Former WhatsApp and Facebook Policy Chief Named to Irish Data Protection Commission

September 22, 2025

In a move that privacy advocates are calling the ultimate conflict of interest, the Irish government has appointed Niamh Sweeney, a former senior Meta lobbyist who spent over six years defending the tech giantโ€™s interests, to the Data Protection Commission (DPC) โ€“ the very body responsible for regulating Meta and other Big Tech companies in Europe.

The appointment, which takes effect October 13, 2025, has sparked outrage among privacy advocates and raised serious questions about regulatory independence. Prior to being entrusted with the responsibility of regulating US Big Tech, Sweeney spent more than 6 years at Meta. For 3.5 of those years, she was head of public policy at Facebook, Ireland, before becoming director of public policy for Europe at WhatsApp.

A History of Defending Meta Through Scandals

Sweeneyโ€™s tenure at Meta coincided with some of the companyโ€™s most controversial moments. Ireland has officially announced that it is handing over one of the Commissioner positions at the DPC to a US Big Tech lobbyist that defended Meta in a time where it was involved in the โ€œCambridge Analyticaโ€ scandal and during proceedings that led to a โ‚ฌ 390 million fine over not collecting consent from users or a โ‚ฌ 1.2 billion fine over illegally transferring personal data to the US.

Metaโ€™s privacy violations extend far beyond these headline cases. The company has faced scrutiny for psychological experimentation on users without consent, invasive tracking pixels that monitor user behavior across the web, and more recently, allegations of torrenting adult content for AI training. The company has also faced lawsuits over social media addiction and harmful effects on teens.

Her professional background includes:

The โ‚ฌ3.26 Billion Illusion: When Fines Donโ€™t Mean Accountability

Perhaps the most damning context for this appointment is the DPCโ€™s track record of non-enforcement. Despite issuing billions in fines against Big Tech, the reality is starkly different. Of all fines issued between 2020 and the end of October this year, only โ‚ฌ19.9m of the total has been paid so far. The total amount paid represents just 0.6% of the penalties decided on by the DPC, most of which relate to Big Tech.

This means that while the DPC has levied โ‚ฌ3.26 billion in fines over the past five years, it has collected a mere โ‚ฌ19.9 million โ€“ creating what critics call an illusion of enforcement while allowing Big Tech to operate with impunity.

The Fine Collection Crisis: A Breakdown

  • 2020: โ‚ฌ785,000 fined, โ‚ฌ75,000 collected- 2021: โ‚ฌ225 million fined, โ‚ฌ800,000 collected- 2022: Over โ‚ฌ1 billion fined, โ‚ฌ17.6 million collected- 2023: โ‚ฌ1.55 billion fined (including Metaโ€™s record โ‚ฌ1.2 billion), โ‚ฌ815,000 collected- 2024 (through October): โ‚ฌ401 million fined, โ‚ฌ582,500 collected

Max Schrems: โ€œMeta Now Officially Regulates Itselfโ€

Privacy activist Max Schrems, who has won multiple cases against Facebook at the European Court of Justice, didnโ€™t mince words about the appointment. โ€œWe now literally have a US big tech lobbyist policing US big tech for Europe. For 20 years, Ireland did not actually enforce EU law, but at least they had enough shame to undermine enforcement secretly.โ€

Schremsโ€™ organization, noyb (None of Your Business), has been at the forefront of challenging the DPCโ€™s handling of GDPR enforcement. The activist points to a pattern of deliberate obstruction: โ€œFor years, there was always some alleged โ€˜reasonโ€™ or โ€˜problemโ€™ why the DPC โ€˜unfortunatelyโ€™ was unable to enforce EU law in Ireland. We spent months in courts over these alleged reasons and problems, knowing that this follows a political playbook.โ€

A Regulator Already Under Fire

The DPC has faced sustained criticism for its handling of GDPR enforcement:

Systematic Non-Decision Making

The Irish Regulator does not decide on citizensโ€™ complaints - in violation of EU law. In a parliamentary hearing, the DPC acknowledged it โ€œhandlesโ€ 99.93% of GDPR complaints without actually issuing decisions on them.

Secret Meetings and Procedural Issues

Privacy advocates have accused the DPC of holding secret meetings with Big Tech companies and creating procedural obstacles for complainants. Documents are withheld, hearings are denied and submitted arguments and facts are simply not reflected in the decision, according to noybโ€™s complaints about the DPCโ€™s procedures.

Record Fines That Go Uncollected

Meta alone has been hit with massive fines:

  • โ‚ฌ1.2 billion (May 2023) for illegal data transfers to the US- โ‚ฌ390 million (January 2023) for Facebook and Instagram consent violations- โ‚ฌ405 million (September 2022) for Instagram childrenโ€™s privacy violations- โ‚ฌ265 million (November 2022) for data scraping failures- โ‚ฌ251 million (December 2024) for data breach violations- โ‚ฌ225 million (September 2021) for WhatsApp transparency violations - a platform Sweeney directly represented while it grappled with complex encryption implementations that raised both privacy and security concerns

These fines place Meta among the top GDPR violators historically, with the December 2024 fine being one of the most significant penalties that month.

