Cyber security and information or network protection. Future cyber technology web services for business and internet project
Open Letter: Recent appointment of third Commissioner at the Data Protection Commission

ECPMF

23 October 2025

No Comments

To,

An Taoiseach, Micheál Martin, Government of Ireland,

Jim O’Callaghan, Minister for Justice, Home AIairs and Migration,

Ian Simington, Chair, Top-Level Appointments Committee

 

Cc:

Mr Dale Sutherland, Commissioner, Data Protection Commission

Dr. Des Hogan, Commissioner, Data Protection Commission

 

We, a large cross-partisan group of organisations and individuals write to publicly express our outrage and misgivings at the recent appointment of the third Commissioner of the Irish Data Protection Commission. The appointment reflects a concerning level of disregard for EU Law and for your government’s treaty obligations as per ARTICLE 4(3) of the Treaty on European Union, and Articles 16(2) and 291(1) of the Treaty on the Functioning of the European Union, which together require Member States to ensure the independent, impartial, and eIective implementation of Union law, including the GDPR.

 

The appointed candidate has held a long-standing senior public aIairs role at one of the largest technology platforms (META) that the DPC is mandated to regulate. In her most recent role at a consultancy called Milltown Partners, which ended only last August, she continued to advocate on behalf of these platforms. She may also be subject to NDA and other contractual obligations that prevent her from supervising these firms. This appointment therefore raises serious questions about the DPC’s independence at a time when its impartiality is of critical importance for the entire Union, and when public trust is already fragile.

 

The manner of this appointment also raises questions and was well covered recently by Politico in an article which outlines how a corporate lawyer who has worked for Big Tech played a key role in picking a former lobbyist for Facebook and WhatsApp as one of Europe’s most powerful privacy regulators.

 

Your government is obliged by Article 4(3) of the Treaty on European Union to adhere to the principle of sincere cooperation. The GDPR requires, under Article 52, that supervisory authorities act with full independence. Equally, Article 41 of the Charter requires that procedures are handled ‘impartially’ and ‘fairly’. This principle is fundamental to the credibility of the Regulation and to the rights it is designed to protect. Its importance is amplified in Ireland, where the DPC has responsibility as lead supervisory authority for many of the world’s largest technology companies. Indeed, the importance of independence has already been amplified by the Court of Justice in Case C-288/12 Commission v. Hungary, where the premature ending of a data protection supervisor’s mandate was found to have violated EU law.

 

Concerns about enforcement are long-standing and ongoing. At the Irish DPC, investigations against major companies have been infrequent in the past few years, with critical decisions often only materialising, if at all, under pressure from the European Data Protection Board (EDPB) and other Member State authorities, or indeed even after intervention by the Court of Justice of the European Union (CJEU). Patterns of delayed or limited enforcement continue to undermine trust in the DPC as an eIective enforcer of the law with, shockingly, only 0.16% of fines imposed having been collected. The record is simply abysmal.

 

We are not aware of any instance when the DPC has voluntarily enforced against these firms in a manner that significantly changes how they use personal data internally, with the narrow exception of recent AI scraping cases.

 

Furthermore, recent revelations have confirmed that intimate data, including sensitive information about survivors of sexual abuse, is still being traded through Real-Time Bidding, which has been discussed in the Irish parliament in recent weeks. That this continues is the direct result of the Irish DPC’s refusal to act, despite clear evidence of unlawful processing. Its failure is not limited to one case. Since 2018, civil society organisations have filed highly important and strategic complaints in Ireland, many without any material result. The absence of meaningful enforcement has become systemic, making Ireland the bottleneck in the application of the GDPR.

 

The appointment of an industry-connected Commissioner through a process that was both opaque and eschewed the necessary expertise and independence further reduces trust in the Irish DPC at precisely a time when even greater assurances of independence are needed, given wider geo-political tensions between the EU and US. The credibility of the EU’s digital rulebook depends on strong, impartial and effective supervisory authorities. The selection process for such a critical position must reflect the independence and expertise necessary to restore trust in the DPC.

 

Therefore, we urge you to take the following steps:

  1. Conduct a new and fully transparent process to appoint a Commissioner to the Data Protection Commission with a proven capacity and record of protecting rights and fundamental freedoms, and data protection in particular.
  2. Commission an independent review of the process by which this appointment was made.

