Last week, a draft amendment to the EU's dual-use export regulation was "leaked" – revealing the EU's intention to create tighter rules for the export of dual-use technologies from its jurisdiction. Due to be introduced by the EU in September, the leaked proposal indicates some important changes for the cyber -technology industry, particularly, the introduction of the term and control of "cyber- surveillance technologies". The expressed rationale behind the proposed amendments is the protection of human rights; with various European parliamentarians, EU states and human organizations having campaigned for years that cyber surveillance technologies of EU companies have been used by repressive regimes and in conflict areas, in the violation of human rights.
However, if the European Parliament and Member State governments' representatives will adopt the proposed amendment, this will require cyber companies with the relevant listed dual-use items, to begin obtaining export licenses and follow additional procedural requirements.
Background to the EU Dual-Use Regulation
In 2009, the EU adopted Regulation No 428/2009 which set up a European Community regime for the control of the exports, transfer, brokering and transit of dual-use items ("the Regulation"). The Regulation has been amended various times since, including changes to keep up with technological advancements. One of the expressed desired aims of the Regulation was "to achieve a uniform and consistent application of controls throughout the EU… and to provide a level playing field for EU exporters". The Regulation outlined controlled items which can only be exported from the EU territory with an export authorization, which the Regulation stressed must be consistent throughout EU states. The Regulation is EU law (as opposed to an EU directive which can provide direction to EU states, but is not binding upon them) – and so is automatically implemented into each EU member's jurisdiction as the relevant law regulating dual-use exports. Similarly, any amendments to the Regulation are also automatically binding on each EU state.
Substance of the Current EU Regulation Amendment
The proposed amendment describes the regulation of a new defined term, "Cyber- surveillance technology", which it defines as:
"Items specially designed to enable the covert intrusion into information and telecommunication systems with a view to monitoring, extracting, collecting and analyzing data and/or incapacitating or damaging the targeted system..."
At this stage, the proposal only includes broad categories of technology and equipment; items “related to”:
- Mobile telecommunication interception equipment;
- Intrusion software;
- Monitoring centers;
- Lawful interception systems and data retention systems;
- Digital forensics;
- Location tracking devices;
- Deep package inspection (DPI) systems."
The complete control list will be contained in a new annex – however, this is not currently available. Without this list of specific items, it is difficult to assess: (i) which items will fall under these broad categories, and (ii) what are the full implications of the proposed amendment.
Nonetheless, some of the proposed broad categories appear to be more expansive than those already in existence in the international dual-use export list developed under the Wassenaar regime (e.g. intrusion software; digital forensics; and location tracking devices).
The proposal also expands the existing “catch-all” mechanism of the Regulation. Currently, the "catch-all" provision provides that EU member states may regulate additional items and technologies, even if not listed in Annex I (the section which stipulates all regulated dual-use items of the Regulation). The proposed change suggests that a Member State can ask an exporter to apply for an export license on the basis of "human rights considerations". Whilst this is an honorable reason for Member State authorities to require a license, what criteria they will use to assess such considerations and how this requirement will be implemented, still remains unclear.
The proposal also expands an existing article in the Regulation placing an obligation on exporters to request authorization if they are aware of specific end-uses (e.g. military use by countries with an arms embargo; use by persons where there is evidence that the item or a similar one has been used for violating human rights by the proposed end-user). Again, how this will be practically assessed (by both the exporter and the national regulator) currently remains unclear.
Particularly importantly for non-EU companies with EU based parent companies, the proposed amendment substantially expands the regulated brokering provisions of the Regulation, so as to require the EU parent to seek authorization for brokering activities conducted by its non-EU subsidiaries. We are currently unsure exactly how this will be implemented in practice.
Whilst the Preamble to the proposal clearly recognizes that the new control on surveillance technologies “should, in particular, not prevent the export of information and communication technology used for legitimate purposes, including law enforcement and internet security research”, and the proposal indicates that the "dual-use industry" has been involved as a key stakeholder in the proposal consultations – the amendment will undoubtedly still have a great effect on the cyber and technology community.
How the final Regulation will look in September, may of course be different from the current leaked version. Moreover, without the new annex, it is difficult to determine which exact technologies and companies will likely be affected by the changes. That being said, from the broad categories of technologies already provided – there is strong reason to believe that the cyber and technology companies based in Europe, or otherwise companies outside of Europe which use a European broker or have European parent companies, will be affected by the various proposed changes.
In addition, should this amendment go through, it will also signify a serious divergence from the current version of the Wassenaar regime. Whether or not this will result in a similar amendment to the Wassenaar arrangement remains to be seen, as such amendments are only usually announced in December.