A recent investigation by various European media outlets has revealed that the location data of EU officials in Brussels is being sold, raising significant privacy concerns. The inquiry has identified three senior EU officials connected to the sale of phone location data by data brokers, with additional phones traced to NATO installations and Belgian military bases.
EU’s response to the alarming findings
The European Commission has acknowledged the “worrying conclusions” drawn from this investigation. In response, it has communicated to the media outlets involved that new guidance has been issued to its staff regarding advertising tracking settings for both business and personal devices. Moreover, the Commission has reached out to other EU entities to address this issue comprehensively.
How the investigation was conducted
The investigation, which was a collaborative effort by L’Echo, Le Monde, German public broadcasters (BR / ARD), Netzpolitik.org, and BNR nieuwsradio, involved journalists posing undercover as marketing company employees. This tactic allowed them to access hundreds of millions of location data points from mobile phones in Belgium via data brokers. These brokers aggregate personal information from various sources, including mobile applications and online trackers, before reselling it to advertisers and even government agencies.
Although this location data is marketed as anonymous, it can reveal intricate details about individuals’ daily movements. By combining multiple anonymous data points, investigators were able to re-identify specific individuals. The data uncovered by the publications revealed the full names, first names, and lifestyle habits of at least five people associated with the EU, including three individuals holding high-ranking positions. Notably, two of these individuals confirmed that the data accurately represented their home addresses, workplaces, and travel patterns.
Under the EU’s General Data Protection Regulation (GDPR), the collection of this type of data is permissible if users consent and are informed about the intended use of their data. Both the Google Play Store and Apple App Store mandate that applications disclose the information they collect, including location data. However, an analysis conducted by Netzpolitik has indicated that some applications continue to collect such information without making it clear in their policies.
This situation echoes a previous undercover investigation carried out by Ireland’s public broadcaster, which prompted the Irish Data Protection Commission to suspend the operations of an Irish data broker. The Irish DPC has also identified two data broker companies operating in other EU member states and is currently collaborating with relevant data protection authorities to regulate their activities.