(screenshot from Flightradar24)
On 30 June 2025, Sweden’s data protection authority IMY issued a decision that may reshape the landscape of open-source flight tracking in Europe. Case DI-2021-3397 concerns Flightradar24 AB, the Stockholm-based platform used by 30 million people each month to monitor global air traffic. The ruling establishes that aircraft registration numbers can constitute personal data under the GDPR which is a legal classification with implications that extend well beyond aviation.
As a paid ADS-B exchange subscriber I had initially overlooked this case. It was only when examining Bellingcat’s brilliant Turnstone project that I revisited the available data sources and came across it. For professionals working in journalism, investigations, and due diligence, the decision deserves careful analysis. Not because its reasoning is internally inconsistent (much of it follows established CJEU case law) but because that case law itself reflects a structural deficiency in how European privacy regulation weighs competing societal interests. The GDPR, designed to protect ordinary citizens from corporate surveillance, is increasingly invoked by the wealthy and the powerful to suppress legitimate scrutiny of their movements and activities.
The decision
The case originated from four complaints by private aircraft owners in Sweden, Germany, and Denmark, handled through the GDPR’s cross-border cooperation mechanism involving 14 European supervisory authorities. The complainants objected to Flightradar24 publishing registration numbers and associated location data of their aircraft.
Flightradar24 argued that aircraft registration numbers identify aircraft, not people, that most aircraft are owned by companies, that no universal public register links registrations to individuals, and that it processes no names or addresses. IMY rejected this position. Drawing on the CJEU’s Breyer ruling on dynamic IP addresses and the Gesamtverband Autoteile-Handel judgment on vehicle identification numbers, IMY concluded that registration numbers become personal data when they can be linked to identifiable individuals through other means, such as national aircraft registers. Even company-owned aircraft qualified: a Danish CEO who was the sole pilot of his firm’s helicopter was deemed identifiable regardless of corporate ownership.
IMY fortunately upheld Flightradar24’s legitimate interest under Article 6(1)(f) as a valid legal basis, acknowledging the platform’s value in accident investigation and criminal cases. However that is not enough to avoid the GDPR being used to block legitimate scrutiny.
A flawed analogy: aircraft are not cars, and not IP addresses
IMY’s reasoning rests on the analogy between aircraft registration numbers, vehicle identification numbers, and dynamic IP addresses. This analogy is weak in several material respects, and the uncritical application of Breyer and Gesamtverband Autoteile-Handel to aviation data obscures more than it clarifies.
The most fundamental difference concerns the identifiability of users. A car has a narrow and relatively stable user base, typically one or two drivers within a household. The link between a license plate and a specific individual is, in most cases, much more direct and practical. An aircraft, by contrast, may have multiple owners, operators, leaseholders, and pilots, often across different jurisdictions and corporate structures. The chain of identification from a registration number to a natural person is substantially longer and more uncertain than for a car. The CJEU’s reasoning in Gesamtverband Autoteile-Handel, where a workshop with access to a vehicle registration certificate could readily link a VIN to a person, simply does not transpose to a flight tracking platform that possesses none of this complementary information.
The IP address analogy is even less persuasive. IP addresses, as addressed in Breyer, are transmitted within a network infrastructure between specific endpoints and can only be collected at these endpoints.
Moreover, the CJEU itself recently confirmed that personal data is a relative concept. Data may be personal for one entity while anonymous for another, depending on whether the recipient has reasonable means of re-identification. Flightradar24 processes registration numbers without access to national aircraft registers, without names, and without addresses. The platform itself cannot identify individuals from the data it holds. Whether a third party could combine this data with register information to identify someone is a different question; one that should not automatically convert the data into personal data for a platform that lacks those means.
Privacy without balance: the transparency deficit
The deeper problem, however, is not the analogy but what the analogy is in service of. The CJEU jurisprudence on which IMY relies approaches the question of personal data classification almost exclusively through the lens of privacy protection. The question it asks is: can a natural person be identified? The question it does not adequately ask is: should the data remain visible in the public interest, even in case it might be classified as personal data?
