Data Protection, Innovation and Competitiveness Ain’t Just a Matter of Structure And Competence

The impulses are structured into four core sections:

1. Background (Catalyst)
2. Debunking Current Myths
3. Areas of Modernisation
4. Core Theses and Strategic Next Steps

Authorities explicitly recognise the evolving overlap and interaction of several landmark European acts, such as GDPR, DSA, DMA, Data Act and AI Act. Some of the most recent technical and societal developments could not have been foreseen when the GDPR was drafted over a decade ago. Yet, the fundamental principles of the GDPR, rooted in a constitutional and human rights dimension, remain fully present and relevant.

DPA seek to contribute to these emerging challenges proactively, by providing hands-on experience and empirical data. Under the umbrella of the “Datenschutzkonferenz” (DSK, the German Conference of DPA), the authorities aligned on a shared approach. Crucially, they conclude that alignments (and adjustments) across different legal spheres are of such significance that they are at best addressed EU-wide, rather than through isolated national approaches.

Regardless of the expected and required timelines, related to the importance of the decisions, to find mutual agreements among all relevant (and global) stakeholders, the DPA intend to showcase short-term opportunities. In their view, these do not require complex legislative adaptions, can be implemented easily, and will deliver immediate “quick-wins”.

The DPA address a variety of common so-called “myths” that they deem generally present within the reform debate. These misconceptions span several dimensions, from structural setups (federal vs. centralised), to the scalability of authoritative and regulatory tasks, material inconsistency, and alleged “gold-plating”.

Constitutional Facts: The paper concludes that Germany’s federal approach is constitutionally predetermined. While there may be room for manoeuvre regarding the supervision of private entities, federal authorities must constitutionally remain in place for public bodies anyway. Therefore, the debate should acknowledge these structural limitations.

Centralisation Fallacy: Alongside constitutional realities, the DPA conclude that simple centralisation of competences will not automatically increase efficiency. First, DPA state that a task requires the same resources regardless who performs it. Therefore, centralisation will not result in any win of efficiency or reduction of financial needs or workloads within the overarching DPA landscape. It will merely re-shuffle the full-time-equivalents (FTE) from regional authorities to one central authority.

Proximity is Key: Furthermore, the DPA claim that the current spread of offices and experts increase the availability for data subjects and SME. Centralisation might create obstacles for data subjects and SME to seek for advice or resolve issues at eye-level efficiently.

Especially focussing on data subjects’ complaints, the DPA emphasise that the processing of these cases requires individual legal assessments. Due process prevents any factory-like scaling effects. These case-by-case evaluations and discretions remain identical whether handled federally or centrally. Meaningful scalability – if at all permissible – will only be achieved by (legally) recognising, applying and executing elements such as a risk-based approach more often and more extensively.

The DPA reject the claim of unique “German Gold-Plating” by highlighting that most impactful decisions and guidelines, especially cross-border scenarios, are adopted by the European Data Protection Board (EDPB), where Germany’s vote carries the same weight as any other Member State. Additionally, the “German Vote” within the EDPB always reflects the aligned and unified stance of all 18 German DPA; an alignment that can gathered within 24 hours when necessary. As a side-note, the DPA refer to ECJ judgments, e.g. SCHUFA case, where the European Court of Justice ruled even more rigorously than the Germany authorities had originally interpreted the law.

Alongside DPA reject any claims of inconsistencies. First, the limited number of Federal Administrative Court Judgments shall prove the overarching consistency of the applied interpretation. Secondly, the DPA refer to administration's commitment to their own principles and prior-majority decisions, i.e. that authorities will act consistently and accordingly to their aligned positions.

In reference to the a Bundesrat initiative spearheaded by the Federal State of Hamburg, the DPA supports the momentum of increase consistency and efficiency across data protection law. Rather than centralising personnel and competences, they suggest to formalising and deepening co-operation amongst German DPA.

The DSK should be legally formalised and sufficiently equipped with dedicated resources, including a permanent Secretariat and central information hubs and portal(s). The current approach of annually rolling chairs creates unnecessary frictions and loss of hand-on expertise and institutional memory. Permanent structural and formal establishment - of the DSK – would streamline resource allocation, and subsequently facilitate procedural clarifications and enforcements, such a majority decisions.

Simple re-allocation of competences achieves little. Still, DPA acknowledge the potential for regional synergies. Regional deviations in industry and business might have created distinct expertise on such industries, related supply-chains and processing activities. Maintaining low-threshold accessibility and interaction between authorities and local business fosters expertise-building and awareness and better understanding of frontier developments.

Likewise, expertise and processes do not require unnecessary redundancies so that the DPA suggest to distribute and pool competences amongst their federal structures resulting in expert hubs.

Actions and positions of DPA should become more transparent. Therefore, enforcement decisions shall be published in a central database, similar to judgment databases, such as European Union’s (EU’s) CURIA, if and to the extent permitted by law.

Alongside, DPA suggest draft clear practical guidance to contour yet undefined or still ambiguous legal terms and requirements within GDPR. Drafting, related stakeholders dialogues and procedures around the publication of such guidelines shall advance.

