AN INVESTIGATION by RTÉ's Prime Time has revealed that the detailed movements of tens of thousands of smartphones in Ireland were available for purchase by marketing and advertising companies.
This has led to serious concerns about national security, privacy and the limits of EU data protection laws.
The data includes geolocation information that can be used to track individual phones back to specific residential addresses.
The implications are quite serious, with devices shown to have entered high-security prisons, military facilities, mental health services, and even Leinster House, the seat of the Irish parliament.
The Prime Time team obtained a sample from one such data broker, revealing the movement of over 64,000 phones across a two-week period in April.
Following the broadcast, the Irish Data Protection Commission (DPC) expressed deep concern and confirmed it is actively investigating the data brokers involved.
A spokesperson stated that such location data poses “a serious risk to (individuals’) security and well-being.”
Efforts are now underway to determine whether the data broker responsible is based in Ireland or elsewhere in the European Union.
If located abroad, the DPC has committed to working with foreign regulators to address the breach.
Dr Cathal Berry, former commander of the Army Ranger Wing and military governor of Portlaoise Prison, cautioned that adversaries could exploit such data.
Devices were tracked from sensitive Defence Forces locations like McKee Barracks and Naval Headquarters in Haulbowline to private homes, potentially revealing the identities and routines of military personnel.
“There are nefarious actors out there who will take full advantage of this type of information,” Dr Berry said.
“It feels wrong, and if something feels wrong, it shouldn’t be legal.”
Additional risks were flagged regarding the potential to identify public officials.
One phone was traced from Leinster House back to a residential address.
Fine Gael TD Barry Ward, whose staff member’s device was included in the data, called the incident “frightening” and pledged to work with the DPC to strengthen legal protections.
Taoiseach Micheál Martin described the revelations as “deeply concerning,” noting that they test the boundaries of the EU’s General Data Protection Regulation (GDPR), which only applies to personal data.
Since the location data is technically anonymised, it falls into a legal grey area.
“There could be a legal issue in terms of the dividing line between GDPR and anonymous location identification,” Martin said, adding that many users unknowingly grant access to such data when they hastily accept app permissions.
The Taoiseach confirmed that the government is now reviewing whether legislative changes are necessary to close these loopholes.
Labour Party leader Ivana Bacik labeled the situation “chilling,” while Johnny Ryan of the Irish Council for Civil Liberties condemned the DPC for years of inaction.
“The enforcer has the power. They can go to court, get a warrant, and kick doors down,” he said.
Data brokers involved in selling the information claim that no privacy breach has occurred because individuals are not directly identified.
They insist that users give consent through app terms and conditions, although these are often long and overlooked.
However, the Prime Time investigation demonstrated how easy it was to re-identify individuals by cross-referencing location data with known addresses.
The revelations have reignited calls for tighter regulation of the data economy and more robust enforcement of privacy protections.
The Defence Forces have pledged to review their policies and reduce the electronic footprint of operations where necessary.