Global Businesses Face Increased Compliance Costs as the European Union Prepares to Update Its Export Controls Regime

On September 28, 2016, the European Commission leaders will discuss important proposed changes to the EU dual-use export control regime (the Proposal), which were tabled by the Directorate-General for Trade to amend and modernize Regulation (EU) No. 428/2009 (see leaked text of the Proposal).

Unless amended or set aside and, despite simplification efforts, the anticipated changes may increase overall compliance costs for global businesses.

Key Objectives
Following the export control policy review launched by the Commission in 2014, the Proposal seeks to achieve two main objectives:

1. Simplification
The Proposal aims at reducing the administrative burden and maintaining the competitiveness of EU exporters. It does so in two ways.

First, the changes would replace individual licenses by EU General Export Authorizations, where practical.

This means that exporters may be able to rely on a set of clear rules to carry out controlled transactions, instead of applying for a license for each transaction.

Businesses have long complained about individual licensing requirements in certain situations, such as intra-company technology transfers for R&D purposes. They would also welcome streamlined processes for exports of cryptography products and low value shipments.

Second, the Proposal would introduce a new type of global authorization for “large projects” (e.g., the construction of a nuclear power plant). This new form of authorization would cover all export authorizations relating to the project for the entire duration of the project.

2. Additional Controls – Cyber-Surveillance Technologies
The most contentious aspect of the Proposal relates to the introduction of new, autonomous controls for specific cyber-surveillance technologies.

The Proposal broadly defines those cyber-surveillance technologies as “items specially designed to enable the covert intrusion into information and telecommunication systems with a view to monitoring, extracting, collecting and analyzing data and/or incapacitating or damaging the targeted system. This includes items related to the following technology and equipment: a) mobile telecommunication interception; b) intrusion software; c) monitoring centers; d) lawful interception systems and data retention systems; e) biometrics; f) digital forensics; g) location tracking devices; h) probes; i) deep package inspection (DPI) systems….”

The EU autonomous list of such cyber-surveillance technologies is not yet publicly available.

Importantly, the Proposal further imposes targeted catch-all controls of cyber-surveillance technologies, which would allow control of exports of non-listed cyber-surveillance technologies in situations where serious violations of human rights can be demonstrated.

Concerns and Next Steps
The potential significant extension of the scope of Regulation (EU) No. 428/2009 has raised concerns with the business community, as it could create additional compliance costs for EU exporters and administrative burden for EU authorities.

In addition, stakeholders have called for a clarification of certain key concepts in relation to violations of human rights and public security (see, e.g., Article 8 of the Proposal), to facilitate practical implementation of the new rules by EU companies.

Provided that the College of Commissioners agrees on the Proposal, it will then go through the EU legislative process and be transmitted simultaneously to the Council of the EU and the European Parliament.

The Proposal is subject to amendments and businesses would be well-advised to voice their concerns throughout the legislative process, through active advocacy efforts supported by strong legal analysis.