BRUSSELS – A bombshell joint investigation by several leading European media outlets has exposed a massive trade in mobile phone location data across Belgium, revealing that hundreds of millions of data points – including those from devices belonging to employees at EU institutions, NATO headquarters, and sensitive military installations – are being openly sold by data brokers to anyone with the funds to purchase them.
The probe, published on Tuesday and coordinated by Belgian newspaper L’Echo, France’s Le Monde, German public broadcasters BR and ARD, the investigative platform Netzpolitik.org, and Dutch radio station BNR Nieuwsradio, lays bare the alarming ease with which supposedly “anonymous” location information can be acquired, repackaged, and resold on the open market. Far from being abstract coordinates, the datasets allow purchasers to reconstruct the daily routines of individuals with startling precision: their homes, workplaces, places of worship, medical appointments, and even fleeting stops at cafes or parks.
The investigation’s most chilling findings center on the penetration of this data into some of Europe’s most secure sites. Journalists purchased sample datasets from brokers and geolocated thousands of mobile devices inside the perimeters of critical infrastructure. At NATO’s headquarters in the Brussels suburb of Evere, more than 1,000 unique phones were detected over a single month-long period. Similar clusters appeared at the Supreme Headquarters Allied Powers Europe (SHAPE) in Mons, the Belgian air base at Kleine-Brogel – widely believed to house U.S. nuclear weapons under NATO’s nuclear-sharing agreement – and inside the high-security fences of the Doel and Tihange nuclear power plants.
Additional pings originated from within the walls of Belgium’s most restrictive prisons, including the Ittre and Lantin facilities, where inmate and staff movements are tightly controlled. Military bases at Florennes, Beauvechain, and Koksijde also registered hundreds of devices. In each case, the data points formed predictable patterns: phones arriving between 7 and 9 a.m., lingering for eight to ten hours, then departing in the late afternoon or early evening – unmistakable signatures of shift workers, administrators, and security personnel.
A NATO spokesperson, speaking on background to L’Echo, acknowledged that the alliance is “fully aware of the general risks that third-party data collection poses to operational security.” The official insisted that “robust measures have been implemented across NATO facilities to mitigate these risks,” including device restrictions and employee awareness campaigns. However, the spokesperson declined to elaborate on specific protocols or confirm whether the alliance had purchased counter-surveillance data to audit its own exposure.
Engie Electrabel, the French-Belgian utility that operates Doel and Tihange, issued a statement emphasizing that “no personal connected devices are authorized inside the technical nuclear zones except for strictly professional equipment under controlled conditions.” The company added that it continuously monitors compliance and conducts regular security audits. Belgium’s Ministry of Defense echoed this line, asserting that “the use of smartphones is strictly prohibited in all classified or sensitive areas” and that violations are subject to disciplinary action.
Despite these official prohibitions, the datasets tell a different story. Phones were not merely detected near entrances or parking lots; many remained stationary for hours inside buildings that require multiple layers of badge access and biometric screening. Security experts consulted by the investigative team suggested several explanations: employees smuggling devices in pockets or bags, contractors using personal phones for navigation en route to secure zones, or the simple fact that many facilities maintain less restrictive policies in administrative wings, cafeterias, and visitor lobbies.
The mechanics of the data trade are deceptively straightforward. Mobile apps – from weather widgets to fitness trackers, coupon platforms to period calculators – request location permissions that users routinely grant. These apps embed software development kits (SDKs) from location-data firms, which continuously ping GPS, Wi-Fi, and Bluetooth beacons. The resulting breadcrumb trails are aggregated, stripped of direct identifiers like names or phone numbers, and sold in bulk to brokers. Those brokers then repackage the data into subscription products marketed for “foot traffic analytics,” “out-of-home advertising optimization,” and “urban planning insights.”
Annual access to Belgium’s full location feed – covering up to 700,000 devices per day and generating roughly 300 million pings monthly – ranges from $24,000 for basic historical aggregates to $60,000 for real-time streams with sub-meter accuracy. Clients include hedge funds modeling retail performance, political campaigns micro-targeting voters, and – according to cybersecurity researchers – state intelligence services seeking passive surveillance without deploying their own infrastructure.
