To,

An Taoiseach, Micheál Martin, Government of Ireland,

Jim O’Callaghan, Minister for Justice, Home AIairs and Migration,

Ian Simington, Chair, Top-Level Appointments Committee

Cc:

Mr Dale Sutherland, Commissioner, Data Protection Commission

Dr. Des Hogan, Commissioner, Data Protection Commission

We, a large cross-partisan group of organisations and individuals write to publicly express our outrage and misgivings at the recent appointment of the third Commissioner of the Irish Data Protection Commission. The appointment reflects a concerning level of disregard for EU Law and for your government’s treaty obligations as per ARTICLE 4(3) of the Treaty on European Union, and Articles 16(2) and 291(1) of the Treaty on the Functioning of the European Union, which together require Member States to ensure the independent, impartial, and eIective implementation of Union law, including the GDPR.

The appointed candidate has held a long-standing senior public aIairs role at one of the largest technology platforms (META) that the DPC is mandated to regulate. In her most recent role at a consultancy called Milltown Partners, which ended only last August, she continued to advocate on behalf of these platforms. She may also be subject to NDA and other contractual obligations that prevent her from supervising these firms. This appointment therefore raises serious questions about the DPC’s independence at a time when its impartiality is of critical importance for the entire Union, and when public trust is already fragile.

The manner of this appointment also raises questions and was well covered recently by Politico in an article which outlines how a corporate lawyer who has worked for Big Tech played a key role in picking a former lobbyist for Facebook and WhatsApp as one of Europe’s most powerful privacy regulators.

Your government is obliged by Article 4(3) of the Treaty on European Union to adhere to the principle of sincere cooperation. The GDPR requires, under Article 52, that supervisory authorities act with full independence. Equally, Article 41 of the Charter requires that procedures are handled ‘impartially’ and ‘fairly’. This principle is fundamental to the credibility of the Regulation and to the rights it is designed to protect. Its importance is amplified in Ireland, where the DPC has responsibility as lead supervisory authority for many of the world’s largest technology companies. Indeed, the importance of independence has already been amplified by the Court of Justice in Case C-288/12 Commission v. Hungary, where the premature ending of a data protection supervisor’s mandate was found to have violated EU law.

Concerns about enforcement are long-standing and ongoing. At the Irish DPC, investigations against major companies have been infrequent in the past few years, with critical decisions often only materialising, if at all, under pressure from the European Data Protection Board (EDPB) and other Member State authorities, or indeed even after intervention by the Court of Justice of the European Union (CJEU). Patterns of delayed or limited enforcement continue to undermine trust in the DPC as an eIective enforcer of the law with, shockingly, only 0.16% of fines imposed having been collected. The record is simply abysmal.

We are not aware of any instance when the DPC has voluntarily enforced against these firms in a manner that significantly changes how they use personal data internally, with the narrow exception of recent AI scraping cases.

Furthermore, recent revelations have confirmed that intimate data, including sensitive information about survivors of sexual abuse, is still being traded through Real-Time Bidding, which has been discussed in the Irish parliament in recent weeks. That this continues is the direct result of the Irish DPC’s refusal to act, despite clear evidence of unlawful processing. Its failure is not limited to one case. Since 2018, civil society organisations have filed highly important and strategic complaints in Ireland, many without any material result. The absence of meaningful enforcement has become systemic, making Ireland the bottleneck in the application of the GDPR.

The appointment of an industry-connected Commissioner through a process that was both opaque and eschewed the necessary expertise and independence further reduces trust in the Irish DPC at precisely a time when even greater assurances of independence are needed, given wider geo-political tensions between the EU and US. The credibility of the EU’s digital rulebook depends on strong, impartial and effective supervisory authorities. The selection process for such a critical position must reflect the independence and expertise necessary to restore trust in the DPC.

Therefore, we urge you to take the following steps:

1. Conduct a new and fully transparent process to appoint a Commissioner to the Data Protection Commission with a proven capacity and record of protecting rights and fundamental freedoms, and data protection in particular.
2. Commission an independent review of the process by which this appointment was made.