Background

On July 22, 2016, a proposal by the European Commission to amend and update the European Union’s dual-use export control regime was leaked to the public, revealing a raft of changes to the current policy. Most significantly, the proposal includes new controls on the export of cyber-surveillance technologies, including intrusion software.

The proposal’s specific initiative to enhance export controls on cyber-surveillance technologies stems from a broader review process of the EU dual-use export control system which began in 2013. Along with other recommendations, the review highlighted in particular the need to develop and clarify the EU’s approach to “the use of cyber-space for proliferation activities.”[1]

Proposed Changes

The EU Dual-Use Regulation, which sets out the EU dual-use export control regime, has been amended on multiple occasions since its adoption in 2000, but the recently leaked proposal recommends the most fundamental revisions since 2009.[2] The proposed changes can be broadly grouped into two categories: first, changes that seek to simplify, clarify, and enhance the EU dual-use export control regime by adjusting the regulatory framework; and second, the introduction of a new category of controls aimed specifically at cyber-surveillance technology, as part of an effort to promote human rights and combat terrorism.

Amendments

The proposed modifications to the Dual-Use Regulation largely include administrative provisions relating to licensing, enforcement, transparency and outreach, cooperation with third countries, and clarification and extension of concepts including intangible technology transfers, technical assistance, transit, exporters, and brokering. According to the proposal, these changes have been introduced in order to “enhance the effectiveness or the consistency of the controls” and “aim at simplifying the administration of controls and reducing the burdens for operators.” Perhaps most significant, however, is the proposed redefinition of dual-use items to include cyber-surveillance technologies directly.

Additional Controls on Cyber-Surveillance Technology

The proposal defines cyber-surveillance technology as “items specially designed to enable the covert intrusion into information and telecommunication systems with a view to monitoring, extracting, collecting and analyzing data and/or incapacitating or damaging the targeted system. This includes items related to the following technology and equipment: a) mobile telecommunication interception equipment; b) intrusion software; c) monitoring centers; d) lawful interception systems and data retention systems; e) biometrics; f) digital forensics; g) location tracking devices; h) probes; i) deep package inspection (DPI) systems…”

The proposed controls on cyber-surveillance technology would include the following elements:

  1. a new “EU autonomous list” of controlled cyber-surveillance technologies presented as an annex to the regulations (which was not leaked along with the proposal), and
  2. a “targeted catch-all mechanism” that would impose controls on non-listed cyber-surveillance items in situations involving exports to end-users characterized by conflict, internal repression, or other urgent violations of human rights.[3]

Practical Implications

The new annex to the regulation, which lists controlled cyber-surveillance technologies, is not yet publicly available, so it is difficult to determine the full scope of the new controls. However, the revised legislation defines cyber-surveillance technology to include items related to mobile telecommunication interception equipment, monitoring centers, lawful interception systems and data retention systems, biometrics, digital forensics, location tracking devices, probes, deep package inspection systems, and intrusion software. In so doing, the proposal drastically expands the number and type of items that could fall under export control by the EU. Practically, this would mean additional licensing, reporting, and other regulatory requirements on a host of products and technologies. It will be crucial to continue to watch for the new list of controlled cyber-surveillance technologies and any other proposed revisions to the annexes.

In the proposal, the European Commission addresses concerns expressed by stakeholders regarding the control of a new set of items and technologies, including the potential for a “higher administrative burden for operators and authorities,” along with impediments to competitive trade. The European Commission argues, however, that the intended benefits to human rights and security outweigh those eventualities, stating that the new brand of controls “appears as an indispensable condition to prevent human rights violations resulting from the export of EU items to third countries and to address security risks.”

Next Steps

Although the timing is unclear, official adoption of the proposal’s recommendations is unlikely to occur imminently. It has been reported in the press that the European Commission will officially propose the changes in September 2016[4], though the legislation will have to undergo a lengthy approval process by the European Parliament and Council before it becomes law. This process could take anywhere from months to years to complete.

Throughout the review period, the European Commission conducted at least some outreach efforts to solicit stakeholder input regarding the changing scope of the dual-use export control regime. Now that the proposed legislation is nearly finalized, efforts to modify the proposal will have to be directed towards the legislators in the European Commission, Parliament, and Council.

The extent to which the EU will enact controls on intrusion software that differ from the Wassenaar Arrangement controls is unclear, but the proposed controls on intrusion software, plus the other controls on cyber-surveillance technologies, are likely to be closely reviewed by the cybersecurity industry once the annexes containing the technical language are released.