Germany

Germany establishes federal AI regulatory coordination body ahead of EU AI Act enforcement

The German federal government established a dedicated AI regulatory coordination body to prepare for EU AI Act enforcement, consolidating oversight responsibilities across federal ministries and state governments for high-risk AI system registration and market surveillance.

Act implementing EU Data Governance Act (Regulation 2022/868)

On 26 March 2026, the Act implementing the EU Data Governance Act (Regulation 2022/868) was adopted by the Parliament. The Act applies to data intermediary service providers, data altruism organisations, and public bodies holding protected data for re-use. It designates the Federal Network Agency as the supervisory authority for data intermediary services and data altruism organisations, and the Federal Statistical Office as both the competent support body for public bodies and the single nat...

Act for implementation of EU Regulation 2023/2854 on fair access to and use of data (No. 21/2998)

On 26 March 2026, the Act implementing Regulation (EU) 2023/2854 (the Data Act) was adopted by the Parliament. The Act designates the Federal Network Agency as the principal enforcement authority and establishes national rules on administrative procedure and sanctions. The Act applies to manufacturers and providers of internet-connected products and related services, as well as public bodies requesting access to privately held data. It grants the Federal Network Agency powers to investigate, ...

Federal Cartel Office's investigation into Adobe's acquisition of Semrush

On 20 March 2026, the Federal Cartel Office cleared the proposed acquisition of Semrush Holdings, Inc. by Adobe Inc. following a first-phase merger control review. Adobe develops creativity, productivity, and marketing software, including content management tools. Semrush provides online visibility software, including search engine optimisation applications and a tool for optimising brand presence across generative AI platforms such as ChatGPT and Gemini, also referred to as answer engines. T...

Lawsuit concerning 2016 update to WhatsApp terms of service and privacy policy (Federation of German Consumer Organisations v WhatsApp Inc. / 52 O 22/17)

On 23 February 2026, the 52nd Civil Chamber of the Berlin II Regional Court issued a judgment in Federation of German Consumer Organisations (vzbv) v WhatsApp Inc. (52 O 22/17) regarding claims for injunctive relief related to the 2016 update of the WhatsApp terms of service and privacy policy. The court ordered WhatsApp to refrain, in business transactions with consumers habitually resident in Germany, from disclosing personal data of WhatsApp users and data of third parties who do not use W...

Germany Approves Draft Legislation (KI-MIG) to Implement EU AI Act

Germany approved draft legislation (KI-MIG - Kunstliche Intelligenz Management-Gesetz) to implement the EU AI Act, designating the Federal Network Agency (Bundesnetzagentur) as the central AI supervisor and coordinator, with oversight shared among relevant sector regulators.

Lawsuit against Meta Group over data protection violations (Case No. 3 U 31/25)

On 2 March 2026, the 3rd Civil Senate of the Higher Regional Court of Jena issued a judgment ordering the Meta Group to pay damages for data protection violations. Business tools distributed by the Meta Group to website and app operators enable tracking of the internet usage of its social network members, including the collection of sensitive personal data such as health-related information, when a user researches mental health disorders, seeks therapeutic help via doctor portals, or orders m...

Lawsuit against Meta to prohibit use of certain customer data for AI training purposes (Case No. 6 UKI 3/25)

On 12 August 2025, the Schleswig-Holstein Higher Regional Court rejected an application filed by Stichting Onderzoek Marktinformatie (SOMI) against Meta to prohibit the use of certain customer data from Facebook and Instagram services for artificial intelligence (AI) training purposes, on the grounds of lack of urgency, in case number 6 UKI 3/25. The court found that Meta had publicly announced in 2024, and by direct email to users, including SOMI in April 2025, its intention to use certain p...

Federal Cartel Office investigation into Qualcomm-Alphawave proposed merger

On 24 November 2025, the Federal Cartel Office (FCO) approved the Qualcomm-Alphawave merger. Qualcomm (US) develops semiconductors, primarily for use in vehicles, internet of things applications, and mobile devices. Alphawave (UK) develops high-speed wireless connectivity solutions used in semiconductors known as SerDes IP, which is used for semiconductors that develop artificial intelligence systems. Qualcomm intends to become a chip provider for data centres. The FCO approved the merger, re...

