EU Data Act: CoESS calls for exclusion of private security services

Earlier this year, the European Commission proposed a Regulation for an EU Data Act. It shall open opportunities for data-driven innovation and make data more accessible for all. Importantly, companies will have to be able to share data they collect through their services and products with their customers in real-time on a continuous basis. While CoESS welcomes EU initiatives that promote the data economy, the EU association of the private security services is wary of the Data Act’s impact in public and private security, and calls for an exclusion of both private and public security activities from the scope of the future EU law.

While there is manifold potential in empowering businesses and citizens of the data they produce, it can also be highly detrimental to the legitimate need to protect citizens, infrastructure, and information from organised crime.

Putting the proposal of the EU Data Act in practice, private security companies would have to be able to share all kinds of visual and audio data with their clients in real-time on a continuous basis – a provision that would come with substantial risks to the security of citizens.

The private security industry provides a wide range of services, both for private and public clients, ranging from Critical Infrastructure to public spaces, supply chains and government facilities. While supplying these services, security companies handle different data, which are covered by the EU Data Act, and which are hence subject to the proposal’s data sharing obligations – including alarm signals, sound, visual recording or audio-visual recording.

Lifting barriers for sharing such sensitive data, as foreseen by the EU Data Act proposal with the client and, upon request, with third parties, can lead to considerable security threats, including insider threats, organised crime and terrorism. It can put at risk the security and safety of the persons, organisations and infrastructure, supply chains and the general public:

  • In aviation security, the data sharing provisions of the EU Data Act could reveal to criminals security check procedures and crime prevention tactics.
  • In Critical Infrastructure Protection, security companies would have to broadly share video surveillance records of protected perimeters, alarm signals, and biometric data of employees for the verification of their identity at access control – coming with considerable risks, such as insider threats.
  • Similar risks exist in monitoring and remote surveillance, which would further qualify as “data processing services” as per the EU Data Act, for which even stricter data sharing obligations exist.

For security reasons, the proposal by the European Commission already excludes all data that serves law enforcement purposes from the scope of the future law – which would however not apply to data that private security collect, process and analyse for private clients.

In a position paper published today, CoESS therefore calls for the exclusion of private security services from the future law, similar to public security.

For more information, you can find the position paper here.