New Irish Data Protection Commissioner Niamh Sweeney addresses scrutiny over her appointment, shares agency priorities

Last September, the Irish government announced the appointment of Niamh Sweeney as commissioner for data protection, filling out the third and final slot for the recently reorganized data protection authority. Joining Commissioners Dale Sunderland and Des Hogan, Sweeney started her five-year term 13 Oct. 2025. 

On Tuesday, she joined IAPP Country Leader for Ireland and Pembroke Privacy's Kate Colleary, CIPP/E, CIPM, FIP, at the IAPP Global Summit 2026 in Washington, D.C., to discuss her role and the agency's priorities in 2026 and beyond. 

Sweeney has faced scrutiny for her appointment due to her previous work with Big Tech companies Meta and Stripe and concerns about conflicts of interest. In a separate Q&A discussion Monday, the scrutiny continued when Max Schrems, co-founder of NOYB and critic of some of the Irish DPC's enforcement work, suggested it was "mind-blowing" that a "former lobbyist of Meta" came to the DPC.

However, Sweeney addressed those concerns Tuesday during her discussion with Colleary. 

"I think a certain amount of scrutiny is absolutely to be expected and appropriate," she said. "What I think is also important to remember is that I'm a statutory officer. That statutory obligation is a point of why the government and myself are duty-bound to uphold the impartiality, the independence, the integrity of the commission." 

She pointed out that, as a government-appointed statutory officer, she is subject to several legal obligations, including the Ethics in Public Office Act, the Regulation of Lobbying Act, the Official Secrets Act, as well as provisions under the Data Protection Act. 

Sweeney said that on day one, she, Sutherland and Hogan, "sat down and discussed the idea of the potential perception" of the issue. "What we decided collectively was that I would recuse myself from any decisions that related to either Meta or Stripe, and related matters that occurred or arose during the periods of time when I worked there." These time periods would include the years 2015 through 2021 for Meta-related activities and 2021 through 2022 for Stripe-related activities. 

"I also believe I bring a valuable and distinct skill set," Sweeney said. "One that complements those of my colleagues, and I would like to see more people with similar industry or policy backgrounds join regulatory bodies. Our sister regulators, the Media Commission, has successfully done this." 

Internal restructuring and agency priorities

Though the DPC continues to work on several high-profile investigations, including litigation with TikTok over data transfers to China, the agency is also continuing its internal restructuring after moving from a single commissioner to three. Sweeney pointed out, however, that external stakeholders will not notice much difference, that things will continue to remain "business as usual." 

With nearly 300 staff, up from 27 in 2014, Sweeney said that growth "has plateaued," with some active hires. "We will need ongoing discussions with government to ensure we can continue to meet demand." 

Part of that quantifiable demand stems from a dramatic increase in complaints, which are up by 50%. With an uptick in the number of complaints, Sweeney noted the complexity of those complaints is also increasing, "likely because people are using generative AI tools to word their complaints, which can lead to more complicated submissions." Data subject access requests account for 42% of the complaints the DPC has received, "often tied to employer-employee disputes," and the agency has seen an increase in complaints related to social media accounts.
"A common issue," she said, "is that organizations rely on valid restrictions, but fail on transparency. They must explain why data cannot be provided." 

With limited resources, the DPC is also "exploring AI tools to improve efficiency," but she pointed out they are doing so "carefully, because anything we use must be auditable and traceable."

Enforcement, fines and corrective measures

Sweeney did not get into specifics with ongoing enforcement measures at the DPC, but noted they've completed 15 large-scale inquiries. "Several ongoing inquiries are progressing internally," she said, "even if not visible externally. I expect some developments later this year." She said the major platform investigations underway "remain a top priority," but these take time as they are complex and involve cooperation with the European Data Protection Board. 

According to the DPC, the agency has issued fines totaling more than 4 billion euros, but to date, has only collected approximately 20 million euros. 

"Under Irish law," Sweeney said, "fines must be confirmed by the courts before they can be collected. Of the 15 large investigations concluded, 13 are in litigation. We also have over 40 active court cases." As part of this process, the DPC faces 28-day statutory appeals, three-month judicial review windows, and for at least seven cases decided under Article 65 of the EU General Data Protection Regulation, annulment actions. 

Ireland's common-law system demands "a high level of scrutiny in judicial reviews, especially around fair procedures," she said. "This makes the process slower than in civil-law jurisdictions." Yet, Sweeney also pointed out that many of these cases are setting key precedents, which could mean things will speed up in the future. 

Though fines make good headlines, Sweeney said corrective measures are powerful enforcement tools as well. "Fines are important, but not the most impactful," she said. Requiring changes to product design, for example, often provide better outcomes. As an example, both Instagram and TikTok were required to implement default private settings for users under age 18. They required the companies to issue compliance reports until the commission was satisfied, while also requiring strengthened transparency. 

"These measures," she said, "directly reduce harm and protect millions of users."