Working Group GDPR: Reform Building Blocks for Data Protection and Data Use
Need for Reform in the GDPR
The General Data Protection Regulation (GDPR) – the central pillar of European data protection law – is increasingly coming under scrutiny in expert discussions. In Brussels, Berlin, and elsewhere, voices calling for a further development of the GDPR are growing, while citizens are viewing data protection with ever greater skepticism. The Digital Omnibus put forward by the EU Commission on 19 November 2025 has fuelled the debate.
"The concept of consent has failed – at least in its far-reaching and unlimited form," argues Louisa Specht-Riemenschneider, Federal Commissioner for Data Protection and Freedom of Information and member of the working group. "The GDPR creates the illusion of a gold standard while all too often leaving those affected in the lurch. Companies that want to comply with data protection law frequently despair at considerable legal uncertainty, inconsistent interpretation of the law, and extensive documentation requirements. Companies that circumvent the law too often benefit from inadequate enforcement."
The GDPR Working Group at the TUM Think Tank aims to address this and develop concrete proposals by December 2025 on how data protection can be strengthened, made more effective, and at the same time the usability of data for economic and societal problem-solving can be increased. The group deliberately does not seek a complete redesign of the GDPR. Rather, the goal is to "remain compatible with existing regulations and be able to move quickly into implementation," according to Kai Zenner and Max Schrems, two of the group's co-initiators.
"The rapidly evolving digital landscape brings new challenges for data protection law. It is therefore necessary to review and adapt data protection provisions in order to adequately keep pace with these developments and to ensure both the protection of data subjects and the promotion of innovation," says Boris Paal, another co-initiator of the working group.
Members of the Working Group
The working group brings together experts from academia, practice, regulatory authorities, and civil society. Its members include (in alphabetical order):
- Christoph Bausewein | Association of Data Protection Officers of Germany (BvD) e.V.
- Linda Bienemann | Personal Advisor to the Federal Commissioner for Data Protection and Freedom of Information (BfDI)
- Franziska Boehm | FIZ Karlsruhe & Karlsruhe Institute of Technology (KIT)
- Stefan Brink | Scientific Institute for the Digitalisation of the World of Work (WIDA) / Berlin
- Thomas Fuchs | Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI)
- Niko Härting | HÄRTING & German Bar Association
- Peter Hense | Spirit Legal Rechtsanwaltsgesellschaft mbH
- Boris Paal | Technical University of Munic
- Frederick Richter | Stiftung Datenschutz (Data Protection Foundation)
- Max Schrems | noyb
- Louisa Specht-Riemenschneider | Federal Commissioner for Data Protection and Freedom of Information (BfDI)
- Christiane Wendehorst | University of Vienna
- Michael Will | Bavarian State Office for Data Protection (BayLDA)
- Kai Zenner | MEP Axel Voss, European Parliament & TUM Think Tank
The TUM Think Tank provides the organisational platform. The working group was initiated by Kai Zenner, Max Schrems, Boris Paal, and Markus Siewert.
Following several working meetings, as well as exchange and consultation formats with an extended circle of practitioners and stakeholders from policy, business, and civil society between September and December 2025, four concrete policy recommendations on key challenges of the GDPR and its further development were produced.
Reform Proposals
The present reform proposals (Version 1.0) are supported by a majority of the working group. However, individual members hold diverging views on certain aspects, and there are indeed differing priorities, preferences, and at times controversial opinions.
Different perspectives are deliberately part of the process here; they are discussed openly and constructively. The reform proposals are therefore explicitly formulated as a draft and are intended not as an endpoint, but as a starting point for further debate – within the working group and beyond. In the coming weeks and months, the working group will continue to develop the proposals and elaborate additional reform building blocks, particularly in light of the Digital Omnibus, which raises new questions and opens up a wide range of opportunities.
The reform building blocks focus on four key areas:
- (Further) development of a risk-based approach for the GDPR
- Simplification of B2B compliance
- Greater legal certainty through permitted and prohibited lists (traffic light system)
- Mehr Rechtssicherheit durch Erlaubnis- und Verbotslisten (Ampelsystem)
- Reform options in the area of consent and "Do Not Track"
Read our working group's first proposals for GDPR reform here (in German):
Reformvorschlag 1Reformvorschlag 2
Reformvorschlag 3 Reformvorschlag 4
The assessments presented in the proposals represent the views of the authors and are not attributable to the TUM Think Tank as an institution or its members.
