Espionage via Online Gray Market: EU Staff Exposed by Mobile Location Data
"Anonymized" geo-data of high-ranking EU officials are for sale online. Commission tightens guidelines; bans expected.
Research by BR, Netzpolitik.org and international partners such as Le Monde and L'Echo, published in the "Databroker Files" series, reveals the ease with which sensitive movement data, including that of EU and NATO personnel, can be intercepted. The reporting team received free sample material from data brokers, which includes location data from millions of mobile phones from Germany and the EU, with a focus on Belgium. The most recent dataset dates from July 2025.
The analysis of the information, which serves only as a lure for paid subscriptions with more comprehensive holdings, enabled the unambiguous identification of several high-ranking individuals from the Brussels political scene. These include employees of the EU Parliament and the European External Action Service, as well as a diplomat from an EU member state.
The location data reveal users' homes, workplaces, behavior, and preferences. They can document visits to highly sensitive places such as clinics, religious buildings, party and trade union headquarters, or even brothels and swingers' clubs, thereby disclosing information that is highly sensitive from a data protection standpoint.
From Advertising ID to Movement Profile
The datasets each contain a Mobile Advertising ID, a unique identifier that Google and Apple automatically assign to each mobile phone. It functions as a kind of super cookie. Every location in the data is associated with this ID. This allows loose data points to be assembled into detailed movement profiles, even if no direct names or addresses are included.
The analyzed datasets alone, around 278 million mobile phone location data points from Belgium, are linked to thousands of location pings in EU institutions. Approximately 5800 location data points from 756 devices relate to the EU Parliament. The Commission's headquarters are represented by 2000 geolocations from 264 smartphones and similar devices.
Particularly explosive: NATO headquarters in Brussels is also affected. The datasets contained 9600 mobile phone location pings from 543 devices on the alliance's premises, which, given the military situation and the risk of Russian espionage, constitutes a significant security risk.
Reactions: No One Is Responsible
The Commission considers the findings "disturbing." It has issued new internal guidelines on advertising tracking on private and work devices. The Brussels-based institution refers to the General Data Protection Regulation (GDPR) and considers the responsibility for identifying legal violations to lie with the national supervisory authorities.
The Data Protection Commissioner of North Rhine-Westphalia, Bettina Gayk, emphasizes that the recording of every single step reveals highly sensitive information that should by no means become a commodity. She calls for a legal ban on the trade in precise location data, as individual measures against gray markets on the internet would not have a comprehensive effect.
MEPs, in unison with consumer advocates and civil liberties organizations, are calling for stricter measures. "Given the current geopolitical situation, we must take this threat very seriously and stop it," says Axel Voss (CDU/EPP), for example. The EU must treat the issue "as a priority security threat – not just a data protection problem," says Lina Gálvez Muñoz of the Social Democrats. Green MEP Alexandra Geese demands a ban on the mass creation of data profiles.
(vbr)