In 2021, the EU passed an updated version of the EU Dual-Use Regulation, setting common standards for export control of dual-use items by EU member states. Among its new provisions, Regulation (EU) 2021/821 introduces “comprehensive controls” on network monitoring projects in its Article 5.
This catch-all provision requires exporters to obtain approval if they know or suspect that their cyber surveillance programs may be used to commit human rights violations, even if the programs are not specifically subject to existing export controls. Telecom interception systems (5A001.f.), Internet surveillance systems (5A001.j.), intrusion software (4A005, 4D004), and forensic tools (5A004.b., 5D002.a.3.b., 5D002.b.) etc. items. c.3.b.) are examples of technologies subject to these controls.
Despite growing concerns about the misuse of spyware and other surveillance tools, such comprehensive controls have so far been rarely applied, and many exporters remain unclear about how to apply it. To address this issue, the EU published new guidance on October 15, 2024 to help exporters meet these requirements.
For those of you who thought you could fly under the radar with items not listed, consider this your wake-up call and let’s dive into the key takeaways of these guidelines.
Main points
Who is watching the Watchers?
The 14-page guide emphasizes the importance of due diligence by exporters. For each transaction, exporters must review the item for potential misuse, evaluate the stakeholders involved in the transaction (including end users and consignees), and develop a plan to prevent and mitigate potential adverse impacts.
The guidance specifies several “red flags” that may indicate a cyber surveillance program could be abused, such as marketing materials emphasizing covert surveillance capabilities and any indication that similar techniques have been used for repression in the past.
Ultimately, the EU’s message is clear: exporters must remain vigilant and understand the impacts of their products. By prioritizing transparency and accountability in trade in cyber surveillance technology, the EU aims to promote ethical export practices and protect human rights. Exporters are now tasked with ensuring they do not inadvertently contribute to abuse, reinforcing the need for a comprehensive compliance framework.
Network monitoring items not listed:
Although the guidance states that it is not possible to provide an exhaustive list of products that may be controlled as unlisted network surveillance items, exporters should be particularly cautious about technologies that are used primarily for commercial purposes and may be repurposed for surveillance. Items such as facial recognition technology and location tracking devices have come under scrutiny for their dual-use potential and therefore may fall within the scope of what the EU considers cyber surveillance projects.
The guidance clarifies that video surveillance systems and cameras (including high-resolution cameras) used to film people in public places do not fall within the definition of network surveillance projects because they do not monitor or collect information and telecommunications data. system. The guidance also states that “items used for purely commercial applications, such as billing, marketing, quality service, user satisfaction or network security, are generally not considered to pose such risks” and are therefore excluded from the control requirements .
Notably, the guidance states that due diligence applies not only to exporters of finished network surveillance products, but also to those exporting components that can be used in such systems, particularly if they are “specially designed” for covert surveillance of. “Specially designed” means that covert surveillance was the primary purpose for which the product was developed, even if it has other potential uses. Covert surveillance occurs when an individual cannot reasonably expect to be monitored.
New due diligence requirements for exporters:
Exporters are now required to conduct a detailed risk assessment before exporting any technology. This involves thorough screening of all end users and consignees to ensure they are not inadvertently contributing to internal repression. Specifically, exporters are required to conduct a thorough transaction due diligence assessment to determine whether items can be classified as cyber surveillance technology based on the capabilities and intended uses of the end users and consignees involved in each transaction.
Based on these assessments, exporters should take proactive steps to prevent potential adverse impacts. Specifically, the guidance now requires exporters to notify authorities if they become aware that their products may be used to repress or violate rights. The guidance makes clear that “knowledge” requires the exporter to have clear understanding of the intended abuse. The mere possibility of such a risk is not enough to create awareness.
Bottom line: Be prepared for more discussion
In response to feedback on the first draft of the guidance published in March 2023, stakeholders, including businesses, requested specific examples of network surveillance projects that may require an export license under Article 5, as well as relevant case studies. Unfortunately, these were not included in the final version of the guide.
While the EU does not intend (and cannot) create an exhaustive list of products that may be controlled as “off-list items”, it is possible that future updates to the guidance will include real or fictional case studies to provide greater clarity. guide. These efforts could be carried out by the European Commission, the European Parliament, Member States and NGOs in partnership, possibly through scenario-based discussions. These will provide much-needed practical tools to help exporters better understand how to apply comprehensive controls to network monitoring programs.
At the same time, exporters must ensure that sufficient information is collected about customers and exporting countries, especially when dealing with technologies that may be classified as cyber surveillance items.
Leave a Reply Cancel reply
You must be logged in to post a comment.