AI data economy – Fast track with guard rails for the EU omnibus
On December 18, 2025, the Society for Data Protection and Data Security (GDD) e.V. hosted its parliamentary evening in Berlin. The event focused on the reform plans for European digital and data protection law presented by the EU Commission on November 19, 2025, which are to be implemented as part of an accelerated “omnibus procedure.”
The discussion made it clear that the political will to simplify and accelerate the process is there, but at the same time there are considerable technical, legal, and organizational issues, particularly with regard to the practical implementation of the AI Regulation (AI-VO) and possible amendments to the General Data Protection Regulation (GDPR).
Political kick-off: pressure for reform and the need for change
In their welcoming remarks, Professor Günter Krings, deputy chairman of the CDU/CSU parliamentary group in the Bundestag and patron of the evening, and Professor Rolf Schwartmann, chairman of the GDD, emphasized the particular relevance of the event. The parliamentary evening provided an opportunity for professional and political exchange on a legislative project that is set to rapidly change the central pillars of European digital law.
Keynote speech by Thomas Jarzombek: “We cannot afford to wait and see when it comes to AI”
In his keynote speech, Thomas Jarzombek, Parliamentary State Secretary at the Federal Ministry of Digital and Public Service, made it clear that the German government wants to – and must – actively shape the regulatory framework for artificial intelligence (AI).
Responsibilities and governance
State Secretary Jarzombek made it clear that responsibility for AI regulation in Germany lies with the Federal Ministry of the Interior and Homeland (BMI). At the same time, he announced plans to establish the Federal Network Agency (BNetzA) as the central one-stop-shop authority for this specialist area in the future. In his view, such consolidation is necessary to reduce legal uncertainty and provide companies with clear points of contact.
Changes to the GDPR: Relief without lowering the level of protection
According to Jarzombek, the planned changes to the GDPR are aimed in particular at easing the burden on small and medium-sized enterprises (SMEs) and simplifying technical documentation requirements. In his opinion, this is expressly not about lowering the level of data protection, but about making data protection more practicable in its application and thereby strengthening it.
Competitiveness in an international context
A central motive behind the reform considerations is to enable European providers to “do the same as the Americans.” Regulation should not slow down innovation, but must address uncertainties and risks without unnecessarily complicating market access.
Perspective of the Federal Network Agency: Centralization with unresolved legal issues
Dr. Daniela Brönstrup, Vice President of the Federal Network Agency (BNetzA), followed up on these considerations, but also pointed out existing challenges. The federal government has announced that it intends to assign the BNetzA a central role in the implementation of the AI Regulation. However, the necessary legal basis for this does not yet exist. Nevertheless, the BNetzA is already preparing for this role and has offered companies a service desk as a point of contact.
Market surveillance and cooperation with data protection authorities
The BNetzA sees itself as the future market surveillance authority and single point of contact, also within the framework of the AI Regulation. However, this does not mean going it alone: close, direct cooperation with the data protection supervisory authorities is planned.
Real-world laboratories as an implementation tool
Brönstrup was particularly positive about the real-world laboratories provided for in the AI Regulation. These should be located in regions where functioning ecosystems exist and, above all, support user-oriented companies in the legally compliant development and application of AI.
Focus on data protection supervision: coordination, pace, and criticism
Professor Tobias Keber, State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg and, from 2026, Chairman of the Data Protection Conference (DSK), examined the omnibus procedure from the perspective of data protection supervision. Professor Keber emphasized that the data protection supervisory authorities had already proven their ability to coordinate. Both the DSK and the European Data Protection Board (EDPB) commented on the omnibus proposals – in some cases within a day. However, the fast pace poses considerable challenges for the authorities.
Simplification – aspiration and reality
Keber critically questioned whether what was labeled “simplification” on the packages actually lived up to this aspiration. “Is the omnibus the right vehicle?” he asked, adding that it was equally important to consider what was not being regulated in the omnibus. The state commissioner described the real-world laboratories enshrined in the AI Regulation as an “enabling factor” and expressed his intention to establish such an instrument in Baden-Württemberg as well.
Rising number of complaints and practical burden
A look at the practical situation showed the increasing burden on the supervisory authorities: the number of complaints in Baden-Württemberg had risen from around 4,500 in 2024 to around 7,000 in 2025.
Media perspective: Regulation as a permanent state
Claus Grewenig, Chief Corporate Affairs Officer at RTL Deutschland and Chairman of the Board of VAUNET – Verband Privater Medien e.V. (Association of Private Media), presented the media industry's perspective. He made it clear that media companies are already subject to a very high level of regulation. His comment was correspondingly pragmatic: “In the media sector, we take every bus that comes along – even the Flixbus.” The statement illustrated the desire for practical, compatible solutions instead of further fragmented special rules.
Role of data protection officers: translating, not relieving
Kristin Benedikt, judge at the Regensburg Administrative Court and member of the GDD Executive Board, took a particularly practical approach. From her perspective as an official data protection officer at the court, she described her role as that of a “translator” between law, technology, and organization. However, she posed a key question: If data protection officers had the goal of making data protection increasingly simple, who would then translate the remaining complexity?
Omnibus: Not a big hit
Benedikt pointed out that the documentation requirements would not be abolished by the omnibus bill. Overall, she does not see the omnibus procedure as a big hit. She would find a fundamental further development in the sense of a “GDPR 2.0” much more exciting and worthy of discussion.
Conclusion: Acceleration with many open flanks
The GDD Parliamentary Evening clearly demonstrated that the political will to accelerate and simplify European digital law is there. At the same time, it became clear that key issues – from responsibilities and resources to the actual impact on reducing administrative burdens – have not yet been conclusively clarified.
The GDD remains highly relevant to its members and the professional public in this area: as a technical advisor to the legislative process, as a voice for practicable data protection, and as a bridge builder between politics, business, and supervision. The dialogue that began this evening will certainly continue to gain importance in the coming months.