BRUSSELS — The European Union is pressing ahead with talks to grant United States border authorities unprecedented access to Europeans’ data, despite growing concerns about American surveillance. The European Commission is brokering a deal to exchange information about travelers, including fingerprints and law enforcement records, so the U.S. can determine if they “pose a risk to public security or public order,” according to official documents. Commission officials flew to Washington last week for the first round of negotiations, according to two people familiar with the matter. The Trump administration’s request for deeper access comes after the U.S. border agency in December proposed reviewing five years of social media history. Talks are happening as the U.S. Immigration and Customs Enforcement (ICE) service is under heavy scrutiny for its use of surveillance technology against protesters in cities such as Minneapolis. The negotiations should be “put on hold” until the security and privacy of citizens in the EU and U.S. can be guaranteed, liberal European Parliament member Raquel García Hermida-van der Walle said in an interview. Romain Lanneau, a legal researcher with surveillance watchdog Statewatch, said police databases in Europe could contain information on anyone from protesters to journalists who might be considered a “threat,” and that — under the deal being discussed — this information would be at the fingertips of U.S. border authorities who could refuse those people entry to the United States or even detain them. European regulators are “very cautiously looking at what’s happening in the United States,” Wojciech Wiewiórowski, the EU’s in-house data protection supervisor, told POLITICO. Europe “has to be careful” about how it allows the data of Europeans to flow to the U.S., he said.  Hermida-van der Walle in January co-signed a letter by six prominent lawmakers calling on the Commission to stand down given the “current geopolitical context,” despite Washington’s admonition that failure to reach a deal will mean Europeans lose access to its visa waiver program. UNPRECEDENTED ACCESS The U.S. is seeking access to information including biometric data such as fingerprints that is stored on national databases in European countries, according to an explanatory note sent to national experts. The data would be used to “address irregular migration and to prevent, detect, and combat serious crime and terrorist offences,” the note said. In an earlier opinion on the deal, the European Data Protection Supervisor (EDPS) — a watchdog that advises the Commission on privacy policies — noted the deal would be the first of its kind to enable “large-scale sharing of personal data … for the purpose of border and immigration control” with a non-EU country. The Commission would negotiate a framework deal that would serve as a template for bilateral agreements called Enhanced Border Security Partnerships (EBSPs), which national governments agree with Washington. EU countries in December signed off on the Commission’s request to start talks with the U.S. Washington is pressuring its EU counterparts by imposing a deadline for the bilateral deals to be agreed by the end of 2026. If countries fail to reach a deal with the U.S. they risk being cut from the latter’s visa waiver program. The U.S has made it mandatory for all countries that are part of the visa waiver program to have an EBSP in place. “The pressure which the United States is extorting on our member states, the threats that if you don’t agree with this we will cancel your access to the visa waiver program, that is an element of blackmail that we cannot let go,” Hermida-van der Walle said. The EDPS watchdog has cautioned that the scope of data sharing should be as narrow as possible, with clear justifications for every query; transparency around how the data is used; and judicial redress available in the U.S. for any person. Commission spokesperson Markus Lammert emphasised at a recent press briefing that the framework being negotiated will involve “clear and robust safeguards on data protection,” and will ensure “a non-systematic nature of the information exchange and that the exchange is limited to what is strictly necessary to achieve the objectives of this cooperation.”  US PRIVACY UNDER PRESSURE Access to the data is the latest issue putting pressure on a troubled relationship between the U.S. and the EU on data privacy. Since whistleblower Edward Snowden in 2013 revealed U.S. mass surveillance practices affecting Europeans, the EU has tightened controls on how Washington handles Europeans’ data. Since the return of Donald Trump as president last year, officials and rights groups have deplored a move by the U.S. administration to gut a key privacy watchdog tasked with overseeing privacy safeguards in place to protect Europeans. The Trump administration has also been ramping up mass surveillance of citizens by federal agencies like ICE, including through contracts with Israeli spyware company Paragon, surveillance giant Palantir and other firms. Capgemini, a prominent French IT firm, on Sunday said it was selling off its American activities after it faced political backlash from the French government that its software was being used by ICE authorities. Civil rights groups, lawmakers and other watchdogs fear the new EU-U.S. data sharing deals would add to backsliding on privacy rights.    “The current initiatives are being presented as toward counter-terrorism, but a lot of them are actually adopted for the chilling effect [on political activism],” Statewatch’s Lanneau said. Hermida-van der Walle, the liberal lawmaker, warned: “If people have to go to the United States, if it’s not a choice but something that they have do, there is a risk of self-censoring.”  “This comes from an administration who claims to be the biggest defender of free speech. What they’re doing with their actions is curtailing the possibility of people to express themselves freely, because otherwise they might not get access into the country,” she said.

