Databroker Files: Targeting the EU
Precise locations and revealing movement patterns: the mobile phone location data of millions of people in the EU is up for sale. Collected supposedly only for advertising purposes, this data can also be used for espionage. European data protection is failing – even top EU officials in Brussels are affected. The EU Commission says: ‚We are concerned.“
Hundreds of potentially sensitive EU employees can be targeted with openly traded cell phone location data. – Building: IMAGO/Zoonar; Figures: Pixabay/Mohammed Hasan; Fog: Vecteezy, Montage: netzpolitik.org
This is a joint investigation with Bayerischer Rundfunk, L’Echo (Belgium), Le Monde (France), BNR (Netherlands). It is part of the “Databroker Files”. A German version of this article was published under the title „Datenhändler verkaufen metergenaue Standortdaten von EU-Personal“.
There are detached houses with front gardens in an upmarket district of Brussels, and the political centre of the European Union is not far away. When they are out and about early in the morning, a top EU official only needs about 20 minutes by car to get to their workplace. They work in a unit under the authority of Commission President Ursula von der Leyen at the Berlaymont building, the European Commission’s headquarters. Conveniently, there’s a spa and fitness centre along their way to work – they have passed by it, too.
We know this and more because we have their exact location data. The data even tells us exactly where their office is in the EU Commission building. We discovered their movement patterns, along with those of millions of other Europeans, in commercially traded data.
This data reveals where people live and work, as well as their behaviour and preferences. It can also show visits to clinics, religious buildings, party and trade union headquarters, as well as brothels and swingers‘ clubs.
The investigative team has data records from several data brokers. They are giving these away as a sample — a free preview of what is on offer with a paid subscription. For this investigation, we analysed two new datasets containing around 278 million records of mobile phone locations in Belgium.
Danger of espionage like during the Cold War
Almost ten years ago, a revolution with four letters took place here in Brussels: GDPR. In December 2015, the European Parliament, the Council and the European Commission agreed on the text of the General Data Protection Regulation. It was intended to harmonise the protection of fundamental rights in the digital world with a data-based economy. And it came with the promise of informational self-determination: that people should generally have sovereignty over who does what with their data.
This promise remains unfulfilled to this day. Instead, the Databroker Files reveal an unprecedented loss of privacy that can affect all people who participate in digital life by using apps on smartphones or tablets. The uncontrolled data business is no longer just an issue of consumer and fundamental rights protection; it also poses a threat to Europe’s security.
The risk of espionage in the EU is high, at least since Russia launched its large-scale war of aggression against Ukraine in February 2022. Authorities warn of Russian sabotage suspicious drones violate European airspace, a Chinese spy infiltrated the EU Parliament – hardly a month goes by without a new espionage scandal. Back in 2020, the then president of the German domestic intelligence service compared the situation to that of the Cold War.
Those responsible have apparently not yet sufficiently recognised the extent of the danger posed by commercially collected data in this context. When confronted with the results of our research, the EU Commission stated: „We are concerned with the trade of geolocation data from citizens and Commission officials.“ The Commission has now issued new guidance to its staff regarding ad tracking settings on both corporate and private devices. It has also informed other Union entities and Computer Security Incident Response Teams (CSIRTs) in Member States.
In response to this investigation, members of the European Parliament (MEP) are demanding decisive action. „In view of the current geopolitical situation, we must take this threat very seriously and put an end to it,“ writes Axel Voss (CDU) from the conservative EPP group. Lina Gálvez Muñoz, a Spanish MEP from the Socialist Group S&D, calls for the EU to treat the issue „as a priority security threat, not just a privacy concern“. With regard to the military threat posed by Russia, German MEP Alexandra Geese (Greens/EFA) demands: „Europe must prohibit large-scale data profiling.“
Hundreds of potentially sensitive employees targeted
Our investigation shows how easy it is to spy on top EU staff using commercially traded location data. Based only on the preview data sets available to us, and without paying a cent, we were able to spot hundreds of devices belonging to people working for the European Union in sensitive areas. In the EU Commission headquarters alone, there were around 2,000 location pings from 264 different devices. In the European Parliament, there were around 5,800 location pings from 756 devices.
For example, a movement profile illustrates the daily commute of an EU Parliament employee. They travelled from a community near Brussels to the city centre via the urban motorway. The tracking shows how the employee visits several buildings of the EU Parliament, a supermarket and a restaurant.
