A German version of this article was published under the title „Das Wichtigste zur Spionage-Gefahr durch Handy-Standortdaten in der EU“.
New datasets containing millions of mobile phone location records reveal how easily the European Union can be spied on using data from the advertising industry. The investigative team obtained the data as free samples offered by data brokers to potential subscribers – and was able to use them to trace the movements of high-ranking EU personnel. The dataset even includes location pings from inside NATO headquarters in Brussels.
“We are concerned with the trade of geolocation data from citizens and Commission officials,” the European Commission said in response to the findings. Members of the European Parliament describe the situation as a threat to Europe’s security and are calling for legislative action to curb rampant ad tracking and the largely uncontrolled trade of personal data.
The investigation published today together with BR, L’Echo, Le Monde and BNR is part of the Databroker Files. In this project, netzpolitik.org, Bayerischer Rundfunk, and international media partners have been shedding light on the global data industry since summer 2024.
Here’s an overview of the key questions regarding the current status of the investigation:
1. Who is affected by the risk of espionage from mobile location data?
- No place is safe from surveillance using commercially traded mobile location data. Altogether, the investigative team now holds 13 billion location records from almost every EU country, the United States, and many other parts of the world.
 - For the part of the investigation focusing on the EU, we analysed 278 million location pings from Belgium, covering a few weeks in both 2024 and 2025. At the Berlaymont building in Brussels – the European Commission’s headquarters – the dataset showed roughly 2,000 location pings from 264 different devices. Within the European Parliament, there were about 5,800 pings from 756 devices; in the NATO headquarters, there were 9,600 location pings from 543 devices. The Council of the European Union, the European External Action Service, the European Data Protection Supervisor, and other EU institutions are also affected.
 - All records are linked to unique device identifiers, allowing for the reconstruction of movement profiles that often reveal a person’s workplace, home address, and other places they frequent. Such data enables deep insights into people’s lives – from the grocery stores they frequent to trips abroad, and even visits to clinics or brothels.
 - Even the limited datasets that we received as free samples led us to identify the home addresses of five individuals who currently work or have previously worked for the EU, including three in senior positions. Among the EU staff we identified are a top official at the Commission, a high-ranking diplomat representing an EU member state, and employees of the European Parliament and the European External Action Service. We also found data linked to a digital rights activist and a journalist.
 - Earlier investigations had already shown that similar datasets could be used to spy on senior government officials, military sites, police departments, and even intelligence personnel in Germany – as reported in previous Databroker Files research.
 - Independent investigations by colleagues in the Netherlands, Norway, Switzerland and Ireland reached similar conclusions, showing that even critical infrastructure, such as nuclear power plants, can be targeted.
 
2. Why is the trade in tracking data dangerous?
- The uncontrolled trade of such data not only poses an unprecedented threat to users’ privacy and informational self-determination. In times of an increased risk of espionage, it also endangers Europe’s security. As early as 2021, a study by NATO’s Stratcom research center warned that commercially traded advertising data could be exploited for espionage. Using such data, hostile actors could identify key military personnel, track them, or even monitor military operations. Other potential risks include the blackmail of high-profile individuals and the preparation of sabotage.
 - At the Helsinki-based think tank HybridCoE, experts working on behalf of the EU and NATO study ways to counter hybrid threats. In light of our findings, spokesperson Kiri Peres stated: “Mobile location data could be exploited by hostile actors to facilitate hybrid activities to harm the democratic society and undermine the decision-making capability of a state.” It seems “only logical,” she added, that China and Russia would use advertising data for such purposes. In wartime, data from the advertising industry could help track military movements.
 - In recent years, a dedicated branch of the global surveillance industry has emerged that specializes in harnessing data from the adtech ecosystem and data brokers for intelligence services and government agencies. The technical term is ADINT, short for advertising-based intelligence.
 - The Belgian datasets once again illustrate how extensively the advertising industry collects near-meter-accurate location data from millions of people and distributes it globally through data brokers. This represents a new form of mass surveillance that is largely invisible to the public and enables deep intrusion into people’s private lives.
 
