¾«Æ·¹ú²ú×ÔÏßÎçÒ¹¸£Àû

---

Secret keeper

The new Private Security Authority licence for safe suppliers faces scrutiny over EU-law compliance. Alan Donohoe Redd cracks the combination

A new licensing requirement for ‘suppliers or installers of safes’ from Ireland’s Private Security Authority (PSA) has come under scrutiny as European industry experts argue it infringes upon fundamental principles of EU law, including the free movement of goods and the GDPR.

PSA 94:2024 requires all suppliers of safes in Ireland to undergo regular audits in order to obtain a PSA licence.

This introduces a new administrative and regulatory burden on anyone selling safes to end-users here, which experts argue amounts to a form of pre-market authorisation and risks delaying or deterring intra-community trade.

Such a move poses a direct challenge to articles 34-36 of the Treaty on the Functioning of the European Union (TFEU), which prohibits rules hindering the free movement of goods.

Articles 34-36 mandate that goods lawfully marketed in one member state should be freely sold across the EU without such additional authorisation requirements and, while exceptions can apply, they must be necessary, proportionate, and are only allowed if there is a genuine and sufficiently serious threat to a fundamental interest of society.

Burglar alarm

Certified safes are already subject to accredited European burglary-resistance testing and certification compliant with , so it is difficult to see how the PSA’s imposition of additional licensing fees and barriers to market entry for such products in Ireland can be justified.

As established under EU law by (Case 8/74), “all trading rules capable of hindering, directly or indirectly, actually or potentially, intracommunity trade are to be considered as measures having an effect equivalent to quantitative restrictions” and are therefore prohibited by article 34 of the TFEU.

The European Security Systems Association (ESSA), representing the largest consortium of safe manufacturers and suppliers in Europe, has already written to the Minister for Justice and criticised the PSA’s licensing standard as a “market barrier”, warning that “if such national licensing standards proliferate, the EU’s integrated market for safes could fragment into 27 localised markets, each with its own licensing requirements”.

In addition, a formal complaint is also active with the European Commission, not only in respect of the contravention of articles 34- 36 of the TFEU, but also core principles of the GDPR.

Inside job

As regards the GDPR, sections 3 and 8 of the PSA 94:2024 licensing standard mandate licensed safe suppliers to gather and store highly sensitive personal and security-related data during a ‘planning and design’ phase and in an ‘as fitted document’.

This data includes the location of the safe in the premises, the contents and value of items to be stored, existing security measures, operational procedures, and personal details, including address and telephone numbers of clients and installers.

This extensive data collection is problematic for multiple reasons under the GDPR:

• Violation of data minimisation principle: GDPR mandates that personal data collected must be limited to what is necessary for the specified purpose. Recording and retaining detailed security profiles of clients, existing security measures, and operational procedures appear excessive and disproportionate to the task of supplying a safe.
• Lack of legal basis and consent: there is no clear lawful basis under the GDPR for such comprehensive data collection by safe suppliers. Moreover, the right to refuse consent and to request erasure of personal data is not mentioned anywhere in PSA 94:2024.
• Data processing and sharing risks: PSA 94:2024 fails to consider that the party supplying a safe might differ from the installer, necessitating the sharing of sensitive data between unrelated entities, raising profound concerns about data handling, accountability, and GDPR compliance.
• Security implications: compiling detailed security blueprints of private and commercial premises, client profiles and operational procedures, particularly with the potential of distributing them to multiple parties, poses significant cybersecurity and physical-data handling risks. Additionally, industry experts and insurers have warned that such practices introduce unnecessary real-world risks for the end user, a concern aptly underscored by press reports that a known ‘tiger kidnapper’ and armed robber was working under a PSA locksmith licence until quite recently.

Re-set the combination

As PSA 94:2024 stands under scrutiny for compliance with EU law, consumer safety, and data security in more ways than have been mentioned, it has to be noticed that these and other issues could have easily been avoided through structured consultation with European subject-matter experts and engagement with European-standards bodies for the sector.

Instead, it seems PSA 94:2024 was developed without a working group and with minimal consultation with the industry and relevant European standards bodies.

The result not only threatens Ireland’s compliance with EU law – and an industry that has always had confidentiality in respect to specifications, electronics integration, existing security measures, and end users as a cornerstone – but Ireland’s reputational commitment to fair trade and fundamental principles of consumer privacy and safety.

Alan Donohoe Redd is managing director of Certified Safes Ireland and serves both on the European CEN Technical Committee and US Underwriters Laboratories Technical Panel for safes and physical data-protection standards.