EU Officials’ Location Data for Sale: Why This Matters for Privacy and Security


A coalition of European news organizations has uncovered a startling reality: commercially sold location datasets include mobile-phone records linked to high-ranking officials of the European Commission and other institutions of the European Union.

This disclosure has triggered what the Commission calls “worrying conclusions” about the trade in geolocation data – and what it means for individual privacy and institutional security.

What the Investigation Found

Journalists working with data-broker samples obtained location traces of millions of mobile devices in Belgium covering weeks of activity.
Among the data: roughly 2,000 location “pings” traced to 264 devices inside the European Commission headquarters, and about 5,800 pings traced to 756 devices inside the European Parliament in Brussels.
The datasets, offered as free samples by brokers, are only a fraction of what might exist for paying clients.

Though the data lacked direct identifiers like names or phone numbers, movement patterns proved sufficient in many cases to re-identify individuals — including some officials in senior roles.
The investigation revealed that so-called “anonymous” location data is far from anonymized when combined with background information and device identifiers.

Why It Raises Major Concerns

  • Privacy of individuals: Location data traces the places people live, work and visit, building detailed lifestyle or behavioral profiles without their explicit awareness.
  • Institutional and national security: Some devices were tracked within high-security sites such as NATO headquarters and nuclear power plants in Belgium.
  • Regulatory and legal gaps: The European Union has long touted the General Data Protection Regulation (GDPR) as its flagship privacy law, yet the investigation highlights how opaque data-broker markets continue to operate with little oversight.
  • Risk of misuse: Commercial location-data markets may provide access to data that can serve advertising firms, insurers, surveillance providers — or even foreign intelligence actors. Experts warn of “hybrid threat” vectors in which location data is weaponized.

Response from the European Commission

The European Commission described the findings as “disturbing” and said it was “concerned about the trade of geolocation data from citizens and Commission officials.”
In light of the investigation, the Commission issued updated guidance to its staff on how to disable ad tracking settings on corporate and private devices. It has also alerted national Computer Security Incident Response Teams (CSIRTs) in Member States.
While the Commission emphasized that national supervisory authorities must determine whether data-protection law has been breached, the spotlight is now firmly on data-broker industries and their regulatory treatment.

Practical Takeaways for Organisations & Privacy Teams

Organizations and privacy professionals should consider the following strategic actions:

  • Audit your exposure to location-data flows: Identify how your mobile apps, device fleet or third-party services collect and share geolocation or advertising-ID data, and map where that data may end up.
  • Review consent and transparency practices: Even when apps ask for location permissions, users may not understand that the resulting data could be sold downstream — strengthen notices and governance accordingly.
  • Evaluate supply-chain risk: Data brokers and ad-tech firms are part of the wider data-ecosystem — ensure contracts and vendor management cover geolocation data, movement profiles and re-identification risks.
  • Align with incident-response processes: Although this investigation does not point to a classic data breach (in the sense of hacking), it shows exposures of person-linked movement data can trigger privacy, reputational and security risk — treat them accordingly.
  • Support regulatory readiness: As the EU revisits its digital-services and data-governance frameworks, ensure your privacy program is aligned with upcoming changes and cross-border digital-profiling rules. (And yes — the privacy-rights workflow platform offered by Captain Compliance can help with request-handling, audit logs and vendor-management modules.)

Why This Is a Wake-Up Call

The investigation shines a harsh light on how location data, often viewed as relatively innocuous compared with financial or health data, can enable detailed surveillance of individuals and institutions.
It also reveals a fundamental tension in the data-economy model: while regulation may assert individuals’ rights to control their data, the commercial marketplace for that same data behaves in ways that sidestep many of those protections.
For privacy leaders, the implication is clear: don’t assume location or advertising data flows are benign or outside the risk profile. They must be treated with the same rigor as other personal-data types, especially where high-value or high-visibility individuals are involved.

How To Protect Your Business?

Conduct a targeted review of your geolocation-data ecosystem today. Map what you collect, how you share it and where it might be resold. Ensure vendor contracts limit onward sale of movement profiles. Update your mobile-fleet policy, disable unnecessary location tracking on enterprise devices and consider mandatory privacy-impact reviews for apps handling sensitive movement data. Register with Captain Compliance to do assessments and stand up our data privacy software to ensure GDPR compliance.

The growing scrutiny from EU institutions and data-protection regulators means the window for reactive fixes is closing — proactive governance of geolocation risk will be a differentiator.

 