3. How does sensitive data end up with data brokers?
- The sometimes meter-accurate location data originates from smartphone apps and is allegedly collected only for advertising purposes. However, our investigation shows that such data can leak through virtually any commercial app. In January 2025, we reported on a dataset containing 380 million mobile location data points from 137 countries and linked to around 40,000 different apps. Within the advertising ecosystem, hundreds of companies often enjoy largely unrestricted access to such data. Data brokers acquire it, bundle it into packages, and sell it on.
 - These datasets are marketed on data marketplaces. One key player identified in our research is Datarade, based in Berlin, whose platform has been used by several journalists to contact providers offering massive troves of European location data. Datarade itself does not process or sell the data, but rather facilitates contact between buyers and sellers.
 - Apple and Google enable this form of tracking by assigning phones unique identifiers known as Mobile Advertising IDs.
 - Several players in the location data trade are based in the EU. Journalists have repeatedly made contact with brokers via the Berlin-based Datarade marketplace. Germany’s most popular weather app, WetterOnline, shared precise location data with third parties without valid user consent, as confirmed by the competent data protection authority following our reporting. The Lithuania-based marketing firm Eskimi was reportedly a source of mobile location data from Germany for a U.S. data broker, although Eskimi denies this.
 
4. Why doesn’t the GDPR stop data brokers?
- Data brokers, tracking companies, and app operators involved in the trade of mobile location data claim that their business is legal and that they rely on users’ supposed consent. However, data protection authorities and legal experts – including Germany’s Federal Commissioner for Data Protection, Louisa Specht-Riemenschneider – disagree. The data trade uncovered in the Databroker Files is not compatible with the GDPR for several reasons.
 - Under the General Data Protection Regulation, consent must be informed to be valid, meaning users must know who is receiving their data and for what purposes. Yet, location data is often passed on to hundreds of entities and resold multiple times. The GDPR’s purpose limitation principle is also violated when data become a traded commodity without any defined purpose. Moreover, data subject rights, such as the rights to access, correct, or delete personal data, are effectively nullified.
 - Location data can also reveal information considered particularly sensitive under the GDPR, such as visits to medical facilities, political party headquarters, religious institutions, or trade union offices. Since mobile data can also disclose home addresses, it is rarely anonymous.
 - Until our investigations, data protection authorities had apparently not grasped the full scale of the problem. They are underfunded and typically act only when citizens file complaints about specific data processors, barely scratching the surface of the issue.
 
5. What needs to be done to solve the problem?
- In response to our findings, civil society organisations such as Germany’s Federation of Consumer Organisations and even the Federal Ministry for Consumer Protection have called for a ban on tracking and profiling for advertising purposes, which would cut off the data trade at its source.
 - The European Commission expressed its concern in response to the investigation but saw no immediate need for new regulation. Instead, it argues that the GDPR should be enforced more effectively by national supervisory authorities.
 - For the conservative European People’s Party (EPP), German MEP Axel Voss (CDU) commented: “In view of the current geopolitical situation, we must take this threat very seriously and put an end to it.” The EU, he said, must act decisively: “We need a more precise definition of the use of location data and therefore a clear ban on trading particularly sensitive location data for other purposes”. He also called for a Europe-wide registration requirement for data brokers and for the consistent enforcement of existing data protection rules.
 - For the Socialists and Democrats (S&D), Spanish MEP Lina Gálvez Muñoz stated that while the EU already has a strong legal framework in place, “we need to keep working on strengthening it and adapting it to the current geopolitical context as well as on implementing and enforcing it.”
 - For the Greens/EFA group, German MEP Alexandra Geese commented: “If the bulk of European personal data remains under the control of U.S. firms and opaque data brokers, defending Europe against a Russian attack becomes markedly more difficult.” She added: “Europe must prohibit large scale data profiling.”
 
Contact the investigative team and find all netzpolitik.org coverage of the Databroker Files here. Use your browser – for example, Firefox’s built-in translation feature – to quickly translate our German texts into English.