The Trump administration is lashing out at foreign laws aimed at clamping down on online platforms that have gained outsized influence on people’s attention — while trying to avoid launching new trade wars that could threaten the U.S. economy. Over the past month, U.S. officials have paused talks on a tech pact with the United Kingdom, canceled a trade meeting with South Korean officials and issued veiled threats at European companies over policies they believe unfairly penalize U.S. tech giants. Several tech policy professionals and people close to the White House say the recent actions amount to a “negotiating tactic,” in the words of one former U.S. trade official. As talks continue with London, Brussels and Seoul, the Office of the U.S. Trade Representative is pressing partners to roll back digital taxes on large online platforms and rules aimed at boosting online privacy protections — measures U.S. officials argue disproportionately target America’s tech behemoths. “It’s telegraphing that we’ve looked at this deeply, we think there’s a problem, we’re looking at tools to address it and we’re looking at remedies if we don’t come to an agreement,” said Everett Eissenstat, who served as the director of the National Economic Council in Trump’s first term. “It’s not an unprecedented move, but naming companies like that and telegraphing that we have targets, we have tools, is definitely meaningful.” But so far, the administration has shied away from new tariffs or other aggressive actions that could upend tentative trade agreements or upset financial markets. And the new tough talk may not be enough to placate some American tech companies, who are pressing for action. One possible action, floated by U.S. Trade Representative Jamieson Greer, would be launching investigations into unfair digital trade practices, which would allow the administration to take action against countries that impose digital regulations on U.S. companies. “I would just say that’s the next level of escalation. I think that’s what people are waiting for and looking for,” said a representative from a major tech company, granted anonymity to speak candidly and discuss industry expectations. “What folks are looking for is like action over the tweets, which, we love the tweets. Everyone loves the tweets.” Trump used similar investigations to justify raising tariffs on hundreds of Chinese imports in his first term. But those investigations take time, and it can be years before any increases would go into effect. Greer has also been careful to hedge threats of new trade probes, stressing they are not meant to spiral into a broader conflict. Speaking on CNBC’s “Squawk Box” last week, he floated launching a trade investigation into the EU’s digital policies, but said the goal would be a “negotiated outcome,” not an automatic path to higher tariffs. “I don’t think we’re in a world where we want to have some renewed trade fight or something with the EU — that’s not what we’re talking about,” Greer said. “We want to finish off our deal and implement it,” he continued, referring to the trade pact the partners struck over the summer. Greer also raised the prospect of a trade probe in private talks with South Korea earlier this fall, saying the U.S. might have to resort to such action if the country continues to pursue legislation the administration views as harmful to U.S. tech firms. But a White House official clarified that the U.S. was not yet considering such a “heavy-handed approach.” Even industry officials aren’t certain how aggressive they want the Trump administration to be, acknowledging that if the U.S. escalated its fight with the EU over their tech regulations, it could spark a digital trade war that would ultimately end up harming all of the companies involved, according to a former USTR official, granted anonymity to speak candidly. President Donald Trump has long criticized the tech regulations — pioneered by the European Union and now proliferating around the globe. But he’s made the issue a much more central part of his second-term trade agenda, with mixed results. While Trump’s threat to cut off trade talks with Canada got Prime Minister Mark Carney to rescind their three percent tax on revenue earned by large online platforms, his administration has struggled to make headway with the EU, UK and South Korea in the broader trade negotiations over tariffs. The tentative trade deal the administration reached with the EU over the summer included a commitment from the bloc to address “unjustified digital trade barriers” and a pledge not to impose network usage fees, but left the scope and direction of future discussions largely undefined. The agreement fleshed out with South Korea this fall appeared to go even further, spelling out commitments that regulations governing online platforms