Data Privacy Rules Tighten: 5 Changes DACH & U.S. Companies


Both the DACH region and U.S. states are tightening data‑privacy requirements, forcing companies to revamp consent practices, embed AI risk assessments, and adapt cross‑border transfer contracts. You’ll need to align with stricter GDPR enforcement, the new AI Act in Germany, Austria and Switzerland, and Maryland’s Consumer Data Protection Act to avoid hefty fines and disrupted data flows.

Key Regulatory Changes in the DACH Region

GDPR Enforcement Continues

The European Union is intensifying scrutiny of GDPR compliance, especially around purpose limitation and consent. Regulators now demand fresh consent when data is repurposed, and they are issuing larger penalties for violations.

AI Act (KI‑Gesetz) Requirements

The AI‑specific law introduces risk‑based obligations for automated decision‑making. Companies must document training‑data provenance, conduct bias‑mitigation assessments, and embed AI‑risk evaluations into both customer‑facing and internal systems.

New Data Privacy Laws in the United States

Maryland Consumer Data Protection Act

Effective this year, Maryland’s law sets a “reasonable security” standard and grants individuals the right to demand deletion of their data. It also requires data‑impact assessments for high‑risk processing, mirroring the EU’s DPIA requirement.

Implications for Cross‑Border Transfers

Following the Schrems II fallout, the U.S. is introducing a Data Protection Review Court and an executive order aimed at providing a judicial backstop for EU‑U.S. data flows. Companies will need to certify adequacy under the new framework or risk losing access to U.S. cloud services.

Impact on Business Operations

Cost and Compliance Burden

Compliance costs are rising sharply. Manufacturers must now embed AI‑risk assessments into supply‑chain software, while fintech firms face dual breach‑notification timelines—30 days under GDPR and 48 hours to the Maryland attorney general.

Dual Obligations for Multinational Firms

U.S. subsidiaries can no longer hide behind “local processing” to dodge EU rules. A single data‑center serving both regions must meet GDPR’s consent and breach standards as well as state‑level deletion and security mandates.

Actionable Steps for Compliance

  • Conduct a gap analysis against the AI Act and Maryland’s consumer‑data requirements.
  • Review and update all cross‑border transfer agreements to reference the upcoming EU‑U.S. Data Privacy Framework and Review Court procedures.
  • Integrate DPIA‑style assessments into every AI system that processes personal data, even if the system is used internally.
  • Allocate budget for privacy‑by‑design initiatives and train your team on the new consent and data‑minimisation standards.
  • Establish a unified global privacy function to streamline compliance across jurisdictions.