The “anonymous” location data of EU officials in Brussels is up for sale, according to a joint investigation by European media outlets.

Three senior officials working for the EU were identified as part of an investigation into phone location data being sold by data brokers. Other phones were located in NATO sites and Belgian military bases.

The European Commission has recognized the “worrying conclusions” of the investigation and, as a result, told investigating outlets that it has “issued new guidance to its staff regarding ad tracking settings on business and home devices, and has informed other Union entities.”

The investigation was conducted by L’Echo, Le Monde, German public broadcasters (BR / ARD), Netzpolitik.org and BNR nieuwsradio.

Journalists posed undercover as employees at a marketing company, and were able to obtain hundreds of millions of location data points from phones in Belgium through data brokers.

Data brokers collect and sell aggregated databases of personal information, often gathered from mobile apps or online web trackers. The data is bundled and resold to advertisers, or even law enforcement and governments.

Location data is supposed to be anonymous, but it can be used to paint a picture of someone’s daily movements, and combining a few anonymous data points together can lead to re-identifying a person.

Investigating publications were able to use the data to figure out surnames, first names and lifestyle habits of at least five people who work or have worked for the EU, three of whom “hold positions of high responsibility.”

Two confirmed that the data collected corresponded to their home, workplace and travel.

Under the EU’s General Data Protection Regulation (GDPR), it is legal to collect this kind of data from mobile phone users if they consent, but users must be clearly informed about how their data will be used.

The Google Play Store and Apple App Store have requirements for apps to disclose the information they gather, but analysis by investigating outlet Netzpolitik has revealed that some apps still gather information such as location data without disclosing this in their policies.

A similar undercover investigation by Ireland’s public broadcaster in September spurred Ireland’s Data Protection Commission to suspend the activities of an Irish data broker. The Irish DPC has said it has also identified two data broker companies in other EU member countries, and is engaging with data protection authorities responsible for regulating them.