Resolution on amendments to General Data Protection Regulation focusing on child protection

On 20 November 2025, the Conference of Independent Data Protection Supervisory Authorities of the Federal and State Governments adopted a resolution calling for amendments to the General Data Protection Regulation to strengthen protections for children. The resolution applies to controllers and processors handling children’s personal data across the digital economy. It proposes new obligations, including compatibility tests for data processing, a ban on children’s consent for profiling and ad...

Report of the Hessian Commissioner for Data Protection and Freedom of Information on the Use of Microsoft 365

On 15 November 2025, the Hessian Commissioner for Data Protection and Freedom of Information released the Report on the Use of Microsoft 365, which examines the use of Microsoft 365 based on seven criticism points identified in 2022 by the Conference of Independent Data Protection Authorities of the Federal and State Governments. The Report includes recommendations for public and private users of Microsoft 365 products in Hessen to help them ensure that their use of such products complies wit...

Beschluss 4 L 3030/25

Pro Se Litigant appeared before the Köln. Misrepresented: Case Law | Antragsteller führt vermeintlich ergangene Entscheidungen des OVG NRW an, zitiert diese aber fehlerhaft; Gericht hält dies für ein Zeichen ungeprüfter KI‑Ergebnisse.

Beschluss 4 L 3030/25

Misrepresented: Case Law | Antragsteller führt vermeintlich ergangene Entscheidungen des OVG NRW an, zitiert diese aber fehlerhaft; Gericht hält dies für ein Zeichen ungeprüfter KI‑Ergebnisse.

Beschluss 4 L 3030/25

Lawsuit concerning alleged copyright infringement of song lyrics by AI systems (GEMA v Open AI) (Case No. 42 O 14139/24)

On 11 November 2025, the 42nd Civil Chamber of the Munich Regional Court largely upheld GEMA’s claims for injunctive relief and damages against two OpenAI group companies. GEMA, a collecting society, argued that lyrics by nine German songwriters had been memorised by OpenAI’s language models and reproduced in chatbot outputs, thereby infringing copyright exploitation rights. OpenAI maintained that its models consist of learned parameters rather than stored data, that users are responsible for...

Case 19 O 527/16

Expert appeared before the LG Darmstadt. Fabricated: Exhibits & Submissions Outcome: Expert fees reduced to naught.

State Commissioner for Data Protection and Freedom of Information Mecklenburg-Western Pomerania warning to public bodies against third-country cloud computing providers

On 11 April 2025, the State Commissioner for Data Protection and Freedom of Information Mecklenburg-Western Pomerania (LfDI MV) issued a public notice alerting authorities to the potential data protection risks associated with utilising cloud computing services from providers based in non-European Union countries. As many local municipalities phase out on-premise solutions, the LfDI MV recommends prioritising open-source products and solutions to ensure data sovereignty and mitigate legal unc...

Guidance on Artificial Intelligence systems with retrieval augmented generation

Official source record dated 2025-10-17 for DE concerning Guidance on Artificial Intelligence systems with retrieval augmented generation. See the linked datenschutzkonferenz-online.de source for the authoritative text, procedural context, and implementation details.

Lawsuit concerning text and data mining as a potential violation of copyright (Kneschke v LAION/Case 310 O.22723)

On 10 December 2025, the 5th Civil Senate of the Hanseatic Higher Regional Court dismissed an appeal against a Hamburg Regional Court judgment, holding that the use of a photograph in an Artificial Intelligence (AI) training dataset by an association was lawful. The case concerned the creation of a publicly available image–text dataset, used to train generative AI models, which involved temporarily downloading the photograph from a photo agency website to compare it with descriptive data. The...

