Most coverage of phone data privacy and surveillance stops at the apps on your screen: Google, Meta, TikTok. That is the visible layer. Beneath it runs an industry with no consumer-facing product at all, a supply chain of data brokers, telcos, and location aggregators that buys, enriches, and re-sells personal information without a direct relationship with anyone whose data it holds. Government agencies and mobile carriers access parts of that same data under a different legal architecture again. Together they form an industrial supply chain, connected by data flows most reporting never reaches. An Australian court found that Google had misled 1.3 million users through a single default location setting they believed they had switched off. That case is a useful way into how the whole thing works.
The first-party layer

Google’s argument in that case was essentially that users could turn tracking off. The court’s finding was that this was not quite true. Disabling “Location History” did not stop Google collecting location data, because a separate setting, “Web & App Activity,” remained on by default. The Federal Court of Australia found that this architecture misled 1.3 million users who believed they had opted out when they had not. A $60 million penalty followed.
This is the first-party layer: the companies you actually have a relationship with. Google, Apple, Meta, your mobile carrier. You signed up. Some kind of consent was technically obtained. The terms were long and the font was small, but the legal basis is there. What the Google case illustrates is that consent’s legal existence and its practical meaning can be quite different things.
The first-party layer is also, by some distance, the largest data collector in this supply chain. Everything that flows downstream to brokers starts here. The platforms that know your search history, your location over time, your browsing patterns, your purchase behaviour: this is where phone data privacy surveillance begins, before a single data point reaches anyone else.
Default settings are not neutral. They are business decisions. When the default state of a setting means your location continues to be collected after you believe you have switched it off, the gap between technical compliance with consent requirements and what consent actually means to a person trying to protect their privacy is wide enough to notice.
The data broker ecosystem

You already know Google, Meta, and TikTok are collecting your data. The companies that aggregate and resell it at scale have no consumer-facing products and no reason to introduce themselves.
Data brokers acquire information about people, combine it with data from dozens of other sources, and sell the resulting profiles to whoever will pay. Hundreds of them operate globally. You have never agreed to their terms of service. You have never heard their names.
An app collects your location. It sells that to an analytics partner, which passes it to an aggregator, which sells it to a data broker, which combines it with your purchase history, credit behaviour, browsing patterns, and inferences about your household income, health status, and political leanings. A GPS ping becomes a consumer profile. A 2014 Federal Trade Commission study of the data broker industry found major companies holding hundreds of distinct data categories on nearly every American adult, from purchasing habits to estimated ethnicity.
Advertisers buy these profiles. So do insurers, employers, landlords, and, in some jurisdictions, government agencies. Phone data privacy surveillance is a commercial operation with revenue targets and annual reports, not a metaphor.
In South Korea, the telco-to-third-party data pipeline became politically visible in the early 2010s after a run of privacy scandals involving carriers and analytics firms. The regulatory response was real, if still incomplete. Australian and European regulators are working through the same problems a decade later, deciding how to govern an ecosystem that industry built to be hard to see from the outside.
Companies built the opacity in deliberately. Regulators are still working out how to undo it.
The government and telco layer

There is another layer beneath the broker ecosystem, one that most people never think about, partly because the companies in it have been there since before anyone was debating data privacy, and partly because the legal framework governing them was built for a different era entirely.
Telcos occupy a unique position in the phone data privacy surveillance ecosystem. They carry the signal. That means they see the metadata for every call, every message, every data session, before any app ever sees it. They know who you called, when, for how long, and approximately where you were when you did it. Not through software you downloaded. Through infrastructure you cannot opt out of.
In Australia, the 2015 mandatory data retention scheme requires telcos to store two years of customer metadata, accessible to law enforcement and intelligence agencies without a warrant in most circumstances. The stated purpose was national security and serious crime. The practical effect was to create a national metadata store that did not previously exist.
This is the layer where the consent framework collapses entirely. There is no privacy policy pop-up for your carrier’s data retention obligations. You agreed when you signed a phone plan. Whether you understood what you were agreeing to is a separate question, and an uncomfortable one.
What the 2024 reforms actually changed
Australia’s Privacy and Other Legislation Amendment Act 2024 arrived with reasonable ambition and moderate delivery. It gave the Information Commissioner stronger enforcement powers, introduced transparency requirements that should have existed a decade ago, and started the long overdue process of updating the Privacy Act 1988 for the actual internet.
What it did not do is touch the metadata retention framework. The mandatory data retention scheme introduced in 2015 requires telcos to store two years of your phone activity under law. That architecture is unchanged. The 2024 reforms addressed consent language, definitions, and penalties. The invisible layer (carrier records, government access requests, data broker pipelines) is where they ran out of road.
South Korea began grappling with exactly this problem in the early 2010s, when smartphone penetration outpaced the legal frameworks designed to govern it. The regulatory lag there was not a failure of intent. It was a failure of pace. Australia is navigating the same structural gap, roughly a decade later, with the added complication of a phone data privacy and surveillance ecosystem that has grown considerably more sophisticated in the intervening years.
The 2024 reforms matter. So does what they left in place. Holding both of those things at once is a more accurate picture than either the critics or the government’s press releases suggest.
Practical steps worth taking
The broker ecosystem operates in a layer most people never see, but your interaction with it is not fixed. A few targeted changes reduce the surface area.
Start with location permissions. On both iOS and Android, set every app to “while using” rather than “always.” Most apps requesting “always” do not need it. Mapping and fitness tracking are genuine exceptions. Everything else is harvesting data it has no operational reason to collect.
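Auditing those permissions by hand, app by app, is tedious on a phone with a hundred apps installed. The script below is an added example, not code from the original article: it parses the text that `adb shell dumpsys package` prints (USB debugging enabled, `adb shell dumpsys package > packages.txt`) and sorts apps into "always", "while using", and no location access, so the ones holding `ACCESS_BACKGROUND_LOCATION` without a reason stand out. The `SAMPLE_DUMPSYS` text is constructed for demonstration; it mirrors the shape of real dumpsys output, but the package names in it are made up.

```python
"""Audit Android app location permissions from `adb shell dumpsys package` output.

Added example (not the article's own code). Assumes USB debugging is enabled and
the dumpsys text was captured with:  adb shell dumpsys package > packages.txt
"""
import re
import sys
from typing import Dict, List

# Foreground ("while using") location permissions; background turns them into "always".
FOREGROUND_LOCATION = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
BACKGROUND_LOCATION = "android.permission.ACCESS_BACKGROUND_LOCATION"

PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_runtime_permissions(dumpsys_text: str) -> Dict[str, Dict[str, bool]]:
    """Map each package to {permission: granted} from its 'runtime permissions:' block."""
    result: Dict[str, Dict[str, bool]] = {}
    current = None
    in_runtime = False
    for line in dumpsys_text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            in_runtime = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "runtime permissions:":
            in_runtime = True
            continue
        if in_runtime:
            m = PERM_RE.match(line)
            if m:
                result[current][m.group(1)] = m.group(2) == "true"
            elif stripped:
                # Any other non-blank line means the runtime permissions block ended.
                in_runtime = False
    return result


def audit_location_permissions(dumpsys_text: str) -> Dict[str, List[str]]:
    """Bucket packages into 'always', 'while_using' and 'none' by granted location access."""
    buckets: Dict[str, List[str]] = {"always": [], "while_using": [], "none": []}
    for pkg, perms in parse_runtime_permissions(dumpsys_text).items():
        foreground = any(perms.get(p, False) for p in FOREGROUND_LOCATION)
        background = perms.get(BACKGROUND_LOCATION, False)
        if foreground and background:
            buckets["always"].append(pkg)
        elif foreground:
            buckets["while_using"].append(pkg)
        else:
            buckets["none"].append(pkg)
    for names in buckets.values():
        names.sort()
    return buckets


# Constructed sample in the shape of real dumpsys output; package names are invented.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.maps] (1a2b3c):
    userId=10120
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET]
  Package [com.example.flashlight] (4d5e6f):
    userId=10121
    User 0: ceDataInode=2 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
  Package [com.example.notes] (7a8b9c):
    userId=10122
    User 0: ceDataInode=3 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
  Package [com.example.weather] (0d1e2f):
    userId=10123
    User 0: ceDataInode=4 installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET]
"""


if __name__ == "__main__":
    # Read a captured dumpsys file if given, otherwise audit the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMPSYS
    for bucket, packages in audit_location_permissions(text).items():
        print(f"{bucket}: {', '.join(packages) or '(none)'}")
```

Run it as `python audit_location.py packages.txt`. Apps in the "always" bucket are the ones to review first: a mapping or fitness app may justify it, a flashlight app does not, and on a real device the fix is Settings, Location, App permissions, then "Allow only while using the app".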
On Android, delete your advertising ID. On iPhone, go to Settings, Privacy and Security, Tracking, and switch off “Allow Apps to Request to Track.” Fingerprinting techniques can reconstruct a profile without relying on device identifiers, so neither step is airtight. But you are shrinking the dataset.
Check your telco’s privacy settings. Most Australian carriers offer a data-sharing opt-out, but sharing stays on until you use it. You have to find it. That is not an accident.
The data broker layer is harder to address. Under the 2024 reforms, you can request deletion of data held by companies with no direct relationship with you. This is a real right. Few people know it exists. Fewer use it.
None of this solves the structural problem. Phone data privacy and surveillance operates at industrial scale, and individual opt-outs are friction rather than a fix. But friction is real. It accumulates. Start with the location settings.
Closing / key takeaways
You are dealing with an industry. Most of it carries no name you would recognise.
Three things worth acting on:
- Start with location. Precise location is the most valuable data point you hand over. Audit which apps have access. Revoke what they don’t need.
- Use your deletion rights. The 2024 Privacy Act reforms give Australians the right to request deletion from brokers they have never dealt with. Few people know this. Fewer use it.
- Expect friction, not a fix. Phone data privacy and surveillance operates at industrial scale. Your opt-outs chip away at that. Genuine structural change requires regulation that takes the broker ecosystem seriously.
Frequently Asked Questions
I haven't installed anything suspicious. How is my data still being collected?
The apps you recognise are only part of the story. Your phone's operating system sends data to your carrier. Your carrier sells network-derived location data to brokers you have never heard of. Those brokers aggregate signals from loyalty programmes, weather apps, and mapping tools, then build profiles they license to advertisers, insurers, and political campaigns. None of those brokers asked for your permission because none of them has a direct relationship with you. That is the point. The supply chain runs behind the consumer-facing layer, and careful app selection does not reach it.
Who actually buys this data, and what for?
Advertisers buy the most. Insurers use aggregated location and behavioural data to refine risk models. Employers run background enrichment on candidates. Political campaigns target undecided voters at the neighbourhood level. In several countries, law enforcement agencies buy location histories rather than applying for warrants. The broker market faces no unified regulation in most jurisdictions, so the same dataset moves from broker to broker, reaching buyers whose purposes nobody disclosed when you first set up your phone.
Does my privacy policy cover all of this?
The policy you agreed to covers the direct relationship with the app you downloaded. The broker who bought your data from a data co-op that aggregated it from dozens of apps has no privacy policy relationship with you at all. That is the consent gap. The Australian Federal Court's finding against Google is useful here: a default setting that most users never changed had misled 1.3 million Australians about what Google was doing with their location data. Default settings are not consent. Real consent would require knowing where your data goes after it leaves the first app. Nobody designed the system to tell you that.
Are the new privacy laws making a difference?
In places, yes. GDPR gave European users enforceable rights and imposed fines large enough to change corporate behaviour. Australia's Privacy Act is undergoing its most significant reform in decades, and the changes to consent requirements are substantive. But the broker ecosystem operates globally while regulators work jurisdiction by jurisdiction. A broker incorporated in a permissive country, processing data sourced from an app you downloaded in Sydney, occupies complicated legal ground. Mandatory data minimisation and broker registration, the two reforms that would matter most, remain contested in most markets. The direction is right, but the gap between intention and enforcement is still wide.
What can I actually do?
Some things help at the margin. Restricting precise location access to apps that do not need it cuts one data stream. Resetting your advertising ID periodically disrupts some behavioural profiles. A reputable VPN limits what your carrier can see about your browsing. None of this reaches the broker layer, because by the time a broker holds your data, someone upstream has already collected it. South Korea introduced data portability and broker transparency requirements years before most Western regulators engaged with the problem at all. The supply chain did not disappear, but it became more visible. That is roughly where the rest of the world is heading.

