International Data Brokers
The global data trade across 30+ countries
The data broker ecosystem is not limited to the United States. Credit bureaus, surveillance technology firms, social media aggregators, and consumer data companies operate across every continent, often with less regulatory oversight than their American counterparts. This section covers the major international players, organized by region, along with the regulatory landscape that governs them.
Europe
Experian UK
What they are: The UK division of Experian, operating as a credit reference agency and direct marketing data broker. The ICO’s two-year investigation (2018–2020) found that Experian’s offline direct marketing business unlawfully processed the personal data of approximately 51 million UK adults, sourcing it from a variety of third parties and selling it to other organizations for marketing purposes.[1]
Enforcement: The ICO issued an enforcement notice in October 2020, citing “significant invisible processing” affecting millions. Experian appealed to the First-tier Tribunal, which in February 2023 struck out the enforcement notice but acknowledged that Experian had failed to lawfully process data of over five million individuals obtained from public sources. The ICO appealed, but the Upper Tribunal dismissed the ICO’s appeal on April 23, 2024, finding no errors of law and ruling that Experian could rely on legitimate interest as a lawful basis for direct marketing.[2]
Acxiom / LiveRamp UK
What they are: LiveRamp’s UK operations. The InfoBase product provides consumer data on “90% of UK Households” with more than 3,500 behavioral insights. Assigns every person a unique proprietary “universal identifier” used across the adtech industry for cross-platform tracking.
Enforcement: Privacy International filed GDPR complaints against Acxiom with the ICO and French CNIL in November 2018. In February 2024, Open Rights Group filed legal complaints against LiveRamp, alleging “indiscriminate collection and processing of personal data” that is “out of all proportion to its objectives.”[3]
SCHUFA Holding AG (Germany)
What they are: Germany’s dominant credit scoring company. Produces credit scores used by landlords, banks, telecoms, and employers for virtually every creditworthiness check in the country.
Enforcement: On December 7, 2023, the CJEU ruled in Case C-634/21 that producing and transmitting a credit score constitutes “automated individual decision-making” under Article 22 GDPR when the score plays a “determining role” in a third party’s decision — even if the scorer does not itself make the final decision.[4] This landmark ruling has broad implications for the entire credit scoring industry. Noyb has separately alleged that SCHUFA earns millions through unlawful customer manipulation by using score changes to pressure consumers into certain behaviors.[5] On September 30, 2025, the Hamburg DPA fined a bank €492,000 in a case directly prompted by the CJEU SCHUFA ruling, for failing to provide meaningful information about the logic behind automated credit card application rejections.[6]
Criteo (France)
What they are: Major French adtech company maintaining 370 million identifiers across the EU. Uses cookies and tracking technologies to profile users across partner websites for retargeted advertising.
Enforcement: CNIL fined Criteo €40 million on June 22, 2023, for five GDPR violations: failure to verify valid consent for data processing, lack of transparency, inadequate data subject access rights, failure to honor the right to withdraw consent, and failure to delete personal data upon erasure requests.[7] The penalty was reduced from the CNIL rapporteur’s original proposal of €60 million. The case originated from complaints filed by Privacy International and noyb. Pursuant to the GDPR’s one-stop-shop mechanism, all 26 other EU supervisory authorities approved the decision.
Bertelsmann / Arvato (Germany)
What they are: Arvato AZ Direct, a Bertelsmann division, claims to provide 600 attributes on 70 million consumers in Germany. Experian acquired a 60% majority stake in Arvato Financial Solutions’ Risk Management division in July 2020 for approximately €200 million (~$253 million), combining Arvato’s German credit risk data with Experian’s analytics platforms across Germany, Austria, and Switzerland.[8]
dunnhumby (UK)
What they are: Customer data science company processing data from Tesco Clubcard, covering over 80% of UK households (23 million of 28.3 million). Operates a 40-terabyte database sold to companies including Procter & Gamble, Coca-Cola, and U.S. retailer Kroger. Employs 2,500+ people in 30+ countries. (See Retail & Loyalty Data for full dunnhumby coverage.)
The Swedish Publication Certificate Loophole
Swedish data brokers exploit a constitutionally protected “publication certificate” (utgivningsbevis) system to exempt themselves from GDPR. Companies including Eniro, Ratsit, and Hitta.se publish personal data including telephone numbers, addresses, dates of birth, and income information for Swedish residents, claiming journalistic protection. Noyb has characterized these as “data brokers claiming journalists’ legal protection to evade EU law.”[9] A 2024 Swedish Court of Appeal ruling indicated GDPR may be applicable despite publication certificates, and Parliamentary motion 2024/25:293 seeks to limit this practice.
IAB Europe (Belgium)
What they are: Industry body behind the Transparency and Consent Framework (TCF) for real-time bidding (RTB) — the automated auction of user profiles for ad space.
