The Hague's New Privacy Chief Used to Defend Big Tech. That Should Worry Brussels.

The Netherlands has named a lawyer with a career defending large technology platforms to chair its data protection authority, the Autoriteit Persoonsgegevens. I have read the announcement three times to make sure I was not misinterpreting it.

I was not.

This matters far beyond The Hague. The Dutch AP is one of the most active regulators in the European Data Protection Board, the body that coordinates GDPR enforcement across the twenty-seven member states. Its chair carries a vote, a voice, and a tone.

The tone is now the question.

Let me be precise about what is and is not at stake. A career defending corporate clients does not, in itself, disqualify a regulator. Half the senior figures inside DG COMP came from competition law firms whose client lists read like the Fortune 500. The revolving door spins in both directions, and sometimes the best poacher really does make the best gamekeeper.

But symbolism in European regulation is not decoration. It is signaling to markets, to litigants, and to fellow regulators about which way the wind is blowing.

And the wind, right now, is blowing toward leniency.

Consider the timing. The Digital Markets Act is entering its second full year of enforcement, with the Commission weighing how aggressively to pursue non-compliance findings against designated gatekeepers. The AI Act's general-purpose model obligations are crystallising into codes of practice that will determine, in effect, whether the regulation has teeth or gums. The GDPR itself is under quiet but sustained pressure from member states who want a "simplification" package, which in Brussels dialect usually means a softening package.

Into this moment walks a new Dutch chair whose professional reflexes have been shaped by arguing the other side.

"In European regulation, who sits in the chair is often more consequential than what is written in the statute."

I will not pretend to know how this particular lawyer will conduct herself in office. People surprise you. Margrethe Vestager surprised plenty of people. The Dutch civil service tradition is genuinely independent, and the AP has institutional muscle memory built over years of confronting Silicon Valley.

The concern is structural, not personal.

European data protection authorities are chronically under-resourced relative to the entities they supervise. The Irish DPC, lead regulator for most US tech giants under GDPR's one-stop-shop mechanism, has been criticised for years by civil society groups as too slow and too soft. The Dutch AP has historically been one of the counterweights, willing to push the EDPB toward firmer positions when Dublin hesitated.

If that counterweight now tilts, the centre of gravity of European privacy enforcement tilts with it.

Who benefits? The large platforms whose business models depend on the precise interpretation of "legitimate interest," "necessary processing," and "appropriate safeguards." Every shade of softness in those definitions is worth, according to industry estimates, considerable sums in avoided compliance costs and preserved data flows. Recent reports from civil society groups suggest the cumulative effect of incremental regulatory drift is already measurable in enforcement statistics.

Who loses? The thirty-thousand-euro complainant in Eindhoven whose subject access request goes unanswered for eighteen months. The journalist whose source list ends up in a discovery pile. The small competitor who cannot afford the legal team to argue back.

These are not abstractions. They are the actual constituency of data protection law.

There is a defence to be made of the appointment, and intellectual honesty requires me to make it. Regulators who understand industry from the inside can sometimes craft more effective rules than those who only ever viewed it through subpoenas. The best DMA enforcement decisions I have seen drafted in Brussels were written by people who had, at some earlier point, helped a platform try to wriggle out of an obligation. They knew where the wriggle room was because they had built it.

The question is whether knowing where the wriggle room is leads you to close it, or to widen it.

We will find out. The first real test will be the AP's posture in the next EDPB consultation on AI Act interpretation, and whether the Dutch position aligns with the firmer line out of Berlin and Paris or drifts toward the more accommodating tone of Dublin.

Watch that vote. It will tell you more about the future of European tech regulation than any speech in the Berlaymont.