and cross-border data flows won’t disadvantage American companies. But none of those governments have so far caved to U.S. pressure to abandon their digital regulations entirely, and the canceled talks and threatening social media posts are a sign of Trump’s growing frustration. “You won’t be surprised to know that what we think is fair treatment and what they think is fair treatment is quite different and I’ve been quite frankly disappointed over the past few months to see zero moderation by the EU,” Greer said Dec. 10 at an event at the Atlantic Council. Last week, Greer’s office amped up the rhetoric further, threatening to take action against major European companies like Spotify, German automation company Siemens and Mistral AI, the French artificial intelligence firm, if the EU doesn’t back off enforcement of its digital rules. The threat came a week after the EU fined X, the company formerly known as Twitter, $140 million for failing to meet EU transparency rules. Greer’s office also canceled a meeting planned for last Thursday with South Korean officials, as South Korean lawmakers introduced new digital legislation and held an explosive hearing on a data breach at Coupang, an American-headquartered e-commerce company whose largest market is in South Korea. The South Korean Embassy denied any relationship between the Coupang hearing and the cancellation of the recent meeting. “Neither Coupang’s data breach, the subsequent investigation by the Korean government, nor the National Assembly’s hearing played a role in the scheduling of the KORUS Joint Committee,” said an embassy official. The canceled meetings and frozen talks are significant — delaying implementation of bare bones trade agreements and investment pledges inked in recent months. But the Trump administration has shown little interest in blowing up the deals its reached and reapplying the steep tariffs it threatened over the summer, which could trigger significant retaliation and, as concerns about affordability and inflation continue to simmer in the U.S., prove politically dicey. Launching trade investigations at USTR or fining specific foreign companies could be a less inflammatory move. “What is happening is that these issues are starting to come to a head,” said Dirk Auer, a Director of Competition Policy International Center for Law & Economics, who focuses on antitrust issues and recently testified before Congress on digital services laws. “At some point the administration has to put up or shut up. They need to put their money where their mouth is. And I think that’s what’s happening right now.” Gabby Miller contributed to this report.

BRUSSELS — A fresh proposal by European Commission President Ursula von der Leyen to reform digital laws on Wednesday was welcomed by lawmakers on the right but shunned on the left. It signals a possible repeat of a pivotal parliamentary clash last week in which von der Leyen’s center-right European People’s Party sided with the far right to pass her first omnibus proposal on green rules — sidelining the centrist coalition that voted the Commission president into office last year. The EU executive on Wednesday presented plans to overhaul everything from its flagship General Data Protection Regulation to data rules and its fledgling Artificial Intelligence Act. The reforms aim to help businesses using data and AI, in an effort to catch up with the United States, China and other regions in the global tech race. Drafts of the plans obtained by POLITICO caused an uproar in Brussels in the past two weeks, as everyone from liberal to left-leaning political groups and privacy-minded national governments rang the alarm. Von der Leyen sought to extend an olive branch with last-minute tweaks to her proposal, but she’s still a long way away from center-left groups. The Progressive Alliance of Socialists and Democrats, Greens and The Left all slamming the plans in recent days. Tom Vandendriessche, a Belgian member of the far-right Patriots for Europe group, said the GDPR is not “untouchable,” and that there needs to be simplification “to ensure our European companies can compete again.” He added: “If EPP supports that course, we’re happy to collaborate on that.” Charlie Weimers a Swedish member of the right-wing European Conservatives and Reformists, welcomed the plan for “cleaning up overlapping data rules, cutting double reporting and finally tackling the cookie banner circus.” Weimers argued von der Leyen could go further, saying it falls short of being “the regulatory U-turn the EU actually needs” to catch up in the AI race. Those early rapprochements on the right are what Europe’s centrists and left fear most. The digital omnibus “should not be a repetition of omnibus one,” German Greens lawmaker Sergey Lagodinsky told reporters on Wednesday. Lagodinsky