Old computers and mobile phones that people have thrown away to be re-used or recycled are often not thought of again by their owners, but in fact they still may have very sensitive personal data on them that can often be worth a lot more to criminals than the recyclable materials contained in the device.
On Thursday, the European Data Protection Supervisor, Peter Hustinx, warned that the European Commission's current proposal to recast an old directive on e-waste - the WEEE directive, for 'waste electrical and electronic equipment' - was focussing only on the environmental considerations of junking old equipment, and had entirely forgotten about the threat to data left on laptops and PCs by their original owners.
The commission's proposal and the existing directive "focus solely on the environmental risks related to the disposal of e-waste," said Mr Hustinx. "It does not take into account other additional risks to individuals or organisations that may arise from the operations of disposal, reuse or recycling of e-waste, in particular those related to the likelihood of improper acquisition, disclosure or dissemination of personal data."
The supervisor went on to say that the amount of data storable on such devices has accelerated rapidly in recent years, and so the threat of loss of such data at the point of recycling or re-using had also accelerated.
"This may present a risk, greater than in the past, that those collecting the WEEE or selling and purchasing the used or recycled devices might become aware of any personal data stored within. Such data can often be sensitive or refer to large numbers of individuals."
The supervisor added that it was "urgent" that both stakeholders and the EU legislative process take into account this back-end risk to data privacy.
At the final stage of the electronic goods life-cycle, while economically less valuable, they are likely to contain a large amount of personal data and therefore likely to have a high intrinsic value.
It would therefore be inconsistent to introduce the duty to put in place (sometimes costly) security measures in the ordinary course of processing operations of personal data and then simply omit to consider the introduction of adequate safeguards regarding the disposal of the e-waste.
Hard drives can easily be salvaged and then sold on to organized criminals, who then access the data held on the drives: the personal files left on the computers by the original owners, from information on their sex lives to credit card numbers and account information.
In view of such risks, the supervisor emphasises the importance of adopting appropriate security measures at every stage of the processing of personal data, including during the phase of disposal of devices.
Specifically, Mr Hustinx makes two recommendations to EU legislators.
He wants to see the new legislation integrate privacy and data protection into the design of electrical and electronic equipment "by default", in order to allow users to delete – using simple, free of charge means – personal data that may be present on devices when they want to get rid of them.
He also hopes legislators will include language prohibiting the marketing of used devices which have not previously undergone appropriate security measures in order to erase any personal data they may contain.