E-waste and data protection: EDPS warns against security risks and calls for "privacy by design"
Yesterday, the European Data Protection Supervisor (EDPS) adopted an opinion on the European Commission's proposal to recast the Directive on waste electrical and electronic equipment (WEEE, also referred to as "e-waste") (*),, a proposal that is intensively discussed in the European Parliament and Council, but without consideration of the data protection implications.
While supporting the proposal's objective to improve environmental-friendly policies in the area of e-waste, the EDPS points out that the initiative only focuses on the environmental risks related to the disposal of WEEE and does not take into account the data protection risks that may arise from their inappropriate disposal, reuse or recycling. These risks exist in particular when personal data relating to the users of the devices and/or third parties remain stored in IT and telecommunications equipments (e.g. personal computers, laptops) at the time of disposal.
In view of such risks, the EDPS emphasizes the importance of adopting appropriate security measures at every stage of the processing of personal data, including during the phase of disposal of devices containing personal data. The principle of "privacy by design" or, in this area, "security by design" should also be included in the proposal to ensure that privacy and security safeguards are integrated by default into the design of electrical and electronic equipment.
Peter Hustinx, EDPS, says: "It is important to take into account the potentially damaging effects of WEEE disposal on the protection of personal data stored in used equipment. Respect for security measures and a "privacy by design" approach should be seen as essential pre-conditions in order to effectively guarantee the right to the protection of personal data".
Reiterating that the Data Protection Directive 95/46/EC is applicable at the disposal stage of any WEEE containing personal data, the EDPS recommends that the legislators:
- integrate privacy and data protection into the design of electrical and electronic equipment "by default" as far as possible, in order to allow users to delete − using simple, free of charge means – personal data that may be present on devices in the event of their disposal.
- prohibit the marketing of used devices which have not previously undergone appropriate security measures, in compliance with state-of-the-art technical standards, in order to erase any personal data they may contain.
(*) Proposal of 3 December 2008 for a Directive of the European Parliament and of the Council on waste electrical and electronic equipment (WEEE).