. These include initial requests where information cannot be provided without disproportionate effort, repeated requests where data subjects fail to justify necessity, circumstances indicating "abusive purposes," and impossible requests.

The proposal would shift burden of proof requirements. Rather than controllers bearing full responsibility to demonstrate requests are excessive, Germany suggests introducing a "court-verified documentation obligation." If controllers document reasons for assuming excessiveness "in a comprehensible manner," data subjects would need to explain why their requests pursue legitimate GDPR purposes.

For supervisory authorities facing similar excessive requests, Germany proposes parallel amendments to Article 57. The proposal states "supervisory authorities too are increasingly becoming the target of applicants acting in bad faith and are overwhelmed with excessive requests."

Sensitive data protections face significant narrowing

Germany's proposal would substantially narrow Article 9 protections for sensitive personal data. Current GDPR provisions protect data revealing ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and information about sexual orientation.

The Federal Government seeks amendments allowing use of health-related data for "civil protection and disaster relief" purposes. The proposed modification would extend Article 9(h) to include processing necessary for civil protection activities, while Article 9(i) would add language about "protecting the health of civil protection and disaster control personnel."

According to the document, disaster and civil protection services require health data collection in advance of operations. The proposal states that "administering vaccinations at short notice before operations is not a suitable means of ensuring the necessary health protection" in all conceivable operational situations.

The document emphasizes that volunteer emergency workers should receive treatment equivalent to full-time personnel, as they face "comparable health risks in civil protection and disaster relief." This framing positions the amendment as equality legislation rather than data protection reduction.

Longer-term reform agenda targets fundamental GDPR architecture

Beyond immediate Digital Omnibus measures, Germany's document outlines extensive areas for Commission review through a planned Digital Fitness Check. These longer-term considerations could fundamentally reshape European data protection law.

The Federal Government "strongly supports" Commission intentions to examine whether further measures are necessary to strengthen competitiveness "without lowering the general level of protection provided by the GDPR." The document requests "broad dialogue with relevant stakeholders" including small and medium-sized enterprises, volunteer organizations, the digital sector, civil society, researchers, cultural institutions, media sector representatives, and data protection authorities.

Germany asks the Commission to investigate whether GDPR actually impairs European competitiveness or provides competitive advantages. The document notes "it has been claimed" that GDPR reduces competitiveness, while "others claim" compliance provides advantages. The Federal Government requests examination of "whether and, if so, to what extent the GDPR affects the competitiveness of European companies."

The proposal also questions whether GDPR creates "chilling effects" that prevent beneficial data processing. Germany suggests examining whether controllers avoid digitalization "out of fear of sanctions" or whether "the GDPR is being used as an excuse not to push ahead with digital transformation."

Excluding non-commercial activities from GDPR scope

One of Germany's most significant longer-term requests involves potentially exempting certain activities from GDPR entirely. The Federal Government references its coalition agreement commitment to discuss "possible exclusion of non-commercial activities, small and medium-sized enterprises and low-risk data processing (e.g. customer lists of tradespeople) from the scope of the GDPR."

The document states these exclusions must comply with "primary European law, in particular Articles 7 and 8 of the European Charter of Fundamental Rights, and international law." Germany specifically asks the Commission to examine "the extent to which the household exemption in Article 2 GDPR could be used to exempt voluntary activities in associations from obligations under the GDPR."

This represents a fundamental departure from GDPR's current comprehensive application. The regulation currently exempts only processing by natural persons "in the course of a purely personal or household activity," not organizational or commercial activities regardless of scale or risk level.

Germany proposes "anchoring the principle of practical concordance" more explicitly in legislative text rather than merely in recitals. The document notes that "currently, only Recital 4 reflects the relativity of personal data protection and its interaction with other fundamental rights."

Anonymization and pseudonymization concepts require clarification

The Federal Government identifies anonymization and pseudonymization as areas needing substantial clarification. Germany states "it is still unclear what anonymisation and pseudonymisation requirements need to be fulfilled to comply with the GDPR."