Decisions shall be accelerated and access facilitated. This shall be accomplished by several elements:

• Internal Enhancements: Internally, procedures shall be streamlined, while coordination between DPA shall be strengthened.
• Centralised Portals: For data subjects and businesses, access to procedures shall be facilitated by centralised portals and clarified competences. Meaning that a processing activity of national relevance shall be decided upon by one authority in representation for any other potentially competent authorities (One-For-All-Principle). Likewise, legally required submission of information, such as data breach notifications, or any other mandatory communication with DPA shall be funneled through one central portal. Data subjects and businesses submit their information or needs once, any subsequent coordination amongst DPA will be managed by the DPA.

The DPA outline several fields where substantive data protections rules might benefit from targeted, short-term amendments.

AI-Guardrails: Those elements relate to necessary guardrails in the context of Artificial Intelligence (AI). While AI training has been in focus already, subsequent processing and enforcement of GDPR-priniciples including data subject rights will require further attention.

Art. 40 et seq: Alongside, elements of Art. 40 et seq will require streamlining to enable the operational benefits.

Processors and Manufacturers: The current concept of processors might require a massive paradigm shift. Controllers – especially SME – frequently appear subject to an asymmetric situation. Moving processorship away from tedious individual contracts to a legally defined statutory framework might be better suited to reflect market realities and distribute liabilities more equitably. In this vein, also (software and application) manufacturers should become subject to adequate obligations and liabilities.

Integrating Data Protection Into the Landscape of Fundamental Rights: Data protection is one of many fundamental rights. This reality aligns with the acknowledgement that a greater focus must be placed on risk-based approaches. The effectuation of fundamental rights in their entirety might be one relevant key aspect in future. Data protection should not unduly limit the enactment of other further fundamental rights but be one of many relevant pillars; yet data protection should not be undermined either. Legal uncertainty might be resolved in a much speedier fashion, if authorities could prioritise their (enforcement) efforts, also regarding complaints, in order to actively secure data protection in emerging, innovative processing activities that yield high societal benefits.

The self-critical humbleness displayed by German Data Protection Authorities (DPAs) in their recently published "Stuttgarter Impulse" is, at first glance, deeply refreshing. To hear regulators openly admit that data protection procedures take too long, lean heavily on bureaucratic formalism, and place an asymmetric burden on market participants is a welcome departure from typical administrative defensiveness.

However, beneath this veneer of operational pragmatism pokes a defence of status-quo federalism. While the DPAs present their structural setup as an unalterable constitutional reality, a deeper legal and economic analysis might allow of diverse conclusions.

The DPAs argue that Germany’s decentralized structure is a hard constitutional limit, pointing out the divergence between federal legislative competence and state-level administrative execution. Indeed, the current constitutional framework precludes a federal structure. It is also accurate that there is a difference between the competence to set the laws (Arts. 30, 70 et seq GG) and the competence to administer and enforce the laws (Arts. 83 et seq).

Yet, this constitutional defence feels structurally weak. The Grundgesetz is not a divine decree shielded from reasonable modernisation; it is an organic framework designed to be amended when reality outpace text. Any law, including the German Constitution (GG), can be adapted, if deemed necessary and in alignment with the additional safeguards of Art. 79 GG. In fact, the constitution already tolerates centralisation when convenient, thereby deviates from the proclaimed principles, i.e. by appointing the Federal Commissioner (BfDI) as sole data protection authority in telecommunications and postal services.

Where the DPAs' argument does gain traction is the economic reality of headcount. A regulatory task requires the same resources regardless of who performs it. Federal authorities must remain in place anyway, at a minimum for federal state concerns. It therefore seems appropriate to conclude that deepening co-operation and leveraging synergies might be as effective as legally restructuring the entire setup and competences.

Unfortunately, the DPA have not mentioned any perspectives on budgeting synergies, financial and political independence.

Currently, the DPA entirely ignore the efficiency gains of pooling fragmented headcount. While it is accurate that the same task will require the same resources, centralisation might help lifting “fractioned full-time-equivalents”. Five regional authorities might each require a 0.1 FTE expert on a niche subject matter – a position that is de-facto impossible to hire on the open market. Consolidating those tractional needs into a single, cohesive 0.5 FTE role at a centralised authority is a tangible efficiency win that the “Impulses” conveniently gloss over.

German DPA are and must remain independent. The paper passionately defends the pluralism of 18 independent authorities as a vital safeguard against undue political influence. True, distributing power prevents a single state parliament from hijacking national data protection policy. But this independence is largely functional, not financial.

German DPAs remain dependent on their respective state parliaments for budgetary sign-offs and commissioner appointments. Furthermore, German DPA must not litigate their cases themselves, but are dependent on Public Prosecutors’ Offices.

