Germany has called for further simplification of the EU’s data protection law, according to a policy paper dated Oct. 23 and seen by MLex. The paper urges the European Commission to adopt a two-stage approach: first, to make targeted adjustments through the Digital Omnibus initiative in the short term, and later to launch a broader discussion on a potential data protection reform.
In the first stage, Germany outlines a series of targeted GDPR amendments aimed at cutting regulatory burdens for smaller organizations while preserving high data protection standards.
The proposals include clarifying that consent shouldn’t take precedence over other lawful bases for processing and easing information and reporting duties through digital links and proportionality exemptions. Germany also wants to extend the data breach notification period from 72 hours to three working days, saying this would help operators meet deadlines regardless of weekends and public holidays.
Germany also calls for tighter rules to curb abusive data-access requests and for explicit inclusion of volunteer emergency workers within the GDPR’s health data provisions.
Together, these measures should be addressed through the Digital Omnibus, an upcoming commission initiative to streamline EU digital laws, to “achieve rapid relief for SMEs, small mid-caps and other organizations of similar size,” the paper says.
In a different paper, Germany’s digital minister is pushing for a one-year delay and significant relaxations to the EU Artificial Intelligence Act, and further simplification of data protection rules.
Germany’s proposals come as the commission pursues a broader simplification agenda aimed at reducing compliance burdens for companies.
— Reform needed —
In a second phase, outlined in the policy document, Germany calls for a broader debate on modernizing the GDPR as part of the commission’s planned Digital Fitness Check, a further effort to streamline and simplify EU data rules.
Berlin urges a thorough review of how the regulation affects competitiveness and innovation, particularly for SMEs, and whether its rules can be applied more proportionately without undermining privacy rights.
Germany suggests strengthening the GDPR’s risk-based approach by potentially exempting low-risk or non-commercial processing from parts of the regulation and embedding a clearer balance between privacy and other fundamental rights, such as freedom of sciences and to conduct business.
It also wants legal clarity on anonymization and pseudonymization, drawing on recent EU court rulings, and proposes making software manufacturers partly responsible for ensuring products are data-protection compliant by design.
Berlin further highlights the need to resolve frictions between the GDPR and the AI Act and review how the GDPR protects minors, particularly regarding mechanisms for verifying users’ age.
Source: MLex
Write a comment