Anonymous Location Data of EU Officials Put Up for Sale Online

The European Commission acknowledged the “worrying findings” of the investigation and said it had issued new guidance to staff regarding ad-tracking settings on both work and personal devices, while also alerting other EU bodies.

The investigation was conducted by L’Echo, Le Monde, German public broadcasters BR and ARD, Netzpolitik.org, and Dutch radio BNR nieuwsradio. Reporters, posing as employees of a marketing firm, gained access to hundreds of millions of phone location points in Belgium through data brokers. These companies collect and resell large datasets of personal information obtained from mobile apps and online trackers, marketing them to advertisers — and at times, to government or law enforcement agencies.

Although location data is formally considered anonymous, a combination of several coordinates can reveal a person’s routes and identity. The authors of the investigation managed to determine the names, addresses, and routines of at least five current or former EU officials, three of whom hold “senior positions.” Two confirmed that the data accurately reflected their home, workplace, and daily routes.

Under the EU’s General Data Protection Regulation (GDPR), such data may be collected only with user consent, which must clearly explain how it will be used. Although Google Play and Apple’s App Store require developers to disclose their data practices, analysis by Netzpolitik.org found that some apps still collect geolocation data without notifying users.

Earlier, in September, a similar investigation by Ireland’s public broadcaster led to the suspension of one local data broker by the Data Protection Commission. The agency said it had identified two additional companies operating in other EU countries and was coordinating with regulators responsible for their oversight.