Enforcement: The Belgian DPA fined IAB Europe €250,000, upheld by the Belgian Market Court on May 15, 2025.[10] The CJEU confirmed on March 7, 2024 (Case C-604/22) that the TCF’s “TC String” (consent records) constitutes personal data when combined with a user’s cookie and IP address, and that IAB Europe is a joint controller for processing operations within the TCF.[11]
Israel: Surveillance Technology Hub
Israel has become a global center for surveillance technology, with dozens of companies founded by veterans of the Israeli Defense Forces’ Unit 8200 intelligence unit.
NSO Group
What they are: Developer of Pegasus spyware, which can remotely infiltrate smartphones via “zero-click” exploits and extract messages, emails, photos, location data, call records, and activate cameras and microphones without user knowledge. Sold to government clients in dozens of countries. Used to target journalists, activists, opposition politicians, and heads of state.
Enforcement: Added to the US Entity List in November 2021. A US court ruled NSO Group liable for hacking 1,400 WhatsApp users, and in May 2025 a federal jury awarded Meta/WhatsApp $167.25 million in punitive damages plus $444,719 in compensatory damages.[12] In October 2025, US District Judge Phyllis Hamilton reduced the punitive damages to approximately $4 million (nine times the compensatory award), ruling the original amount excessive, but issued a permanent injunction requiring NSO to cease all spyware operations targeting WhatsApp and to delete and destroy related computer code.[13]
Cellebrite
What they are: Digital forensics company. The Universal Forensic Extraction Device (UFED) extracts data including contacts, locations, deleted messages, and calls from smartphones, tablets, and SIM cards. Founded by ex-IDF personnel, staffed with dozens of ex-Unit 8200 intelligence veterans. Over $48.6 million in ICE contracts from 2008 through April 2025, plus $6.1 million from CBP contracts (2009–2024).[16]
Scandals: In December 2024, Amnesty International published “A Digital Prison,” reporting that Serbian police used Cellebrite tools to unlock journalist and activist devices — exploiting a zero-day vulnerability in Qualcomm chipsets affecting millions of Android devices — then installed “NoviSpy” spyware to enable remote microphone and camera activation.[14] In February 2025, Cellebrite announced it had halted product use in Serbia following the report.[15] Cellebrite tools have also been used to harvest data from phones of captured Palestinians during 2023–2025 operations, and rights groups have urged a UFED ban due to use by the Museveni regime in Uganda.
Intellexa / Cytrox (Predator Spyware)
What they are: Developer of Predator spyware. Created in 2019 by former Israeli military officer Tal Dilian. Targets phones via infected SMS links. Used in Greece, resulting in the resignation of the intelligence director and top government officials (2022).
Enforcement: In March 2024, the US Treasury sanctioned the Intellexa Consortium, Tal Dilian, and Sara Hamou, accusing them of enabling “the proliferation of commercial spyware and surveillance technologies” used to “covertly surveil U.S. government officials, journalists, and policy experts.”[17] Expanded sanctions in September 2024 targeted additional executives Merom Harpaz and Andrea Gambazzi.[18] Despite sanctions, Intellexa products remained active per the ICIJ’s “Intellexa Leaks” investigation.[20] On December 30, 2025, the Trump administration lifted sanctions on Hamou, Gambazzi, and Harpaz, stating each had “demonstrated measures to separate themselves from the Intellexa Consortium.”[19]
Cognyte (formerly Verint)
What they are: Spun off from Verint Systems in 2021. Provides investigative analytics and surveillance solutions to government and law enforcement agencies. In 2025 alone, secured a three-year support agreement valued at over $20 million per year with a national security customer (March 2025), a three-year subscription at $10+ million annually with another national security customer (May 2025), and a one-year $20+ million contract renewal with an EMEA national security agency (September 2025).[21]
Verint Systems
What they are: Acquired by Thoma Bravo in a $2 billion deal ($20.50 per share, an 18% premium) announced in August 2025 and completed November 26, 2025; Verint was combined with Thoma Bravo portfolio company Calabrio.[22] Previously built Switzerland’s wiretap infrastructure (2014). Received $35 million from the US Department of Defense (2017). Approximately 10,000 clients in 175+ countries.
