By BROOKS TIGNER
BRUSSELS – After years of hesitation about how to regulate its commerce, the EU is preparing to clamp down on exports of cyber-surveillance products and other high-end digital technologies to prevent their use for repressive ends or as re-export to banned third countries. A new vote on 17 January by the European Parliament now moves the EU one step closer to this goal.
In its amendments to a Commission proposal, the EP has considerably tightened some of its terminology and thrust, while throwing its full weight behind the proposal’s inclusion of a human rights (HR) “catch-all” clause – essentially a yardstick by which the human rights credentials of the importing country must be assessed by the exporting EU member state.
“The HR clause allows each member state to define new items and, if no opposition from other [EU members], it will apply to all,” Klaus Buchner, German Green member of the European Parliament who led the amendments, told reporters prior to the vote.
However, this and other hoped-for changes approved by the EP during plenary vote suffer a potentially fatal structural flaw in that none of the changes are based on binding or standardised practices on the ground.
At issue is the European Commission’s “re-casted” proposal of September 2016 to modify the EU’s export regime for the control of exports, transfer, brokering, technical assistance and transit of dual-use items, and more specifically surveillance software or “spyware”.
The last time the EU’s dual-use exports regime was modified was in 2011. Though due for an overhaul, the Commission was reluctant to amend it due to pressure from national capitals and Europe’s business community, whose software sector has fallen far behind that of the United States and China in export markets.
The September 2016 proposal sets out new provisions to control cyber-surveillance technologies by, among other things, introducing a list of specific technologies to be subject to controls such as monitoring centres and data retention systems.
This will be complemented by the catch-all mechanism, which will also target non-listed cyber-surveillance technologies in cases where there are indications or evidence they may be misused by the end-user during armed conflicts or exploited for internal repression.
“The catch-all for cyber-surveillance was controversial because it moved away from the status quo toward something more,” one EP policy aide said on 11 January. “[The pan-European business lobbies of] Bitcom and Digital Europe were concerned about this, as was BusinessEurope but they’re come around to supporting it since the actual scope won’t be that broad. Above all, industry wants clear terms and definitions and we have tightened the terms over what the Commission originally drafted.”
The EU’s dual-use exports are worth around EUR 80 billion per year but only a fraction of this – around 10 percent – concerns cyber-surveillance software and products. Of the latter, exports from Germany account for up to 60 percent of the total, according to EP estimates.
The EP’s amendments to the proposal shift things in several ways. For example, they exclude dual-use goods specifically intended for the military, since these are covered by the 42-nation Wassenar Agreement that controls exports of armaments. For example, Wassenar covers encryption technology, so that is excluded from the EU’s re-casted proposal. However, the aide said one hoped-for impact of the proposal would be to see its list of surveillance technologies folded back into Wassenar’s list of controlled technologies.
The EP’s amendments also propose a minimum level of penalty.
“So far, we have no EU-level rules on this. In Sweden there is as fine of just 2000 krona (EUR 203) for violations whereas in Germany you can go to prison for two years,” said Buchner.
With the Parliament’s first reading now complete, the proposal now shifts to the Council where “most countries have not yet worked seriously on this proposal,” said Buchner. “It is our challenge to push the Council to get this [on the books] by 2019. We’re counting on the EU’s Austrian presidency [in the second half 2018] to take this on board, leading to trialogue [between EP, Council and Commission to reach a final text].”
However, no specific procedures are defined which leaves it each member state and exporter to find the best way of doing this. While big exporters of sensitive technology have established verification procedures for end-user certificates, exporters of surveillance technology – many of whom will likely be start-ups and other smaller players – will have to feel their way in the dark. That sounds like a recipe for mistakes, in our view.
Rectifying the differences in penalties for export violations might have a higher chance of success. While no binding rules are in the cards for this either, the proposal’s supporters are counting on the economic leverage of the EU larger member states, led by Germany, to persuade the others to implement harsher penalties. Only time will show if that works.
bt@securityeurope.info