A proposed amendment to the directive of the European Parliament on waste electrical and electronic equipment (WEEE) could see built-in privacy and security safeguards.
European data protection supervisor (EDPS) Peter Hustinx claimed that producers should ‘build in' privacy and security safeguards via technological solutions.
Point ten of the opinion claims that those collecting equipment, or selling and purchasing used or recycled devices may ‘become aware of any personal data stored within' and ‘such data can often be sensitive or refer to large numbers of individuals'.
Hustinx said: “For all these reasons, the EDPS considers it urgent for all stakeholders (users and producers of EEE) to be made aware of the risks to personal data, especially in the final stage of the EEE lifecycle. At this stage, although the EEE are economically less valuable, they are likely to contain a large amount of personal data and therefore likely to have a high ‘intrinsic' value for the data subject and/or others.”
Hustinx claimed that as far as possible, privacy and data protection should be integrated into the design of electrical and electronic equipment by default in order to allow users to delete – using a simple means and free of charge − personal data that may be present on devices in the event of their disposal.
Referring to the forthcoming legal framework on e-waste, he said it should not only include a specific provision regarding the wider ‘eco-design principle' of the equipment but also one regarding the principle of ‘privacy by design' or, more precisely in this area, ‘security by design'.
He further said that he regrets that the proposal does not take into account the potentially damaging effects of the WEEE disposal on the protection of personal data stored in used equipment.
He said: “This aspect was also not considered in the impact assessment made by the Commission, although experience has shown that failing to take appropriate security measures in case of WEEE disposal could jeopardise the protection of personal data.
“Due to the complexity of the issues involved (for example the multitude of legitimate methods, technologies and stakeholders in the disposal cycle of the WEEE), the EDPS considers that it would have been appropriate to carry out a ‘privacy and data protection impact assessment' on the processes related to WEEE disposal.”