Furthermore, we found thousands of location pings in various other institutions, ranging from the Council of the European Union to the European External Action Service and the European Data Protection Supervisor. The preview data sets used for this analysis are just the tip of the iceberg. Paid subscriptions promise large-scale mass surveillance with a constant supply of up-to-date location data.
Even with this limited data, we were able to identify the private addresses of five individuals who work or have worked for the EU, including three people in senior positions. Among the EU staff we identified are a the top Commission official mentioned at the beginning, a high-ranking diplomat from an EU country, and employees of the EU Parliament and the European External Action Service. Initially, they were all suspicious when we contacted them. Some preferred to speak to us only briefly or not at all. None of them wanted to be quoted publicly. Two of the individuals in question confirmed to us that the location data indeed shows their place of residence and workplace, as well as their movements in Brussels. We also found a digital rights activist and a journalist in the data, who confirmed its accuracy.
The data travels along winding paths through an opaque ecosystem, beginning with apps that claim to only track users for advertising purposes. Ultimately, it ends up in the hands of data brokers, and, potentially, anyone who asks for it. These could be advertising companies, journalists – or even foreign intelligence services.
Location data is not anonymous
The data sets offered by data brokers do not contain the names or addresses of mobile phone users who are tracked at every step. Nevertheless, we were able to identify several individuals. This was made possible, among other things, by the so-called Mobile Advertising ID, which is a unique identifier for the online advertising industry that Google and Apple automatically assign to each phone.
Each location in our data sets is linked to such an ID. This allows loose data points to be combined to form detailed movement profiles. Places of residence and work can easily be identified because locations are noticeably concentrated here. Particularly in the case of freestanding houses with publicly visible doorbell signs, it quickly becomes clear whose location data is involved. In some cases, the residents of a house can also be identified online, for example in the telephone directory or through the imprint on their website. Our investigation proves that location data is not anonymous.
Reactions to the Databroker Files in political Brussels are often characterised by surprise or nervousness. Even high-ranking employees responsible for data protection and digital regulation would not have expected the precision of openly traded mobile phone location data.
Urgent warning from NATO
NATO also has its headquarters in Brussels. In our sample data sets alone, there are 9,600 mobile phone location pings on NATO premises, recorded by 543 different devices. The alliance is under extraordinary pressure due to the tense military situation and Russian espionage, among other things. What is its response to the findings of our investigation?
„We are fully aware of the general risks that third-party data collction poses to the Alliance“ writes a NATO representative in French. Measures had been taken to mitigate these risks – but when asked, he would not explain what they were.
The fact that the military alliance apparently perceives such cell phone tracking by the advertising industry as a threat is demonstrated by the urgent request made by the NATO representative to the reporters. „We take the security of our staff very seriously, and trust that you will do your utmost not to publish any information that could harm them,“ he writes. „It is essential that no telephone located at NATO headquarters be identified or associated with named persons, and that no telephone linked to NATO be located in any other place.“
The Belgian military also responded to our research after L’Echo’s team discovered movement profiles on Belgian military sites. „We are fully aware of the problem,“ says the press office. The use of private devices is often already prohibited, but not in military quarters. They are working on a new directive that strongly advises personnel not to use applications that allow conclusions about their place of residence or workplace. However, our investigation shows that location data can potentially leak via almost any app
What intelligence services can do with advertising data
Several years ago, a study by the NATO research centre Stratcom (Strategic Communications Centre of Excellence) highlighted that such data poses a threat not only to our privacy, but also to military security. With the help of such data, enemy actors would be able to identify and spy on key military personnel or track military operations.
Neither NATO nor the EU or its member states have been able to find an antidote since then. In 2024, together with Bayerischer Rundfunk, we analysed commercially traded location data from Germany to demonstrate how it can be exploited to identify and spy on high-ranking government officials, as well as members of the military and intelligence services. Using the data, the most important US and NATO bases in Germany could also be spied on. It even revealed visits to brothels. We obtained the data from a US data broker, mediated through a Berlin-based data marketplace.
Similar journalistic investigations from European countries such as the Netherlands, Norway and Switzerland have also proven the problem. The new research by our partner L’Echo today demonstrates how vulnerable Belgium is due to openly traded location data. Police forces, prisons and critical infrastructure, such as nuclear power plants, can be spied on.
The dangerous business of advertising intelligence
If the investigative team was able to target high-ranking EU personnel with just two free data samples and these simple methods, what could well-resourced intelligence services or other malicious actors achieve with commercially available data?
