In a Joint Statement published today and disseminated among policymakers in EU Council and Parliament, CoESS and Euralarm underline that they understand the value of data-driven innovation for the EU economy and support initiatives that promote the secure, free flow of non-personal data, if it benefits citizens and businesses.

However, they warn, that holding security-related data generated by security systems is subject to specific criteria and safeguards and in certain cases, legislation. CoESS and Euralarm however believe that the proposal for an EU Data Act extensively lifts barriers for the sharing of security-sensitive data that is generated by security systems and held by private entities, creating serious security risks.

Security-sensitive data generated by security systems that is covered by the scope of the proposal and held by security system manufacturers and security services includes video surveillance recordings, screening images, alarm signals, and operational data in case of an incident or ongoing alarm and crime prevention response, among others.

CoESS and Euralarm members have adequate frameworks in place to share such data with clients, including specific safeguards (e.g. legitimate interest during and after an incident, security clearances). The provisions of the proposal legally challenge these safeguards and oblige our members to share security-sensitive data on electronic request without undue delay with clients and third parties as per Chapter II.

Consequently, the proposal creates severe vulnerabilities in cyber and physical security without legitimate benefits to the client, putting at risk citizens, businesses and perimeters that we are committed to protect as outlined in use-cases listed in the Joint Statement. 

CoESS and Euralarm therefore recommend concrete amendments in their Joint Statement that would address their concerns, notably the exclusion of security-sensitive data from the proposal.

The full Joint Statement can be found here.