EU phone data breach exposes top officials through data brokers

A shocking new report has revealed that data brokers were selling the phone location data of European Union officials, exposing what experts now call the EU phone data breach. The discovery has raised urgent questions about whether Europe’s privacy protections work at all.

Journalists across Europe obtained a dataset from a commercial broker that included 278 million location points. Inside were traces from hundreds of government phones, including those used by senior officials working at the European Commission and European Parliament.

The EU phone data breach included thousands of markers that showed where top policymakers lived, worked, and traveled. All of it came from ordinary apps that quietly sent users’ coordinates to data brokers, who then sold the information to advertisers, governments, and private buyers.

According to the report by Netzpolitik, over 2,000 data points belonged to 264 officials, and nearly 6,000 markers came from 750 phones used inside the Parliament. That means the movement of key decision-makers could be reconstructed in detail.

The General Data Protection Regulation (GDPR) was meant to make such practices impossible. Yet, as this EU phone data breach proves, the data trade continues to thrive in Europe because enforcement remains weak. Regulators rarely act against data brokers who claim user consent, even when that consent comes from buried app permissions.

Following the revelation, the European Commission issued new internal guidance to protect staff from tracking. But experts say this is only a temporary fix. “Once location data is sold, it cannot be taken back,” said a privacy researcher. “The EU phone data breach shows that even regulators are not safe.”

Last year’s Gravy Analytics incident in the United States revealed similar patterns. That breach exposed the movements of millions of people, proving how location data can easily be used for surveillance, blackmail, or manipulation.

Device makers like Apple and Google have since added features that anonymize tracking IDs, but these safeguards only work going forward. The data already in circulation from the EU phone data breach cannot be erased.

The breach highlights a growing irony. Europe built its reputation on privacy leadership, but the very institutions enforcing those laws are now caught in their own surveillance net.

Read the original coverage at TechCrunch.
