EU companies are about to get hit with a controversial new export control law hampered by a wave of criticism this summer from technology firms, which contend that it will destroy their business abroad.
The European Commission proposed changes today (28 September) to a seven-year-old law requiring special export controls for so-called dual-use items that can be used for military or civil use. Under the new rules, surveillance technologies will fall under an EU export control law for the first time.
But the bill may be tripped up once it moves into negotiations with national governments and the European Parliament. A group of diplomats from nine EU countries – Austria, Finland, France, Germany, Poland, Slovenia, Spain, Sweden and the UK – sent the Commission a memo objecting to the new law’s restrictions on technology products that could cut into companies’ business outside the EU.
Some people will be happy about the new proposal. The bill is likely to be a hit with the European Parliament and NGOs that have argued that technology products made by European companies have been used to damage human rights. During the Arab Spring, some governments were caught using software that they bought from European firms to spy on protestors.
EurActiv.com leaked an early draft of the export control proposal in July that included a list of nine types of technology that would be subject to special approval processes.
But in the final proposal published today, that list was cut in half. Under the new rules, mobile telecommunication interception equipment, intrusion software, monitoring centers, data retention systems and digital forensics will all need approval from national export authorities.
The bill includes a clause saying companies need special licenses if they export dual-use products to a place where they can be used to damage human rights.
A broad range of companies lined up to protest the new export controls this summer. Their concerns might have been heard. In the final proposal published today, the list of technologies that need special licenses only includes half of the types that were listed in the earlier version.
Controls on biometrics, location tracking devices, probes and deep package inspection systems were dropped from the earlier list. Some tech industry lobbyists previously told EurActiv that they complained to the Commission that those categories were too broad: location tracking devices could include GPS systems or even a standard smartphone, they argued.
John Higgins, director general of DigitalEurope, a tech industry association that represents big firms including Google and Microsoft, said the bill would make it harder for European companies to compete.
“Not just the ICT sector but also all those companies that use ICT products and services in their efforts to digitally transform their operations,” Higgins commented.
Privacy advocates also had concerns with the bill, arguing that the restriction on exports of forensic tools could backfire and weaken cybersecurity technology if researchers in Europe communicate less with researchers outside the EU after security flaws in software.
“While the Commission had made positive efforts to further facilitate the export of encryption items, we can do more. It is time to ask ourselves whether products that contain cryptography still have a legitimate place on the export control list. For me, the answer is a resounding no,” said Dutch ALDE MEP Marietje Schaake (Democrats 66), who has pushed for export controls on surveillance technology.
One European Commission official admitted that discussions over the summer within DG Trade, the executive’s trade policy unit, led to those technologies being scratched out of the final version.
Since big companies and a group of EU countries signaled that they’re unhappy with the bill, several EU Commissioners, led by Günther Oettinger, the EU’s digital policy chief, even started speaking up to force changes into the proposal.
Commission President Jean-Claude Juncker delayed the proposal last week, which was originally scheduled to be approved during the previous meeting of commissioners on 21 September. But the bill was set to be approved though a written procedure, without a debate among commissioners, and was moved to today so that commissioners could talk through the contentious proposal.
The new bill will require national export control authorities to report to the executive how long it takes them to grant licenses. That information will then be shared between EU countries, which the Commission hopes will pressure authorities to approve licenses more quickly. Companies have complained that some member states take several months to approve a single license, while others approve very leniently.
NGO Privacy International has called for the executive to include a transparency clause in the new proposal that would force national authorities to disclose what companies and products they grant export licenses. That measure could help to rein in countries that previously allowed surveillance technologies to be exported to countries that abused human rights.
But the new export control measures won’t require countries to share that information with the European Commission or with each other.
“At the end of the day, it is a sensitive area. We’re not there yet where for these sensitive items we are going to put everything on the internet or force member states to do it,” one Commission official said.