Security risks of new WEEE Directive?

Yesterday, the European Data Protection Supervisor (EDPS) adopted an opinion on the European Commission's proposal to recast the WEEE Directive (Directive on waste electrical and electronic equipment). This proposal is currently being discussed in the European Parliament and Council.

According to this press release of the European Commission, the EDPS supports the proposal's objective to improve environmentally friendly policies in the area of e-waste, but points out that the initiative focuses only on the environmental risks related to the disposal of WEEE and does not take into account the data protection risks that may arise from its inappropriate disposal, reuse or recycling.

According to the EDPS, these risks exist in particular when personal data relating to the users of the devices and/or third parties remain stored in IT and telecommunications equipment (e.g. personal computers, laptops) at the time of disposal.

In view of such risks, the EDPS emphasizes the importance of adopting appropriate security measures at every stage of the processing of personal data, including during the phase of disposal of devices containing personal data. The principle of "privacy by design" or, in this area, "security by design" should also be included in the proposal to ensure that privacy and security safeguards are integrated by default into the design of electrical and electronic equipment.

The EDPS recommends that the legislators:

  • integrate privacy and data protection into the design of electrical and electronic equipment "by default" as far as possible, in order to allow users to delete – using simple, free of charge means – personal data that may be present on devices in the event of their disposal.
  • prohibit the marketing of used devices which have not previously undergone appropriate security measures, in compliance with state-of-the-art technical standards, in order to erase any personal data they may contain.

Text of opinion (pdf) of the EDPS