On June 2, 2026, netzpolitik.org and Bayerischer Rundfunk reported, as part of their ongoing Databroker Files investigation, that police in at least two German states had purchased commercial location data of the kind harvested from ordinary smartphone apps. The criminal police office (Landeskriminalamt, LKA) of Mecklenburg-Vorpommern confirmed it had used "location data from the advertising industry" for early-stage analysis in cybercrime and economic-crime cases; Brandenburg's LKA acknowledged buying commercial data but later said it had not sourced phone-location data specifically. Mecklenburg-Vorpommern's state data protection commissioner, Sebastian Schmidt, has opened an examination of the practice.
The detail that should concern anyone who carries a phone is mundane: this is the same data a weather app, a dating app or a mobile game quietly streams to ad-tech brokers, usually without the user's knowledge. Aggregated, it yields meter-level movement profiles — home, workplace, the clinic you visited, the rally you attended. When a police force buys that on the open market, it acquires, without a judge's sign-off, a capability the law deliberately gates behind one.
The case for letting investigators use it
Start with the strongest argument for the police. Cybercrime and financial-fraud cases are genuinely hard to crack; leads are thin and offenders are mobile and pseudonymous. Commercial data is, on its face, lawfully on sale to any buyer, and using a low-cost analytical tool at the Vorfeld (pre-investigation) stage — before a formal suspect exists — can look like efficient, harm-reducing policing. Eight states, including Bavaria, Baden-Württemberg and North Rhine-Westphalia, told the reporters they consider the practice permissible under existing investigative powers. That is not a frivolous position: general clauses authorising data-gathering are broad, and nothing in them says "unless the data came from a broker."
That is exactly why it is dangerous. The argument proves too much.
What the warrant rule actually protects
German law does not leave phone-location tracking to a general clause. The retrospective cell-site query (Funkzellenabfrage) sits in §100g of the Strafprozessordnung, which permits collection of traffic and location data only for serious offences, under a proportionality test and a subsidiarity requirement — and, crucially, under judicial authorisation. In a January 10, 2024 ruling, the Federal Court of Justice's 2nd Criminal Senate tightened this further, restricting the triggering offences and attaching an evidence-exclusion remedy. The whole architecture exists because location data is uniquely revealing of private life.
Buying the same intelligence from a broker routes around every one of those safeguards at once. As Schmidt put it, "such a judicial-warrant requirement would be circumvented if one uses commercial location data." Professor Mark Zöller of LMU Munich was blunter: anyone doing this "acts without a legal basis," because the data was collected for advertising, not law enforcement, and repurposing it violates informational self-determination. The most telling fact in the whole investigation is the silence: of Germany's 16 state data protection authorities, none could name a concrete statutory foundation for the practice.
Not a German problem — a structural one
This is the European instance of a loophole American agencies drove a truck through years ago. After Carpenter v. United States (2018) held that obtaining seven or more days of cell-site location data is a Fourth Amendment search requiring a warrant, agencies including ICE, CBP and the Secret Service simply bought equivalent data from brokers, reasoning that an open-market purchase is not "state action." Legal scholars have catalogued the move as a deliberate end-run around Carpenter; in March 2026, NPR documented federal purchases continuing without warrants. The lesson Europe should draw is that the market in location data is not a neutral utility the state may dip into — it is a surveillance pipeline whose legality at the source is itself in doubt.
And it usually isn't legal. The trade exists because tracking firms siphon data from apps and resell it, generally without informed consent. The US Federal Trade Commission made the point concretely in December 2024 when it barred Mobilewalla and Gravy Analytics (with its subsidiary Venntel) from collecting and selling sensitive location data, ordering deletion of histories covering hundreds of millions of people. Under the EU's GDPR, precise location is special-category-adjacent personal data whose bulk commercial sale rarely meets any lawful-basis test. Police buying it are not finding a clever shortcut; they are purchasing the fruits of a likely-unlawful market and laundering it into evidence.
The proportionate fix
None of this argues against effective investigation. It argues for honest plumbing. If the state has a legitimate need to query location data, the answer is the warrant process the legislature already built — not a procurement card. The proportionate response has three parts: state interior ministries should suspend broker purchases until a court or legislature speaks; the Bundestag should clarify, as the US Fourth Amendment Is Not For Sale Act attempts, that a warrant requirement cannot be defeated by buying what you would otherwise have to subpoena; and enforcement against the brokers themselves — already overdue under GDPR — should make the underlying market smaller, not a public-sector customer base.
A pro-innovation stance is not a pro-surveillance one. The open internet depends on people trusting that the data exhaust of ordinary app use will not be quietly assembled into a dossier and handed to the police without a judge ever being asked. Mecklenburg-Vorpommern's LKA says it has stopped. The other states insisting they may continue should explain which statute they are reading — because their own data protection regulators cannot find it.