Today I submitted my amendments to the Commission proposal to update the export control system on dual-use items. For more than six years, I have been pushing for a fundamental reform of this system, to take account of the human rights and security risks of the proliferation of cyber-surveillance technologies. Too often, we have seen such technologies exported from the European Union to be used by repressive regimes to spy on and hack their own citizens, journalists or human rights defenders. Recently we also learned that these technologies can also be used to create cyber weapons to attack the digital infrastructure of EU Member States.
In my amendments to the Commission’s proposal, I have focused on a number of issues:
Differentiation between dual-use items and cyber-surveillance technologies
The Commission proposed to treat cyber-surveillance technologies as a category of dual-use items. The problem with this approach is that there is a distinction between the more ‘classic’ dual-use items, such as machine tools, and cyber-surveillance technologies in that their potential uses are very different and their potential impact on human rights as well. In order to create more legal certainty and to provide more clarity for both companies and export control authorities, it is easier to speak about dual-use items and cyber surveillance technologies. In this way, we acknowledge the difference and can identify specific criteria for human rights that are relevant for cyber-surveillance technologies, but not necessarily for other items. This new approach is comparable to what was done in the regulation to control the export of items that could be used for torture or the death penalty. Items like spiked clubs and electric chairs were taken up in the same regulation as medical products that could be used for the death penalty. Different types of product can be taken up in the same regulation, but we need to make sure it is clear they may require different treatments.
Remove encryption from the control lists
In the 21st century it does not make sense anymore to control the export of encryption products. Encryption is an essential element of our digital economies, and it is a necessary tool to protect our communications. Instead of introducing a new General Export Authorisation, which is a welcome step to facilitate trade and ensure a level playing field with other countries, I deleted these products altogether from the control-list. This would immensely reduce red tape for European tech companies, and it would facilitate the implementation of the General Data Protection regulation. If the GDPR encourages companies outside the EU to encrypt personal data, it would make no sense to create hurdles for the export of encryption technologies.
Avoid unintended consequences for security researchers
The goal of introducing controls on new cyber-surveillance tools should never have an impact on the work of security researchers. After I asked for suggestions on how to improve the current regime, and after organizing and hosting a hearing in the Parliament on the same topic, I changed key-definitions on what cyber-surveillance technologies are for the purposes of this regulation. I also changed the definition of intrusion software in the Annex, and I created a new exception for network and security research for the purposes of authorised testing or the protection of information security systems in the Annex.
Targeting and clarifying the ‘catch-all’ control
In specific cases, authorities need to be able to stop the export of items that are not on the control lists. This is already the case in the current regulation, and in multiple other export control regimes. The update from the Commission introduces the possibility to also stop an export if there is a chance the products would be used to commit serious human rights violations. This is a good proposal, but it needs to be clear what the criteria are for controlling non-listed items, to ensure legal certainty for exporters. For arms exports, European authorities already control on the basis of human rights criteria since 2008. In this context, there is already guidance on how serious human rights violations should be qualified. It should be clear which international institutions are qualified to assess whether serious human rights violations have occurred.
Specific human rights checks for cyber-surveillance technologies
Export control authorities currently control dual-use items on the basis of human rights criteria. However, with the addition of cyber-surveillance technologies to the controlled items, it makes sense to add a specific control criterion for these kinds of technologies, since their use can result in a direct interference with a number of specific human rights, including the right to privacy, the right to data protection, freedom of expression and the freedom of assembly and association. . Therefore, a ninth control criterion referring to cyber-surveillance technologies, the specific human rights they may violate and the security risk they pose will provide more clarity for authorities and companies.
Clear parameters for EU unilateral controls
The Commission has proposed that the EU should control certain cyber-surveillance items, which are currently not on the list which is agreed with other countries at the so-called Wassenaar Arrangement. The introduction of a unilateral list is a good idea. These are dangerous technologies and the EU must set a standard, also if others do not take the same steps. Given the sensitivity and technological capabilities of some of these products, it is in our own interest to make sure they do not end up in the wrong hands. However, it should be clear that the unilateral list should be limited to the most sensitive products, in order to remain as closely aligned as possible to the internationally agreed list. Therefore it should not go beyond cyber-surveillance technologies and must not contain any duplications with the other control lists, since this would create confusion and uncertainty over which product is controlled where.
Clear information on end-users and end-use
When applying for licenses, companies are required to state who the end-user and what the end-use of a product will be. It is essential that this information is as detailed as possible. In the past, we have seen sensitive products being exported to ‘the ministry of internal affairs’, where it was not clear which sub-entity would actually be the end-user. In order to make a proper assessment, authorities need to know whether a product is going to be used by the police, by an intelligence service, or by an entity which does not have a legal basis in a country’s domestic law for example. Given the sensitivity of certain cyber-surveillance technologies, these products should always have an end-use statement, whereby the client explains how the product will be used.
Sharing all information
The actual control of exports is done by national export control authorities. To create a level-playing field and a coherent interpretation of the rules that will be laid down by this regulation, it is crucial that authorities and the Commission also share all the available information on what kind of products and licences have been granted or denied and whether specific operators have violated the rules. This can also ensure that if licences are denied in one member state, the product will not be exported through another member state.
Equal and coherent penalties
A level playing field also requires that Member States have the same kind of penalty systems. It cannot be the case that a company receives a small fine in one Member State if it violates the rules, while there might be hefty prison sentences in another. While it is clear that criminal law is a Member State competence, I have proposed that the Commission assesses the penalty systems so that there is an overview and the Member States can work together towards bringing their systems into line.
Transparency and scrutiny
Some Member States already publish a lot of information on exports which fall under this regulation, while other Member States publish nothing. In the interest of transparency and public scrutiny, Member States should publish as much information as possible, without harming companies legitimate business interests and without revealing trade secrets. When it comes to arms exports, it is already common practice for Member States (and other countries) to publish detailed reports of the types and amount of weapons exported. It should not be difficult to do the same for products which in essence are less sensitive.
My amendments can be found here
I look forward to continuing this discussion on this crucial topic. In the European Parliament, we will now enter into discussions with other groups, in order to vote on our position first in July in the Trade Committee and then in September in the Plenary. After that, we will enter into negotiations with the Council and Commission to reach a final agreement.