warned EPP leader Manfred Weber that “there should be no games with anti-democratic and anti-European parties.” BIG REFORMS, SMALL CONCESSIONS The Commission’s double-decker digital omnibus package includes one plan to simplify the EU’s data-related laws (including the GDPR as well as rules for nonpersonal data), and another specifically targeting the AI Act. A Commission official, briefing reporters without being authorized to speak on the record, said the omnibus’ impact on the GDPR was subject to “intense discussion” internally in the run up to Wednesday’s presentation, after its rough reception from some parliament groups and privacy organizations. Much in the EU executive’s final text remained unchanged. Among the proposals, the Commission wants to insert an affirmation into the GDPR that AI developers can rely on their “legitimate interest” to legally process Europeans’ data. That would give AI companies more confidence that they don’t always have to ask for consent. It also wants to change the definition of personal data in the GDPR to allow pseudonymized data — where a person’s details have been obscured so they can’t be identified — to be more easily processed. The omnibus proposals also aim to reduce the number of cookie banners that crop up across Europe’s internet. To assuage privacy concerns, Commission officials scrapped a hotly contested clause that would have redefined what is considered “special category” data, like a person’s religious or political beliefs, ethnicity or health data, which are afforded extra protections under the GDPR. The new cookie provision will also contain an explicit statement that website and app operators still need to get consent to access information on people’s devices. SEEKING POLITICAL SUPPORT The final texts will now be scrutinized by the Parliament and Council of the European Union. Von der Leyen’s center-right EPP welcomed the digital simplification plans as a “a critical boost for Europe’s industrial competitiveness.” Parliament’s group of center-left Socialists and Democrats came out critical of the reforms. Birgit Sippel, a prominent German member of the group, said in a statement the Commission “wants to undermine its own standards of protection in the area of data protection and privacy in order to facilitate data use, surveillance, and AI tools ‘made in the U.S.’” On the EPP’s immediate left, the liberal Renew group cited “important concerns” about the final texts but said it was “delighted” that the Commission backtracked on changing the definition of sensitive data, one idea in the leaked drafts that triggered a backlash. Renew said it would “support changes in the digital omnibus that will make life easier for our European companies.” If von der Leyen goes looking for votes for her digital omnibus among far-right groups, she will find support but it might not be a united front. German lawmaker Christine Anderson of the Alternative for Germany party, part of the far-right Europe of Sovereign Nations group, warned the digital omnibus could end up boosting “the ability to track and profile people.” Weaker privacy rules would “enable enhanced surveillance architecture,” she said, adding her party had “always opposed” such changes. “On these issues, we find ourselves much closer to the groups on the left in the Parliament,” she said. Pieter Haeck contributed reporting.

BRUSSELS — European Union officials are ready to sacrifice some of their most prized privacy rules for the sake of AI, as they seek to turbocharge business in Europe by slashing red tape.  The European Commission will unveil a “digital omnibus” package later this month to simplify many of its tech laws. The executive has insisted that it is only trimming excess fat through “targeted” amendments, but draft documents obtained by POLITICO show that officials are planning far-reaching changes to the General Data Protection Regulation (GDPR) to the benefit of artificial intelligence developers.   The proposed overhaul will come as a boon to businesses working with AI, as Europe scrambles to stay economically competitive on the world stage. But touching the flagship privacy law — seen as the “third rail” of EU tech policy — is expected to trigger a massive political and lobbying storm in Brussels. “Is this the end of data protection and privacy as we have signed it into the EU treaty and fundamental rights charter?” said German politician Jan Philipp Albrecht, who as a former European Parliament member was one of the chief architects of the GDPR. “The Commission should be fully aware that this is undermining European standards dramatically.” Brussels’ shift on privacy comes as it frets over Europe’s waning economic power. Former Italian Prime Minister Mario Draghi namechecked the General Data Protection Regulation as holding back European