Yet these headline-grabbing penalties remain largely uncollected, with companies using appeals and legal challenges to delay payment indefinitely. This stands in stark contrast to Metaโ€™s settlements in other jurisdictions, where the company has actually paid out substantial sums, including $1.4 billion to Texas over biometric data violations and an $8 billion privacy settlement that offers key compliance lessons.

The Bigger Picture: Irelandโ€™s Role as Big Techโ€™s European Gateway

Irelandโ€™s position as the European headquarters for most major US tech companies makes the DPC the de facto privacy regulator for companies like Meta, Google, Microsoft, and Apple across the entire EU. This gives the Irish regulator enormous influence over how strictly GDPR is enforced against Big Tech.

This appointment occurs against a backdrop of Irelandโ€™s increasingly controversial approach to digital rights. The country is simultaneously pursuing sweeping digital surveillance legislation and proposed media monitoring laws that critics argue threaten fundamental freedoms. The convergence of weak data protection enforcement with expanded surveillance powers creates what privacy advocates call a perfect storm for digital rights erosion.

The appointment comes at a critical time, as โ€œFrom 2026, the DPC will assume significant market surveillance authority responsibilities in relation to certain high-risk AI systems including law enforcement and certain biometricsโ€, according to Justice Minister Jim Oโ€™Callaghan. This is particularly concerning given Metaโ€™s rejection of the EU AI Code of Practice, raising questions about how effectively Sweeney will regulate her former employerโ€™s AI activities.

International Criticism and Concerns

The appointment has drawn criticism beyond Irelandโ€™s borders. European data protection activist Max Schrems, who has been at loggerheads with the DPC for years and has already sued the supervisory authority, called the appointment an absurdity. German publication Heise Online noted that โ€œThe appointment of the former television journalist, lobbyist, and consultant has significance beyond the islandโ€™s borders: hardly any other EU member state plays as important a role in enforcing European data protection law as Ireland.โ€

What This Means for European Data Protection

The End of Pretense

โ€œWe now witness a time where just pleasing US big tech behind the scenes is not enough anymore. The US demands that European countries publicly bow before US big tech,โ€ Schrems observed, suggesting this appointment reflects broader geopolitical pressures.

The cases Sweeney defended Meta against are still under appeal, creating an immediate conflict where she will now oversee the regulator pursuing these very cases against her former employer. This is particularly problematic given her specific role as WhatsAppโ€™s Director of Public Policy for Europe, where she would have been intimately involved in defending the platformโ€™s data practices that led to the โ‚ฌ225 million GDPR fine. Her tenure at WhatsApp also coincided with critical debates around encryption implementation and the platformโ€™s response to government surveillance pressures and spyware threats - all issues that continue to require regulatory oversight.

Trust Deficit

The appointment risks further eroding public trust in data protection enforcement at a time when AI regulation and digital rights are becoming increasingly critical issues.

Looking Ahead: A Crossroads for Privacy Rights

As Sweeney prepares to take office on October 13, 2025, alongside commissioners Des Hogan and Dale Sunderland, the appointment represents what critics call a watershed moment for European data protection. โ€œAt least this brings some honesty to the situation weโ€™ve witnessed over the last 15 years,โ€ Schrems noted sardonically.

The Irish government defends the appointment by citing Sweeneyโ€™s โ€œdiverse professional experience spanning technology policy, government service, and journalism.โ€ She previously worked as a Special Adviser at the Department of Foreign Affairs and as a journalist at RTร‰, Bloomberg, and the Irish Times.

However, for privacy advocates and millions of European citizens whose data protection rights hang in the balance, the message seems clear: when it comes to regulating Big Tech in Ireland, the masks are finally off.

The Response: Diplomatic Silence and Cautious Optimism

While privacy advocates have been vocal in their criticism, the official response has been notably muted. The DPC itself welcomed Sweeneyโ€™s appointment, stating commissioners โ€œlook forward to welcoming Ms. Sweeney and to working with her as the DPC continues to uphold the EUโ€™s fundamental right to data protection.โ€

Even some Irish critics are taking a wait-and-see approach. Johnny Ryan from the Irish Council for Civil Liberties, typically one of the DPCโ€™s loudest critics, offered only diplomatic expectations on LinkedIn rather than direct criticism.

Conclusion: A Test for European Digital Sovereignty

The appointment of Niamh Sweeney to the DPC is more than a simple personnel decision โ€“ itโ€™s a litmus test for Europeโ€™s commitment to digital sovereignty and citizen privacy rights. With only 0.6% of billions in fines actually collected, and a former Meta lobbyist now helping oversee Metaโ€™s regulation, the question isnโ€™t whether thereโ€™s a conflict of interest, but whether anyone in power still cares.

As Europe prepares for the AI Actโ€™s implementation and faces continued challenges around data transfers to the US, Irelandโ€™s decision sends a clear signal about its priorities. Whether other EU member states and the European Data Protection Board will accept this state of affairs remains to be seen.

For now, as Max Schrems puts it: โ€œNow, Ireland is officially kissing US Big Techโ€™s backside on the global stage.โ€

This article is based on public records, official statements, and reporting from multiple sources including noyb, the Irish Times, RTร‰, and documents obtained through Freedom of Information requests.

WhatsApp and Encryption Issues

AI and Compliance

GDPR Enforcement and Fines

Irelandโ€™s Digital Rights Landscape