arXiv: Agentic AI-Powered Re-Identification: An Emerging, Scalable Threat to Mobility Microdata Privacy

This paper, published on arXiv, presents a new research finding that agentic AI systems can now re-identify individuals from anonymized mobility microdata—such as location traces from mobile phones or transport cards—with high accuracy and at scale. The authors demonstrate that these AI agents can autonomously infer personal identities by cross-referencing sparse, anonymized movement patterns with publicly available datasets, effectively breaking existing de-identification techniques. This represents a significant escalation in the privacy threat landscape, as it moves re-identification from a manual, resource-intensive process to an automated, scalable capability.

The primary affected sectors are any organizations that collect, process, or share mobility microdata, including transportation authorities, ride-sharing and delivery platforms, telecommunications providers, and smart city initiatives. Also impacted are data processors and analytics firms that handle anonymized location data for research or commercial purposes. Regulated entities under GDPR, the EU AI Act, and ePrivacy Directive must now reassess whether their anonymization methods are sufficient against this emerging AI-driven threat.

Compliance teams should immediately conduct a risk assessment of any mobility datasets they hold or share, evaluating whether current anonymization techniques (e.g., k-anonymity, differential privacy) are robust against agentic AI re-identification. They should update data protection impact assessments (DPIAs) to include this specific threat vector and consider implementing stricter access controls, data minimization, and synthetic data alternatives. Finally, teams should monitor regulatory guidance from the EDPB and national authorities, as this research may trigger new enforcement actions or updates to adequacy decisions for anonymized data.