innovation on artificial intelligence in his landmark competitiveness report last year. European privacy regulators have already been spoiling Big Tech’s AI party in recent years. Meta, X and LinkedIn have all delayed rollouts of artificial intelligence applications in Europe after interventions by the Irish Data Protection Commission. Google is facing an inquiry by the same regulator and was previously forced to pause the release of its Bard chatbot. Italy’s regulator has previously imposed temporary blocks on OpenAI’s ChatGPT and Chinese DeepSeek over privacy concerns. Those same tech giants are racing ahead in the U.S., without an equivalent blanket privacy law barring them from feeding AI with citizens’ data. UNLEASH THE LOBBYISTS The General Data Protection Regulation’s initial drafting in 2012-2016 triggered one of the biggest lobbying efforts Brussels has ever seen. Since taking effect in 2018, the EU has steered clear of amending it, fearing it would reignite the vicious lobbying war.  In past months, Commission officials have sought to preempt worries that it was overhauling the privacy rulebook. It insisted that its simplification proposals wouldn’t touch the underlying principles of the GDPR.  Now that draft plans are out, civil society campaigners have begun sounding the alarm. The Commission is “secretly trying to overrun everyone else in Brussels,” said Max Schrems, founder of Austrian privacy group Noyb — and Europe’s infamous privacy campaigner who was behind court cases that brought down major data transfer deals with the United States in the past. “This disregards every rule on good lawmaking, with terrible results,” he said. “Is this the end of data protection and privacy as we have signed it into the EU treaty and fundamental rights charter?” said German politician Jan Philipp Albrecht. | Heiko Rebsch/picture alliance via Getty Images One line of attack from privacy groups is to poke holes in what they say is a rushed omnibus process. While the GDPR took years to negotiate, public consultation on the digital omnibus only ended in October. The Commission has not prepared impact assessments to accompany its proposals, as it says the changes are only targeted and technical. The Commission’s tunnel vision on the AI race has resulted in a “poorly drafted ‘quick shot’ in a highly complex and sensitive area,” said Schrems. LOOSENING PRIVACY RULES The draft proposal obtained by POLITICO shows how far the European Commission is willing to go to placate industry on AI. Draft changes would create new exceptions for AI companies that would allow them to legally process special categories of data (like a person’s religious or political beliefs, ethnicity or health data) to train and operate their tech. The Commission is also planning to reframe the definition of such special category data, which are afforded extra protections under the privacy rules.   Officials also want to redefine what constitutes as personal data, saying that pseudonymized data (where personal details have been obscured so a person can’t be identified) might not always be subject to the GDPR’s protections, a change that reflects a recent ruling from the EU’s top court. Finally, it wants to reform Europe’s pesky cookie banner rules by inserting a provision into the GDPR that would give website and app owners more legal grounds to justify tracking users beyond simply obtaining their consent. The draft proposal could still change before the Commission officially unveils its plans on Nov. 19. Once presented, the omnibus package has to pass muster with EU countries and lawmakers, who are already sharply divided on whether to touch privacy protections.   But Finnish center-right lawmaker Aura Salla said she would “warmly” welcome the proposal “if done correctly,” as it could bring legal certainty for AI companies. | Alexis Haulot/European Parliament Documents seen by POLITICO show that Estonia, France, Austria and Slovenia are firmly against any rewrite of the General Data Protection Regulation. Germany — usually seen as one of the most privacy-minded countries — on the other hand is pushing for big changes to help AI. In the European Parliament, the issue is expected to divide groups. Czech Greens lawmaker Markéta Gregorová said she is “surprised and concerned” that the GDPR is being reopened. She warned that Europeans’ fundamental rights “must carry more weight than financial interests.”  But Finnish center-right lawmaker Aura Salla — who previously led Meta’s Brussels lobbying office — said she would “warmly” welcome the proposal “if done correctly,” as it could bring legal certainty for AI companies. Salla emphasized that the Commission will have to “ensure it is European researchers and companies, not just third country giants that gain a competitive edge from our own rules.” 

