IT and data

Cyber-Surveillance Technology and Export Control – changes on the horizon - part 1

Published on 15th Feb 2017

A serial guide to the proposed changes to the export control regime for tech, media and comms businesses in Europe.

The European Commission (“Commission”) proposed (COD No 2016/0295) a significant modernisation of the European dual-use export control regime in the form of a recast of the European Regulation (EC) 428/2009 (“Dual Use Regulation”). The Commission suggests that the export of cyber-surveillance technology should be controlled stricter and aims to prevent “the misuse of digital surveillance and intrusion systems that results in human rights violations”. Updated legislation appears to be necessary as existing legal framework does not provide sufficient control over cyber-surveillance technologies The Commission’s clear approach to safeguard human rights has not been reflected in the current state of play for dual-use items exports. Additionally, the revision of catch-all clauses and the introduction of a new part of Annex I and a continuously updated list of controlled dual use items make it increasingly difficult for exporters to stay compliant with the rules and provisions of the Dual Use Regulation. The proposed changes primarily involve the digital industry and should create a significant awareness to the upcoming changes.

Proposal of the Commission

The Commission proposed in particular

  1. to add and clarify that “cyber-surveillance technology which can be used for the commission of serious violations of human rights or international humanitarian law, or can pose a threat to international security or the essential security interests of the Union and its Member States” is a dual-use item
  2. to define cyber-surveillance technology as “items specially designed to enable the covert intrusion into information and telecommunication system with a view to monitoring, extracting, collecting and analysing data and/or incapacitating or damaging the targeted system.”
  3. to add to Annex I of the Dual Use Regulation a list of cyber-surveillance technologies which have to be controlled in case of exporting
  4. to expand the catch-all system to not listed dual-use items, including cyber-surveillance technologies
  5. to improve the co-operation between the members of the European Union with a continuously updated list of dual-use items which have to be controlled independent of Annex I

Reasons for the proposal

The global crisis on the humanitarian and security situation is the main reason for the proposal of the Commission. The export of cyber-surveillance technology which could be misused for committing serious human rights violations, including surveillance software should be controlled stricter: A strict and comprehensive control of cyber-surveillance technologies appears to contribute to the protection of human rights globally in a more efficient manner.

The proposal is a result of a longer preceding discussion in the European Union, which found its origin in the use from cyber-surveillance technologies during the Arab Spring protests by Egypt and Morocco. Also the German Bundestag discussed in December 2015 in the Committee of Digital Agenda what role exporting cyber-surveillance technology does play in case of the abuse of human rights (for details, including expert opinions click here).

In this part 1 of our analysis, we will focus on the points 1 to 3 of the list above:

1 Cyber-surveillance technology: now clearly a Dual-use item

The legal framework for export control of dual-use items is governed by the Dual Use Regulation, which is directly applicable and takes priority over domestic law of the member states. In general, according to the Dual Use Regulation dual-use items are such items (including software and technology) which can be used for both civil and military purposes. Annex I of the Dual Use Regulation provides for a list of dual use items which are subject to export control and require an authorisation before being exported from the European Union to a non-member state. The list in Annex I is very comprehensive and provides for different categories of items. By contrast, cyber-surveillance technology as such is currently not individually defined, and, therefore, not listed as a dual-use item in Annex I. The proposal now makes clear that sensitive cyber-surveillance technology definitely is dual-use technology within the meaning of the Dual Use Regulation and lays down this principle in a new definition of dual-use items:

Article 2

For the purposes of this Regulation:

‘dual-use items’ shall mean items, including software and technology, which can be used for both civil and military purposes, and shall include:

(a) […]

(b) cyber-surveillance technology which can be used for the commission of serious violations of human rights or international humanitarian law, or can pose a threat to international security or the essential interests of the Union and its Member States.

 

Consequently, the proposal hereby reflects the continuous development of digital technology.

2 Defining cyber-surveillance technology

In addition to the revised definition of dual-use items, the proposed Dual Use Regulation also provides for a detailed definition of cyber-surveillance technology itself. Cyber-surveillance technologies are all digital technologies and products which can be used for data monitoring, data analysing and data interception systems. In detail:

Article 2

For the purposes of this Regulation:

[…]

‘cyber-surveillance technology’ shall mean items specially designed to enable the covert intrusion into information and telecommunication systems with a view to monitoring, extracting, collecting and analysing data and/or incapacitating or damaging the targeted system. This includes items related to the following technology and equipment:

(a) mobile telecommunication interception equipment;

(b) intrusion software;

(c) monitoring centers;

(d) lawful interception systems and data retention systems;

(e) digital forensics.

