The Masks Are Off: Ireland Appoints Meta Lobbyist to Police Meta on Data Protection

Former WhatsApp and Facebook Policy Chief Named to Irish Data Protection Commission

September 22, 2025

In a move that privacy advocates are calling the ultimate conflict of interest, the Irish government has appointed Niamh Sweeney, a former senior Meta lobbyist who spent over six years defending the tech giant's interests, to the Data Protection Commission (DPC) – the very body responsible for regulating Meta and other Big Tech companies in Europe.

The appointment, which takes effect October 13, 2025, has sparked outrage among privacy advocates and raised serious questions about regulatory independence. Prior to being entrusted with the responsibility of regulating US Big Tech, Sweeney spent more than 6 years at Meta. For 3.5 of those years, she was head of public policy at Facebook, Ireland, before becoming director of public policy for Europe at WhatsApp.

A History of Defending Meta Through Scandals

Sweeney's tenure at Meta coincided with some of the company's most controversial moments. Ireland has officially announced that it is handing over one of the Commissioner positions at the DPC to a US Big Tech lobbyist who defended Meta at a time when it was involved in the "Cambridge Analytica" scandal and during proceedings that led to a €390 million fine over not collecting consent from users and a €1.2 billion fine over illegally transferring personal data to the US.

Meta's privacy violations extend far beyond these headline cases. The company has faced scrutiny for psychological experimentation on users without consent, invasive tracking pixels that monitor user behavior across the web, and more recently, allegations of torrenting adult content for AI training. The company has also faced lawsuits over social media addiction and harmful effects on teens.

Her professional background includes:

The €3.26 Billion Illusion: When Fines Don't Mean Accountability

Perhaps the most damning context for this appointment is the DPC's track record of non-enforcement. Despite issuing billions in fines against Big Tech, the reality is starkly different. Of all fines issued between 2020 and the end of October this year, only €19.9m of the total has been paid so far. The total amount paid represents just 0.6% of the penalties decided on by the DPC, most of which relate to Big Tech.

This means that while the DPC has levied €3.26 billion in fines over the past five years, it has collected a mere €19.9 million – creating what critics call an illusion of enforcement while allowing Big Tech to operate with impunity.

The Fine Collection Crisis: A Breakdown

  • 2020: €785,000 fined, €75,000 collected
  • 2021: €225 million fined, €800,000 collected
  • 2022: Over €1 billion fined, €17.6 million collected
  • 2023: €1.55 billion fined (including Meta's record €1.2 billion), €815,000 collected
  • 2024 (through October): €401 million fined, €582,500 collected

Max Schrems: "Meta Now Officially Regulates Itself"

Privacy activist Max Schrems, who has won multiple cases against Facebook at the European Court of Justice, didn't mince words about the appointment. "We now literally have a US big tech lobbyist policing US big tech for Europe. For 20 years, Ireland did not actually enforce EU law, but at least they had enough shame to undermine enforcement secretly."

Schrems' organization, noyb (None of Your Business), has been at the forefront of challenging the DPC's handling of GDPR enforcement. The activist points to a pattern of deliberate obstruction: "For years, there was always some alleged 'reason' or 'problem' why the DPC 'unfortunately' was unable to enforce EU law in Ireland. We spent months in courts over these alleged reasons and problems, knowing that this follows a political playbook."

A Regulator Already Under Fire

The DPC has faced sustained criticism for its handling of GDPR enforcement:

Systematic Non-Decision Making

The Irish Regulator does not decide on citizens' complaints - in violation of EU law. In a parliamentary hearing, the DPC acknowledged it "handles" 99.93% of GDPR complaints without actually issuing decisions on them.

Secret Meetings and Procedural Issues

Privacy advocates have accused the DPC of holding secret meetings with Big Tech companies and creating procedural obstacles for complainants. Documents are withheld, hearings are denied and submitted arguments and facts are simply not reflected in the decision, according to noyb's complaints about the DPC's procedures.

Record Fines That Go Uncollected

Meta alone has been hit with massive fines:

  • €1.2 billion (May 2023) for illegal data transfers to the US
  • €390 million (January 2023) for Facebook and Instagram consent violations
  • €405 million (September 2022) for Instagram children's privacy violations
  • €265 million (November 2022) for data scraping failures
  • €251 million (December 2024) for data breach violations
  • €225 million (September 2021) for WhatsApp transparency violations - a platform Sweeney directly represented while it grappled with complex encryption implementations that raised both privacy and security concerns

These fines place Meta among the top GDPR violators historically, with the December 2024 fine being one of the most significant penalties that month.

