16.10.2010   

EN

Official Journal of the European Union

C 280/16

1.

On 3 December 2008 the Commission adopted a Proposal for a Directive of the European Parliament and of the Council on waste electrical and electronic equipment (WEEE) (hereinafter ‘the Proposal’) (1). The Proposal aims to recast Directive 2002/96/EC on waste electrical and electronic equipment (WEEE) adopted on 27 January 2003 (hereinafter ‘the Directive’) (2) without changing either the drivers or the rationale for collecting and recycling WEEE.

2.

The EDPS has not been consulted as required by Article 28(2) of Regulation (EC) No 45/2001 (3). Acting on his own initiative, the EDPS has therefore adopted the current opinion based on Article 41(2) of the same Regulation. The EDPS recommends that a reference to this opinion is included in the preamble of the Proposal.

3.

The EDPS is aware that this advice comes at a late stage in the legislative process but nevertheless considers it appropriate and useful to issue this opinion, since the Proposal raises significant data protection issues not addressed in the text. This opinion is not meant to modify the main and predominant purpose and content of the Proposal, whose ‘centre of gravity’ (4) remains in the protection of the environment, but only to bring an additional dimension which is becoming increasingly important to our information society (5).

4.

The EDPS, also aware of the limited scope of the recasting procedure, nevertheless urges the legislator to take these recommendations into account in accordance with Article 8 of the Interinstitutional Agreement on the recasting procedure (which provides for the possibility of amending unchanged provisions) (6).

5.

The purpose of the Proposal is to update the existing Directive relating to the disposal, reuse and recycling of WEEE. Technical, legal and administrative problems in the first years of implementation of the Directive have led to the Proposal, as was foreseen under Article 17(5) of the Directive.

6.

Electric and electronic equipment (EEE) is a wide product group that includes a diverse set of media capable to store personal data — such as IT and telecommunications equipment (e.g. personal computers, laptops, electronic communication terminals) — characterised in the present techno-economic context by increasingly fast innovation cycles and, due to technological convergence, by the availability of multi-purpose devices. Developments in electronic storage media are accelerating rapidly, particularly in relation to storage capacity and size, and therefore market forces cause the turnover of EEE (containing large amounts of, often sensitive, personal data) to accelerate similarly. The results being not only that the WEEE ‘is considered the fastest growing waste stream in the EU’ (7), but also, in the case of inappropriate disposal, that there is an obvious increased risk of loss and dispersion of personal data stored within this type of EEE.

7.

For a long time the European Union's policies on the environment and sustainable development have been aimed at reducing waste of natural resources and introducing measures to prevent pollution.

8.

The disposal, reuse and recycling of WEEE are included within this framework. These measures seek to prevent the disposal of electrical and electronic equipment along with mixed waste, placing an obligation on producers to provide disposal in the manner prescribed by the Directive.

9.

In particular, among the various measures envisaged by the Directive, it is worth highlighting those designed to reuse (i.e. any operation by which WEEE or components thereof are used for the same purpose for which they were conceived, including the continued use of the equipment or components thereof which are returned to collection points, distributors, recyclers or manufacturers), recycle (i.e. the reprocessing in a production process of the waste materials for the original purpose or for other purposes) and find other forms of recovery of WEEE so as to reduce the disposal of waste (see Articles 1 and 3(d) and (e) of the Directive).

10.

These operations, in particular the reuse and recycling of the WEEE, especially IT and telecommunications equipment, may present a risk, greater than in the past, that those collecting the WEEE or selling and purchasing the used or recycled devices might become aware of any personal data stored within. Such data can often be sensitive or refer to large numbers of individuals.

11.

For all these reasons, the EDPS considers it urgent for all stakeholders (users and producers of EEE) to be made aware of the risks to personal data, especially in the final stage of the EEE life-cycle. At this stage, although the EEE are economically less valuable, they are likely to contain a large amount of personal data and therefore likely to have a high ‘intrinsic’ value for the data subject and/or others.

12.

The EDPS has no observations on the general objective of the Proposal and fully supports the initiative taken, which is intended to improve environmental-friendly policies in the area of WEEE.

13.

However, the Proposal, as well as the Directive, focuses solely on the environmental risks related to the disposal of WEEE. It does not take into account other additional risks to individuals and/or organisations that may arise from the operations of disposal, reuse or recycling of WEEE, in particular those related to the likelihood of improper acquisition, disclosure or dissemination of personal data stored in the WEEE.

14.

It is important to note that Directive 95/46/EC (8) applies to ‘any operation or set of operations which is performed upon personal data’, including their ‘erasure or destruction’ (Article 2(b)). Disposal of EEE can involve data processing operations. For this reason there is an overlap between the Proposal and the just mentioned Directive, and as such data protection rules could apply to activities covered by the Proposal.

15.

The EDPS intends to highlight the significant risks that may affect individuals and/or organisations acting as ‘data controllers’ (9) where the WEEE, particularly IT and telecommunications equipments, contain personal data relating to the users of those devices and/or third parties at the time of disposal. The unlawful access to or disclosure of such personal information, sometimes consisting of special categories of data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life (so called ‘sensitive data’) (10), are indeed capable of affecting the privacy and dignity of the persons to whom the information relates, as well as other legitimate interests of those individuals/organisations (e.g. economic ones).

16.

In general terms, the EDPS considers it necessary to emphasise the importance of the adoption of appropriate security measures at every stage (from beginning to end) of the processing of personal data, as repeatedly stated in other opinions (11). This applies a fortiori in the delicate phase in which the data controller intends to dispose of devices containing personal data.

