Your leading voice in digital health news

Complaint to EC on appointment of data protection commissioner

20 November 2025
By Dawn O'Shea

The Irish Council for Civil Liberties submitted a formal complaint to the European Commission regarding the appointment of former Meta lobbyist Niamh Sweeney as the new Data Protection Commissioner (DPC). The complaint alleges a major conflict of interest in Ms Sweeney’s appointment, and accuses the Government of failing to provide “adequate safeguards for independence and impartiality” in the appointment process.

Ms Sweeney’s appointment as Ireland’s third DPC was met with widespread criticism when it was announced in September.

From 2019 to 2021, Ms Sweeney led Meta subsidiary WhatsApp’s European lobbying activities. From 2021 to 2022, she led communications for Stripe, whose CEO sits on the board of Meta. From 2022 until a month before her appointment, she worked at lobbying firm Milltown Partners. The firm’s website says it “works with established and emerging technology companies, global investors, iconic brands, renowned sports franchises and influential individuals” and advises clients on “navigating public policy and regulatory debates to protect and grow businesses”.

In the complaint, ICCL says the “appointee is a communications expert with two degrees in journalism whose primary experience is in journalism and lobbying”. It says Ms Sweeney’s only stated technical or legal expertise is a 27-hour diploma on data protection.

In her new role, Ms Sweeney is now responsible for monitoring and enforcing the application of the GDPR with respect to Meta, Google, Microsoft, Apple, Snap, TikTok, and other large-scale processors. From 2026, the DPC will assume additional market surveillance authority responsibilities in relation to certain high-risk AI systems including law enforcement and certain biometrics. 

“Compromised”

The ICCL has also expressed concern that the new DPC may be compromised by “legal obligations such as non-disclosure agreements, and perhaps by stock options”. The Council points to the case of Sarah Wynn-Williams, a former Meta lobbyist who departed from the company in 2018, and has admitted that she is barred from ever making any “disparaging, crucial or otherwise detrimental comments” about Meta under the terms of her severance contract. If the newly-appointed DPC is subject to a similar agreement, it would make it impossible for her to lead the supervision of Meta.

The ICCL complaint follows an investigation by Politico, which found that the panel that shortlisted candidates for the job included a partner from a major Irish law firm that represents several big tech companies. The inclusion of this lawyer on the panel triggered a conflict of interest complaint by a candidate who competed for the job.

In a confidential letter dated May 14 and seen by Politico, publicjobs said it had assembled a selection panel of five people to pick the new privacy DPC. According to the letter, the panel included “C-suite executive advisor” Shirley Kavanagh, and Leo Moore, a partner at law firm William Fry and head of the firm’s technology group. According to the company’s website, Mr Moore has advised domestic and multinational companies, including Big Tech and social media companies. 

“The composition of this panel indicates a lack of procedural safeguards on Ireland’s part against conflicts of interests, partiality and political interference,” the ICCL says.

Panel “lacked necessary expertise”

The Council also says the shortlisting panel “lacked the necessary expertise to select candidates with the required expertise”. The panel had no technical expert and lacked data protection expertise. 

“The deficits in Ireland’s panel raise serious questions about whether applicants with a deep background in privacy, data protection and technology were fairly evaluated by individuals with the necessary expertise. ICCL is aware of a number of recognised experts with the knowledge and experience necessary for the role of Data Protection Commissioner who made applications in this or previous rounds but who were not shortlisted,” the Council has said.

It said the absence of the necessary expertise on the panel is reflected in Ireland’s choice of appointee, “who appears to have no technical, legal, or investigative expertise. To the contrary, the appointee was in fact lobbying against a high standard of protection of personal data and the objectives of the DPC in their previous roles”.

“The Commissioner for Data Protection is tasked with regulating some of the largest and most sophisticated technology companies in the world. This requires more than legal acumen; it demands an understanding of complex technical systems – such as algorithmic decision-making, adtech infrastructure, biometric surveillance, and large-scale data processing – where subtle technical distinctions can carry enormous regulatory implications,” the ICCL complaint states.

According to the Council, EU law requires that independent supervisory authorities must not only be impartial and independent but must also be above any suspicion of partiality.

“Ireland’s actions not only invite further reasonable doubts but may also be interpreted by the tech industry as a signal of impunity from the Irish Government. The European Commission must intervene,” the complaint submission states.