The proposal references a September 4, 2025 European Court of Justice ruling (C-413/23 P) establishing the concept of "relative anonymity." According to that judgment, pseudonymisation can effectively prevent persons other than the controller from identifying data subjects, meaning "for them, the data subject is not or is no longer identifiable."

Germany suggests either clarifying in Article 4(1) that anonymous information does not constitute personal data, or excluding anonymous information from GDPR's material scope in Article 2. The proposal also seeks an elaborate definition of anonymization referencing "state-of-the-art technical measures" and the relative anonymization concept from the Court's ruling.

A critical unresolved question involves whether anonymization itself constitutes data processing requiring a legal basis under Articles 6 or 9. Germany proposes explicitly mentioning anonymization as processing in Article 4(1), while examining whether legal bases for anonymization should be created or whether obligations could be waived entirely during anonymization activities.

Artificial intelligence training receives special attention

The Federal Government dedicates substantial discussion to artificial intelligence challenges under GDPR. The document notes that personal data "can play a role in virtually all phases of AI use" including data collection, training, fine-tuning, deployment, prompting, and output generation.

Germany identifies "numerous regulatory frictions that lead to legal uncertainty and thus burdens for users" despite GDPR technically remaining "untouched" by the AI Act. According to the document, "companies and authorities will often have to double-check and balance conflicts between regulatory standards" while "mechanisms for solving these conflicts are missing."

The Federal Government asks the Commission to examine "how AI models and systems can be set up in way that enables compliance with the GDPR." Where compliance proves impossible or infeasible, Germany requests examination of "whether separate legal bases would be appropriate for the training and use of AI."

The proposal specifically mentions examining whether Member State law and GDPR opening clauses could provide solutions for AI use "in the public interest." It also questions "how data subjects' rights in the context of general-purpose AI can be guaranteed."

Germany emphasizes the need to examine "how regulatory frictions between GDPR and AIA could be reduced, how uncertainties about the legal basis for training AI and similar activities could be removed," and "how unnecessary administrative burdens could be reduced."

Commission announces ambitious digital omnibus for late 2025

The European Commission's broader simplification strategy, outlined in its February 11 communication titled "A Simpler and Faster Europe," encompasses multiple sectoral initiatives beyond data protection. The Commission announced plans to pursue "unprecedented simplification to unleash opportunities, innovation and growth."

According to the communication, the Commission will "radically lighten the regulatory load for people, businesses and administrations in the EU." The strategy includes "stress-testing" the entire EU acquis through a continuous review process examining legislation for cumulative impacts and simplification opportunities.

The Commission announced several omnibus packages for 2025 adoption. A sustainability omnibus will address reporting requirements, due diligence, taxonomy, and the carbon border adjustment mechanism. An investment simplification package will facilitate InvestEU and European Fund for Strategic Investments deployment. A small mid-caps omnibus will ensure adapted requirements for smaller companies while removing "inefficient requests for paper format in product legislation."

A Digital Package will review cybersecurity legislation, assess whether the digital acquis "adequately reflects the needs and constraints of businesses such as SMEs and small midcaps," and establish a European Data Union Strategy. According to the Commission, this will create "a simplified, clear and coherent legal framework for businesses and administrations to share data seamlessly and at scale."

The Commission work programme also includes Agricultural Policy simplification addressing "sources of complexity and excessive administrative burden for farmers and national administrations." An Industrial Decarbonisation Accelerator Act will extend accelerated permitting to more sectors in transition.

Implementation dialogues and reality checks planned

To inform simplification efforts, the Commission announced new engagement mechanisms. Each Commissioner will host "at least two implementation dialogues a year with stakeholders" to assess progress and identify areas requiring attention. The dialogues will target "industry, including SMEs, social partners, regional and local authorities and civil society."