17.

Indeed, the respect of security measures is often a pre-condition in order to effectively guarantee the right to the protection of personal data.

18.

It would therefore be inconsistent to introduce the duty to put in place (sometimes costly) security measures in the ordinary course of processing operations of personal data (as envisaged by Article 17 of Directive 95/46/EC, when applicable (12)) and then simply omit to consider the introduction of adequate safeguards regarding the disposal of the WEEE.

19.

It would be similarly inconsistent to give importance to the issue of data security to the extent that data breach notification had to be introduced via Article 3 of Directive 2009/136/EC (13) and then not provide any guarantee or safeguard during the disposal of WEEE as well as in the event of WEEE reuse or recycling.

20.

The EDPS regrets that the Proposal does not take into account the potentially damaging effects of the WEEE disposal on the protection of personal data stored in ‘used’ equipment.

21.

This aspect was also not considered in the impact assessment made by the Commission (14) although experience has shown that failing to take appropriate security measures in case of WEEE disposal could jeopardise the protection of personal data (15). Due to the complexity of the issues involved (for example the multitude of legitimate methods, technologies and stakeholders in the disposal cycle of the WEEE), the EDPS considers that it would have been appropriate to carry out a ‘privacy and data protection impact assessment’ on the processes related to WEEE disposal.

22.

Nevertheless, the EDPS strongly advises that ‘Best Available Techniques’ for privacy, data protection and security in this area should be developed.

23.

As further evidence, during the public consultation prior to the recast of the Directive, issues relating to the security and protection of personal data have sometimes been raised by stakeholders, particularly IT and electronic communications companies (16).

24.

Finally, it is worth highlighting that some national data protection authorities have published guidelines to minimise the risks which may result from failure to take the necessary security measures, particularly at the disposal of materials subject to the application of the Directive (17).

25.

The EDPS reiterates that Directive 95/46/EC is applicable at the disposal stage of the WEEE containing personal data. Data controllers — in particular those using IT and communications devices — are therefore required to comply with their security obligations to prevent the improper disclosure or dissemination of personal data. To this end and in order not to be held liable for the breach of security measures, the data controller in the public or private sector, with the cooperation of the data protection officers (where present), should adopt appropriate policies for disposal of WEEE containing personal data.

26.

Where data controllers disposing of EEE do not have the required skills and/or technical know-how to erase the personal data concerned, they could entrust this task to qualified processors (e.g. assistance centres, equipment manufacturers and distributors) under the conditions provided in Article 17(2), (3) and (4) of Directive 95/46/EC. These processors will in turn certify the performance of the operations in question and/or undertake them.

27.

Due to these considerations, the EDPS comes to the conclusion that the recast of the Directive should add data protection principles to the provisions dedicated to the protection of the environment.

28.

The EDPS therefore recommends the Council and the European Parliament to include a specific provision in the current Proposal stating that the Directive applies to the disposal of WEEE without prejudice to Directive 95/46/EC.

29.

Being in a situation allowing autonomous decisions regarding the data held on the EEE, those in charge of disposal operations could be considered as ‘data controllers’ (18). They must therefore adopt internal procedures to avoid unnecessary processing operations on any personal data stored in the WEEE, namely other operations than those strictly necessary to verify the effective elimination of the data contained therein.

30.

Moreover, they must not allow unauthorised individuals to gain knowledge of or process data stored on EEE. In particular, when storage media are recycled or reused, and thus re-enter the market, there is an increased risk of improper disclosure or dissemination of personal data, as well as a need to prevent unauthorised access to personal data.

31.

The EDPS therefore recommends that the Council and the European Parliament include a specific provision in the current Proposal to prohibit the marketing of used devices which have not previously undergone appropriate security measures, in compliance with state-of-the-art technical standards (for example multi-pass overwriting), in order to erase any personal data they may contain.

32.

The forthcoming legal framework on e-waste should not only include a specific provision regarding the wider ‘eco-design principle’ of the equipment (see Article 4 of the Proposal regarding ‘Product design’) but also — as previously stated in other EDPS’ opinions (19) — one regarding the principle of ‘Privacy by design’ (20) or, more precisely in this area, ‘security by design’ (21). As far as possible, privacy and data protection should be integrated into the design of electrical and electronic equipment ‘by default’, in order to allow users to delete — using a simple means and free of charge — personal data that may be present on devices in the event of their disposal (22).

33.

This approach is clearly supported by Article 3.3(c) of Directive 1999/5/EC (23) concerning the design of radio and telecommunications terminal equipment and by Article 14(3) of the Directive 2002/58/EC (24).

34.

Therefore, producers should ‘build in’ privacy and security safeguards via technological solutions (25). In this framework, initiatives aimed at advising those concerned of the need to erase any personal data before the disposal of WEEE (including producers making free software available for this purpose) should also be fostered and supported (26).

35.

In consideration of the above, the EDPS recommends that data protection authorities, in particular through the Article 29 Working Party, and the EDPS are closely involved in initiatives related to the disposal of WEEE, through consultation at a sufficiently early stage before the development of relevant measures.

36.

Considering the context in which personal data are processed, the EDPS advises that the Proposal should include specific provisions:

37.

The EDPS strongly recommends, therefore, that the Proposal is amended, in line with Directive 95/46/EC, as follows:

—   recital 11:

—   Article 2(3):

38.

In addition, the EDPS considers it appropriate that the following amendments should be taken into consideration:

—   Article 4(2):

—   Article 8(7):

—   Article 14(6):