Home / Our news and views / Draft EU proposal to control exports of dual-use surveillance software and related products now shifts to Council for debate

Draft EU proposal to control exports of dual-use surveillance software and related products now shifts to Council for debate

By BROOKS TIGNER

BRUSSELS – After years of hesitation about how to regulate its commerce, the EU is preparing to clamp down on exports of cyber-surveillance products and other high-end digital technologies to prevent their use for repressive ends or as re-export to banned third countries. A new vote on 17 January by the European Parliament now moves the EU one step closer to this goal.

In its amendments to a Commission proposal, the EP has considerably tightened some of its terminology and thrust, while throwing its full weight behind the proposal’s inclusion of a human rights (HR) “catch-all” clause – essentially a yardstick by which the human rights credentials of the importing country must be assessed by the exporting EU member state.

“The HR clause allows each member state to define new items and, if no opposition from other [EU members], it will apply to all,” Klaus Buchner, German Green member of the European Parliament who led the amendments, told reporters prior to the vote.

However, this and other hoped-for changes approved by the EP during plenary vote suffer a potentially fatal structural flaw in that none of the changes are based on binding or standardised practices on the ground.

At issue is the European Commission’s “re-casted” proposal of September 2016 to modify the EU’s export regime for the control of exports, transfer, brokering, technical assistance and transit of dual-use items, and more specifically surveillance software or “spyware”.

The last time the EU’s dual-use exports regime was modified was in 2011.  Though due for an overhaul, the Commission was reluctant to amend it due to pressure from national capitals and Europe’s business community, whose software sector has fallen far behind that of the United States and China in export markets.

The September 2016 proposal sets out new provisions to control cyber-surveillance technologies by, among other things, introducing a list of specific technologies to be subject to controls such as monitoring centres and data retention systems.

This will be complemented by the catch-all mechanism, which will also target non-listed cyber-surveillance technologies in cases where there are indications or evidence they may be misused by the end-user during armed conflicts or exploited for internal repression.

“The catch-all for cyber-surveillance was controversial because it moved away from the status quo toward something more,” one EP policy aide said on 11 January.  “[The pan-European business lobbies of] Bitcom and Digital Europe were concerned about this, as was BusinessEurope but they’re come around to supporting it since the actual scope won’t be that broad. Above all, industry wants clear terms and definitions and we have tightened the terms over what the Commission originally drafted.”

The EU’s dual-use exports are worth around EUR 80 billion per year but only a fraction of this – around 10 percent – concerns cyber-surveillance software and products. Of the latter, exports from Germany account for up to 60 percent of the total, according to EP estimates.

The EP’s amendments to the proposal shift things in several ways. For example, they exclude dual-use goods specifically intended for the military, since these are covered by the 42-nation Wassenar Agreement that controls exports of armaments. For example, Wassenar covers encryption technology, so that is excluded from the EU’s re-casted proposal. However, the aide said one hoped-for impact of the proposal would be to see its list of surveillance technologies folded back into Wassenar’s list of controlled technologies.

The EP’s amendments also propose a minimum level of penalty.

“So far, we have no EU-level rules on this.  In Sweden there is as fine of just 2000 krona (EUR 203) for violations whereas in Germany you can go to prison for two years,” said Buchner.

With the Parliament’s first reading now complete, the proposal now shifts to the Council where “most countries have not yet worked seriously on this proposal,” said Buchner. “It is our challenge to push the Council to get this [on the books] by 2019.  We’re counting on the EU’s Austrian presidency [in the second half 2018] to take this on board, leading to trialogue [between EP, Council and Commission to reach a final text].”

     THE UPSHOT: The Commission’s proposal and the EP’s amendments are motivated by good intentions. For example, the proposal’s due diligence principle regarding end-user statements would oblige exporters to inform their authorities if they have any suspicions their technology could be misused. Similarly it would also require brokers and exporters to determine the actual final destination of their exports to prevent unauthorised exports to third countries.
     However, no specific procedures are defined which leaves it each member state and exporter to find the best way of doing this. While big exporters of sensitive technology have established verification procedures for end-user certificates, exporters of surveillance technology – many of whom will likely be start-ups and other smaller players – will have to feel their way in the dark. That sounds like a recipe for mistakes, in our view.
     Rectifying the differences in penalties for export violations might have a higher chance of success. While no binding rules are in the cards for this either, the proposal’s supporters are counting on the economic leverage of the EU larger member states, led by Germany, to persuade the others to implement harsher penalties. Only time will show if that works.

     bt@securityeurope.info

Check Also

The EP pushes for international ban on the use of killer robots

By BROOKS TIGNER, with KYLE ATTAR
BRUSSELS – Members of the European Parliament (MEPs) are demanding a ban on weapons that have no “meaningful human control”.The resolution, passed overwhelmingly on 12 September by a majority of the MEPs (566)  is non-binding, however, on the 28 member states but is supported by Federica Mogherini, the EU’s policy chief for security and defence policy. She has already begun an international dialogue to try and bring the world into consensus as to the direction of autonomous warfare. The resolution notes that lethal autonomous weapons (LAWs) are machines without the ability or capacity to make human decisions and, as such, remote operators must take responsibility for life or death decisions. Much like drones, these weapons bring up strong ethical and moral dilemma regarding...