This omission matters because private aviation is not a neutral domain. Private jets are, by definition, instruments of wealth. The ability to track private aircraft movements has served as a critical transparency mechanism, for journalists investigating corruption, for sanctions enforcement authorities tracing oligarch assets, for environmental accountability. When the GDPR enables individual aircraft owners to demand erasure of tracking data, it does not merely protect privacy in the abstract. It removes a tool of public accountability, disproportionately benefiting those with the resources to own or operate private aircraft.
Article 17(3) of the GDPR provides exceptions to the right of erasure, including for freedom of expression and information. Article 85 requires member states to reconcile data protection with press freedom. But these provisions have been unevenly implemented: for example, not all EU member states have (fully) legislated the journalistic exemption. The balancing act that the GDPR envisions in theory does not materialise in practice. The regulation’s enforcement architecture creates a chilling effect that operates asymmetrically: it deters platforms and journalists from publishing, but imposes no corresponding cost on data subjects who invoke privacy rights to suppress public interest information.
When privacy obstructed accountability
The consequences of this imbalance are not theoretical. When Saudi journalist Jamal Khashoggi was murdered in Istanbul in October 2018, two Gulfstream jets used by the assassination squad, belonging to Sky Prime Aviation, were central to reconstructing the timeline. Investigative researchers discovered that FlightAware displayed these aircraft as unavailable for public tracking due to European data rules, and Flightradar24 had no records. Tracking data was eventually found through smaller platforms, i.e. Plane Finder, and I believe ADS-B Exchange has the data as well. Sky Prime Aviation’s ownership had been transferred to Saudi Arabia’s Public Investment Fund via classified orders the previous year. European data rules had effectively shielded Saudi state aircraft from routine monitoring on major platforms.
The pattern extends beyond state actors. Elon Musk, after acquiring Twitter in 2022, suspended Jack Sweeney’s @ElonJet account along with trackers for multiple billionaires and Russian oligarchs. Meta followed in October 2024, removing all 38 of Sweeney’s celebrity jet-tracking accounts. Taylor Swift’s lawyers sent cease-and-desist letters calling Sweeney’s work “stalking and harassing behavior.” In none of these cases did GDPR enforcement play a direct role, but the IMY precedent now provides a legal mechanism that achieves the same result through regulatory authority rather than platform power.
GDPR as a weapon against journalism
Academic literature has documented GDPR’s emergence as a vehicle for Strategic Litigation Against Public Participation (SLAPPs). The landmark case involved Romania’s data protection authority ordering OCCRP’s Rise Project to reveal its journalistic sources under threat of a €20 million fine during a corruption investigation into Liviu Dragnea, then president of Romania’s Social Democratic Party. Fifteen digital rights organisations wrote to the EDPB demanding that the GDPR not be weaponised against media freedom.
Oxford researcher Anjuli Shere’s 2020 survey of OSINT professionals found that the GDPR had imposed notable professional constraints on investigators working with predominantly open-source intelligence. For practitioners in the field, this is not an abstract regulatory concern, it is an operational reality that shapes what can be investigated, published, and verified.
Conclusion
The IMY decision against Flightradar24 follows established CJEU jurisprudence. That is precisely the problem. The jurisprudence treats personal data classification as a binary question of identifiability, without adequate weight to the public interest in transparency. And it provides no mechanism to distinguish between a private citizen’s legitimate concern about stalking and an oligarch’s strategic interest in concealing movement patterns.
The IMF’s Finance & Development journal captured this tension long time ago, warning that privacy concerns “can fuel fierce opposition to transparency initiatives, both from well-intentioned activists and from cynical actors who may cite privacy in a disingenuous attempt to obscure questionable dealings.”
For investigation professionals, the operational implication is clear: diversify data sources across jurisdictions, maintain independent receiver capabilities, and recognise that the signals remain in the air regardless of what the law says about collecting them. The regulatory landscape is shifting. The physics of radio frequency transmission is not.