Millions Of EU Officials' Phone Data Tracked and Sold

BNR and partner news organisations obtained a sample of location data from 2.6 million phones in Belgium: 278 million individual location records collected over several weeks in 2024 and early 2025. Researchers were able to track hundreds of mobile devices inside EU institutions including the European Commission, Parliament, Council, and diplomatic service, as well as NATO headquarters. In some cases, they could pinpoint movements down to specific offices. By linking these movement patterns to home and work addresses, investigators could infer the identities of phone owners.

Many smartphone apps request permission to access your location and then share or sell that information into the digital advertising industry. Each phone carries a unique Mobile Advertising ID (MAID), a tracking code that allows data brokers to build detailed profiles of where you go, even without knowing your name. Previous investigations into what researchers call the "Databroker Files" have shown that tens of thousands of apps feed information into these datasets, which are then packaged and sold to anyone willing to pay.

The European Commission called the findings "worrying" and said national authorities need to investigate possible privacy violations. NATO acknowledged it is aware of location-tracking risks and stated it has protective measures in place to mitigate threats.

Dutch locations are vulnerable too. While this investigation focused on Belgium, The Hague hosts critical EU agencies including Europol (the EU's law enforcement agency) and Eurojust (which coordinates cross-border criminal investigations). These facilities face the same location-tracking risks as institutions in Brussels.

Dutch phones have been exposed before. In 2024, BNR reported that location data from potentially millions of Dutch mobile devices could be purchased online, making clear this is a problem affecting the Netherlands directly, not just Belgium.

Security implications. Dutch security authorities have repeatedly warned about espionage by foreign governments. Detailed movement data about officials and sensitive facilities can be used for targeting, blackmail, or planning sabotage operations.

Legal violations under privacy law. Under EU and Dutch data protection rules (GDPR/AVG), location information and advertising identifiers are considered personal data. Collecting or selling this information typically requires clear, informed consent from users and must respect their privacy rights. The Dutch Data Protection Authority has emphasised strict requirements for how advertising-related data can be used.

Data protection authorities and security agencies are likely to increase their scrutiny of this industry. Expect potential enforcement actions against data brokers and app developers who don't comply with privacy laws. There will also be renewed pressure on smartphone platforms and operating system companies to give users better control over third-party tracking. This case is likely to strengthen calls across the EU for tighter regulations on the commercial sale of location data.