Scandals: Amnesty International reported in February 2021 that a Verint subsidiary provided South Sudan’s National Security Service with communications interception equipment between 2015 and 2017, enabling surveillance of journalists, activists, and political opponents.[23] Separately, Indonesia reportedly used Verint products to create a database of LGBT rights activists targeted for surveillance.[24]
NICE Systems
What they are: Created in 1986 by former IDF engineers. Originally provided mass, targeted, and lawful communication interception to law enforcement, intelligence organizations, and national security agencies across 150+ countries. In July 2015, Elbit Systems acquired NICE’s Cyber and Intelligence division for up to $157.9 million ($117.9 million at closing plus up to $40 million in earn-out), reorganizing it under its Cyberbit subsidiary.[25]
Asia-Pacific
Recruit Co. / Rikunabi Scandal (Japan)
What they are: Recruit Co. operated the Rikunabi job-seeking platform. Between March 2018 and February 2019, it used cookies to record students’ browsing history and calculated algorithmic scores predicting how likely individual job applicants were to decline offers.
What happened: Sold predictive scores to 35 companies without user consent, including Toyota Motor Corporation and Mitsubishi Electric.[26] Japan’s Personal Information Protection Commission ruled that cookies constituted “person-related information” requiring consent. Recruit Career’s data sharing also violated the Employment Security Law.[27] The scandal directly led to amendments strengthening Japan’s privacy framework.
Alibaba Group (China)
What they are: Collects vast amounts of consumer purchase behavior, financial data, location data, and browsing habits through Taobao, Tmall, and Alipay. Alipay’s biometric (facial recognition) data is used for electronic ID cards in at least three Chinese provinces. Has shared algorithm details with the Cyberspace Administration of China as required under China’s 2021 algorithm registration rules.
Tencent (China)
What they are: Collects data through WeChat (1+ billion users), QQ, and other platforms including messaging content, social connections, payment data, and location data. WeChat’s facial recognition is used for government electronic ID cards. Has shared algorithm details with the Cyberspace Administration of China.
TransUnion CIBIL (India)
What they are: Founded in 2000 as the Credit Information Bureau (India) Limited, following recommendations from the RBI’s Siddiqui Committee. Maintains credit files on 600 million individuals and 32 million businesses in India. The CIBIL score (300–900 range) is the most widely used credit score in India. Licensed by the Reserve Bank of India as one of four credit information companies in the country.[28]
The Aadhaar Data Ecosystem (India)
What happened: On October 9, 2023, a threat actor using the alias “pwn0001” posted on Breach Forums offering Aadhaar and passport data of 815 million Indians — approximately 60% of the country’s population — for $80,000. Security researchers at Resecurity traced the data to records submitted to the Indian Council of Medical Research (ICMR) during COVID-19 testing, though no official confirmation of the breach source has been provided.[29] In a separate earlier incident (2018), an anonymous group sold “agent” access to the UIDAI database via WhatsApp. The Comptroller and Auditor General found UIDAI had not effectively regulated client vendors or safeguarded data vaults.
Quantium (Australia)
What they are: 80.4% owned by Woolworths, which paid A$223 million in April 2021 to increase its stake to 75%, subsequently rising to 80.4%.[30] Processes Woolworths Rewards loyalty card data covering millions of Australian households. The ACCC named Quantium as participating in exchange of loyalty scheme data, “often without consumers’ explicit consent.”[31]
illion / Experian Australia
What they are: illion operated as a consumer and commercial credit bureau in Australia and New Zealand, with heritage tracing to 1887. Digital infrastructure relied upon by over 15,000 corporate and government clients. Experian completed an A$820 million (approximately US$532 million) acquisition of illion on September 30, 2024, approved by the ACCC despite merging two of Australia’s three main credit reporting bodies.[32]
Americas (Outside US)
Pelmorex Corp. / The Weather Network (Canada)
What they are: Owns The Weather Network and MeteoMedia. Collects geolocation data from weather app users through its mobile apps. Location data was provided to BlueDot, which supplied it to the Public Health Agency of Canada (PHAC) for COVID-19 pandemic tracking between March 2020 and March 2022. PHAC obtained detailed movement insights including trips to pharmacies, liquor stores, and interprovincial travel — all without informing Canadians their movements were being monitored.[33]
Serasa Experian (Brazil)
What they are: Brazil’s leading credit-scoring bureau, a subsidiary of Experian. Alleged to sell personal profile information in packages starting at R$1 per person. On January 20, 2021, a dataset exposing 223 million individuals’ data — a number exceeding Brazil’s living population because it included deceased persons — surfaced on a dark web forum. The approximately 1 TB of compressed files contained names, CPF (tax ID) numbers, dates of birth, facial images, salary data, and credit scores. Serasa denied it was the source.[34]
Enforcement: A Brazilian Federal District Court ordered Serasa to stop selling personal consumer data.[35] Federal Police launched “Operation Deepwater,” which evolved into “Operation Data Breach” in 2024, leading to arrests of suspected data brokers involved in selling fragments of the leaked archive internationally.
Buro de Credito (Mexico)
What they are: Mexico’s primary credit bureau (Trans Union de Mexico, S.A.). Exempt from oversight by INAI (Mexico’s privacy agency) due to institutional design favoring credit information societies over privacy rights.