Enrico Letta is president of the Jacques Delors Institute and a former prime minister of Italy. Pascal Lamy is vice-president of the Paris Peace Forum and a former European commissioner for Trade. Kolinda Grabar-Kitarović is co-chair of the Global Preparedness Monitoring Board and a former president of Croatia. They are all members of the Governing Board of the new Jacques Delors Friends of Europe Foundation. For too long, the European project has been treated like an à la carte menu. Leaders cherry-pick advantages, blame Brussels for the compromises they’ve accepted, and leave citizens to bear the consequences of watered-down decisions and years-long delays. This habit of the political dodge, of agreeing in public and unraveling at home, has dented public trust, and it must stop. By 2028, Europe must complete the single market — not in slogans but in the concrete areas that shape everyday life, like energy, telecommunications, savings and investments, and the free circulation of knowledge and innovation. A real single market in these fields will deliver tangible benefits for citizens: Harmonized energy markets mean cross-border trade of electricity and gas, stabilized supplies and lower bills when markets work properly. Unified telecoms will reduce roaming and domestic price monopolies, improve service and widen access. Integrated capital markets will give savers better returns, channel funds to growing firms and make loans cheaper for small businesses. And removing barriers to research and data flows will allow students, scientists and entrepreneurs to collaborate and scale up without coming up against national borders. In short: more choice, lower costs, better opportunities and faster innovation. Alongside these priorities, Europe must also adopt what Enrico Letta and others call the “28th regime” — a mechanism that allows individuals and businesses to operate under uniform EU standards when national rules obstruct progress. Voluntary pioneers shouldn’t be hostage to vetoes from lone capitals. Where national foot-dragging denies benefits to citizens elsewhere, European law should offer an alternate path to deliver those benefits. This is about fairness and security. The fragmented status quo leaves households overpaying for energy, students facing unequal digital access and entrepreneurs boxed into tiny domestic markets. It also weakens Europe geopolitically: Fragmented energy systems increase vulnerability to hostile suppliers; disjointed capital markets amplify financial shocks; and splintered telecoms and digital rules hamper our ability to control critical infrastructure and data flows. Deadlines force choices and sharpen political will — without them, the default remains delay. Europe’s leaders thus need to set a clear, nonnegotiable deadline to complete the single market in energy, telecoms, capital and knowledge by 2028. And here are the concrete steps they must take: First, they must institutionalize the fifth freedom — the free circulation of knowledge and innovation — by removing regulatory barriers to research collaboration, data exchange, university partnerships and mobility for knowledge workers. Next, they need to adopt EU-wide rules where national governments block progress. Activating the 28th-regime concept will allow willing member countries and their citizens to benefit, even if one or two vetoers refuse to move. Then, break energy silos by fast-tracking cross-border interconnectors, harmonizing grid and wholesale market rules, and prioritizing joint procurement to prevent costly duplication. Also, unify telecoms by eliminating burdensome national licensing, promoting Pan-European operators, and creating a regulatory environment that rewards competition and coverage. Europe’s leaders thus need to set a clear, nonnegotiable deadline to complete the single market in energy, telecoms, capital and knowledge by 2028. | Thierry Monasse/Getty Images Finally, complete the capital markets union through the Savings and Investments Union, linking finance to the real economy and fostering investments in the common goods that Europe needs, such as innovation and digital, security, and the fight against climate change. Completing the single market must also go hand in hand with security and resilience. If Europe is to spend billions on defense, those investments must translate to more than trophies for national procurement agencies. We need a single market for defense, with interoperable equipment, joint procurement, shared standards and industrial cooperation. Defense purchases need to build common capabilities — not 27 bespoke systems that can’t communicate with each other. Societal resilience matters too. Authoritarian and malign actors weaponize disinformation, exploit social divisions and erode trust in institutions. Fighting disinformation is as much about strengthening communities as it is about policing platforms, and Europe must invest in civic resilience. We must also be clear-eyed about enlargement. Ukraine’s and Moldova’s resilience have shown democratic determination in the face of Russian aggression, and their efforts should inspire concrete progress. Former European Commission President Jacques Delors called enlargement “our duty” — and he was right. Widening the single market to include the Western Balkans, Ukraine and Moldova, while rigorously enforcing rule of law and democratic standards, is not charity. It’s a strategic investment in Europe’s security and prosperity. Europe now faces a stark choice: Inertia on the one hand, meaning fragmented markets, stranded talent, fragile societies and rising illiberalism; or integration on the other — a single market that lowers costs, boosts competitiveness, enhances security and renews citizens’ trust. The 2028 deadline shouldn’t be seen as a slogan. It’s a contract with Europeans who want results, not reassurances. And leaders must treat it as such. Delors said Europe needs a soul. Today, it needs delivery. Let’s strengthen our defenses and societies, meet our duty to our neighbors and finish the job. Let’s do it by 2028.

