Legal uncertainty costs ideas: BfDI aims to counteract with ReguLab
What the Federal Commissioner for Data Protection's "ReguLab" is intended to achieve was explained at the Digital Health Innovation Forum.
Prof. Louisa Specht-Riemenschneider and Linda Bienemann, advisor in the Digital Policy Department of the Federal Chancellery, at the Digital Health Innovation Forum of the Hasso Plattner Institute.
(Image: Marie-Claire Koch / heise medien)
Louisa Specht-Riemenschneider, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), and Dr. Linda Bienemann, digital policy advisor at the Federal Chancellery, presented the "ReguLab" at the HPI Digital Health Innovation Forum. It is a "sandbox" designed to provide early guidance for data protection-compliant developments.
Between inventiveness and legal uncertainty
According to Specht-Riemenschneider, who recently announced her withdrawal for health reasons, Germany is the European champion in invention. In 2024 alone, according to figures from the European Patent Office, around 25,000 patent applications from Germany were registered. At the same time, many German companies report that data protection is hindering innovation. Furthermore, most EU citizens express concerns about the protection of their personal data. The actual problem is not data protection law itself, but a lack of legal certainty about which rules apply and how they are to be interpreted.
The ReguLab, established in 2025, is aimed at teams that have already identified a concrete use case and know in which direction their technology should be developed; i.e., they are no longer in the pure concept phase but have encountered fundamental data protection issues. Only recently, the BfDI launched its first tender "for health risk detection according to § 25b SGB V." According to this, health and pension insurance funds are allowed to "detect individual health risks based on data." Questions include, for example, whether health data may be used to train AI systems and when further protective measures are necessary.
Bienemann explained that in a selection phase, projects are admitted through topic-specific tenders. Subsequently, an expert team from the BfDI accompanies the technical development over several months with ongoing legal assessment. The process concludes with a confidential final report for the project participants and a public "ReguLab Report" that makes the acquired knowledge usable for comparable projects. According to Bienemann, more people, including companies, research institutions, supervisory authorities, and policymakers, are expected to benefit from the results in the future.
Role model UK, growing ecosystem in Germany
As an international role model, Specht-Riemenschneider cited the British data protection authority ICO, which looks back on five years of successful work in its "Regulatory Sandbox." The fact that the sandbox concept has also found favor in Germany is demonstrated by further initiatives: for example, Prof. Tobias Keber, the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, operates an AI real-world laboratory at the state level. At the federal level, the BfDI, the Federal Network Agency, and the Hessian Ministry of Digital Affairs are jointly working on the foundations for a national AI real-world laboratory according to the European AI Regulation.
Legal basis and self-understanding
The still-acting Federal Commissioner for Data Protection emphasized that, under the GDPR and the Federal Data Protection Act, supervisory authorities are not only permitted but obliged to advise innovators. "The better we understand data-based technologies, the better we can advise the legislator on innovation-friendly regulation that protects fundamental rights," the BfDI stated in January. ReguLab is therefore not a special path, but the consistent implementation of the legal mandate. In January, the BfDI also pointed out that ReguLab should not be confused with the project "for the simulation of an AI real-world laboratory according to the European AI Regulation," in which it is working with the Federal Network Agency (BNetzA) and the Hessian Ministry of Digital Affairs on "foundations for a national AI real-world laboratory."
(mack)