Enforcement: In February 2023, the CNBV publicly confirmed that a Buro de Credito customer database — dating from 2016 — had been stolen and sold on the dark web. The incident was first reported to the CNBV in December 2022. The CNBV launched a formal cybersecurity inspection but did not require Buro de Credito to alert affected consumers.[36]
Africa
TransUnion South Africa
What they are: Consumer credit data and analytics for South African individuals and businesses.
Breach: In March 2022, a Brazilian hacking group called N4aughtysecTU breached TransUnion South Africa’s SFTP server — reportedly protected by the password “Password” — and claimed to have stolen approximately 54 million records across four terabytes of data.[37] The hackers demanded R223 million ($15 million) in cryptocurrency ransom; TransUnion refused to pay. TransUnion disputed the 54 million figure, stating its investigation found data relating to approximately 5 million consumers was potentially affected, with a further 5.2 million having only ID numbers exposed.[38] In a separate November 2023 incident, hackers demanded R1.1 billion ($60 million) from both TransUnion and Experian, threatening to leak personal data of South Africans.
Experian South Africa
Breach: In August 2020, an individual fraudulently claimed to represent an Experian client and requested consumer data, resulting in the exposure of personal information of approximately 24 million South Africans and nearly 793,000 local businesses. The leaked data included names, ID numbers, addresses, and occupations, though Experian stated no credit or financial information was exposed.[39]
XDS (Xpert Decision Systems)
What they are: Largest locally owned (100% black-owned) credit information bureau in South Africa, with subsidiaries in Ghana and Zimbabwe.
CRC Credit Bureau (Nigeria)
What they are: Nigeria’s leading credit bureau, covering over 95% of the Nigerian credit industry. Established by a consortium of eleven leading financial institutions and Dun & Bradstreet.
Regulatory landscape: In 2024, the Nigeria Data Protection Commission (NDPC) issued compliance notices to 1,368 organizations including 795 financial institutions.[40] Separately, the Federal Competition and Consumer Protection Commission (FCCPC), working with the NDPC, fined Meta $220 million in July 2024 for unauthorized data sharing, lacking proper user consent mechanisms, and discriminating against Nigerian users compared to users in other jurisdictions. The Competition and Consumer Protection Tribunal upheld the fine in April 2025.[41]
Middle East
DarkMatter Group (UAE)
What they are: Founded in the UAE in 2014–2015. Describes itself as a defensive cybersecurity company, but became a contractor for “Project Raven” — a confidential initiative staffed by more than a dozen former US NSA and CIA employees to surveil governments, militants, and human rights activists on behalf of the UAE. Project Raven hacked phones and computers of hundreds of human rights activists and political opponents across the Middle East and Europe (2016–2019), as revealed by a Reuters investigation in January 2019.[42]
Enforcement: In September 2021, three former US intelligence operatives — Marc Baier, Ryan Adams, and Daniel Gericke — entered a deferred prosecution agreement with the DOJ, admitting to violations of the International Traffic in Arms Regulations (ITAR). They forfeited a combined $1.68 million and surrendered their security clearances, marking the first time hacking was prosecuted as an ITAR violation.[43]
SDAIA (Saudi Arabia)
What they are: The Saudi Data and Artificial Intelligence Authority, established by royal decree (August 2019). National regulator for data governance and personal data protection. Saudi Arabia’s Personal Data Protection Law (PDPL) came into effect September 2023, with enforcement commencing September 2024. Tight restrictions on cross-border data transfers require organizations to keep personal data within national borders unless explicitly approved.
Russia
Probiv (Illicit Data Market)
What it is: A vast illicit data market — estimated at approximately 15 billion rubles (~$141 million) annually — where personal information from restricted government and corporate databases is bought and sold through networks of corrupt officials and insiders.[44] Data available includes passport numbers, addresses, travel histories, vehicle registrations, telecom records, and police records. Prices range from $10 to several hundred dollars.
Scale: The CEO of state telecom giant Rostelecom has stated that “the personal data of all Russian citizens has been compromised.” Sberbank estimates approximately 90% of Russian users’ data has been affected by leaks.[45]
Crackdown: Article 272.1 of the Russian Criminal Code (effective late 2024) introduced penalties of up to 10 years in prison for organized data trafficking and fines up to 15 million rubles ($141,000) for illegal transfers of personal data.[44] In July 2025, Moscow’s Tverskoy District Court remanded in custody individuals with alleged ties to the Federal Security Service in a case targeting the prominent probiv service Solaris. However, the crackdown backfired: leading data brokers relocated operations abroad, where they now operate without restrictions and dump sensitive leaks free of the informal restraints that previously applied.[46]
Global Regulatory Landscape
The regulatory framework for data brokers varies dramatically by region:
