The government of Germany’s 21st legislative period—formed by CDU/CSU and SPD—has made one thing clear in its coalition agreement: data protection must be future-ready, efficient, and innovation-friendly. At the heart of this initiative is the goal of reducing administrative burdens without compromising the high standard of personal data protection.

The government is committed to reducing bureaucratic complexity in data protection. Specifically, for public services, the coalition aims to replace complex consent mechanisms with transparent opt-out models—always upholding the fundamental right to informational self-determination and ensuring compliance with European law.

However, the centerpiece of this reform agenda is the restructuring of data protection oversight.

A cornerstone of the reform would be the centralization of data protection oversight for the private sector under the Federal Commissioner for Data Protection and Freedom of Information (BfDI). Germany remains the only EU country with a decentralized supervisory structure for the private sector—resulting in inconsistent legal interpretations and regulatory uncertainty for businesses.

The proposed centralization promises multiple benefits:

At the same time, maintaining the current close relationships between businesses and their regional supervisory authorities poses a challenge. Whether the BfDI can fulfill this advisory role at a national level remains to be seen.

A symbolic but meaningful step would be the proposed renaming of the BfDI to “Federal Commissioner for Data Use, Data Protection, and Freedom of Information”—signaling a progressive approach to data governance that positions data protection as an enabler of innovation within the European data economy.

The Data Protection Conference (DSK)—the key coordinating body of Germany’s federal and state supervisory authorities—is set to be legally enshrined in the Federal Data Protection Act. This would reinforce efforts to establish unified standards and strengthen cooperation across governance levels.

With the centralization of oversight for the private sector, the DSK would primarily focus on coordinating supervision in the public sector moving forward.

The coalition also aims to reduce regulatory burdens for small and medium-sized enterprises (SMEs), volunteer organizations, and low-risk data processors. By leveraging existing flexibilities within the GDPR, the government seeks to simplify compliance for non-commercial entities and everyday business processes—such as customer lists maintained by small service providers.

Although the scope for national exceptions under the GDPR is limited, the intent is clear: to create a more pragmatic, proportionate data protection regime that supports operational feasibility without undermining individual rights.

The coalition agreement underscores that data protection should not impose a barrier, but provide a strategic asset for digital progress and societal trust. Accordingly, it is planned—especially in the healthcare sector—to reassess data protection provisions for their necessity and practical implications.

Additionally, a three-month retention requirement for IP addresses and port numbers is being considered to support user identification—although further details have yet to be released.

With its coalition agreement, the German government attempts to ushering in a new era of data protection: clearer rules, leaner processes, and stronger support for innovation. The proposed reforms offer a pivotal opportunity to redefine data protection—as a foundation for trust, digital sovereignty, and economic development. Businesses, public institutions, and civil society now have the chance to shape this transformation actively and constructively.