Federal Commissioner for Data Protection and Freedom of Information inquiry on data protection-compliant handling of personal data in large language models

On 10 August 2025, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) closes the consultation on data protection-compliant handling of personal data in large language models (LLMs). The consultation applies to stakeholders in science, industry, and civil society. It seeks insights on issues including anonymisation limits, memorisation of personal data, risks of data extraction, and enforcement of General Data Protection Regulation data subject rights in Artificial ...

Beschluss 2-13 S 56/24

Lawyer used Unidentified in proceedings before the LG Frankfurt a. M.. False Quotes: Case Law | verbatim quotations from the Federal Court of Justice (BGH) that did not even exist

Restructuring of German data protection authority in CDU, CSU, and SPD coalition agreement

On 9 April 2025, CDU, CSU, and SPD agreed on a coalition agreement for the 21st legislative period, which outlines changes to the organisation and tasks of the German data protection authority. According to the agreement, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) is to be restructured into a Federal Commissioner for Data Use, Data Protection and Freedom of Information. The agreement further provides that the Data Protection Conference (DSK) is to be anchor...

3 ORbs 164/25

Lawyer appeared before the KG Berlin. Fabricated: Exhibits & Submissions | Factually incorrect submissions

3 ORbs 164/25

Fabricated: Exhibits & Submissions | Factually incorrect submissions

3 ORbs 164/25

Federal Commissioner for Data Protection and Freedom of Information information updated Information Brochure on General Data Protection Regulation and Federal Data Protection Act

On 13 August 2025, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) published an informational brochure on the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). It was highlighted that the GDPR applies to all controllers and processors of personal data across the European Union, affecting over 449 million citizens, and imposes obligations including transparency, purpose limitation, data minimisation, technical and organisationa...

Federal Cartel Office approved acquisition of Informatica by Salesforce

On 4 August 2025, the German Federal Cartel Office (FCO) approved the acquisition of sole control of Informatica by Salesforce, both headquartered in the United States, following a merger control assessment of vertical integration in digital markets. Salesforce is the world’s largest provider of customer relationship management (CRM) software, while Informatica is a leading provider of data integration tools, integration platform as a service (iPaaS), data quality solutions, and data and analyti

Federal Office for Information Security white paper on bias in Artificial Intelligence

On 24 July 2025, the German Federal Office for Information Security (BSI) published a white paper on bias in Artificial Intelligence (AI). The paper applies to developers, providers, and operators of AI systems across all sectors. The paper highlights practices including designating bias-responsible personnel, implementing organisational and technical measures during data collection to reduce bias, and prioritising pre-processing and in-processing mitigation methods over post-processing appro...

State Data Protection Commissioner of North Rhine-Westphalia guidance on processing employee health data

On 17 July 2025, the State Data Protection Commissioner of North Rhine-Westphalia published the guidance on processing employee health data. The guidance clarifies that employers may only process employee health data when strictly necessary to verify continued payment of wages during extended illness, in line with the Continued Payment of Wages Act (EFZG) and data protection laws. It was highlighted that processing requires a concrete presumption of a continuing illness, with less intrusive a...

Lawsuit relating to joint controllership and cookie consent obligations for social media fan pages (Federal Press and Information Office and Meta Platforms v The Federal Commissioner for Data Protection and Freedom of Information)

On 17 July 2025, the Administrative Court of Cologne annulled a data protection prohibition order issued by the Federal Commissioner for Data Protection and Freedom of Information against the German Federal Press Office regarding its Facebook fan page operation. The ruling affects social media operators and public sector entities, establishing that joint data protection responsibility under Article 26(1) of General Data Protection Regulation requires joint determination of both purposes and m...

VGH 3 S 1012/25; VG 2 K 1899/25

Lawyer appeared before the VGH Baden-Württemberg. Fabricated: Case Law | Applicants cited a multitude of non-findable decisions and claimed higher-court jurisprudence that, as far as the court could see, does not exist; the court noted this and treated the complaint as lacking substantive engagement.

