Opinion of the European Data Protection Supervisor on the Proposal for a Directive of the European Parliament and of the Council on waste electrical and electronic equipment (WEEE).
The EDPS has not been consulted as required by Article 28(2) of Regulation (EC) No 45/2001. Acting on his own initiative, the EDPS has therefore adopted the current opinion based on Article 41(2) of the same Regulation.
The EDPS has no observations on the general objective of the Proposal and fully supports the initiative taken, which is intended to improve environmental-friendly policies in the area of WEEE.
However, the Proposal, as well as the Directive, focuses solely on the environmental risks related to the disposal of WEEE. It does not take into account other additional risks to individuals and/or organisations that may arise from the operations of disposal, reuse or recycling of WEEE, in particular those related to the likelihood of improper acquisition, disclosure or dissemination of personal data stored in the WEEE.
Relevance of the proposal to data protection: in its opinion, the EDPS underlines that electric and electronic equipment (EEE) is a wide product group that includes a diverse set of media capable to store personal data — such as IT and telecommunications equipment (e.g. personal computers, laptops, electronic communication terminals). Developments in electronic storage media are accelerating rapidly, particularly in relation to storage capacity and size, and therefore market forces cause the turnover of EEE (containing large amounts of, often sensitive, personal data) to accelerate similarly. The results being not only that the WEEE ‘is considered the fastest growing waste stream inthe EU, but also, in the case of inappropriate disposal, that there is an obvious increased risk of loss and dispersion of personal data stored within this type of EEE.
In particular, among the various measures envisaged by the Directive, the EDPS considers it is worth highlighting those designed to reuse or recycle WEEE. These measures may place an obligation on producers to provide disposal in the manner prescribed by the Directive. These operations may present a risk, greater than in the past, that those collecting the WEEE or selling and purchasing the used or recycled devices might become aware of any personal data stored within. Such data can often be sensitive or refer to large numbers of individuals.
For all these reasons, the EDPS considers it urgent for all stakeholders (users and producers of EEE) to be made aware of the risks to personal data, especially in the final stage of the EEE life-cycle. At this stage, although the EEE are economically less valuable, they are likely to contain a largeamount of personal data and therefore likely to have a high ‘intrinsic’ value for the data subject and/or others.
Conclusions and recommendations: the EDPS recommends that data protection authorities, in particular through the Article 29 Working Party, and the EDPS are closely involved in initiatives related to the disposal of WEEE, through consultation at a sufficiently early stage before the development of relevant measures.
Considering the context in which personal data are processed, the EDPS advises that the Proposal should include specific provisions:
- stating that the Directive on WEEE applies without prejudice to Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- prohibiting the marketing of used devices which have not previously undergone appropriate securitymeasures, in compliance with state-of-the-art technical standards in order to erase any personal data they may contain;
- regarding the principle of ‘privacy by design’ or ‘security by design’: as far as possible, privacy and data protection should be integrated into the design of electrical and electronic equipment ‘by default’, in order to allow users to delete — using simple means and free of charge — personal data that may be present on devices in the event of their disposal.