In recent years, a new branch of the global surveillance industry has emerged. It specialises in making data from the online advertising ecosystem available to government agencies. The US company Babel Street, for example, claims to have developed a kind of „Google Maps for mobile phones“ with its service Locate X. The system is said to allow law enforcement agencies to easily track down individuals.
The technical term for this is „ADINT“, which stands for Advertising Based Intelligence. The dangers posed by ADINT, for example from foreign intelligence services, can be described as hybrid threats. This term describes attacks that are not overtly military in nature, such as espionage or sabotage.
Researchers warn: „Extremely worrying“
At the Helsinki-based research centre Hybrid CoE, experts from several disciplines are conducting research on behalf of the EU and NATO into defending against hybrid threats. Regarding the results of our investigation, spokesperson Kiri Peres writes: „Mobile location data could be exploited by hostile actors to facilitate hybrid activities to harm the democratic society and undermine the decision-making capability of a state.“
As Peres explains, it seems „only logical“ for China and Russia to acquire data from the advertising industry. It could be used, for example, to track people who oppose the regime or attend mass protests. High-ranking individuals abroad could be identified and spied on, including politicians and journalists, members of the government, the military, and the secret services. In wartime, data from the advertising industry could be used to track military movements.
Corbinian Ruckerbauer researches surveillance and digital rights at the non-profit think tank interface in Germany. When asked by netzpolitik.org, he expresses considerable doubt that European intelligence services and security authorities are truly aware of the threat posed by mobile phone location data from the advertising industry.
„Neither do government agencies nor parliamentary committees publicly discuss such threat scenarios, nor is there any discussion of what contribution we Europeans would actually have to make in order to tackle this problem in a sustainable manner“, writes Ruckerbauer. He adds that EU states „should develop legal solutions and enforcement mechanisms to restrict this sprawling data market“.
His colleague Thorsten Wetzling from interface writes: „Especially at the current time, when the European security and defence landscape is being tested daily by Russia for possible attack vectors, it is extremely worrying that sensitive location data can still be acquired so easily on the data market to such an extent.“
However, it is worth noting that Western intelligence services and other government agencies are also reportedly using data from the advertising industry. In the USA, their services are used by the ICE deportation troops authority, among others.
In the jungle of data brokers
But how does this data end up in the hands of these companies in the first place? Our previous investigations habe given us unique insights into the depths of the data industry. In our explanatory article, we compare the tangled paths of the data trading ecosystem to a jungle.
It all starts with apps that people give permission to, either consciously or unconsciously, to collect their location data. In order to monetise their services, developers either embed code from tracking companies directly into their apps or offer advertising space to third parties. By doing the latter, they broadcast extensive information about their users to dozens or even hundreds of companies that participate in auctions, bidding for the opportunity to display ads to their target groups. Some use this data not only for advertising purposes, but also as a commodity – which is a tempting offer for data brokers.
The quality of the data varies. Data brokers sometimes present their data sets as larger than they really are, for example by adding fake advertising IDs to real location data. It is therefore possible that the data records available to us with 2.6 million different advertising IDs are actually based on fewer than 2.6 million different devices. Nevertheless, our investigation shows how individuals and institutions can be targeted even with inaccurate data.
The Databroker Files also reveal that many European companies are heavily engaged in the data industry. A data marketplace called Datarade, for example, is an important infrastructure for the industry. It is based in Berlin. Meanwhile, our conversations with developers show that they are often unaware of who their apps share users‘ data with. What they do notice, is the increase in revenue when the number of users increases, whether through payments from tracking companies or advertising revenue.
What tracked people in Brussels say
Only two individuals from our dataset are willing to publicly share their perspective. However, neither of them is employed by the EU. The first is Shubham Kaushik, who works for European Digital Rights (EDRi), an umbrella organisation for digital rights organisations. She volunteered her advertising ID to us – score. She says:
„It felt really invasive. Without my knowledge, personal information about me is out there for anyone with money to buy and access.“. The only way to preserve people’s right to privacy and live their lives freely is to ban the tracking industry.“
Only a single location ping of Kaushik appears in our data records. In contrast, a journalist from the Belgian newspaper L’Echo was tracked several times. The location data showed where he lives and where he had been on holiday. He says:
„I make efforts not to be tracked, but apparently they are not enough. Imagine if I were a journalist writing about China – and China could track and spy on me.“
Data protection as a race to the bottom
How is all this possible when the EU has the General Data Protection Regulation in place? This question shakes the very foundations of the European self-image. Through its comprehensive digital regulation, the European Union has sought to demonstrate how it can democratically shape the digital world by finding a fair compromise: Economically oriented forces got a regulation that did not contain any harsh prohibitions, but merely rules and guidelines for data processing. Fundamental rights orientated forces obtained individual rights, such as the right to information or deletion of data, as well as strengthened supervisory authorities.
