Manufacturers of electronic equipment should be forced to integrate into their devices an easy and free way to delete all personal data, says the European Data Protection Supervisor (EDPS). In addition, the sale of used devices that have not been properly wiped should be prohibited.


On December 3, 2008, the European Commission adopted a proposal aimed at amending the EC Directive of January 27, 2003 on waste electrical and electronic equipment (WEEE). On April 14, 2010, the EDPS, Peter Hustinx, issued an opinion on the proposed changes to the WEEE Directive.


According to the EDPS, the commission proposal focuses solely on environmental risks and does not take into account other additional risks to individuals and organisations associated with the disposal, reuse or recycling of WEEE. The EDPS refers, in particular, to the likelihood of improper acquisition, disclosure and dissemination of personal data stored in the electrical and electronic equipment (EEE), such as personal computers, laptops, and cell phones.


In view of such risks, the EDPS emphasizes the importance of adopting appropriate security measures at every stage of the processing of personal data, including during the phase of disposal or recycling. “It would be inconsistent to introduce the duty to put in place (sometimes costly) security measures in the ordinary course of processing operations of personal data … and then simply omit to consider the introduction of adequate safeguards regarding the disposal of the WEEE.”


Those in charge of WEEE disposal operations are in a position to make autonomous decisions regarding the data held on the EEE and could be considered data controllers under the applicable data privacy laws. They are therefore required to comply with security obligations to prevent improper disclosure of personal data and should adopt appropriate policies for disposal of WEEE containing such data. Where data controllers disposing of WEEE do not have the required skills and/or technical know-how to erase the personal data, they should entrust this task to qualified third-party processors (e.g. assistance centers, manufacturers, or distributors).


In addition, the EDPS recommends that manufacturers of EEE be forced by law to integrate privacy and data protection into the design of electrical and electronic equipment “by default,” in order to allow users to delete—using simple, free of charge means—personal data that may be present on devices, in the event of their disposal.


Finally, the EDPS recommends that legislators prohibit the marketing of used devices which have not previously undergone appropriate security measures in compliance with state-of-the-art technical standards, in order to erase any personal data they may contain.


 
