zurück zum Artikel

Federal states are calling for corrections to the Brussels drafts for a Digital Omnibus to prevent legal uncertainties regarding data and innovation blockades.

The EU Commission has formulated an ambitious goal with the draft for a Digital Omnibus Regulation [1]: the legal framework for net policy is to be simplified, bureaucracy reduced, and innovation capacity strengthened. In its resolutions of Friday, the Bundesrat fundamentally supports this objective. At the same time, however, the federal states' representatives do not hold back with criticism of the specific design. There is great concern in the body that the intended simplification could turn into the opposite and create new, unpredictable hurdles.

The Bundesrat views [2] the planned amendment to the definition of personal data in the General Data Protection Regulation (GDPR [3]) with particular skepticism in its two relevant statements [4]. Here, it warns of increased legal uncertainty, as the classification is to depend more strongly on the subjective circumstances of the processing entity in the future.

Previously, there was a more objective standard for what constitutes personal information. In practice, according to the Bundesrat, the planned new regulation with its focus on pseudonymization [5] could lead to complete uncertainty about who the strict rules of the GDPR apply to in processes involving division of labor. Instead of relieving companies, this vagueness would lead to lengthy legal disputes and a withdrawal from data-driven business models, the federal states warn. This would negate the desired relief effect.

Data Protection Vabanque Game

Another point concerns AI and access to data in vehicles. For the development of autonomous driving systems and modern assistance systems such as emergency braking or lane keeping assistants, the automotive industry needs gigantic amounts of image and video data from real road traffic. The current regulation proposal provides for extensive consent requirements for this, which are hardly feasible in reality, fears the Bundesrat. According to it, it is impossible to obtain prior consent from every passerby who is incidentally captured by a vehicle camera. This would amount to a development ban for autonomous driving in Europe.

Such an approach would also endanger traffic safety, the chamber warns. Vulnerable groups such as children or people with disabilities cannot be reliably recognized by autonomous systems without this training data. If the AI does not learn what a young person on the roadside looks like, the safety level for all road users decreases. The federal states therefore call for a legally clear regulation for the use of such image data that goes beyond the narrow limits of the current AI definition and also includes classic assistance systems.

Bureaucracy Hammer for Law Enforcement Agencies?

While the Bundesrat acknowledges the effort to regulate the use of AI in law enforcement through the AI Act [6] and the Omnibus adjustments, it warns of excessive burdens from new documentation and proof requirements. Especially with high-risk systems, there is a risk that the enormous bureaucratic effort will hinder or even prevent the future use of AI in police work. The high investment costs for hardware would then no longer be in proportion to the operational benefit if officers had to spend a large part of their time creating compliance reports.

The federal states therefore advocate for extended exception provisions for law enforcement agencies. These are already subject to close parliamentary and judicial control. Additional bureaucratic EU layers would restrict operational capabilities without effectively increasing fundamental rights protection. The aim should be a responsible balance between rule-of-law control and the efficiency of the European security architecture, in order not to lose touch with "modern investigation methods" in international comparison.

Manufacturer Responsibility Instead of User Burden

In the area of consumer law, the Bundesrat demands that the simplifications must not lead to a reduction in the level of protection. It criticizes that the draft does not yet provide for sufficient manufacturer and provider responsibility. According to the federal states, producers of digital services must be held more accountable. It is important to ensure that their standard solutions function in a data protection-compliant manner ex works (Privacy by Design [7]). It cannot be the case that the responsibility for complex data protection settings lies solely with the end-user or the small medium-sized enterprise that uses the software.

[8]

(nen [9])

URL dieses Artikels:
https://www.heise.de/-11228783

Links in diesem Artikel:
[1] https://www.heise.de/news/EU-will-DSGVO-schleifen-fuer-KI-und-Cookie-Banner-11071630.html?from-en=1
[2] https://www.bundesrat.de/drs.html?id=33-26(B)
[3] https://www.heise.de/thema/DSGVO
[4] https://www.bundesrat.de/drs.html?id=34-26(B)
[5] https://www.heise.de/news/EuGH-staerkt-Datenschutz-Pseudonymisierung-allein-reicht-nicht-immer-10632783.html?from-en=1
[6] https://www.heise.de/news/AI-Act-beschlossen-Zwischen-vertrauenswuerdiger-KI-und-dystopischen-Technologien-9653984.html?from-en=1
[7] https://www.heise.de/news/EU-Datenschuetzer-fordert-Einbau-von-Datenschutz-in-die-Technik-960735.html?from-en=1
[8] https://www.heise.de/newsletter/anmeldung.html?id=ki-update&wt_mc=intern.red.ho.ho_nl_ki.ho.markenbanner.markenbanner
[9] mailto:nen@heise.de
[10] https://www.facebook.com/heiseonlineEnglish
[11] https://www.linkedin.com/company/104691972
[12] https://social.heise.de/@heiseonlineenglish
[13] https://www.heise.de/news/Digital-Omnibus-Bundesrat-warnt-vor-DSGVO-Chaos-und-KI-Vollbremsung-11228759.html

Copyright © 2026 Heise Medien