Much of this is held together by the instrument of consent. It is the legal basis for many cases of data processing and is intended to give people freedom of choice. Particularly when it comes to data processing for apps and online services, the idea was that people do not actually have to consent – but they can, as long as they are informed and do it voluntarily.
The idea was that this would lead to a competition and a race to the top, resulting in only trustworthy providers receiving consent. In the words of the the EU Commission: „Data protection as a competitive advantage“. In practice, however, it has become a race to the bottom, with companies doing everything they can to collect as much consent as possible. They trick users with manipulative design or simply give them no choice but to consent to tracking. The Databroker Files are a direct consequence of this competition for the worst data protection.
Illegal on paper
On paper, there is little doubt among data protection experts that the data broker business we have uncovered is illegal. This view was expressed, for example, by the Federal Data Protection Commissioner of Germany, Louisa Specht-Riemenschneider.
The problem begins with the issue of consent. According to the unanimous legal interpretation of data protection authorities, consent is the only legal basis on which advertising tracking can be based. In addition to the aforementioned problems with voluntariness, the main issue here is that the consent is often not informed. For instance, anyone who has agreed to the privacy policy when installing a weather app would not be able to understand where their data ends up, especially if it is being traded freely.
This also undermines the rights of data subjects, since they cannot make requests for information or deletion to companies they are not familiar with. In addition, location data can reveal sensitive personal information that is specially protected by the GDPR. This could include location tracking in rehab clinics, religious buildings, party and trade union buildings or queer sex clubs, for example.
Another issue is the purpose limitation, a principle of the GDPR, according to which data may only be used for the purposes for which it was collected. However, with data brokers, data that is allegedly only collected for advertising purposes becomes a commodity without a more precisely defined purpose. According to data protection experts, this constitutes a clear violation.
The problem of GDPR enforcement
There are two related reasons why the authorities have not taken stronger action against the system of advertising tracking and data trading. Firstly, the authorities only tend to take action when they receive complaints from citizens, and citizens can only complain about companies they know. This is why there are so many complaints about faulty cookie banners, but not about the invisible infrastructure behind them. Tracking companies have made themselves comfortable in the shadow of the GDPR, which is why Irish data protection activist Johnny Ryan coined the term „data protection free zone“ for everything that happens behind the cookie banner.
Secondly, European data protection authorities are often still inadequately equipped. They receive so many complaints from citizens that they have hardly any resources left for conducting strategic ex officio investigations. Additionally, the authorities are primarily legally equipped and lack the technical expertise and personnel required for more complex analyses.
In Germany, our reporting has triggered first investigations and consequences from state data protection authorities. However, the Data Protection Commissioner of Berlin, Meike Kamp, is also calling for legislative support to get the systematic problem under control. According to her, “clearer statutory regulation of online tracking and profiling” would be “desirable.”
Her colleague Bettina Gayk from North Rhine-Westphalia says that, as a data protection authority, she can only take action in individual cases. “A truly comprehensive impact could only be achieved by a legal ban that precisely defines permissible processing of location data for specific purposes, tightly limits it, and fundamentally prohibits any personal or identifiable onward sharing of the data.” She warns that location tracking in hospitals or at political events, for example, can reveal particularly sensitive data. “This kind of thing must never become a commodity.“
From the siding to the graveyard
Can the European Union muster the strength for further digital regulation in the current situation? Laws such as the AI Act, the Digital Services Act and Digital Markets Act are under massive pressure from companies and countries within and outside Europe. When discussing a reform of the data protection, it is almost always just about making things easier for businesses.
This spring, the EU Commission buried a proposed regulation intended to solve the problem of consent online, after years of stagnation. The ePrivacy Regulation was actually due to be adopted in 2018 to supplement the GDPR, which came into effect that year. Had the EU Parliament had its way, users would have been able to decide centrally, in their browser or smartphone operating system, whether and by whom they wanted to be tracked. This decision would have been legally binding.
The prospect of users actually being able to decide who receives their data online caused sheer panic in the data industry. Online advertising companies, Silicon Valley corporations and time-honoured European media companies joined forces in a broad alliance to prevent the regulation. They compared it to a nuclear bomb for the internet and warned of the end of free – meaning ad-financed – journalism on the internet.
