Cyber surveillance technology looks likely to become subject to EU export controls
Browse this blog post
It seems that the European Commission intends to propose stricter rules on the export of dual-use technology.
If its proposed amendments to the “Regulation for the control of exports, transfer, brokering and transit of dual use items” (which were recently leaked) are implemented, dual-use technology will face stricter licensing and trade controls.
The controls around cross-border technical assistance will be clarified and controls around brokering services (currently used by some to circumvent the existing Regulation) will be strengthened. A notable addition is that the proposed Regulation will control the export of cyber surveillance technology. The proposed expanded definition of “exporter” also looks likely to extend the Regulation’s reach. These amendments may have a big impact on certain exports which are currently unaffected by this legislation.
What is the rationale for the amendments?
It is recognised that the EU export control system cannot remain static. The expanded controls have been suggested in light of new challenges faced in the fight against terrorism and the increase in hybrid threats arising from the blurring of lines between the civilian and defence sectors. Following the use of surveillance technologies by repressive regimes to target activists and journalists, the Commission is also seeking to prevent human rights violations arising through use of exported EU products.
What technologies will be covered by the rules?
The existing EU legislation currently imposes export controls and licensing requirements on “dual-use” items. These are items that can have both civilian and military uses and/or items that can contribute to the development or production of nuclear, chemical and biological weapons. See brief summary of the current Regulation here.
The draft Regulation we have seen expands “dual-use” to include cyber-surveillance technology that can be used for the commission of serious violations of human rights or international humanitarian law, or which can pose a threat to international security. “Cyber-surveillance technology” is defined as items designed to enable the covert intrusion into information and telecommunication systems with a view to monitoring, extracting, collecting and analysing data.
Increased certainty is awaited
Commentators have noted that companies will need to see clearer definitions and a more comprehensive list of the restricted technologies in order to know which of their products must be licensed. A full control list will be annexed to the Regulation but is not available in the leaked working draft.
The draft definition of “cyber-surveillance technologies” lists a number of technologies as examples. These include mobile telecommunications interception equipment, biometrics, location tracking devices and probes. The broad reach of the definition could cover technology that is widely accessible and, on the face of it, fairly innocuous. Will smartphones, due to their GPS capacity, be subject to the more stringent export controls? Will the sale of cookies-based or similar technologies be subject to licensing requirements? There is also a concern that the proposal will have a chilling effect on the use of such technologies for defensive purposes.
The draft proposal does state that the measures “should not go beyond what is proportionate… should not prevent the export of… technology used for legitimate purposes”. However this statement is included in the Recitals to the proposed Regulation, and not in the operative Articles themselves. How this will play out in practice is unclear. However, the fact that the draft proposal requires authorities and exporters to factor in the end user’s intent and human rights record may be helpful in ensuring proportionality.
The proposed draft legislation is expected in September and may undergo some significant change in the meantime. We’ll be keeping an eye on its development.
If you have any questions about this blog post please contact firstname.lastname@example.org.