In this first post of a new series, we will discuss the most debated topic of the proposal thus far: the establishment of specific human-rights-based controls on cyber-surveillance technologies.
On 28 September 2016 the EU Commission published its proposal for a modernization of the EU export control system (see also our previous post). Although the adoption of the proposal by the Commission is the end result of an extensive consultation process, it is only the first step in the EU legislative process, which includes submission not only to the European Parliament and the Council, but also to the national parliaments and the EU advisory committees. Ultimately, this process could lead to the adoption (or rejection) of the proposal by the EU Council and Parliament. During this process, the proposal will remain open to amendments. How long the legislative process will eventually take is difficult to predict, although ‘adoption day’ is presumably not to be expected before the end of 2017, with the Regulation entering into force in Spring 2018.
The EU Commission will in the meantime continue to reach out to all stakeholders. After the publication, the Commission organized a Civil Society Dialogue to present its proposal, and it will host a Dual Use Forum in December to discuss the headlines of the proposal in more detail.
During the legislative process, we will highlight in this blog some of these key features in order to understand what is actually behind concepts like ‘human security’, ‘optimized licensing architecture’ and ‘convergence of controls’. When it is useful to this understanding, we will make links to the US export control system.
As mentioned in earlier posts (see, among others, the Recast of the Dual-Use Regulation series and Export Controls as a toolbox for human rights policy), by introducing these new controls the Commission is responding to calls from the Parliament and the Commission to address concerns about the proliferation of cyber-surveillance technologies that could be misused in violation of human rights and could threaten the EU’s digital infrastructure.
The proposal tackles these concerns via a twofold approach:
- Introduction of cyber-surveillance technology as a new category of dual use items; and
- Broadening the scope of the catch-all controls.
How is cyber surveillance technology now embedded in the Proposal?
First of all, cyber surveillance technology is explicitly added to the definition of dual use items in article 2 (1) of the Proposal which states:
Dual use items shall mean items including software and technology which can be used for both civil and military purposes and shall include:
(b) cyber surveillance technology which can be used for the commission of serious violation of human rights or international humanitarian law, or can pose a threat to international security or the essential security interests of the Union and its Member States.
Furthermore a definition of cyber surveillance technology itself is inserted in article 2 (20) of the Proposal:
Cyber surveillance technology shall mean items specifically designed to enable the covert intrusion into information and telecommunication systems with a view to monitoring, collecting and analysing data and/or incapacitating or damaging the targeted system. This includes items related to the following technology and equipment:
- mobile telecommunication interception equipment
- intrusion software
- monitoring centers
- lawful interception systems and data retention systems
- digital forensics
Compared to the leaked draft (see earlier post), it should be noted here that certain technologies have been removed from this non-exhaustive list (e.g. biometrics, location tracking devices, probes and deep packet inspection systems).
This insertion, as such, is not a revolution as many of those technologies are already included in Annex 1 of the Dual Use regulation as part of the EU’s adherence to the Wassenaar Arrangement (see for example intrusion software or mobile telecommunications interception equipment).
The only items which are actually added to Annex 1 in the Proposal are inserted in the brand new Category 10 (“other items of cyber-surveillance technology”). It concerns de facto
surveillance systems, equipment and components for ICT (Information and Communication Technology) for public networks where the destination lies outside the customs territory of the European Union and outside of Part 2 of Section A of Annex II to this Regulation (e.g. Australia, Canada, Iceland, Japan, New Zealand, Norway, Switzerland, Liechtenstein, United States of America), and namely:
a. Monitoring Centres (Law Enforcement Monitoring Facilities) for Lawful Interception Systems (LI, for example according to ETSI ES 201 158, ETSI ES 201 671 or equivalent specifications or standards) and specially designed components therefor,
b. Retention systems or devices for event data (Intercept Related Information IRI, for example, according to ETSI TS 102 656 or equivalent specifications or standards) and specially designed components therefor.
These new items of Category 10 (which also include specially designed software and technology) are very specific and mostly used by or destined for law enforcement agencies and intelligence agencies. As such, the addition of these items to the list of controlled dual use items will likely not result in serious competitive disadvantages for EU exporters. The EU cyber-technology industry is more afraid of the inclusion of human rights considerations in the catch-all disposition (i.e. a license requirement for items not listed in Annex 1), but we will come back to this in detail in one of our future posts.
With respect to the cyber surveillance technologies listed in Annex 1, the question remains whether it is wise for the EU to include, unilaterally, cyber-surveillance items that are not covered by the Wassenaar Arrangement and, more generally, whether the imposition of controls on these technologies does not hinder their effective use. In that respect it is worth referring to the discussions that took place in the framework of the adoption of controls on intrusion software (as agreed within Wassenaar), whereby the industry indicated that license requirements would hinder the effective (and thus immediate) use of legitimate computer security technology in case of cyber-attacks. As a consequence, the competent US authority BIS issued a proposed rule on the inclusion of intrusion software to implement the conclusions of the December 2013 Wassenaar Arrangements. BIS received multiple comments from the industry and has not yet implemented the rule. Despite the concept of ‘human security’, it remains at the end of the day always a policy choice between national security and human rights considerations.
We understand that neither the Committee of the Regions nor the European Economic and Social Committee is currently preparing an opinion on the proposal. National parliaments will have until 25 November to raise subsidiarity concerns.
Note that the EU Commission has inserted a decontrol note for items with the following purposes: billing; data collection functions within network elements; quality of service of the network; user satisfaction; and operation at telecommunications companies, in order to exclude more commonly used retention systems or devices for event data.