Convergence in action: ESG, data protection and AI

In my last post of 2025, I discussed Convergence - in this context, the idea that topics often dealt with in isolation are best understood and addressed together.

A call I had last week with connections in the UK alerted me to re-visit my Fibres trend radar where you can join the dots and see that the huge growth of AI is colliding with the circular economy, and the fallout is significant. A 2024 signal from MIT Technology Review warns that GenAI e-waste could reach 5 million metric tons by 2030.

Typically, we frame this as an environmental issue, in fact I did plot it in this way on my radar. But a deeper look suggests it is actually a "lifecycle data" problem and what's coming from the EU is about to change how companies will procure hardware.

The EU Digital Product Passport (DPP) is forcing a convergence between physical chips and digital accountability. The DPP is a digital record mandated by the EU's Ecodesign for Sustainable Products Regulation (ESPR) that will provide sustainability, circularity, and compliance data for physical products sold in the EU. It will become mandatory from the beginning of 2027 for priority product groups, with a full rollout expected by 2030.

The DPP will be just like our own passports when we travel - creating a history of our movements, but in this case the DPP travels with every server rack and GPU throughout its life. It will record origin, material composition, repair history, and carbon footprint, and I think it's going to have a huge impact on companies needing to demonstrate accountability. They won't be able to just dispose of old hardware when it's end-of-life. The Passport will create a permanent, auditable chain of custody. By 2030, if your hardware doesn't have a clean digital record of where it's been, it potentially becomes a toxic liability on your company's balance sheet. This image is GenAI's impression of how the DPP works for a blade server:

How will companies survive in a world where every piece of hardware waste will be tracked? Well, they might want to consider stop creating the waste!

There's been quite a bit of coverage (such as this article from last month) saying that 3-year-old AI chips are obsolete. Hyperscalers refresh their hardware every 3 years in order to train the next model. And in this respect, there's a technology trend on the radar that reveals that a GPU that is too slow for training say, GPT-5, is still powerful enough for inferencing (running) enterprise apps.

The EU's DPP incentivises companies to recognise and exploit this compute power, so instead of disposing of the asset (and detailing the waste disposal in the Passport), there are opportunities to resell it to the mid-market.

I mentioned above that e-waste is not just an environmental issue, companies need to be mindful of data obligations because the DPP requires granular, hardware lifecycle data. You can't just claim you are sustainable - the Passport requires you to prove this.

• How much embodied carbon was saved by refurbishing this rack?

• What is the exact material recovery rate?

The call I had last week with Ren and his team at InformU was an eye-opener, because I got the impression that they were making headway to tackling this very challenge. They have an ESG tool capable of quantifying these carbon impacts, and it's not just another "nice-to-have" reporting utility. It can generate the data that allows the Passport to be stamped "verified." It's no longer about talking a good ESG game with nothing to back it up.

There are some friction points though, in particular data security. It's common these days for CISOs to stipulate physically shredding functional drives because of concerns around wiping, but you can’t verify the circularity of a shredded drive in a Digital Passport. This "shred-first" mentality is an issue because in order to make the Passport work, the industry must converge on certified data sanitisation, i.e. proving that a device is secure and clean so it can be re-used. And in case you want to know the right terms to use, especially if you interchange deletion and erasure, take a look at this infographic I made last year:

Purpose and Means is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations providing services with flexibility and a slightly different approach to the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get sense of what we do.

We are experienced in working with data protection leaders and their teams in addressing troubled projects, programmes and functions. Feel free to book a call if you wish to hear more about how we can help you improve your work.