Yet these headline-grabbing penalties remain largely uncollected, with companies using appeals and legal challenges to delay payment indefinitely. This stands in stark contrast to Meta's settlements in other jurisdictions, where the company has actually paid out substantial sums, including $1.4 billion to Texas over biometric data violations and an $8 billion privacy settlement that offers key compliance lessons.

The Bigger Picture: Ireland's Role as Big Tech's European Gateway

Ireland's position as the European headquarters for most major US tech companies makes the DPC the de facto privacy regulator for companies like Meta, Google, Microsoft, and Apple across the entire EU. This gives the Irish regulator enormous influence over how strictly GDPR is enforced against Big Tech.

This appointment occurs against a backdrop of Ireland's increasingly controversial approach to digital rights. The country is simultaneously pursuing sweeping digital surveillance legislation and proposed media monitoring laws that critics argue threaten fundamental freedoms. The convergence of weak data protection enforcement with expanded surveillance powers creates what privacy advocates call a perfect storm for digital rights erosion.

The appointment comes at a critical time, as "From 2026, the DPC will assume significant market surveillance authority responsibilities in relation to certain high-risk AI systems including law enforcement and certain biometrics", according to Justice Minister Jim O'Callaghan. This is particularly concerning given Meta's rejection of the EU AI Code of Practice, raising questions about how effectively Sweeney will regulate her former employer's AI activities.

International Criticism and Concerns

The appointment has drawn criticism beyond Ireland's borders. European data protection activist Max Schrems, who has been at loggerheads with the DPC for years and has already sued the supervisory authority, called the appointment an absurdity. German publication Heise Online noted that "The appointment of the former television journalist, lobbyist, and consultant has significance beyond the island's borders: hardly any other EU member state plays as important a role in enforcing European data protection law as Ireland."

What This Means for European Data Protection

The End of Pretense

"We now witness a time where just pleasing US big tech behind the scenes is not enough anymore. The US demands that European countries publicly bow before US big tech," Schrems observed, suggesting this appointment reflects broader geopolitical pressures.

The cases Sweeney defended Meta against are still under appeal, creating an immediate conflict where she will now oversee the regulator pursuing these very cases against her former employer. This is particularly problematic given her specific role as WhatsApp's Director of Public Policy for Europe, where she would have been intimately involved in defending the platform's data practices that led to the €225 million GDPR fine. Her tenure at WhatsApp also coincided with critical debates around encryption implementation and the platform's response to government surveillance pressures and spyware threats - all issues that continue to require regulatory oversight.

Trust Deficit

The appointment risks further eroding public trust in data protection enforcement at a time when AI regulation and digital rights are becoming increasingly critical issues.

Looking Ahead: A Crossroads for Privacy Rights

As Sweeney prepares to take office on October 13, 2025, alongside commissioners Des Hogan and Dale Sunderland, the appointment represents what critics call a watershed moment for European data protection. "At least this brings some honesty to the situation we've witnessed over the last 15 years," Schrems noted sardonically.

The Irish government defends the appointment by citing Sweeney's "diverse professional experience spanning technology policy, government service, and journalism." She previously worked as a Special Adviser at the Department of Foreign Affairs and as a journalist at RTÉ, Bloomberg, and the Irish Times.

However, for privacy advocates and millions of European citizens whose data protection rights hang in the balance, the message seems clear: when it comes to regulating Big Tech in Ireland, the masks are finally off.

The Response: Diplomatic Silence and Cautious Optimism

While privacy advocates have been vocal in their criticism, the official response has been notably muted. The DPC itself welcomed Sweeney's appointment, stating commissioners "look forward to welcoming Ms. Sweeney and to working with her as the DPC continues to uphold the EU's fundamental right to data protection."

Even some Irish critics are taking a wait-and-see approach. Johnny Ryan from the Irish Council for Civil Liberties, typically one of the DPC's loudest critics, offered only diplomatic expectations on LinkedIn rather than direct criticism.

Conclusion: A Test for European Digital Sovereignty

The appointment of Niamh Sweeney to the DPC is more than a simple personnel decision – it's a litmus test for Europe's commitment to digital sovereignty and citizen privacy rights. With only 0.6% of billions in fines actually collected, and a former Meta lobbyist now helping oversee Meta's regulation, the question isn't whether there's a conflict of interest, but whether anyone in power still cares.

As Europe prepares for the AI Act's implementation and faces continued challenges around data transfers to the US, Ireland's decision sends a clear signal about its priorities. Whether other EU member states and the European Data Protection Board will accept this state of affairs remains to be seen.

For now, as Max Schrems puts it: "Now, Ireland is officially kissing US Big Tech's backside on the global stage."


This article is based on public records, official statements, and reporting from multiple sources including noyb, the Irish Times, RTÉ, and documents obtained through Freedom of Information requests.