Signed by:

1. International Press Institute (IPI)
2. Irish Council for Civil Liberties
3. Check My Ads
4. Noyb – European Center for Digital Rights
5. Liberties – Civil Liberties Union for Europe
6. ARTICLE 19
7. Bits of Freedom
8. RNW Media
9. Vrijschrift.org
10. The Electronic Privacy Information Center (EPIC)
11. Open Markets Institute (OMI)
12. Access Now
13. SOMO (the Centre for Research on Multinational Corporations)
14. The Molly Rose Foundation
15. WHAT TO FIX
16. Cori Crider, Hon Prof. UCL Laws (University College London)
17. Nicholas Shaxson, journalist and author, and Technology and Human Rights Fellow, Carr-Ryan Center, Harvard Kennedy School
18. Maria Farrell, technology writer and author
19. Robin Berjon, public interest technologist, Supramundane Agency
20. European Centre for Press and Media Freedom (ECPMF)
21. Hope not Courage
22. Douwe KorI, Emeritus Professor of International Law, London Metropolitan University
23. Corporate Europe Observatory
24. Professor Judith Membrives I Llorens, Universitat Oberta de Catalunya
25. Free Software Foundation Europe (FSFE)
26. Megan Kirkwood, Privacy & digital platform researcher
27. Adele Zeynep Walton, Independent Online Safety Campaigner and Journalist
28. Data Rights
29. Marc Prud’hommeaux, Founder of The App Fair Project
30. People vs Big Tech (PvsBT)
31. Foundation for Diaspora in Action for Human Rights and Democracy (DAHRD)
32. The Institute for Digital Citizenship Foundation
33. Danes je Nov Dan
34. Balanced Economy Project (BEP)
35. Rebalance Now
36. Aspiration
37. Panoptykon
38. Defend Democracy
39. IT-Pol Denmark
40. Community Media Forum Europe (CMFE)
41. Ena Bavčić, EU Advocacy OIicer, ECPMF
42. European Federation of Journalists (EFJ)
43. South East European Media Organisation (SEEMO)
44. Državljan D / Citizen D

Read news by categories:

Related news

Statement

Italy: MFRR flags ongoing media freedom erosion

Media freedom in Italy has continued its overall downward trajectory in the past two years, amidst the car bomb attack on one of the country’s most famous journalists, new spyware attacks on reporters, politicisation of the public broadcaster, legal harassment of journalists by governing politicians, and continued concerns over media pluralism, partner organisations of the Media Freedom Rapid Response (MFRR) said today.

READ MORE
Statement

Council of Europe Platform Partners to Conduct Fact-Finding Mission on Media Freedom in Kosovo

Më 24 dhe 25 mars 2026, organizatat partnere të Platformës së Këshillit të Evropës për sigurinë e gazetarëve dhe organizata të tjera do të zhvillojnë një mision faktmbledhës dyditor në Prishtinë, Kosovë. Qëllimi i misionit është të adresojë sfidat ndaj lirisë së medias në vend dhe të diskutojë zgjidhjet e mundshme me akterët e medias dhe me autoritete.

READ MORE
Statement

Systemic Siege of Independent Journalism in Türkiye: Media Freedom Mission Report 2025

A coalition of eight international press freedom organisations, including ECPMF and OBCT as part of MFRR, conducted the seventh joint mission to Türkiye from 24-26 November 2025 in Ankara. The delegation met with stakeholders such as the Constitutional Court, RTÜK representatives, EU delegation, opposition MPs, and journalists' associations, but government requests went unanswered.

READ MORE
Statement

Gender-based violence, a growing weapon against women journalists

To mark International Women’s Day, partners of the Media Freedom Rapid Response (MFRR) published alarming data highlighting the continued and systematic targeting of women journalists through gender-based violence in Europe.

READ MORE
Statement

Take care of your health

This International Women's Day, the European Centre for Press and Media Freedom (ECPMF) and our partners Women in Media are proud to continue their joint programme supporting the health and well-being of women working in Ukrainian media, and to announce a new open call for health check-ups.

READ MORE
Statement

North Macedonia: Appeal court ruling on Investigative Reporting Lab a worrying setback for media freedom

A recent defamation decision by the Court of Appeal in North Macedonia against the Investigative Reporting Lab (IRL) is a worrying development for media freedom in the country which should be overturned on further appeal, the undersigned partner organisations of the Media Freedom Rapid Response (MFRR) said today.

READ MORE