Upcoming changes to bring cyber-surveillance technology within EU export control regime
Published on 2nd Mar 2017
The European Commission has published a draft Proposal to modernise the European dual-use export control regime. The Proposal, which recasts and refreshes European Regulation (EC) 428/2009 (the Dual Use Regulation), follows mounting pressure on the Commission to:
- harmonise controls across the EU;
- simplify and upgrade the administration of dual-use exports; and
- introduce a ‘human security’ dimension to the export licensing regime, including tighter controls on cyber-surveillance technology, particularly “the misuse of digital surveillance and intrusion systems that results in human rights violations”.
Although the changes ease the regulatory headache felt by exporters in a range of areas, the Proposal increases the compliance burden faced by manufacturers and exporters of cyber surveillance technologies, who should take steps now to review their existing export compliance systems and policies against the Proposal.
Without considering the implications in further detail businesses risk exporting sensitive dual-use items without the necessary authorisations in place (which could have serious implications including financial penalties, interruption of trade and reputational damage). In this article we look at the background to the changes, review them in further detail and see what they mean for businesses.
Reasons behind the Proposal
The Commission has for several years been involved in an extensive consultation about modernising the European dual-use export control system. During this time it has become increasingly clear that the EU dual-use export control regime should be upgraded to control the export of cyber-surveillance technology which could be misused for committing serious human rights violations, including surveillance software more tightly. According to the Commission, a strict and comprehensive control of cyber-surveillance technologies will contribute to the protection of human rights globally in a more efficient manner.
The abuse of human rights in this area is a discussion that has risen to particular recent prominence as a result of the use of EU-origin cyber-surveillance technologies during the Arab Spring protests since 2010. More recently, in December 2015 the German Bundestag discussed in the Committee of Digital Agenda what role exporting cyber-surveillance technology plays in cases of human rights abuse (for details, including expert opinions, see here (in German)).
Against this background, the Commission has proposed the following key changes:
- clarify that cyber-surveillance technology is a dual-use item;
- define cyber-surveillance technology;
- add to Annex I of the Dual Use Regulation a list of cyber-surveillance technologies which have to be controlled in case of exporting;
- to expand the catch-all system to non-listed dual-use items, including cyber-surveillance technologies; and
- to improve the co-operation between the members of the European Union with a continuously updated list of dual-use items which have to be controlled independent of Annex I.
In this article, we focus on points 1 to 3 of the list above:
1. Cyber-surveillance technology: now clearly a dual-use item
The legal framework for controlling the export of dual-use items is governed by the Dual Use Regulation, which is directly applicable in EU member states, and so takes priority over local domestic law. Under the Dual Use Regulation, dual-use items are broadly defined as items (including software and technology) which can be used for both civil and military purposes. These items need to be more tightly controlled than other exports for reasons of national security, foreign policy and concerns about internal repression or other human rights violations.
Annex I of the Dual Use Regulation provides a comprehensive list of dual-use items which are subject to export control and which require an authorisation (usually in the form of an export control licence) before being exported from the European Union to a non-member state. Cyber-surveillance technology is not currently listed as a dual-use item in Annex I. The Proposal now makes clear that sensitive cyber-surveillance technology is captured within the definition of a “dual-use item”, which means that the technology is now expressly controlled by the Dual Use Regulation. The Commission’s proposed changes bring the definition in line with concerns regarding human rights violations.
Consequently, the Proposal more closely reflects the continuous development of digital technology.
2. Defining cyber-surveillance technology
To complement the expanded definition of “dual-use items”, the proposed changes to the Dual Use Regulation also provide for a detailed definition of “cyber-surveillance technology”, which includes any digital technologies and products which can be used for data monitoring, data analysing and data interception. This will include, for example, the following technology and equipment:
(a) mobile telecommunication interception equipment;
(b) intrusion software;
(c) monitoring centres;
(d) lawful interception systems and data retention systems; and
(e) digital forensics.
Although this list is non-exhaustive, it should be noted that it has been significantly shortened in comparison to a leaked draft of the Commission’s proposal earlier in 2016, which also listed biometrics, location tracking devices, probes and deep package inspection (DPI) systems.
3. Modifying Annex I
Annex I of the Dual Use Regulation is currently sub-divided into a list of 9 categories, reflecting those dual-use items which are subject to export control. The Commission has proposed to split the Annex I into two sub-divisions, A and B, with:
- A reflecting the existing categories; and
- B comprising a new category named Category 10 (to list “Other Dual-Use Items”).
The proposed Section B currently contains “Category 10 – Other Items of Cyber Surveillance Technology”, and includes items such as surveillance systems, equipment and components for ICT, monitoring centres and data retention systems. The specific surveillance items introduced by the addition of category 10 are mainly used by intelligence agencies.
Finally, software specially designed or modified for the development, production or use of equipment, functions or features specified in the above surveillance items is also listed in Category 10.
Outlook and analysis
The Proposal is significant and demonstrates the Commission’s ability to respond to rapidly changing technological, economic and political circumstances. It also signals the Commission’s intent to reduce the risk of misuse of cyber surveillance technology in the violation of human rights and the threat to digital infrastructures of individuals, entities or other organisations in the European Union.
Manufacturers and exporters of the cyber surveillance technology and its components are strongly advised to review their export compliance systems and policies against the Proposal so they have a clear view about how their supply and delivery chains may be affected. Where that review identifies that the business is responsible for exports of cyber surveillance technology from the EU that fall within the scope of any amended Dual Use Regulation, the business will need to consider applying to the relevant local regulatory authority to seek authorisations prior to export.
The Proposal now needs to make its way through the European Union’s legislative procedure, which will see it pass through the European Parliament and the Council up to three times, depending on how many (if any) changes are proposed.
The proposed changes, and their implications, are far-reaching. In future articles, we will discuss the Commission’s proposal to expand the existing system of catch-all clauses, which is of significant concern to exporters as it includes human rights criteria. We will also explain how the Proposal aims to improve cooperation between EU member states and maintain a continuously updated list of dual-use items which have to be controlled. Finally, we will give examples of how the new regime will affect existing export examples in practice.