Outcomes will appear in annual progress reports on enforcement and implementation. According to the Commission, these reports will "help identify issues of poor implementation, gold plating, over-compliance or fragmentation, and uncover opportunities for simplification and harmonisation."

The Commission will also conduct "reality checks" reaching out to practitioners in companies across various sectors. These exchanges "at the technical level will help identify and solve practical issues, such as issues linked to authorisations, permitting, control or compliance."

Reality checks seek to "identify any hurdles or positive experiences, and how they relate to EU rules, implementation and national transposition." According to the communication, they will "help to verify whether the assumptions underpinning EU legislation are correct and deliver the expected benefits."

Digital omnibus faces November deadline

The Commission plans to adopt its Digital Omnibus proposal in the fourth quarter of 2025. According to previous PPC Land coverage, the Commission opened public consultation on September 16, 2025, with feedback periods closing in mid-October.

The initiative addresses multiple digital regulations simultaneously including data legislation, cookie consent requirements, cybersecurity reporting, AI Act implementation, and European Digital Identity Framework modifications. Implementation targets include reducing administrative burden by at least 25% for all companies and 35% for small and medium-sized enterprises.

The Commission's call for evidence specifically sought input on areas where digital regulations create excessive compliance costs or overlapping requirements. Stakeholder feedback during consultation periods will inform final proposal content when the Commission presents its omnibus package.

Parallel enforcement developments continue across member states. German data protection authorities established unified fine procedures in June 2025 to standardize GDPR enforcement approaches. The European Data Protection Board issued comprehensive guidance throughout 2025 on topics including Digital Services Act compliance and data protection impact assessments.

Record-keeping requirements saw modification in May 2025 when the Commission proposed increasing employee thresholds from 250 to 750 for exemptions. The European Data Protection Board and European Data Protection Supervisor issued a joint opinion on July 8, 2025, supporting that targeted initiative while requesting clarifications.

Industry reactions remain muted pending proposal details

Formal industry responses to Germany's October 23 proposal have not yet emerged publicly. The Federation of Business Information Services reported on October 30, 2025, that Germany submitted the document calling for GDPR simplification and broader data reform debate.

According to that reporting, Germany's proposals address the Commission's objective of reviewing and streamlining digital regulation "including the area of data protection." The federation noted Germany's support for Commission efforts while emphasizing the Federal Government's position that Omnibus IV proposals for GDPR simplification fall short of necessary reforms.

Privacy advocacy organizations have not issued public statements specifically addressing Germany's October 23 document. Previous positions on GDPR simplification efforts have emphasized maintaining fundamental rights protections while acknowledging legitimate administrative burden concerns for small enterprises.

The European Data Protection Board has not commented on Germany's specific proposals. The board's 2024-2025 work programme, announced in October 2024, included developing guidance on anonymization, pseudonymization, legitimate interest, and children's data among other topics.

Trade associations representing digital economy interests typically support simplification initiatives that reduce compliance costs while maintaining legal certainty. The Bundesverband Digitale Wirtschaft, representing over 600 digital economy companies in Germany, has expressed concerns about AI Act implementation but has not publicly addressed the broader GDPR reform proposal.

Historical context reveals long-standing implementation debates

Since GDPR entered into force in May 2018, implementation challenges have generated continuous discussion among member states, businesses, and civil society organizations. The Commission's second GDPR report, published July 25, 2024, documented €4.2 billion in fines and 6,680 enforcement actions while noting 72% public awareness of the regulation.

That report acknowledged "diverging interpretations of key data protection concepts by national authorities create legal uncertainty and increase compliance costs for businesses, particularly for small and medium-sized enterprises." The Commission proposed procedural rules to streamline cross-border case handling, currently under negotiation by the European Parliament and Council.

Enforcement patterns have varied significantly across member states. PPC Land reported in April 2025 that attempts to fix GDPR enforcement through a new procedural regulation risked creating "unprecedented complexity that will further delay privacy enforcement across Europe."

