European Commission accused of rigging data watchdog appointment
The European Commission has been accused of rigging the selection process for Europe’s next data protection watchdog in favour of its own candidate, according to a complaint submitted to the European Ombudsman and shared with Computer Weekly.
Submitted by privacy experts Maria Farrell, Douwe Korff and Ian Brown, the complaint alleged “procedural irregularities” with the commission-led process, including a lack of transparency around the selection criteria for shortlisted candidates, the identities of the selection committee and why certain decisions have been made.
The authors of the complaint have accused European Commission officials of “cronyism”.
They claim the inclusion on the shortlist of Bruno Gencarelli – a commission official who played a key role in green-lighting European data deals with the UK and US, and a frontrunner for the post – contravenes a legal requirement that all candidates for the position be “persons whose independence is beyond doubt”.
Ian Brown, one of the authors of the complaint, said there was a danger that the European Commission could set a precedent by imposing its own candidate on an independent regulator.
“If the commission was able to push its own staff into supposed independent oversight roles across the EU institutions, that would be a disaster for the independence of oversight of the EU [European Union] institutions,” he told Computer Weekly.
Summoning Churchill
Gencarelli told a meeting of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs in January that he would not have difficulties acting in an independent and impartial way if he was chosen as the next data protection supervisor. He said that when Winston Churchill first became prime minister, one of the first things he did was reject a request he himself had made a few days earlier as a minister of the previous government.
“That shows that we can have different roles in our career, in our life,” he said. “The important thing is that we exercise each role fully committed and loyal to the mandate of that office, of that rule, and that, of course, means in this case being independent and impartial.”
Other shortlisted candidates include Wojciech Wiewiórowski, the current office holder; François Pellegrini, a professor of informatics at the University of Bordeaux; and Anna Pouliou, chair of the European Organization for Nuclear Research.
Although the decision of who to appoint as the next European data protection supervisor (EDPS) is made by member states in the European Parliament, their choices are limited by the commission, which runs the selection and shortlist process.
According to the complainants, the commission’s secrecy around its decision-making contravenes key General Data Protection Regulation (GDPR) requirements that a transparent procedure be used to ensure the supervisor’s independent oversight (article 53).
“This requirement for independence – for a position whose core role is oversight of commission activities – should preclude any consideration of candidates currently employed by the European Commission,” they said in the complaint.
‘Different level of criticality’
While there is some precedent for heads of data protection authorities to be appointed from government bodies that they will now be overseeing at a national level, the constitutional role of the EDPS is “of a different level of criticality entirely” for the rule of law in the EU.
“The independence requirement is there to ensure that fundamental rights and freedoms are protected without fear or favour, and with no bias – either intended or otherwise – in favour of the institutions the EDPS essentially regulates.
“It is simply not possible for an employee of one body to take control of its oversight organisation without weakening it; the treaty obligations both in letter and principle are designed to prevent ‘the fox being put in charge of the chicken coop’, however well-intentioned the fox.”
There are several outstanding legal matters between the EDPS and the commission that could create conflicts of interest if a former commission employee were to be appointed to the supervisor role.
These include action being taken by the EDPS against Europol over its retention of sensitive data on tens of thousands of Europeans, as well as against the European Single Resolution Board (which the commission is intervening on behalf of) over its alleged sharing of pseudonymised data without informing data subjects.
Noting that no selection criteria has been made available, nor any “post facto reasoning” for the candidates included, the privacy experts alleged that the commission purposefully anticipated the preferences of the centre-right European People’s Party in its shortlist creation.
They claim that voting for candidates in the Parliament was done by party group rather than individually – as is normally the case – “indicating that this is a political decision made with party political preferences and biases foremost, rather than fairly, independently, transparently, objectively and predictably”.
They said the process has been marred further by the inclusion of a “less experienced female applicant” in the final shortlist, “and the exclusion of a more relevantly qualified and experienced one”, which has created “the impression of sex discrimination”.
The complainants added that the “tokenistic inclusion … of a woman who has no serious possibility of success, [is] a very common and discriminatory tactic seen in selection processes where the outcome and winning candidate is pre-determined”.
Prior to submitting the complaint on 30 June 2025, the authors attempted to raise all of these issues directly with European commissioner Michael McGrath and commission president Ursula von der Leyen via an open letter to their offices.
While the authors asked for their offices “to provide any indication of remedies” in five working days, no response was given, leading them to escalate the issue to the Ombudsman 10 days later.
“In the current circumstances, amidst the stated intent of [the Directorate-General for Justice and Consumers] DG JUST to water down (‘simplify’) data protection law, specifically the General Data Protection Regulation, the procedural irregularities and principled maladministration apparent in this selection process appear to be a deliberate attempt to weaken the functioning and undermine the reputation of the EDPS,” they wrote.
“At a crucial moment when Europe needs above all to protect and uphold the rule of law – particularly with regard to critical matters of data, surveillance, privacy, security and sovereignty in the technology space – this weakening of a key institution requires your urgent attention.”
The European Commission said that it required to draw up a short list of at least three candidates following a call for interested parties across the European Union to submit applications.
“The decision on the shortlist was the result of a full selection procedure, conducted in accordance with the rules for the selection of senior officials,” a spokesperson said.
“The procedure ensures the equal treatment of candidates and selection is based solely on merit. No conflict of interests were declared or identified during the selection process.”
Source link