A corporate lawyer who has worked for Big Tech played a key role in picking a former lobbyist for Facebook and WhatsApp as one of Europe’s most powerful privacy regulators. Niamh Sweeney will take up her role as one of three chief regulators at Ireland’s powerful Data Protection Commission (DPC) next week. Her previous experience as a lobbyist for Facebook and WhatsApp has reignited concerns that Ireland’s top data regulator is too close to Big Tech. Now, new details about her appointment process seen by POLITICO show that a lawyer representing tech giants at a prominent law firm in Ireland was a member of a small panel that picked Sweeney. The inclusion of that lawyer on the panel triggered a conflict of interest complaint by a candidate that competed with her for the job earlier this year. The Irish Data Protection Commissioner enforces Europe’s mighty General Data Protection Regulation (GDPR) on many of the world’s largest technology companies, including Meta, X, Google, TikTok and others that have their European headquarters in Ireland. For years, the Irish authority has faced criticism for being too soft on tech giants, with critics pointing to Ireland’s heavy reliance on Big Tech for its domestic economy. After the GDPR took effect in 2018, it took years before the DPC started imposing sizable fines on tech giants. Commissioners at the Irish DPC are appointed by the Irish government on the advice of the Public Appointments Service, the authority that provides recruitment services for public jobs. The authority is known as publicjobs. In a confidential letter dated May 14 and seen by POLITICO, publicjobs said it had assembled a selection panel of five people to pick the newest privacy chief. According to the letter, that panel included consultant Shirley Kavanagh as chair, Department of Justice Deputy Secretary Doncha O’Sullivan, the head of Ireland’s ComReg communications watchdog Garrett Blaney, publicjobs recruitment specialist Louise McEntee, and Leo Moore, a partner at law firm William Fry. Moore heads the firm’s technology group. He has advised domestic and multinational companies, including “several ‘Big Tech’ and social media companies,” the law firm’s own website states. The law firm advised Microsoft in a landmark court case where U.S. authorities wanted to access data on Irish servers, it said in a 2016 press release. Irish media also reported that the firm had advised the Irish government in a case in which the government pushed back on collecting almost €14 billion in back taxes from Apple. Moore did not respond to POLITICO’s requests for comment. William Fry did not provide a comment in time for publication. The Irish Data Protection Commissioner enforces Europe’s mighty General Data Protection Regulation (GDPR) on many of the world’s largest technology companies, including Meta, X, Google, TikTok and others that have their European headquarters in Ireland. | Artur Widak/NurPhoto via Getty Images The chair of the panel, Kavanagh, has previously worked in senior leadership roles in the pharma, financial services, retail and public sectors, including with Inizio, Axa, Primark and Ireland’s central bank, she stated on her website. The site said she has also worked with “technology companies” as a “coach and senior team facilitator.” Kavanagh declined POLITICO’s request for comment, directing questions to the publicjobs service and the Irish justice department. REVOLVING DOOR COMPLAINT Sweeney is set to take office Oct. 13 alongside co-Commissioners Des Hogan and Dale Sunderland. The DPC switched to having three top commissioners after former Data Protection Commissioner Helen Dixon (who carried out the role alone) left office in 2024. Sweeney worked as Facebook’s head of public policy in Ireland from 2015-2019, then as EMEA director of public policy for WhatsApp until 2021, followed by a year working as head of communications for financial technology firm Stripe. She was a director at lobby firm Milltown Partners until this summer, her LinkedIn page showed. Sweeney’s appointment as co-commissioner raised concerns among privacy activists when it was announced in September. Austrian privacy group Noyb described it as Ireland’s “kissing US Big Tech’s backside” and said it left companies like Meta to regulate themselves. A candidate competing with Sweeney for the commissioner role submitted a complaint about the process in April, publicjobs’ May letter seen by POLITICO showed. The complainant’s name was redacted from the documents. The complainant questioned the inclusion of tech lawyer Moore on the panel that selected the former Meta official. They alleged that Moore had a conflict of interest given his role “as a corporate lawyer who represents clients whose business practices are regulated by the very agency this role oversees,” according to the letter, which responded to the complaint. Publicjobs in the letter defended the independence and expertise of the board that it had assembled and said it was “assured that Mr Moore’s professional role was not considered to conflict with his role on the Board.” The complainant also argued that no member of the panel had enough technological expertise to make a fair assessment of applications.   In the letter, publicjobs highlighted the “extensive” expertise of Moore in data protection and cybersecurity. GOVERNMENT STANDS BY APPOINTMENT Publicjobs said in the letter that it found “no evidence that the Board convened was inappropriate, or incapable of assessing candidates against the key requirements of the role in question.”  In a written comment to POLITICO, a spokesperson for publicjobs said the authority has “full confidence in the composition, independence, expertise and qualifications of the chosen Assessment Board” to recruit a third data protection commissioner, and that the complaint submitted about the competition had been “fully addressed” by the service’s review process.     A corporate lawyer who has worked for Big Tech played a key role in picking a former lobbyist for Facebook and WhatsApp as one of Europe’s most powerful privacy regulators. | Samuel Boivin/Getty Images They said publicjobs works to ensure assessment boards for senior roles are “balanced, diverse and not conflicted, with all panelists required to complete a confidentiality agreement and a conflict-of-interest form.” Boards at this level are approved by the service’s Chief Executive Margaret McCabe and Head of Recruitment Talent Strategy Michelle Noone, the spokesperson added. A spokesperson for Ireland’s Department of Justice, Home Affairs and Migration told POLITICO the ministry is “fully satisfied with the appointment process.” The Irish Data Protection Commission declined to comment, saying it was not involved in the appointment process. Blaney declined to comment, directing POLITICO to publicjobs and Ireland’s justice department. McEntee did not immediately respond to a request for comment.

