Navigating the EU’s New Catch-All Control for Cyber-Surveillance Exports

By Dr. Mark Bromley and Giovanna Maletta

In 2021, the European Union (EU) took a significant step forward in regulating the export of dual-use items with the adoption of a new iteration of the EU Dual-use Regulation. This regulation sets common standards for EU member states regarding the control of exports of items that can be used for both civilian and military purposes. Among its notable features is the introduction of a new ‘catch-all control’ specifically targeting cyber-surveillance items. This control mandates that exporters seek approval for the export of such items if they become aware that these items may be used in connection with human rights violations, even if they do not fall under existing export controls. This article delves into the implications of this catch-all control, the newly published guidelines, and the steps that can be taken to enhance its effectiveness.

Understanding Export Controls and Cyber-Surveillance Tools

Export controls are essential for regulating the transfer of sensitive technologies across borders. Traditionally, these controls rely on ‘control lists’ that specify which items require a license for export. However, the rapid evolution of technology poses a challenge in ensuring that these lists remain comprehensive. Many products that could be misused for harmful purposes may not be explicitly listed, leading to gaps in regulation.

To address these challenges, states have implemented ‘catch-all controls.’ These controls require exporters to obtain a license for non-listed items if there is a reasonable suspicion that they could be used in a prohibited manner or by unauthorized end-users. The EU’s Dual-use Regulation includes a control list based on international agreements, such as the Wassenaar Arrangement, but it has faced criticism for not adequately covering the full spectrum of cyber-surveillance tools.

The EU Cyber-Surveillance Catch-All Control

The 2021 Dual-use Regulation introduced a new catch-all control under Article 5, which applies to non-listed cyber-surveillance items that may be intended for use in connection with internal repression or serious violations of human rights and international humanitarian law. This control can be activated in two ways: either the national licensing authority notifies an exporter of the requirement for a license, or exporters must inform their licensing authority if they become aware, through due diligence, that their items are intended for prohibited uses.

This new control is particularly relevant given the increasing concerns over the misuse of cyber-surveillance tools by state actors. Examples of items that may fall under this control include mobile phone hacking services and data-retention systems, which have been proposed for inclusion in international control lists but have yet to be formally recognized.

The New Guidelines: Clarifying the Catch-All Control

In response to the complexities surrounding the catch-all control, the EU recently published a set of guidelines aimed at assisting exporters in navigating their obligations. These guidelines clarify when exporters should alert licensing authorities about potential exports and elaborate on the definition of cyber-surveillance items.

The guidelines specify that cyber-surveillance items are those ‘specially designed to enable covert surveillance’ of individuals by monitoring or analyzing data from information and telecommunication systems. This definition raises questions about the inclusion of certain technologies, such as facial recognition tools, which may have legitimate uses but can also be repurposed for surveillance.

Moreover, the guidelines emphasize the responsibility of exporters to conduct due diligence. Exporters must assess the end-use of their products on a case-by-case basis, considering whether their items could be intended for sensitive applications. This obligation extends not only to finished products but also to components that could be integrated into cyber-surveillance systems.

Addressing Prohibited Uses: Internal Repression and Human Rights Violations

The guidelines provide a framework for understanding what constitutes prohibited uses of cyber-surveillance tools. They reference the EU Common Position on arms exports, which outlines criteria for assessing the risk of internal repression and violations of human rights. However, while these references are useful, they primarily focus on military equipment and do not adequately address the unique challenges posed by dual-use items and cyber-surveillance technologies.

To enhance the guidelines, it is crucial to incorporate specific language addressing the risks associated with cyber-surveillance tools. This could involve revising the Common Position user’s guide to include detailed assessments of the potential misuse of these technologies.

Next Steps for Implementation and Improvement

As the EU embarks on the implementation of the catch-all control, several steps can be taken to improve its effectiveness:

1. Develop Case Studies: Stakeholders have expressed the need for concrete examples of cyber-surveillance items that may require an export license. Developing real or fictional case studies collaboratively could provide valuable guidance for exporters.

2. Revise the Common Position User’s Guide: The European Parliament could recommend updating the user’s guide to include specific language on assessing risks associated with cyber-surveillance tools, thereby enhancing the comprehensiveness of the guidelines.

3. Foster Coordinated Policy Responses: Addressing the proliferation of cyber-surveillance tools requires a multifaceted approach. The European Parliament could advocate for a coordinated EU strategy that encompasses not only export controls but also procurement and use of these technologies.

4. Engage with International Initiatives: The EU should align its efforts with international initiatives aimed at countering the misuse of commercial spyware, fostering a collaborative approach to regulation.

Conclusion

The introduction of the catch-all control for cyber-surveillance items represents a significant advancement in the EU’s regulatory framework. However, the successful implementation of this control hinges on clarity, consistency, and collaboration among stakeholders. By refining the guidelines and fostering a coordinated approach, the EU can better address the challenges posed by the proliferation of cyber-surveillance tools and their potential misuse in violating human rights.

About the Authors:

Dr. Mark Bromley is the Director of the SIPRI Dual-Use and Arms Trade Control Programme. Giovanna Maletta is a Senior Researcher in the SIPRI Dual-Use and Arms Trade Control Programme.

Source: This article was published by SIPRI.