On September 28, 2015 the European Commission (the Commission) released its proposal to “modernize and strengthen” the European Union’s (EU) dual-use export control regime as laid out by Regulation (EC) No. 428/2009 (the Regulation). As Steptoe has previously advised, a version of the Commission’s proposal was leaked in July, prompting concern from industry and other stakeholders. The official release of the proposal triggers the process toward adoption of a slew of amendments to the current dual-use export control regime, including, most significantly, broad controls on the export of cybertechnology.
Controls on Cybertechnology
The Commission’s proposal endeavors to implement its “initiative to control exports of cyber-surveillance technologies” in three major ways. First, the proposal amends the Regulation’s current definition of dual-use items to include cyber-surveillance technology that can be used to violate human rights or threaten the security of the EU. The proposal also introduces a definition of cyber-surveillance technology for the first time:
“cyber-surveillance technology” shall mean items specifically designed to enable the covert intrusion into information and telecommunication systems with a view to monitoring, extracting, collecting and analyzing data and/or incapacitating or damaging the targeted system. This includes items related to the following technology and equipment:
(a) mobile telecommunication interception equipment
(b) intrusion software
(c) monitoring centers
(d) lawful interception systems and data retention systems
(e) digital forensics
Second, the proposal adds a new list-based control category (Category 10), for specified types of cyber-surveillance technology. Category 10, “Other Items of Cyber-Surveillance Technology,” contains three subcategories (10A001, 10D001, 10E001).
- Category 10A001 would control, for export to certain countries, “surveillance systems, equipment and components for ICT (Information and Communication Technology) for public networks,” defined to include the following:
a. Monitoring Centers (Law Enforcement Monitoring Facilities) for Lawful Interception Systems (LI, for example according to ETSI ES 201 158, ETSI ES 201 671 or equivalent specifications or standards) and specially designed components therefor,
b. Retention systems or devices for event data (Intercept Related Information IRI, for example, according to ETSI TS 102 656 or equivalent specifications or standards) and specially designed components therefor.
A technical note states that “event data includes signalling information, origin, and destination (e.g., phone numbers, IP or MAC addresses, etc.), date and time and geographical origin of Communication.” There is a carve-out for systems or devices specially designed for any of the following stated purposes: billing, data collection functions within network elements (e.g., Exchange or HLR), quality of service of the network [QoS] or user satisfaction [QoE], or operation at telecommunications companies (service providers).
- Category 10D001 would control “software specially designed or modified for the development, production or use of the equipment, functions or features” controlled by 10A001, as well as “software specially designed or modified to provide characteristics, functions or features of equipment” controlled by 10A001.
- Category 10E001 would control technology for the development, production or use of equipment, functions or features controlled by 10A001 or software controlled by 10D001.
Third, the proposal introduces a “catch-all control” intended to supplement the control categories above by imposing export licensing requirements on non-listed “cyber-surveillance technology” items under certain circumstances. As noted above, the proposal includes a new definition of cyber-surveillance technology, which broadens the range of potentially controlled items far beyond just the items listed in Category 10 under 10A001, 10D001, and 10E001. The definition covers items related to mobile telecommunications interception equipment, intrusion software, monitoring centers, lawful interception systems and data retention systems, and digital forensics. These catch-all controls will result in a licensing requirement for such items if there is evidence to suggest that they are to be used for specific end-uses of concern, as highlighted by the updated Regulation (for weapons of mass destruction purposes, for certain military purposes by certain countries, as parts or components for controlled military items that have been exported without proper authorization, for use by persons complicit in or responsible for directing or committing serious violations of human rights or international humanitarian law in situations of armed conflict in the country of final destination, or for use in connection with acts of terrorism).
The addition of a new category of controlled items stems from concerns within the EU regarding the use of certain types of cybertechnologies, such as intrusion software, by oppressive regimes and other malicious actors to violate human rights and compromise global security. However, the proposed definition of such technology casts a potentially wide net, prompting concerns by some that the additional controls could hinder, rather than advance, cybersecurity.
The proposal introduces controls on the provision of technical assistance related to dual-use items. Technical assistance is defined to cover technical support including repairs, development, manufacture, assembly, testing, maintenance, “or any other technical service.” In addition, the controls could cover “instruction, advice, training, transmission of working knowledge or skills or consulting services, including verbal forms of assistance.”
The controls on technical assistance would apply to any person or entity resident or established in the EU, any subsidiary of an EU company located outside of the EU, and non-EU nationals supplying technical assistance from within the EU. The controls apply to any dual-use item in situations where such a person or entity supplying technical assistance has been informed by authorities that the item may be used in any of the end-use circumstances which trigger catch-all controls, as listed above. In addition, suppliers of technical assistance have a responsibility to inform relevant authorities if they are aware that the dual-use items in question are to be used for any such purposes.
