Our latest investigation has shaken up Brussels by revealing that commercial datasets containing 278 million locations can be used to spy on the EU and NATO. The European Commission has expressed its concern, Members of Parliament are calling for action. One thing is clear: ad tracking and data brokers threaten Europe’s security.

<figure class="wp-caption entry-thumbnail"><figcaption class="wp-caption-text">Threat to privacy and national security. – Figure: Pixabay; Fog: Vecteezy; Montage: netzpolitik.org</figcaption></figure>

A German version of this article was published under the title „Das Wichtigste zur Spionage-Gefahr durch Handy-Standortdaten in der EU“.

---

New datasets containing millions of mobile phone location data reveal how easily the European Union can be spied on using data from the advertising industry. The investigative team obtained the data as free samples offered by data brokers to potential subscribers – and was able to use them to trace the movements of high-ranking EU personnel. The dataset even includes location pings from inside NATO headquarters in Brussels.

„We are concerned with the trade of geolocation data from citizens and Commission officials,“ the European Commission said in response to the findings. Members of the European Parliament describe the situation as a threat to Europe’s security and are calling for legislative action to curb rampant ad tracking and the largely uncontrolled trade of personal data.

The investigation published today together with BR, L’Echo, Le Monde and BNR is part of the Databroker Files. In this project, netzpolitik.org, Bayerischer Rundfunk, and international media partners have been shedding light on the global data industry since summer 2024.

Here’s an overview of the key questions regarding the current status of the investigation:

• 1. Who is affected by the risk of espionage from mobile location data?


• 2. Why is the trade in tracking data dangerous?


• 3. How do these sensitive data end up with data brokers?


• 4. Why doesn’t the GDPR stop data brokers?


• 5. What needs to be done to solve the problem?

1. Who is affected by the risk of espionage from mobile location data?

• No place is safe from surveillance using commercially traded mobile location data. Altogether, the investigative team now holds 13 billion location records from almost every EU country, the United States, and many other parts of the world.


• For the part of the investigation focusing on the EU, we analysed 278 million location pings from Belgium, covering a few weeks in both 2024 and 2025. At the Berlaymont building in Brussels – the European Commission’s headquarters – the dataset showed roughly 2,000 location pings from 264 different devices. Within the European Parliament, there were about 5,800 pings from 756 devices, in the NATO headquarters there were 9,600 location pings from 543 devices. The Council of the European Union, the European External Action Service, the European Data Protection Supervisor, and other EU institutions are also affected.


• All records are linked to unique device identifiers, allowing for the reconstruction of movement profiles that often reveal a person’s workplace, home address, and other places they frequent. Such data enables deep insights into people’s lives – from the grocery stores they frequent to trips abroad, and even visits to clinics or brothels.


• Even the limited datasets that we received as free samples led us to identify the home addresses of five individuals who are currently or have previously worked for the EU, including three in senior positions. Among the EU staff we identified are a top official at the Commission, a high-ranking diplomat representing an EU member state, and employees of the European Parliament and the European External Action Service. We also found data linked to a digital rights activist and a journalist.


• Earlier investigations had already shown that similar datasets could be used to spy on senior government officials, military sites, police departments, and even intelligence personnel in Germany – as reported in previous Databroker Files research.


• Independent investigations by colleagues in the Netherlands, Norway, Switzerland and Ireland reached similar conclusions, showing that even critical infrastructure, such as nuclear power plants, can be targeted.

2. Why is the trade in tracking data dangerous?

• The uncontrolled trade of such data not only poses an unprecedented threat to users’ privacy and informational self-determination. In times of an increased risk of espionage, it also endangers Europe’s security. As early as 2021, a study by NATO’s Stratcom research center warned that commercially traded advertising data could be exploited for espionage. Using such data, hostile actors could identify key military personnel, track them, or even monitor military operations. Other potential risks include the blackmail of high-profile individuals and the preparation of sabotage.


• At the Helsinki-based think tank HybridCoE, experts working on behalf of the EU and NATO study ways of counter hybrid threats. In light of our findings, spokesperson Kirsi Pere stated: “Mobile location data could be exploited by hostile actors to facilitate hybrid activities to harm the democratic society and undermine the decision-making capability of a state.​​​​​​​” It seems “only logical,” she added, that China and Russia would use advertising data for such purposes. In wartime, data from the advertising industry could help track military movements.


• In recent years, a dedicated branch of the global surveillance industry has emerged that specializes in harnessing data from the adtech ecosystem and data brokers for intelligence services and government agencies. The technical term is ADINT, short for advertising-based intelligence.


• The Belgian datasets once again illustrate how extensively the advertising industry collects near-meter-accurate location data from millions of people and distributes it globally through data brokers. This represents a new form of mass surveillance that is largely invisible to the public and enables deep intrusion into people’s private lives.

3. How does sensitive data end up with data brokers?

• The sometimes meter-accurate location data originates from smartphone apps and is allegedly collected only for advertising purposes. However, our investigation shows that such data can leak through virtually any commercial app. In January 2025, we reported on a dataset containing 380 million mobile location data points from 137 countries and linked to around 40,000 different apps. Within the advertising ecosystem, hundreds of companies often enjoy largely unrestricted access to such data. Data brokers acquire it, bundle it into packages, and sell it on.


• These datasets are marketed on data marketplaces. One key player identified in our research is Datarade, based in Berlin, whose platform has been used by several journalists to contact providers offering massive troves of European location data. Datarade itself does not process or sell the data, but rather facilitates contact between buyers and sellers.


• Apple and Google enable this form of tracking by assigning phones unique identifiers known as Mobile Advertising IDs.


• Several players in the location data trade are based in the EU. Journalists have repeatedly made contact with brokers via the Berlin-based