The European Data Protection Supervisor (EDPS) Peter Hustinx regulates EU organisations' privacy practices and advises on policy and legislation. He has published an opinion on planned changes to EU waste laws.
Hustinx said that the European Commission should have considered the data protection and privacy risks of the re-use and dumping of electronic goods right from the outset of its plan to revise waste laws.
The Commission has said it will revise the Waste Electrical and Electronic Equipment (WEEE) Directive to solve technical, administrative and legal problems in the law, which forces producers and retailers of electronic goods to take more responsibility for their disposal and recycling.
Hustinx said that he should have been consulted as part of this process, and that the whole revision should take account of privacy concerns from the outset.
"In the case of inappropriate disposal, that there is an obvious increased risk of loss and dispersion of personal data stored within this type of EEE," his opinion said.
"The reuse and recycling of the WEEE, especially IT and telecommunications equipment, may present a risk, greater than in the past, that those collecting the WEEE or selling and purchasing the used or recycled devices might become aware of any personal data stored within," he said. "Such data can often be sensitive or refer to large numbers of individuals."
"The EDPS considers it urgent for all stakeholders (users and producers of EEE) to be made aware of the risks to personal data, especially in the final stage of the EEE life-cycle," said the opinion.
The opinion said that all existing data protection efforts would be wasted if they are not extended to the disposal or re-use of goods.
"It would … be inconsistent to introduce the duty to put in place (sometimes costly) security measures in the ordinary course of processing operations of personal data … and then simply omit to consider the introduction of adequate safeguards regarding the disposal of the WEEE," it said.
Hustinx said that the EU Commission should explicitly state that the Data Protection Directive applies to those operating WEEE disposal schemes or systems, and that anybody in "a situation allowing autonomous decisions regarding the data" on machines should be considered a data controller under that Directive, a designation which gives that person clearly defined responsibilities.
The opinion also demands that manufacturers change the way that machines are made. "Privacy and data protection should be integrated into the design of electrical and electronic equipment 'by default', in order to allow users to delete – using a simple means and free of charge − personal data that may be present on devices in the event of their disposal," it said.
"It is important to take into account the potentially damaging effects of WEEE disposal on the protection of personal data stored in used equipment," said Hustinx in a statement. "Respect for security measures and a 'privacy by design' approach should be seen as essential pre-conditions in order to effectively guarantee the right to the protection of personal data".