German AI Law and Regulation

German AI Strategy and Policy Framework

Germany’s approach to artificial intelligence regulation is shaped by its commitment to fundamental rights, strong data protection traditions, and a corporatist model that involves social partners in technology governance. The German AI Strategy (KI-Strategie), first published in 2018 and updated in 2020 and 2023, articulates a vision of responsible, human-centred AI development. The strategy is organised around three pillars: strengthening AI research and innovation, promoting the transfer of AI into the economy and society, and establishing a regulatory framework that fosters trust and protects fundamental rights.

The Data Ethics Commission (Datenethikkommission), appointed by the federal government, produced influential recommendations in 2019 that have shaped German and European AI policy. The Commission proposed a five-tier risk classification for algorithmic systems, a framework that anticipated the EU AI Act’s risk-based approach. Its recommendations emphasised algorithmic auditing, transparency obligations, and the need for human oversight of automated decisions that affect individuals.

Algorithmic Auditing and BSI Oversight

The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) has been tasked with developing standards for algorithmic auditing and AI security. The AI Act assigns the BSI responsibilities as a notified body for conformity assessments of high-risk AI systems. Germany has been proactive in developing the technical infrastructure for AI auditing, including the Algorithmenaufsicht pilot project that tested state-level oversight of algorithmic decision-making in administrative practice.

AI in Employment Law

German labour law imposes uniquely stringent requirements on the use of AI in the workplace. The Betriebsrat (works council) enjoys extensive co-determination rights under the Works Constitution Act (Betriebsverfassungsgesetz) regarding the introduction and use of AI systems that monitor employee performance or behaviour. Section 87(1)(6) of the Act requires works council approval for technical systems designed to monitor employees. The Betriebsrat may veto AI deployments that violate data protection or employee privacy.

Automated individual decision-making under Article 22 of the GDPR is implemented in German law through the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). Section 24 BDSG restricts automated decision-making in the employment context, requiring meaningful human involvement and providing employees the right to contest AI-generated decisions. The case of Hessisches Landesarbeitsgericht (2023) held that an AI-driven hiring tool that screened applicants without human review violated the employee’s right to human consideration.

Automated Driving Law

Germany was among the first jurisdictions to enact legislation specifically addressing autonomous vehicles. The Road Traffic Act (Straßenverkehrsgesetz, StVG) was amended in 2017 (Level 3) and again in 2021 (Level 4/5 automated driving) to permit autonomous vehicles on public roads. The 2021 amendment created a legal framework for driverless vehicles in defined operational design domains, including shuttle services, logistics, and last-mile transport. It establishes the technological supervisor (Technische Aufsicht) as a responsible natural person who can override the autonomous system remotely.

The Act imposes strict liability on the vehicle operator and manufacturer for harm caused by autonomous driving functions, with mandatory insurance coverage. The Kraftfahrt-Bundesamt (Federal Motor Transport Authority) approves autonomous vehicle systems and monitors their safety. A data recorder (Datenrecorder) is mandatory in all Level 4/5 vehicles to determine liability in case of accidents.

AI Liability and Insurance Law

German courts have applied existing tort law to AI-caused harm, relying primarily on § 823 BGB (delictual liability) and § 1 Produkthaftungsgesetz (product liability). The strict liability framework for autonomous vehicles (StVG §§ 7a–7f) provides a model for broader AI liability reform. The German government has supported the EU AI Liability Directive as a harmonising measure.

Insurance law implications are significant. The German Insurance Association has developed standard terms for AI-related coverage, addressing the difficulty of calculating premiums when AI systems can modify their behaviour post-deployment. Cyber insurance policies increasingly exclude or limit AI-related risks, creating a gap in the liability coverage market.

Constitutional Implications

The Grundgesetz (Basic Law) imposes constraints on AI decision-making. The Allgemeine Persönlichkeitsrecht (general personality right), derived from Articles 1(1) and 2(1) GG, protects individuals against automated profiling that intrudes on personal identity. The Bundesverfassungsgericht (Federal Constitutional Court) recognised a Recht auf informationelle Selbstbestimmung (right to informational self-determination) in the landmark Volkszählungsurteil (1983), which limits the collection and use of personal data, including for AI training. More recently, the Court’s Recht auf Gewährleistung der Vertraulichkeit und Integrität informationstechnischer Systeme (right to confidential integrity of IT systems) may constrain government use of AI surveillance tools.

Implementation of the EU AI Act

As the EU’s largest member state, Germany plays a decisive role in implementing the AI Act. The German government has proposed a national AI implementing act that would designate the Bundesnetzagentur as the national market surveillance authority, establish a national AI registry, and create specialised AI oversight chambers within existing administrative courts. The implementation process involves complex federal coordination between the Bund and the Länder, given that many AI applications fall within Land regulatory competence.

Outlook

German AI law navigates between European harmonisation and distinctive national traditions of labour co-determination, data protection, and administrative oversight. The implementation of the AI Act will be layered onto existing German frameworks, creating a multi-level regulatory regime that will require careful coordination.