According to that analysis, what began as simplification efforts evolved into "an extraordinarily complex framework" potentially creating approximately ten different types of GDPR procedures rather than streamlining core mechanisms. Data protection authorities reportedly acknowledged serious problems but appeared "unwilling to delay its passage."

Consent mechanisms remain particularly contentious. The European Data Protection Board issued Opinion 08/2024 in April 2024 determining that most 'consent or pay' models fail to comply with GDPR standards for valid consent. According to EDPB Chair Anu Talus, "models we have today usually require individuals to either give away all their data or to pay."

Technical implementation continues evolving

Digital infrastructure supporting GDPR compliance has matured substantially since 2018. The European Data Protection Board launched a free website auditing tool in February 2024 to help organizations assess compliance. The tool enables legal and technical auditors to "efficiently conduct website audits" directly within its interface.

Early industry efforts to demonstrate compliance included blockchain-based solutions. In 2021, location intelligence company Cuebiq launched a Consent Management and Data Provenance solution using blockchain technology to provide "verifiable proof" of GDPR and California Consumer Privacy Act compliance.

Cross-border coordination mechanisms continue developing. Under the Internal Market Information System, the Commission facilitates digital administrative cooperation in implementing Single Market rules. The Technical Support Instrument provides assistance helping member states build administrative capacity and implement EU priorities with minimal burden.

Judicial interpretations have shaped practical application. German courts issued several significant rulings addressing GDPR implementation. The Leipzig District Court awarded €5,000 compensation on July 4, 2025, for Meta Business Tools violations, while the Lörrach Local Court ruled on March 3, 2025, that controllers need not provide deletion proof to data subjects.

Timeline

• February 11, 2025: European Commission publishes "A Simpler and Faster Europe" communication outlining comprehensive simplification agenda with burden reduction targets
• May 21, 2025: Commission proposes increasing GDPR record-keeping exemption threshold from 250 to 750 employees
• June 16, 2025: German data protection authorities establish model guidelines for unified fine procedures across federal and state jurisdictions
• July 8, 2025: European Data Protection Board and European Data Protection Supervisor issue joint opinionsupporting record-keeping simplification with clarifications
• September 11, 2025: EDPB adopts Guidelines 3/2025 on Digital Services Act and GDPR compliance coordination
• September 16, 2025: Commission launches Digital Omnibus call for evidence with consultation ending October 14
• October 23, 2025: Germany submits 19-page proposal calling for immediate GDPR amendments and longer-term reform examination
• Fourth quarter 2025: Commission plans to adopt Digital Omnibus proposal
• 2026: Digital Fitness Check launch planned for comprehensive acquis review

Summary

Who: The German Federal Government submitted proposals to the European Commission, with the document representing views from the coalition government including contributions from stakeholders consulted about needs of German companies and organizations.

What: A comprehensive two-stage proposal requesting immediate GDPR amendments through the Digital Omnibus initiative including changes to consent hierarchies, information requirements, breach notification deadlines, access rights, and sensitive data protections, alongside longer-term examination of fundamental structural reforms potentially excluding non-commercial activities and low-risk processing from GDPR scope entirely.

When: Germany dated the policy document October 23, 2025, following earlier consultations with relevant stakeholders, and submitted it as input to the Commission's Digital Omnibus initiative planned for adoption in fourth quarter 2025, with longer-term reforms to be examined through a Digital Fitness Check launching in 2026.

Where: The proposals would affect implementation across all 27 European Union member states and European Economic Area countries where GDPR applies, with particular impact on Germany's federal and state administrative structures, small and medium-sized enterprises, volunteer organizations, and disaster relief services.

Why: Germany argues that while supporting high data protection standards and the GDPR's role as "a core part of the European community of values," current implementation creates disproportionate administrative burdens particularly for small businesses and organizations with fewer than 750 employees, while regulatory uncertainty and complexity undermine European competitiveness and innovation in artificial intelligence and digital transformation without corresponding benefits for data subjects who face information overload and inadequate protection against misuse of access rights procedures.