The investigative team purchased several weeks of Belgian data for under €2,000 and fed it into open-source mapping tools. Within hours, they had reconstructed the lives of dozens of individuals. Three senior EU officials – two commissioners’ cabinet members and one director-general – were positively identified by cross-referencing home-to-work trajectories with public records, LinkedIn profiles, and parliamentary attendance logs. When confronted, two of the officials confirmed the accuracy of the tracked movements but asked that their names be withheld, citing personal security concerns. The third did not respond.
Privacy scholars have long warned that location data is uniquely vulnerable to re-identification. A landmark 2018 study published in Nature Communications demonstrated that just four spatiotemporal points are sufficient to uniquely fingerprint 95% of individuals in a dataset of 1.5 million people. In the Belgian case, the brokers’ own marketing materials boast of “95%+ match rates” when their feeds are fused with demographic overlays from credit bureaus or voter rolls.
Yves Poullet, professor emeritus at the University of Namur and former president of Belgium’s Data Protection Authority, called the findings “a textbook illustration of privacy theater.” Speaking to Le Monde, Poullet argued that “anonymization in the location-data ecosystem is a marketing fiction. Once you have a dense enough trail, the individual emerges inevitably.”
The European Commission, which itself appears compromised by the breach, issued a terse statement Tuesday afternoon. “These revelations are deeply disturbing,” said spokesperson Ana Martinez. “The Commission is concerned about the uncontrolled trade in sensitive personal data and will examine whether existing GDPR enforcement mechanisms are sufficient.” Behind the scenes, officials confirmed that internal audits of staff devices have been accelerated, though no suspensions have been announced.
Under the EU’s General Data Protection Regulation, location data is classified as personal data when it can be linked – even indirectly – to an identifiable person. Companies caught processing such data without a lawful basis face fines of up to 4% of global turnover. Yet enforcement has lagged. Belgium’s Data Protection Authority (APD) has opened fewer than a dozen location-tracking cases since 2018, issuing total penalties below €1 million. Critics attribute the leniency to resource constraints and the technical complexity of tracing multi-jurisdictional data flows.
The brokers themselves operate in a regulatory gray zone. Many are registered in Cyprus, Malta, or the British Virgin Islands, with servers in Singapore and sales offices in London. Their terms of service contain blanket disclaimers that data is “anonymized and aggregated,” shifting liability to downstream purchasers. When Netzpolitik.org contacted one prominent broker for comment, a sales director replied via email: “We comply with all applicable privacy frameworks. Our datasets power billions of dollars in economic activity. Banning them would be like banning electricity because someone might get shocked.”
Security analysts warn that the risks extend far beyond individual privacy. State actors could exploit the feeds to map guard rotations at nuclear sites, identify undercover officers by their absence from expected home locations, or track journalists meeting confidential sources. In 2021, a similar U.S. location-data scandal revealed that bounty hunters could purchase real-time pings for $300 per target; the Belgian market appears even less regulated.
Belgian Prime Minister Alexander De Croo, briefed on the findings Tuesday morning, told reporters outside the Wetstraat 16 residence that “national security is non-negotiable.” He pledged to convene an emergency inter-ministerial task force and explore legislation requiring apps to disclose data-sharing partners in plain language. Opposition lawmakers from the Green and Socialist parties demanded an immediate parliamentary inquiry, accusing the government of “sleeping at the wheel while foreign brokers monetize our sovereignty.”
As of Tuesday evening, none of the named institutions had reported confirmed espionage incidents linked to the leaked datasets. Yet the mere availability of such granular intelligence – for prices within reach of mid-tier consulting firms – has reignited debates over digital surveillance capitalism. In the words of one EU cybersecurity official, speaking anonymously: “We built fortress walls around our buildings, but forgot that every employee carries a tracking beacon in their pocket.”
The investigation’s raw datasets have been sealed to prevent further exploitation, but the journalists have shared methodology and sample visualizations with regulators. Whether Europe’s fragmented privacy watchdogs can muster a coordinated response remains uncertain. For now, the invisible map of Belgium’s most guarded secrets lies exposed on brokers’ servers, waiting for the next bidder.