VGH 3 S 1012/25; VG 2 K 1899/25

Fabricated: Case Law | Applicants cited a multitude of non-findable decisions and claimed higher-court jurisprudence that, as far as the court could see, does not exist; the court noted this and treated the complaint as lacking substantive engagement.

VGH 3 S 1012/25; VG 2 K 1899/25

Cologne District Court, 312 F 130/25

Lawyer appeared before the Cologne District Court (Family Court). Fabricated: Doctrinal Work | Court found citation to 'Viefhues' in a Munich commentary and marginal nos. (9th ed. 2021, marginal no. 65 ff.) to be incorrect and fictitious; actual commentary and edition details differ. Outcome: Court admonished the attorney and warned that knowingly disseminating untruths may violate BRAO §43a(3).

Cologne District Court, 312 F 130/25

Fabricated: Doctrinal Work | Court found citation to 'Viefhues' in a Munich commentary and marginal nos. (9th ed. 2021, marginal no. 65 ff.) to be incorrect and fictitious; actual commentary and edition details differ. || Fabricated: Doctrinal Work | Court could not locate the cited book 'Brons, Kindeswohl und Elternverantwortung, 2013, pp. 175 ff.' and determined the reference to be fictitious. || Fabricated: Doctrinal Work | Reference to 'Völkl, FamRB 2015, p. 74' was found to be incorrect/misleading; the actual FamRB 2015 pages cited contain a different essay (pp. 70-77) and the asserted citation is fictitious. || Fabricated: Doctrinal Work | Citation 'Meyer-Götz, in: Hauß/Gernhuber, Familienrecht, 6th ed. 2022, § 1671, marginal no. 33' was not found; court concluded the reference does not exist and appears conflated. || Fabricated: Case Law | Citation to an 'OLG Frankfurt' decision reported at 'FamRZ 2021, p. 70' was incorrect; the court determined the cited decision/reference was fictitious or mislocated.

Cologne District Court, 312 F 130/25

Data Protection Commissioner's assessment of Apple and Google's compliance with Digital Services Act concerning removal of DeepSeek AI following its classification as illegal

On 27 June 2025, the Berlin Commissioner for Data Protection and Freedom of Information, together with the Data Protection Commissioners of Baden-Württemberg, Rhineland-Palatinate, and the Free Hanseatic City of Bremen, formally notified Apple and Google in Germany that the artificial intelligence (AI) application DeepSeek constitutes illegal content. The authorities emphasised that the application unlawfully transfers large volumes of personal data from German users to servers in China witho...

Conference of Independent Data Protection Supervisory Authorities of the Federal and State Governments Model Guidelines for procedures on imposing fines by the data protection supervisory authorities under GDPR

On 16 June 2025, the Conference of Independent Data Protection Supervisory Authorities of the Federal and State Governments (DSK) adopted the model guidelines for procedures on imposing fines by the data protection supervisory authorities (MRiDaVG), establishing standardised rules for conducting administrative fine proceedings under the General Data Protection Regulation (GDPR). The Guidelines define procedural principles, including the primacy of EU law, equivalence, and effectiveness, outli...

Conference of the Independent Data Protection Supervisory Authorities of the Federal and State Governments resolution addressing the interplay between data protection and security in the context of proposed reforms to German security laws

On 16 June 2025, the Conference of the Independent Data Protection Authorities of the Federal and State Governments (DSK) adopted a resolution addressing the interplay between data protection and security in the context of proposed reforms to German security laws. The resolution applies to public authorities involved in policing and data processing, emphasising that data protection is a fundamental element of democratic governance and not a barrier to effective law enforcement. It calls for p...

Conference of the Independent Data Protection Supervisory Authorities of the Federal and State Governments Resolution on confidential cloud computing

On 16 June 2025, the Conference of the Independent Data Protection Supervisory Authorities of the Federal and State Governments (DSK) adopted a Resolution on confidential cloud computing, addressing its technical and security implications. The resolution applies to cloud service providers and organisations processing sensitive or personal data using cloud infrastructure. It highlights that marketing claims about data being confidential often overlook the technical complexities involved. It hi...