Microsoft has cut off services it was supplying to Israel’s Defense Ministry, after finding that they were being used for mass surveillance of Palestinians. In August, The Guardian reported that the Israeli military is conducting mass surveillance of Palestinians, by gathering troves of phone call data from civilians in Gaza and the West Bank, and storing it on Microsoft servers in Europe. In a blog post Thursday, Microsoft President Brad Smith said that an internal review has “found evidence that supports elements of The Guardian’s reporting,” including details relating to Israel’s use of Azure storage in the Netherlands and use of AI services. Smith said that Microsoft’s terms of service prohibit the use of its tech for mass surveillance of civilians. He said the company has therefore ceased and disabled certain subscriptions and services it was supplying to Israel’s Defense Ministry, including their use of specific cloud storage, and AI services and technologies. The Guardian investigation said the storage of Palestinians’ phone records on Microsoft’s Azure cloud platform had facilitated deadly airstrikes and shaped military operations in Gaza and the West Bank. After a previous internal review in May, Microsoft said there was “no evidence” that its technologies have been used to target or harm people during the conflict in Gaza. On Thursday, Smith noted that Microsoft has a policy of respecting customer privacy, and that the company does “not access our customers’ content in this type of investigation.” He expressed “appreciation” for The Guardian report which revealed information that couldn’t be accessed in light of those “customer privacy commitments.” Microsoft said the decision will not impact its work protecting the cybersecurity of Israel and other countries in the Middle East, including under the Abraham Accords. Privacy advocates have been ratcheting up pressure on the EU in recent months to reconsider its data-sharing relationship with Israel, partially over concerns about its surveillance activities. The European Commission renewed an adequacy decision for Israel last year, meaning that the EU executive deems Israel’s privacy safeguards to be on par with the EU’s General Data Protection Regulation.

Ireland’s Data Protection Commission (DPC) has launched a fresh inquiry into TikTok’s transfers of personal data to Chinese servers, it said Thursday, following on from its investigation that led to a €530 million fine against the company in April. The Irish regulator in April was informed by TikTok of an issue that meant a limited amount of EU user data had been stored on servers in China, an issue it said it discovered in February. The discovery contradicted the firm’s long-held position that personal data of EU users was only accessed remotely by the platform’s staff in China. But it came only just before the investigation concluded. Because of this, the DPC did not investigate it fully. The regulator in April fined TikTok for not sufficiently protecting EU personal data from Chinese state surveillance. The DPC earlier this year expressed “deep concern” that TikTok submitted “inaccurate information to the inquiry.” In a statement on Thursday, it said it had decided to open a new inquiry into the personal data transfers to servers in China after consulting with other data protection authorities in Europe. The Irish regulator said the inquiry will focus on whether TikTok has complied with its obligations under the EU’s General Data Protection Regulation, including articles relating to accountability, transparency, cooperation with supervisory authorities and compliance with rules around data transfers outside of the EU. TikTok was notified earlier this week about the Irish DPC’s decision to launch a fresh inquiry. The company has been contacted for comment.