Recast dual-use regulation - EU introduces new export controls on spyware

Amidst a general sense of unrest characteristic of the last two years, EU legislators have made praiseworthy progress towards an up-to-date harmonised regulation of information technology. In February 2021 they issued the long-awaited proposal for an e-Privacy regulation followed two months later by the draft AI regulation. On 9 September, Recast Dual-Use Regulation came into force. Unlike the draft AI regulation, the dual-use recast regulation is not a revolutionary moment in value signalling, nor does it compare to the e-Privacy regulation in the breadth of its impact on the EU ICT ecosystem. However, when it comes to international cybersecurity, it is likely to hit closest to the core.

Tailored to accommodate new technologies

The need for tightening export controls over cyber surveillance systems has been debated at the EU level for almost a decade and in the light of the recent Pegasus controversies, its practical relevance is beyond doubt. Formally, the Recast adheres to the traditional civil-military dichotomy enshrined in international dual-use export controls. The definition of dual-use items in Regulation (EC) No 428/2009 is only very marginally amended to explicitly include ‘chemical and biological weapons’. Dual-use items encompass

items, including software and technology, which can be used for both civil and military purposes, and includes items which can be used for the design, development, production or use of nuclear, chemical or biological weapons or their means of delivery, including all items which can be used for both non-explosive uses and assisting in any way in the manufacture of nuclear weapons or other nuclear explosive devices.

As a separate category, ‘cyber-surveillance items’ are defined as dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems. To adapt to the cyber exploits market, the Recast has expanded definitions of ‘broker’ and ‘exporter’. The former term has been revised to include natural and legal persons and partnerships not resident or established in a Member State if they provide brokering services from the customs territory of the EU. Under the EU Dual-Use Regulation, the definition was limited to natural and legal persons and partnerships resident or established in a Member State. Exporter covers anyone who has the power to determine the sending of the items out of the customs territory of the Union. Controlled items can exit the Union through the transmission of software or technology by electronic media, including by fax, telephone or electronic mail, and that which can be made available on online file-sharing platforms. Any natural person carrying dual-use items in personal baggage will also fall under the notion.

The recast aims for a technology-neutral approach and includes a catch-all for non-listed cyber-surveillance tools in cases where:

the exporter has been informed by the competent authority that the items in question are or may be intended, in their entirety or in part, for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law.

This catch-all marks a shift away from the traditional dichotomies of civil and military or peace and conflict. On a similar line, the preamble emphasised that the recast was among other factors inspired by the need to ensure respect for international human rights law. Therefore, the recast seems to be better suited for the perpetual peacetime disturbances characteristic of modern cyber conflicts rather than a strictly military rationale.

More than just mitigating military risks

Cyber-surveillance technologies are anything but easily embeddable into the dichotomy of civil and military. They change shape as needed and their various modules are designed to operate both during peacetime and in conflict situations. It has been pointed out that by unambiguously making human rights law one of its founding pillars, the Recast runs contrary to the international treaties regulating arms and dual-use exports. The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, for instance, aims to ensure that dual-use goods and technologies do not contribute to the development of ‘military capabilities’ which undermine regional and international security and stability. Only a few high-risk cyber surveillance technologies can be proven to bear an immediate exclusive connection to the development of military capabilities, but many can pose human rights and security implications. By adopting a stricter regulation of cyber-surveillance technologies, EU Member States might put themselves at a competitive disadvantage. However, as the EU Member States make up the majority of signatories to the Wassenaar Arrangement, setting high standards at Union level is claimed to potentially have positive knock-on effects on global standards.

The majority of the references to the rights most likely to be affected by cyber surveillance – those connected to data protection and privacy – have been deleted from the Recast text. These considerations were, however, clearly voiced in the original proposal published in 2016.  It might become possible to interpret the Recast as it currently stands as seeing in cyber surveillance an enabler for other, arguably graver, human rights or international humanitarian law infringements. The current wording strikes the reader as an eloquently crafted compromise between openly setting up a pan-EU dual-use exports regime based not only on the potential military risks, but also human rights concerns and abiding by the deep-rooted military raison d´etre. While the 2016 proposal included a separate EU autonomous list of controlled items on cyber-surveillance technology, the Recast regulation lays out a framework for controls over ‘non-listed’ cyber-surveillance technologies. Therefore, the awareness of the exporter of the specific technology’s potential misuse is key. Human rights risk assessments rely heavily on not only mere technical data, but also the ability to forecast worst-case function creep, where states have a clear advantage over manufacturers, exporters or brokers. Timely provision of relevant information to the exporters and ultimately the decision on whether or not to impose export controls on a particular cyber-surveillance technology rests with national authorities. Exporters and national authorities are supposed to share the obligation of human rights due diligence – an obligation that has been criticised by representatives of the industry who have also referred to the better options for human rights situational awareness available to governmental actors.

Balancing harmonisation, international ambitions and member state autonomy

The Recast can indeed iron out some of the inconsistencies of member state frameworks and also mark the beginning of a journey towards a better regulated cyber-arms market. In all their fairness and necessity, these aims do come down to the establishment of a functioning information-sharing environment among manufacturers, exporters and brokers, national and EU authorities. Once controls are imposed on an item by a national authority, the Member State will notify the European Commission and other member states and information will be mediated through specific ‘EU Watch Lists’. This will launch a review procedure as a result of which all ‘essentially identical transactions’ could be subject to authorisation requirements. Thus, if one member state reports that it is to apply controls on particular cyber surveillance technology, and if all other member states confirm their willingness to act likewise within 30 working days, the details are published in the EU list. The DUeS (Dual-use e-System) will be adapted to allow member states to exchange notifications related to the creation of national control list items, list items updates and licence denials. Achieving a degree of uniformity as to which cyber-surveillance technologies should be controlled is therefore likely to become a long and complicated procedure not entirely at pace with technological developments.

A common language in talking about cyber surveillance

A common understanding of the risks acquires particularly high importance in relation to the new catch-all clause for non-listed cyber-surveillance items. The recast establishes an ‘enforcement coordination mechanism’ to enable information sharing between enforcement agencies and licensing authorities (Section III). Article 5 requires the Commission and the Council to develop guidelines for exporters on catch-all controls and reporting requirements. Regular technical expert consultations and an information-sharing framework specifically targeting the industry while also providing clarification and legal advice related to the human rights and humanitarian law concerns in question would be a worthwhile addition. The biggest obstacles in implementing the recast are likely to stem from the fundamentally different levels of technological awareness, economic dependence on the ICT sector, approaches to the privacy-security trade-off and overall readiness to combine and mediate technical, legal and political information. The Commission should therefore prioritise giving voice to technical experts and create an environment for swift information exchange. The discussions held by the Dual-use Working Party would benefit from including the knowledge contained within EU agencies such as ENISA, FRA and the Joint Research Centre. While hoping to get all 27 Member States to share a common export controls policy might subside into utopianism, a common conceptual understanding is critical to any progress towards a sound regulation of cyber surveillance, be it for the sake of military fairness or human rights.

Author: Ann Väljataga, NATO CCDCOE Law Branch

This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.