Although this list is non-exhaustive it has to be noted that it has been significantly shortened in comparison to a leaked draft of the Commission’s proposal for the re-cast of the Dual Use Regulation, which at the time listed also biometrics, location tracking devices, probes and deep package inspection (DPI) systems.

3 Modifying Annex I

Currently, Annex I of the Dual Use Regulation provides for a list sub-divided into 9 categories reflecting such dual-use items which are subject to export control. Cyber-surveillance technology has not been listed yet, neither was it a separate category imposed to catch those items. Consequently, the Commission now proposed to split the Annex I into two sub-divisions A and B, of which A reflects the existing categories, whereas the Commission added in B a new category named Category 10 (“other items of cyber-surveillance technology”). This category is supposed to include surveillance systems, equipment and components for Information and Communication Technology (ICT), for public networks and software which is suitable for creating and using those surveillance systems, equipment and components. By addition of Category 10 the Commission inserted specific surveillance items, which are mainly used by intelligence agencies, in particular:

surveillance systems, equipment and components for ICT (Information and Communication Technology) for public networks where the destination lies outside the customs territory of the European Union and outside of Part 2 of Section A of Annex II to this Regulation (e.g. Australia, Canada, Iceland, Japan, New Zealand, Norway, Switzerland, Liechtenstein, United States of America), and namely:

a) Monitoring Centres (Law Enforcement Monitoring Facilities) for Lawful Interception Systems (LI, for example according to ETSI ES 201 158, ETSI ES 201 671 or equivalent specifications or standards) and specially designed components therefor,

b) Retention systems or devices for event data (Intercept Related Information IRI, for example, according to ETSI TS 102 656 or equivalent specifications or standards) and specially designed components therefor.

Finally, software specially designed or modified for the development, production or use of equipment, functions or features specified in the above is listed in Category 10. The items in Category 10 are unlike the items caught by the definition of Cyber Surveillance Technology not covered by other exported related agreements such as the Wassenaar Arrangement. Therefore, they have been introduced as new items.

Outlook

The next step during the legislative procedure is serving the proposal on the European Parliament and on the European Council. After that, both the European Parliament and the European Council make the final decision together whether the Regulation will be amended. It is expected that the changes would not be realised as legislation prior to the beginning of 2018.

The changes to the Dual Use Regulation in the Commission’s proposal are significant and demonstrate a step forward in the reflection of new technologies in the export sector. The risk of a misuse of cyber surveillance technology in violation of human rights and threatening the digital infrastructure of individuals, entities or other organisations in the European Union is likely to be controlled by a much stricter system of export control.

Manufacturers and exporters of the cyber surveillance technology and its components are strongly advised to review their export compliance systems as to the proposed changes and also have a clear view on their supply and delivery chains. Although a period of almost two years for the proposed changes to come into legislation – if not amended during the legislative process – seems to be long, it is yet a short period to review, amend and implement process changes in a larger organisation.

In the second part of our analysis, we will discuss the Commission’s proposal to expand the existing system of catch-all clauses, which revision is of significant concern to exporters as it includes human rights criteria. In itself one of the main aspects of the modernization of the Dual Use Regulation, however, is a risk to create legal uncertainties for exporters. Further, we will explain the Commission’s proposal for an improved co-operation between the member states and maintaining a continuously updated list of dual-use items which have to be controlled. Finally, we will give examples how the new regime would treat existing exporter’s cases.

Follow
Interested in hearing more from Osborne Clarke?
Register now for more insights, news and events from across Osborne Clarke
Sign up
Related articles
Dutch Data Protection Authority issues new guidance and steps up cookie-banner supervision
15/02/2024 4 mins
Data protection law challenges in Europe when using AI services
06/02/2024 3 mins
DORA – New EU cybersecurity law for Crypto
31/01/2024 5 mins
UK Binding Corporate Rules: are updates a reason to reconsider the 'gold standard' transfer tool?
24/01/2024 5 mins

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.

Connect with one of our experts

Interested in hearing more from Osborne Clarke?
Register now for more insights, news and events from across Osborne Clarke
Sign up