Europe’s Data Broker Problem Threatens U.S. National Security

Published by The Lawfare Institute
On Sept. 18, RTÉ, Ireland’s national media broadcaster, published an investigation describing how its reporters gained access to brokered data on tens of thousands of smartphones in Ireland—which they noted was on the market and available to purchase. The report found that individual devices could be traced as they traveled between residential addresses, high-security prisons, health clinics, mental health facilities, military bases, and even Leinster House, where the Irish parliament is located. The country’s Data Protection Commission said it is “extremely concerned.”
Both this specific case and its root causes come back to data brokerage—the ecosystem of companies in the business of collecting, inferring, aggregating, packaging, and then selling people’s data. The national security risks of data brokerage have recently received more attention in the United States (including in a presidential executive order and a congressional law) than they have in Europe. Yet this investigation makes clear that data brokerage in Europe is a national security problem, too. (This article uses “Europe” generally, because the U.K. has its own General Data Protection Regulation and its own Information Commissioner’s Office to enforce data protection laws even if it no longer belongs to the EU.)
The sale of Europeans’ data on the commercial market creates the risk that nation-states intending to do harm can buy or otherwise acquire data to profile European government personnel, learn more about the European defense industrial base, and otherwise advance cyber, information, intelligence, and other operations against the continent. But this activity also has implications for the United States. Data brokers headquartered or operating in Europe could collect data on U.S. government personnel, such as military service members and diplomats, while they are stationed in Europe, and sell it; indeed, there are already indications this may be happening. There could also be front companies in Europe doing so under the cover of the wider data broker market.
In an ideal world, the United States would leverage diplomacy and its transatlantic relationships to encourage data security measures to protect Americans’ data and those of people serving the country; that seems unlikely in the current political climate. For now, it may be on Europe to leverage its data protection laws, look to the U.S.’s bulk data transfer and national security program for a potential model to attempt to constrain data brokerage for national security ends (as the U.K. is doing), and attempt to crack down on data brokerage practices for the sake of its own security.
Mind the Gap
The RTÉ prime-time investigation entailed the journalists setting up what they represented to be a new data analytics and marketing firm. An unnamed data broker then provided the journalists, posing as that firm, with a free sample of its location data. The sample covered the movements of 64,000 phones in Ireland over a two-week span, including visits to and from the facilities mentioned above, such as military bases and the Irish parliament. In one case, the outlet contacted someone captured in the data who worked in parliament; that individual confirmed that the data, including their exact routes to and from work and what they did on the weekend, was accurate. The sample served as an incentive for the supposed firm to purchase more: the broker said it could supply a constantly updated feed of location data with a delay of 24 to 72 hours between a ping’s collection from a device and its delivery to the buyer.
This is not the first time a European data broker has been exposed for collecting, and then making available for purchase, the highly sensitive location data of individuals working in government and other roles. In February of this year, for example, an investigation from 404 Media and Wired found that a Lithuanian company had collected location data on active-duty U.S. military service members stationed in Germany and provided it to a U.S. data broker. The free data sample in that case alone covered 3.6 billion location points from up to 11 million different devices over one month, including devices inside a high-security German military installation, traveling from Ramstein Air Base to an elementary school, and even visiting off-base brothels. As with RTÉ’s investigation, the location data in this second example could be used to identify individuals working in government and military positions and to derive valuable, additional data about their lives, such as intelligence-exploitable insights into brothel visits or weekend, off-the-clock location patterns.
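To make concrete why a raw location feed of the kind offered to RTÉ and to 404 Media/Wired is a security problem rather than a marketing curiosity, the following is an added example, not code from this article or from either investigation, of the inference a buyer can run on such a feed with no special tooling: cluster each device's night-time pings into a "home" anchor and its weekday daytime pings into a "work" anchor, then geofence the work anchor against a list of sensitive sites. The feed format (`maid,lat,lon,ts`), the device IDs, every ping, and the site coordinates and radii are all constructed and hypothetical; a real broker feed is larger and noisier, but the logic is the same.

```python
"""Added example (not from the RTÉ or 404 Media/Wired reporting): re-identifying
sensitive workplaces from a brokered ad-tech location feed.

All device IDs (mobile advertising IDs, "maid"), pings, site coordinates and
radii below are constructed for illustration; nothing here is real data."""

import csv
import io
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from statistics import median

EARTH_RADIUS_M = 6_371_000

# Hypothetical sensitive sites: name -> (lat, lon, geofence radius in metres).
SENSITIVE_SITES = {
    "parliament": (53.3406, -6.2545, 150),
    "military_base": (53.6500, -6.6000, 800),
}

# Constructed sample of a broker feed: three devices over two weekdays
# (1-3 Sept 2025 are Mon-Wed). a1 commutes to "parliament", c3 to the
# "military_base", b2 to an unremarkable office.
SAMPLE_FEED = """\
maid,lat,lon,ts
a1,53.3561,-6.2702,2025-09-01T23:10:00Z
a1,53.3559,-6.2699,2025-09-02T02:40:00Z
a1,53.3405,-6.2546,2025-09-02T10:15:00Z
a1,53.3407,-6.2544,2025-09-02T14:30:00Z
a1,53.3406,-6.2547,2025-09-03T11:05:00Z
b2,53.3702,-6.2301,2025-09-01T23:50:00Z
b2,53.3701,-6.2303,2025-09-02T01:20:00Z
b2,53.3301,-6.2401,2025-09-02T09:40:00Z
b2,53.3299,-6.2398,2025-09-02T15:10:00Z
c3,53.6301,-6.5802,2025-09-02T00:30:00Z
c3,53.6299,-6.5799,2025-09-02T05:15:00Z
c3,53.6504,-6.6002,2025-09-02T10:00:00Z
c3,53.6498,-6.5997,2025-09-03T13:45:00Z
"""


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(h))


def parse_feed(text):
    """Group a CSV feed (maid,lat,lon,ts in UTC ISO-8601) into pings per device."""
    pings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.fromisoformat(row["ts"].replace("Z", "+00:00"))
        pings[row["maid"]].append((float(row["lat"]), float(row["lon"]), ts))
    return pings


def anchors(device_pings):
    """Estimate a device's 'home' (pings 22:00-06:00) and 'work' (weekday pings
    09:00-17:00) as the per-axis median of each window; None if a window is empty."""
    night = [(la, lo) for la, lo, ts in device_pings if ts.hour >= 22 or ts.hour < 6]
    work = [(la, lo) for la, lo, ts in device_pings
            if ts.weekday() < 5 and 9 <= ts.hour < 17]

    def centre(points):
        if not points:
            return None
        return (median(p[0] for p in points), median(p[1] for p in points))

    return centre(night), centre(work)


def flag_devices(feed_text, sites):
    """Return sorted (maid, site, distance_m, home_anchor) tuples for each device
    whose inferred workplace lies inside a sensitive-site geofence. The home
    anchor is what lets a buyer go from a device ID to a residential address."""
    hits = []
    for maid, device_pings in parse_feed(feed_text).items():
        home, work = anchors(device_pings)
        if work is None:
            continue
        for site, (slat, slon, radius_m) in sites.items():
            d = haversine_m(work[0], work[1], slat, slon)
            if d <= radius_m:
                hits.append((maid, site, round(d), home))
    return sorted(hits)


if __name__ == "__main__":
    for maid, site, dist, home in flag_devices(SAMPLE_FEED, SENSITIVE_SITES):
        print(f"{maid}: works at {site} ({dist} m from centre), sleeps near {home}")
```

Two things follow from this toy. First, the broker's "24- to 72-hour delay" only limits real-time tracking; home/work anchors are stable over weeks, so a delayed feed is enough to build a roster of who works at a sensitive site and where they live. Second, none of the data fields involved (advertising ID, coordinates, timestamp) are "sensitive" on their own under a field-by-field reading of data protection law; the sensitivity is entirely in the inference, which is the gap discussed below.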
Europe has generally paid less attention to the national security risks from data brokerage and other data practices than has the United States. (Obviously there are exceptions, such as a 2023 report from the Irish Council for Civil Liberties that examined how real-time bidding systems for digital ads exposed security-sensitive EU data.) Several potential hypotheses may explain—in whole or, more likely, in part—why this gap appears.
For one, the EU’s General Data Protection Regulation (GDPR) focuses heavily on the relationship between a data subject, a “processor” of data, and a “controller” of data. (Primers on the distinctions are available, including for the U.K.’s GDPR.) There are plenty of ways, under this framework, that an EU-located company selling data could and would be covered by the GDPR; at the same time, the framework can leave both legal and conceptual gaps when it comes to the roles of other, less directly consumer-connected parties that gather, process, generate, and transmit data, such as potential gaps in GDPR coverage when one broker sells data it did not collect itself to another data broker. (The inferences that data brokers create and sell, such as by using location data to derive information about military service or children in the home, can also receive inadequate coverage under data protection law.)
Second, European regulators enforcing these laws (e.g., EU GDPR, U.K. GDPR) have remained steadily focused on American Big Tech companies like Meta and Alphabet. Of course, there are plenty of reasons behind this regulatory focus, such as Meta’s many documented privacy abuses. But an overarching regulatory emphasis on certain large U.S. players may skew attention away from companies like data brokers—based both in the United States and in European countries. (To be clear, the EU does bring GDPR cases against companies in sectors ranging from gaming to health care, and many cases are not made public, so understanding the exact breakdowns is difficult; this point is more about an overarching emphasis on Big Tech privacy (mis)behaviors.) In a similar vein, many European regulators discussing regulation of “data” or “technology” in general often explicitly reference or implicitly mean the same group of Big Tech companies; companies like Google, Facebook, Instagram, TikTok, and now, OpenAI occupy a prominent role in the European regulator imagination. This is arguably less the case for obscure data sellers, digital advertisers, and analytics companies.
Third, within the world of data, Europe has devoted relatively less attention to the potential national security implications of commercial data practices in general. (Of course, the United States is not exempt from this problem.) European discussions center on data protection as a fundamental human right more than on, say, the potential for adversarial exploitation of data. Ironically, when the privacy debate in the EU does focus on transfers to foreign countries and potential national security issues, the debate is about U.S. companies and data transfers to the United States (legitimate in some cases) but focuses comparatively little, if at all, on issues vis-à-vis countries like China.
The Risk Space
This matters for Europe in and of itself. Much as the widespread availability of commercial data and open-source information on Americans can create or exacerbate risks to U.S. national security, such as across cyber, information, and intelligence operations, the same can be said for Europe. A salient point for many European security experts is that Russian security agencies continue to set up front companies in Europe to evade sanctions and even to establish bases for cyber operations. What if they did the same with commercial data, using their expertise in circumventing regulations and security controls to trick companies into selling them Europeans’ data, or even outright buying it from a company that doesn’t know better or doesn’t care about selling to a Russia-tied entity? This is the kind of question European policymakers should ask when it comes to the intersections of data brokerage, European data protection law, and the national security risks to Europe at hand.
But the presence of underregulated data brokers and related companies in Europe also creates risks for the United States. As exemplified by the reporting on the Lithuanian data broker and data on U.S. military service members in Germany, a Europe-based data broker could collect data on Europe-deployed U.S. military service members and sell it to U.S. adversaries, outside the direct reach of U.S. privacy laws. The United States would then be relying, theoretically, on the presence or enforcement of European laws to prevent or mitigate a harmful outcome.
Relatedly, a U.S. adversary could exploit the presence of many data brokers already in Europe to buy data, through a series of middlemen, that originates with a U.S. data broker and covers U.S. government personnel. This would enable adversaries to effectively circumvent U.S. regulations on data brokerage and national security that mostly prohibit direct or near-direct sales to a few countries, such as China. This is the third-country security risk problem. The reported proliferation of Russian front companies and illicit liaison relationships across the European continent (e.g., in Turkey) appears to both indicate and further an especially exploitable environment for these ends.
In an ideal world—in which the United States invests in calibrated diplomacy and maintains robust, healthy relationships with European allies and partners—the solution to this problem might be diplomatic engagements. Europe ultimately needs to ensure it has the right laws, regulations, and enforcement in place to address data brokerage threats to national security. If the United States could communicate the risk space to Europe—including through military and other channels that complement diplomatic ones—in ways that are clear, evidence based, and tied to European-specific concerns, such as around Russia or EU citizen data, such an outcome might be possible. The last of these points is especially critical given that many European capitals can be much more skeptical of U.S. talking points on China (even if real) but need no persuading about threats from Russia.
For example, the United Kingdom’s Department of Science, Innovation and Technology is establishing a regulatory program focused on data brokers and national security. The U.S. regulatory program on bulk data transfer, data brokerage, and national security (a program I worked on)—implemented by the U.S. Department of Justice—may be one model for the U.K. to consider, building on its definitions, design mechanisms, and so on. However, in a time of fractured partnerships, it is unclear how much room for productive engagement there is with the U.K. on this new program. Still, it represents a productive step that the U.K. is charging ahead with—and an effort that others in Europe would do well to consider emulating.
In the meantime, government personnel in the United States—who may be at risk via European data brokers—are left waiting on European action. One hopes that Ireland’s investigation into this latest data-selling scandal catalyzes the broader conversation.