Brussels, October 2025
Re: Recent appointment of third Commissioner at the Data Protection Commission
To:
An Taoiseach, Micheál Martin, Government of Ireland,
Jim O’Callaghan, Minister for Justice, Home Affairs and Migration, Ian Simington, Chair, Top-Level Appointments Committee
Cc:
Dale Sutherland, Commissioner, Data Protection Commission, Dr. Des Hogan, Commissioner, Data Protection Commission
We, a large cross-partisan group of organisations and individuals write to publicly express our outrage and misgivings at the recent appointment of the third Commissioner of the Irish Data Protection Commission. The appointment reflects a concerning level of disregard for EU Law and for your government’s treaty obligations as per ARTICLE 4(3) of the Treaty on European Union, and Articles 16(2) and 291(1) of the Treaty on the Functioning of the European Union, which together require Member States to ensure the independent, impartial, and effective implementation of Union law, including the GDPR.
The appointed candidate has held a long-standing senior public affairs role at one of the largest technology platforms (META) that the DPC is mandated to regulate. In her most recent role at a consultancy called Milltown Partners, which ended only last August, she continued to advocate on behalf of these platforms. She may also be subject to NDA and other contractual obligations that prevent her from supervising these firms. This appointment therefore raises serious questions about the DPC’s independence at a time when its impartiality is of critical importance for the entire Union, and when public trust is already fragile.
The manner of this appointment also raises questions and was well covered recently by Politico in an article which outlines how a corporate lawyer who has worked for Big Tech played a key role in picking a former lobbyist for Facebook and WhatsApp as one of Europe’s most powerful privacy regulators.
Your government is obliged by Article 4(3) of the Treaty on European Union to adhere to the principle of sincere cooperation. The GDPR requires, under Article 52, that supervisory authorities act with full independence. Equally, Article 41 of the Charter requires that procedures are handled ‘impartially’ and ‘fairly’. This principle is fundamental to the credibility of the Regulation and to the rights it is designed to protect. Its importance is amplified in Ireland, where the DPC has responsibility as lead supervisory authority for many of the world’s largest technology companies. Indeed, the importance of independence has already been affirmed by the Court of Justice in Case C-288/12 Commission v. Hungary, where the premature ending of a data protection supervisor’s mandate was found to have violated EU law.
Concerns about enforcement are long-standing and ongoing. At the Irish DPC, investigations against major companies have been infrequent in the past few years, with critical decisions often only materialising, if at all, under pressure from the European Data Protection Board (EDPB) and other Member State authorities, or indeed even after intervention by the Court of Justice of the European Union (CJEU). Patterns of delayed or limited enforcement continue to undermine trust in the DPC as an effective enforcer of the law with, shockingly, only 0.16% of fines imposed having been collected. The record is simply abysmal.
We are not aware of any instance when the DPC has voluntarily enforced against these firms in a manner that significantly changes how they use personal data internally, with the narrow exception of recent AI scraping cases.
Furthermore, recent revelations have confirmed that intimate data, including sensitive information about survivors of sexual abuse, is still being traded through Real-Time Bidding, which has been discussed in the Irish parliament in recent weeks. That this continues is the direct result of the Irish DPC’s refusal to act, despite clear evidence of unlawful processing. Its failure is not limited to one case. Since 2018, civil society organisations have filed highly important and strategic complaints in Ireland, many without any material result. The absence of meaningful enforcement has become systemic, making Ireland the bottleneck in the application of the GDPR.
The appointment of an industry-connected Commissioner through a process that was both opaque and eschewed the necessary expertise and independence further reduces trust in the Irish DPC at precisely a time when even greater assurances of independence are needed, given wider geo-political tensions between the EU and US.
The credibility of the EU’s digital rulebook depends on strong, impartial and effective supervisory authorities. The selection process for such a critical position must reflect the independence and expertise necessary to restore trust in the DPC.
Therefore, we urge you to take the following steps:
- Conduct a new and fully transparent process to appoint a Commissioner to the Data Protection Commission with a proven capacity and record of protecting rights and fundamental freedoms, and data protection in particular.
- Commission an independent review of the process by which this appointment was made.
Signed:
1. International Press Institute (IPI)
2. Irish Council for Civil Liberties
3. Check My Ads
4. Noyb – European Center for Digital Rights
5. Liberties – Civil Liberties Union for Europe
6. ARTICLE 19
7. Bits of Freedom
8. RNW Media
9. Vrijschrift.org
10. The Electronic Privacy Information Center (EPIC)
11. Open Markets Institute (OMI)
12. Access Now
13. SOMO (the Centre for Research on Multinational Corporations)
14. The Molly Rose Foundation
15. WHAT TO FIX
16. Cori Crider, Hon Prof. UCL Laws (University College London)
17. Nicholas Shaxson, journalist and author, and Technology and Human Rights Fellow,
Carr-Ryan Center, Harvard Kennedy School
18. Maria Farrell, technology writer and author
19. Robin Berjon, public interest technologist, Supramundane Agency
20. European Centre for Press and Media Freedom (ECPMF)
21. Hope not Courage
22. Douwe KorI, Emeritus Professor of International Law, London Metropolitan
University
23. Corporate Europe Observatory
24. Professor Judith Membrives I Llorens, Universitat Oberta de Catalunya
25. Free Software Foundation Europe (FSFE)
26. Megan Kirkwood, Privacy & digital platform researcher
27. Adele Zeynep Walton, Independent Online Safety Campaigner and Journalist
28. Data Rights
29. Marc Prud’hommeaux, Founder of The App Fair Project
30. People vs Big Tech (PvsBT)
31. Foundation for Diaspora in Action for Human Rights and Democracy (DAHRD)
32. The Institute for Digital Citizenship Foundation
33. Danes je Nov Dan
34. Balanced Economy Project (BEP)
35. Rebalance Now
36. Aspiration
37. Panoptykon
38. Defend Democracy
39. IT-Pol Denmark
40. Community Media Forum Europe (CMFE)
41. Ena Bavčić, EU Advocacy OIicer, ECPMF
42. European Federation of Journalists (EFJ)
43. South East European Media Organisation (SEEMO)
44. Državljan D / Citizen D