Digital Product Passports: Navigating Data Protection and Privacy

Digital Product Passports (DPPs) are digital records of data kept throughout a product’s life cycle. The EU plans to use them to illustrate a product’s sustainability, environmental, and recyclability attributes. 

Currently, DPPs are being scoped for sustainability and environmental initiatives falling under the “circular economy” umbrella. This initiative looks to transform production, consumption, and use of products to minimize. 

Here’s a look at what DPPs are and how they relate to data protection and privacy. 

The EU’s roadmap for Digital Product Passports

The EU’s roadmap for DPPs lies in several policies initiated under the European Green Deal (EGD), which aims to help Europe reach “net zero” emissions by 2050.  

The Circular Economy Action Plan (CEAP), in force since March 2020, details the EU’s circular economy strategy and contains goals for product sustainability and helping consumers make informed decisions.  

Under the CEAP, several industries will face new sustainability regulations, including: 

• The Ecodesign for Sustainable Products Regulation (ESPR), which sets guidelines and benchmarks on the durability, reusability, resource efficiency, and carbon footprints of products. 
• The EU Strategy for Sustainable and Circular Textiles, which focuses on improving the circularity of textiles by improving longevity and durability and increasing the ease of repair and recycling. 
• The Construction Products Regulation (CPR), which focuses on ensuring construction products abide by safety and environmental criteria. 
• The (New) EU Battery Regulation, which aims to ensure batteries are sustainable, safe, and recyclable. 

The EU plans to support partner countries and engage in open dialogue with other nations to ensure collaboration with DPP regulations. 

How do Digital Product Passports work?

A DPP is essentially a digital twin of a physical product that securely records sustainability-based data, events, and transactions throughout the product’s life cycle. The digital twin can be linked to the product via a QR code or barcode, making the product’s DPP accessible via an app. 

The current legislation focuses on collecting data to provide a full picture of a product’s sustainability, recyclability, and circularity. However, many other data categories can be collected and shared. 

Ultimately, DPPs could provide parties like manufacturers, consumers, and recyclers with a full audit trail of a product’s life. The technology is still developing, so as more businesses understand its potential, the opportunities and uses of DPPs will continue to grow. 

What are the requirements for a Digital Product Passport under EU law?

The ESPR outlines several requirements for DPPs: General requirements, access requirements, and data requirements. 

• General requirements include that the DPP must be provided free of charge by the manufacturer, must be interoperable with other passports, and must remain available for at least the expected lifetime of the product. 
• Access requirements require that access should be granted through a unique product identifier embedded in a data carrier. A copy of this data carrier should also be available to dealers and online marketplaces.  
• Data requirements state that the unique product identifier should be created and issued in accordance with specific standards. The DPP should also include a link to the EU digital product passport registry of all unique identifiers and a copy should be uploaded to the EU web portal. 

How will data be shared in a Digital Product Passport system?

DPPs will require flexible data-sharing solutions because a large number of stakeholders with varying needs participate in value chains. Many parties will have access to a DPP based on varying permissions and access rights. Some of these actors include: 

• Customers 
• Manufacturers 
• Importers 
• Repairers 
• Recyclers 
• Market surveillance authorities 

The EU has ensured data security and privacy are at the heart of DPP design. Current proposals categorize data stored within the DPP as public or private, and the European Commission will define permissions to access, modify, or update data. 

What are the data protection and privacy issues with Digital Product Passports?

The DPPs are intended to improve traceability and transparency, with implementation ideally involving trusted third parties. However, since consumers are the final link in the supply chain, their privacy rights must be considered. 

Consumers will be able to access information through QR codes and near-field communication. To improve customer experience, some companies might use the data to send personalized promotions. 

• Each data processing operation, from collection to storage, will require a specific legal basis under the GDPR.  
• The GDPR’s principles, particularly data minimization, must be respected.  
• The GDPR’s rules on international data transfers also continue to apply. 
• As for data security, QR codes must be encrypted, and data must only be transmitted via a secure connection. Temporary tokens could be generated to represent real data.  

The ESPR also notes that personal data of customers should not be stored in the digital product passport. Further, any processing of personal data must comply with applicable data protection rules, specifically the GDPR and Regulation (EU) 2018/1725 (the data protection law for EU institutions). 

Ultimately, ensuring GDPR compliance while leveraging the benefits of DPPs will be crucial for their success and acceptance by consumers. 

Balancing data protection, consumer protection, and sustainability

Like other developing areas of technology, like AI, policymakers and industry leaders will need to navigate the sometimes conflicting imperatives of advancing technology, ensuring sustainability, and maintaining strong data protection standards. 

But new technologies and social objectives can co-exist with data protection and privacy. DPPs are a relatively new concept, and organizations in the EU have an opportunity to build in data protection by design and by default to maximize the benefits of DPPs for consumers, businesses, and society as a whole.