This is actually a non-report, but it demonstrates where we draw the boundaries on what we can and cannot do according to our code of conduct.
On April 4 several news platforms reported personal data of 533 million Facebook users was leaked. Security Researcher Alon Gal reported the dataset was now available for free online. https://www.theverge.com/2021/4/4/22366822/facebook-personal-data-533-million-leaks-online-email-phone-numbers
On April 9, DIVD researchers were offered a dataset of 5.3 million Dutch users, containing name, place of residence and mobile phone numbers. The first idea that came up was to send all these users an SMS text message to warn them their data was leaked and be extra careful not to respond to suspicious phone calls. Aside from the legal and logistical problems, we decided not to proceed as the media was catching up on the issue, warning users and redirecting them to Have I been Pwned.
A second idea that came up was to search the dataset for phone numbers of Dutch politicians and send them an SMS to warn them and raise awareness. Some claimed to have found members of Cabinet and Parliament. Also, after the elections on the 17th of March, new Members of the Dutch Parliament were being installed, with very few among them with a background in information technology. A small awareness campaign might have been useful.
Here too, we decided not to proceed, as the exchange of such sensitive personal data is not proportional to the goal of raising awareness. According to the subsidiarity principle, this goal was already met with less intrusive means as other parties such as media and governmental bodies, were already sending general warnings.