Will State Data Protection Authorities Be Disempowered?

The government is considering "abolishing the obligation to appoint a state data protection officer." Critics warn of a federal dismantling.


As part of a comprehensive “state modernization” program, the federal government is considering a far-reaching reform of data protection supervision. This is evident from the federal modernization agenda. A central and controversial point of the initiative is the consideration of "abolishing the obligation to appoint a state data protection officer." The goal is to achieve more uniform legal interpretation and greater efficiency. In addition to constitutional hurdles, centralization must also be carefully considered.

According to a protocol of a meeting between the Federal Chancellor and the heads of government of the states from December 4, 2025, which is available to view online, data protection supervision for the non-public sector is to be reformed by the end of 2027. The stated goal is to ensure "uniform legal interpretation and application" and to increase efficiency in the interaction of supervisory authorities.

Possible measures mentioned in the paper include bundling competencies with the Federal Commissioner for Data Protection and Freedom of Information, strengthening the Data Protection Conference (DSK), and establishing one-stop-shop regulations to create uniform contact points for companies. However, central to the initiative is a complete rethinking of the state data protection authorities. "The federal government is examining the abolition of the obligation to appoint a state data protection officer."


Constitutional law expert Dr. Jonas Botta urges differentiation when asked by heise online. One must clearly distinguish between the legal permissibility of such a step and whether it makes sense, and above all between supervision of state bodies (public sector) and of companies (private sector). The Minister-President of North Rhine-Westphalia, Hendrik Wüst, who has caused a stir in the past with statements against data protection, has not yet responded to an inquiry from heise online.

According to Botta, abolishing state authorities for the control of state data processing is constitutionally untenable. "For the public sector, the Federal Constitutional Court already emphasized the importance of independent supervision in its census ruling from 1983." This supervision must comply with the federal order. A federal authority like the BfDI must not simply control state authorities, as this would interfere with the "very essence of the states' sovereignty." Such a change would not be permissible without an amendment to the Basic Law.

The situation is different in the private sector. Here, the federal government could use its economic competence to actually centralize supervision with the BfDI. The GDPR does not mandate a federal structure. However, Botta adds a crucial limitation: the "complete independence" of supervision required by the GDPR must be maintained. This means, above all, that centralization must be accompanied by a significant increase in personnel and financial resources at the BfDI. "If the aim is simply to save personnel now, then I believe the approach is wrong," says Botta.

A study by the Scientific Services of the Bundestag from March 2025 likewise finds no "overriding legal concerns" against a centralization of supervision for the private sector. However, the expert opinion also confirms the constitutional limits in the public sector: "In the public sector, however, complete centralization of data protection supervision at the federal level is not possible," it states. The federal government lacks jurisdiction in areas where the states have legislative competence, such as in police or municipal law.

While the government sees an opportunity for deregulation and the creation of uniform data protection law for companies in Germany, experts warn against a hasty decision. Thoughtful centralization of supervision over the private sector could indeed bring advantages, for example, for companies with branches throughout Germany. The state authorities could then concentrate more on their core tasks in the public sector, for instance, in the use of surveillance technology. According to Botta, the motive behind the reform will be decisive. Should data protection be strengthened with uniform legal application and the necessary resources, or is this a cost-saving measure?

Plans for centralization have already met with strong resistance from state data protection officers in the past. They argued that proximity to citizens and local expertise would be lost through centralization. The state data protection officers therefore called for strengthening cooperation within the Data Protection Conference and giving it the power to make binding majority decisions.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.