Expanded Brokering Controls
The proposal also increases the scope of EU brokering controls by updating the definition of “broker” and expanding the type of items subject to authorization. If the proposed amendments to the Regulation go forward, subsidiaries of EU companies located outside of the EU, and non-EU nationals carrying out brokering services from within the EU, will become subject to brokering controls.
Further, controls on brokering services of dual-use items would be amended in two ways. First, the proposal would amend the current Regulation by requiring authorization for brokering services of any dual-use item (not just those explicitly listed in Annex 1), intended for certain end-uses. This amendment would include any items falling within the definition of “cyber-surveillance technology” – even those not specifically listed in the newly proposed Category 10. Second, the proposal lists three new circumstances to which those controls apply. In addition to the currently controlled circumstances (i.e., use related to weapons of mass destruction, or as parts or components for controlled military items that have been exported without proper authorization), the proposal adds: (1) military end-use in certain destinations, (2) use by persons complicit in human rights violations, and (3) use in connection with terrorism as end-use circumstances subject to brokering controls.
In addition to introducing a new category of controlled items related to cyber-surveillance technology, proposing controls on technical assistance, and expanding controls on brokering, the proposal outlines a series of other amendments to the Regulation which, according to the proposal, aim to improve and simplify export control procedures and administration. Among the amendments are provisions relating to the following:
- redefinition of key terms including “export,” “exporter” and “broker”
- simplification of controls on intangible technology transfers (ITT)
- strengthening of transit controls
- enhanced provisions aiming to tackle illicit trade
- additional licensing elements to improve consistency within the EU, including the introduction of a new authorization for large projects and new EU General Export Authorizations related to encryption, low value shipments, intra-company transmission of software and technology, and other dual-use items
- expanded powers of the Commission to “modify destinations or items on EUGEAs” through delegated act
- expansion of end-use circumstances triggering catch-all controls
- revision of intra-EU controls
- increased cooperation between Member States regarding implementation and enforcement
- improved transparency and outreach through the publication of guidance and annual reports
- increased dialogue and cooperation with third countries
Internal Compliance Programs
While each of the amendments to the current Regulation may bring changed or increased responsibilities for exporters, there is one new administrative requirement that should be brought to particular attention. As part of the Commission’s stated goal to increase licensing consistency within the EU Member States, the proposal introduces conditions for use of certain licenses. In particular, use of a global license will now require an exporter to maintain an Internal Compliance Program. The proposal defines a compliance program as follows:
“… effective, appropriate and proportionate means and procedures, including the development, implementation, and adherence to standardized operational compliance policies, procedures, standards of conduct, and safeguards, developed by exporters to ensure compliance with the provisions and with the terms and conditions of authorizations set out in this Regulation …”
In addition, the proposal notes that exporters have an “obligation to exercise due diligence” when exporting dual-use items.
Publication of the draft Regulation marks the end of a lengthy consultation period, initiated in 2011. During this period, stakeholders raised multiple concerns, including the competition for dual-use goods that they face from third countries without multilateral export control regimes or with markedly different regimes, and the burden of management and compliance programs. Although the proposal is a Regulation, and so will be directly applicable across the EU 28 Member States if adopted, there are key implementing measures for Member States to put in place which have the potential to cause asymmetric implementation across the EU.
Now that the Commission’s proposal has been published, it must be examined by the Council and European Parliament. All three must agree before the Regulation is adopted, and the legislative process could take at least a year. The Regulation will apply on the ninetieth day following publication in the Official Journal. However, this implementation is unlikely to occur before spring 2018. The European Parliament’s Think Tank recently published a helpful summary containing an overview of the proposed changes and outlining its path to implementation.
The Council has begun its work, meeting initially on a monthly basis. The European Parliament has appointed an MEP rapporteur, Klaus Buchner (a member of the Ökologisch-Demokratische Partei, the German Green Party), to draft the Parliament’s position and coordinate views from other members. In addition to the initial consultation period, the legislative process will provide opportunities for interested representatives to discuss the impact of the proposal on their sector(s), either in meetings or in writing, with all three institutions.
During the consultation period Member States and Members of the European Parliament (MEPs) repeatedly raised concerns about the export of cybertools and other IT and telecoms surveillance, particularly in the context of human rights violations. There is clear support across the Commission, Council, and European Parliament to address this concern, but, as ever, the devil will be in the details of the finalized Regulation.
We will continue to keep you apprised of regulatory developments in the export control and cyber areas.