In recent months, customers of the smart card industry have raised the question, whether smart cards and smart card based products (e.g. SIM cards, payment cards, electronic passports, electronic ID cards, health insurance cards) would fall under the scope of the WEEE Directives. The industry is aware of the fact, that at least some Member State authorities, i.e. national WEEE registers, have published opinions indicating that smart cards are in scope of the WEEE Directive, although different interpretations still apply in other Member States. This is raising severe objections within industry and subject matter experts, caused by strong concerns about clearly identifiable security and privacy risks.
In this paper, we discuss this subject from a legal perspective (first chapter), while also considering security and privacy (second chapter) and political aspects (third chapter).
Investigating the legal situation after the first WEEE Directive 2002/96/EC, industry states that smart cards do not fall within the scope of this directive – in line with a former FAQ of European commission. Many arguments are outlined below:
If electrical or electronic parts of smart cards or similar products are mere components of the cards or similar products and not EEE in terms of the WEEE Directive, such cards or products are not within the scope of Category 3 of Annex IA to the WEEE Directive.
· The scope of the WEEE Directive is limited to the categories set out in Annex IA to the WEEE Directive. Whereas Annex IB to the WEEE Directive contains a not exhaustive list of examples, a product is within the scope of the regulation only if it can be assigned to one of the categories according to Annex IA to the WEEE Directive.
· Thus, the scope of the categories cannot be widened by an extensive interpretation of the binding categories according to Annex IA to the WEEE Directive. (cf. German Federal Administrative Court, Ruling of 21 February 2008, Case 7 C 43.07 and Ruling of 23 September 2010, Case 7 C 20.09).
· Against this background smart cards and similar products like electronic passports or health insurance cards are not “IT and telecommunications equipment” as such products are not used for the collection, storage, processing, presentation or communication of information but for other purposes like payment or identification. Moreover, the user of these products has no direct access to the data incorporated and cannot use the card for the purposes mentioned in Annexes IA and IB to the WEEE Directive.
If electrical or electronic parts of smart cards are considered EEE themselves (e.g. chip or RFID tag), the complete smart card product would be exempted from the scope of the WEEE Directive: The card or passport provides additional functionality, which is not dependent on electric currents or electromagnetic fields (e.g. regarding information shown on the card or passport for identification or security purposes like photo, signature, name, address, validity, passport or credit card number). The card or passport therefore is not mere packaging but another product that, in general, does not fall within the scope of the WEEE Directive. EEE being part of such product is exempted from the scope according to Article 2 (1) of the WEEE Directive.
Additionally, the required current demand cannot be assigned to the card, which often acts as a passive device in a respond-functionality only, but to the reading device (ATM, handset, contactless terminal...) exclusively. Note that smart cards do not include batteries, but receive their energy from an external electromagnetic field. Also from this angle, the card is not an electronic device in the definition of EEE.
Industry is convinced that all the above legally holds at until the recast of the current directive. This is based on the assumption that the new Directive 2012/19/EU only applies to EEE that has been within the scope of former Directive 2002/96/EC, i.e. not to smart cards. Looking forward, there are—apart from pure legislation—strong arguments, why smart cards should not fall under the scope of WEEE. This should as well fit in the same manner to (contactless) chips. Following this argument, according to the WEEE Directive from 2012, if the Chip does not fall under the directive, then the smart cards as such does not fall under the Directive either, see the table below:
Smart Cards are in this sense:
|EEE||2002 WEE Directive||2012 WEEE Directive|
|Equipment which is part of another type of equipment that is excluded from or does not fall within the scope of this Directive||Excluded: “the equipment concerned is part of another type of equipment that does not fall within the scope of the Directive”.||Excluded: “Equipment which is specifically designed and installed as part of another type of equipment that is excluded from or does not fall within the scope of this Directive, which can fulfil its function only of it is part of that equipment”.|
Industry develops, produces and markets the products involved in accordance with highest standards to ensure best possible data protection and security features and prevent misuse. Industry is concerned about the idea of consumers disposing of highly sensitive products like credit cards or health cards at WEEE collection facilities.
Industry acknowledges that manufacturers and distributors could implement take-back schemes to ensure both, return of used or waste products and adequate recycling. However, take-back schemes on a one-to-one basis would not eliminate the severe risk of unlawful usage of waste cards. This especially holds true, when considering that – according to the WEEE Directive – distributors will be obliged to take-back waste products originally placed on the market by another manufacturer as long as the latter equipment is of equivalent type and has fulfilled the same functions as the cards supplied by the distributor. Even in this case, the risk of unlawful usage of waste cards cannot be excluded as sensitive waste products will be accessible for an uncontrollable number of persons.
Do we really want staff canteens (in their role as “distributor” of food payment cards) to take back credit cards (seen as an “equipment of equivalent type”)? Do we really want to see piles of health cards at public waste collection points? Data privacy is rightfully deemed as a high value, not only since recent events. The smart card industry is striving to protecting these data in the best possible manner. These efforts should not be made obsolete by opening new security and privacy gaps.
It is also worth mentioning that the inclusion of smart cards would not bring forward the initial environmental goals of WEEE. Smart cards account for a negligible amount of electronic waste only. Yet, in a realistic scenario, even this amount would not be reached by far: Following privacy considerations as mentioned in the previous paragraph, it is presumable that consumers will not return the smart cards even if obliged to protect their private data. Hence, the realistic benefit from an inclusion of smart cards in WEEE would hardly be observable. This needs to be put in comparison to—due to high security requirements—highly cumbersome (and still error-prone) take-back efforts, whose environmental harm would even offset the benefits. For these cases, the legislator might foresee the definition of a certain threshold, below which goods would not need to be registered.
With the advent of multi-application cards, it is worth mentioning that previously clearly separated product classes meanwhile dilute. For example, SIM cards more and more carry credit card functionalities, transit cards include payment functionalities, etc. Hence, a clear and consistent legislation for all smart cards should be targeted. Taking all this into consideration, industry has sought clarification on this topic from the European Commission. The smart card industry is convinced that the task to define EU-wide prerequisites for the disposal of highly sensitive products like smart cards will be carefully assessed by the European Commission taking into consideration full data protection and benefit for the environment, although an official and final feedback is still awaited. The smart card industry will continue to avoid security and privacy risks in the interest of the user—within and beyond the WEEE Directive.