Any adaptations on the very structural core might have positive and negative implication on those matters, as well. The diversity of 18 authorities could be seen as advantage and safeguard against undue parliaments influence: appointing one Commissioner might give the competent parliament extreme powers. Likewise, one might argue, budgeting discussions with one parliament could be streamlined and performed much more effectively, than diverging the process across 18 authorities. Structural revamps could also be used to implement additional safeguards and optimisation, such as the competency of DPA to litigate their own cases, budgeting safeguard similar to the German Commission for the Assessment of Financial Requirements (KEF), or suitability to allocate administrative fines partially to DPA.

In short: It would have been a pleasant surprise, if the "Impulses" proposed structural bold steps to secure financial and litigious autonomy, such as:

• Establishing an independent funding allocation model, similar to the KEF (Commission for the Assessment of the Financial Requirements of Public Broadcasters).
• Granting DPA the statutory authority to litigate their own enforcement cases in court.
• Allowing DPA to retain a portion of administrative fines to directly fund operational capabilities or – at a minimum – awareness projects and implementation funding.

It is a fundamental right that laws will be applied consistently, i.e. equally. Therefore, any claims in respect of due consistency are fair, and non-disputable. Likewise the DPA conclude, appropriately, that real life is anything but a laboratory. Real life cases will always entail (subtle) differences.

Therefore, claims of inconsistency should be made carefully, because they inherently carry the accusation of illegitimate arbitrariness, which eventually may undermine trust in and resilience of democratic structures and its rule of law.

Therefore, the DPA could have made their stance more boldly that most probably there is no undue inconsistency. Even though, the DPA confidently point to the low volume of Federal Administrative Court proceedings as empirical proof of their "overarching consistency". This is a shaky metric at best. Regulatory consistency should not be measured by the rarity of highest-court litigation, which can be driven by a multitude of external factors, including litigation costs and corporate risk mitigation.

More concerning is the DSK's aggressive push for binding majority decisions. In an area of law where fact-specific balancing of interests is paramount, a structural transfer of a judgment from one case to another is legally perilous. It risks trampling the principle of inter partes effects (that a ruling binds only the specific parties involved).

Furthermore, in a German administrative and political perception culture that traditionally disdains non-consensual outcomes, forcing binding majority votes risks creating two counter-productive incentives:

• A Non-Decision: Gridlock by committee, slowing down enforcement even further.
• A Race to the Top: The adoption of the lowest common denominator of risk tolerance, resulting in a hyper-conservative, rigid stance.

This would eliminate the one hidden benefit of the current fragmentation: the ability for innovative businesses to strategically design their corporate setups to fall under the jurisdiction of a more tech-literate, commercially balanced regional authority.

Ultimately, inconsistency is rarely the true bottleneck to corporate innovation. Almost half a century after the first data protection laws were drafted, one might and should expect core elements to be settled already. This certainly addresses common daily processing activities that happen millions of times, and that are duly accepted and expected by data subjects.

The real friction occurs when businesses choose to step outside well-trodden, compliant paths into frontier tech. When they do, they control the processing activity, evaluate the risks, and potentially reach out to supervisors for guidance.

This is where the process breaks down. If authorities remain structurally risk-averse, focusing heavier on hypothetical worst-case scenarios than on realistic, engineered safeguards, it ceases to be a problem of legal consistency. It becomes a problem of institutional paradigm.

This paradigm may have – to some extent – its foundation in the current legal text; while in other scenarios GDPR might give leeway for less rigorous positions.

The market players demanding flexibility to foster innovation must learn to tolerate a healthy degree of legal ambiguity. Conversely, those corporate legal departments demanding absolute, bulletproof predictability must accept the price tag: regulatory rigidity and a complete incompatibility with future technical developments.

The "Stuttgarter Impulse" contextualises itself in exceptionally dense political and legislative times. It addresses highly relevant operational elements that will provide genuine quick wins. However, as the paper itself emphasises, the structural core requires adjustments at the European level and a rephrasing of the law.

The paper will certainly build a highly constructive foundation for further discussions. Yet, it is vital that relevant stakeholders impartially reflect on the effective consequences and probably counter-indicative incentives embedded within their demands towards authorities and legislature.

It requires critical assessment whether the requested "consistency" will streamline compliance, or simply formalise a collective institutional or societal reluctance to embrace technological risk.

This highlights a broader, non-DPA-related systemic necessity. Existing legislative procedures and legal drafting techniques were designed for mid- to long-lasting stability. Real-world developments, both technical and societal, outpace such stability, requiring procedures that allow for more dynamic adjustments. While historically, ambiguous legal terms could be contoured by binding decisions from authorities or courts, these legacy processes routinely outlive the market relevance of the underlying cases - especially when a reference to the ECJ becomes mandatory.

The upcoming digital legislative session will be compelling to follow. The ultimate challenge will be to accept the impossibility of regulatory perfection, creating a framework solid enough to protect fundamental rights, yet fluid enough for stakeholders to navigate uncharted digital waters.

The suggested way to reference this article in any other (academic) publication is: Ingenrieth, Frank, Data Protection, Innovation and Competitiveness Ain’t Just a Matter of Structure And Competence, Document-ID: 2026-Q2-002, Permalink: https://ingenrieth-online.de/did-2026-q2-002