With success: Under the constant fire of their lobbying initiatives, the project was pushed further and further onto the back burner. Although the European Parliament adopted an ambitious draft in 2018, the member states were unable to reach an agreement in the Council for years. In spring 2025, the EU Commission finally withdrew the proposed regulation.
The Digital Fairness Act gives little hope
The EU Commission has vaguely promised a follow-up initiative, but it is uncertain whether it will actually materialise. First up is the Digital Fairness Act, which Commission President Ursula von der Leyen first announced at the start of her second term of office.
The law is intended to close gaps in digital consumer protection. The Commission collected feedback on this in a public consultation until October; the wish list of possible regulations is long. It remains to be seen whether the problem of consent, advertising tracking and data trading will be included.
Parliamentary circles say that hopes should not be too high. It is considered unlikely that comprehensive regulation will be put on the agenda in the current political climate, in which reducing bureaucracy is the order of the day.
Civil society organisations such as the Chaos Computer Club and the Federation of German Consumer Organisations are calling for an approach that tackles the root of the problem head on: a blanket ban on advertising tracking and data trading.
In fact, there was already a cross-party initiative in the EU Parliament in 2020 that aimed to achieve just that. The „Tracking-Free Ads Coalition“ wanted to enshrine a corresponding ban in the Digital Services Act (DSA) being negotiated at the time, but failed to gain a majority in favour. Today, the DSA only prohibits targeting with data relating to minors and sensitive data, such as religion, sexuality, health or politics.
MEP: „Ban tracking completely“
In response to our investigation, the European Commission prefers not to talk about new regulation. „We already have put strong legislation in place in the EU, namely the GDPR,“ writes a spokesperson. He states that it is a matter for the national supervisory authorities, including the national data protection authorities, to determine whether EU data protection laws have been breached. „The Commission stands ready to cooperate with those authorities.“
Axel Voss, a German digital politician from the conservative EPP group in the EU Parliament, believes the EU should take decisive action in light of the investigation. „We need a more precise definition of the use of location data and therefore a clear ban on trading particularly sensitive location data for other purposes“. For reasons of data protection and security, he believes that „strict restrictions are necessary, especially where movement or behavioural data allow conclusions to be drawn about sensitive areas“. The aim must be to „protect citizens and security interests without unnecessarily burdening European companies“.
Voss also calls for „a Europe-wide registration obligation for data traders and consistent enforcement of existing data protection rules“. In contrast, he is cautious about a comprehensive ban on tracking and profiling for advertising purposes: „A complete ban is a far-reaching step that needs to be carefully considered.“ However, it must be clear that location data should not be treated as an „economic object“.
Spanish MEP Lina Gálvez Muñoz commented on the research on behalf of the Socialist Group S&D in the EU Parliament. With regard to data trafficking, she writes: „In a context of escalating geopolitical tensions, this poses direct threats to national and collective security.“ The EU has „a good legal framework as a starting point,“ she continues, citing the Cyber Solidarity Act and the Cybersecurity Act as examples. „We need to keep working on strengthening and adapting it to the current geopolitical context as well as on implementing and enforcing it.“ Gálvez Muñoz also believes that the EU needs to expand the scope of the existing legislation.
Alexandra Geese, a German MEP from the Green Group, reiterates the call for a ban on tracking and profiling for advertising purposes. „I have championed such a prohibition for years,“ writes Geese. „Detailed knowledge about individuals held by data brokers constitutes a national security risk.“ She warns: „If the bulk of European personal data remains under the control of U.S. companies and opaque data brokers, defending Europe against a Russian attack becomes markedly more difficult.“ She sees „compelling grounds to ban tracking outright and to create a new, privacy respectful advertising ecosystem“.
---
Team L’Echo: Nicolas Baudoux, Benjamin Verboogen. Team Le Monde: Martin Untersinger, Damien Leloup. Team BNR: Lisanne Wichgers, Bart van Rijswik. Team BR: Katharina Brunner, Rebecca Ciesielski, Maximilian Zierer, Florian Heinhold. Team netzpolitik.org: Ingo Dachwitz, Sebastian Meineck, Maximilian Henning, Anna Biselli, Daniel Leisegang.
---
Die Arbeit von netzpolitik.org finanziert sich zu fast 100% aus den Spenden unserer Leser:innen.
Werde Teil dieser einzigartigen Community und unterstütze auch Du unseren gemeinwohlorientierten, werbe- und trackingfreien Journalismus jetzt mit einer Spende.
