Germany says EU Commission backs draft AI law that sidelines privacy watchdogs
Germany is pushing a national AI Act implementation that would put a non-DPA authority in the driver's seat for AI enforcement. The country's data protection authorities oppose the plan, warning it weakens privacy oversight. Berlin says the European Commission supports its approach and is holding firm.
For legal teams, the signal is clear: expect a split between AI Act supervision and GDPR enforcement in Germany. Prepare for dual regulators, dual processes, and more coordination work inside your organization.
What Germany's draft aims to do
- Designate a primary AI supervisor (market surveillance authority) rather than a data protection authority.
- Centralize enforcement for AI Act obligations (e.g., provider and deployer duties, conformity, documentation, incident reporting).
- Leave GDPR enforcement with DPAs, but keep AI-specific oversight elsewhere.
This is permitted under the AI Act, which lets Member States choose their competent authorities. The friction comes from where to draw the line when AI systems process personal data-which most do.
Why privacy watchdogs push back
- Overlap with GDPR: Many AI risks are privacy risks. DPAs argue they should lead or at least have a formal gatekeeping role.
- Coherence concerns: Splitting oversight can produce conflicting guidance, duplicated audits, and enforcement gaps.
- Fundamental rights: DPAs want stronger guarantees that human rights assessments tie into GDPR duties, not sit in a separate silo.
What "Commission backing" likely means
According to the German government, the Commission supports its model. Legally, the AI Act allows Member States to assign AI supervision to one or more authorities, provided cooperation and independence standards are met.
Even with a non-DPA lead, DPAs keep full GDPR powers. When a case touches both frameworks, companies should expect parallel inquiries and information-sharing between authorities.
Practical implications for in-house legal and compliance
- Map systems: Classify AI use cases under the AI Act risk scheme and identify where personal data is involved.
- Unify assessments: Align GDPR DPIAs with AI Act risk and fundamental-rights assessments to avoid duplicate work and inconsistent outcomes.
- Assign ownership: Clarify who speaks to which regulator. Name a single internal owner for cross-regulator requests.
- Evidence trail: Keep technical documentation, data governance records, and human oversight controls audit-ready for both AI and GDPR inquiries.
- Contract hygiene: Update supplier and deployer terms to allocate AI Act duties (testing, monitoring, incident reporting, post-market surveillance).
- Incident playbooks: Add AI-specific triggers (serious incidents, performance degradation, safety risks) alongside data breach procedures.
- Monitor guidance: Track Commission, national authority, and DPA guidance to reconcile conflicting expectations early.
Enforcement and timing
The AI Act rolls out in phases over the next 1-3 years. Bans on unacceptable-risk uses apply first, with most high-risk system duties later. GPAI obligations are phased in as EU guidance and codes of practice mature.
Germany's institutional setup will shape how quickly obligations bite in practice. A centralized AI supervisor could move faster on market surveillance, while DPAs will continue driving privacy cases under GDPR timelines.
Open legal questions to watch
- Cooperation mechanics: How will the AI supervisor and DPAs coordinate, especially on investigations with mixed AI/GDPR scope?
- One-stop shop tension: Will GDPR's lead-DPA model clash with nationally designated AI supervisors in cross-border cases?
- Penalty stacking: How will fines be calibrated when AI Act and GDPR violations arise from the same facts?
- Rights redress: Will complaint channels be streamlined, or will individuals and NGOs need to file with multiple bodies?
Action checklist
- Finish an AI system inventory, link each system to AI Act duties, and tie it to your GDPR RoPA.
- Stand up a combined AI/GDPR risk committee that can make quick calls on assessments and regulator engagement.
- Update board reporting to include AI-specific risk metrics (model changes, data provenance, monitoring outcomes).
- Budget for external testing and conformity support for high-risk systems.
Authoritative resources
Need to upskill your legal team on AI compliance?
Explore AI courses for legal and compliance teams to accelerate readiness for the AI Act and GDPR overlap.
Your membership also unlocks:
