As we enter 2018, Brexit and the final push for timely GDPR implementation will undoubtedly continue to be top agenda items for companies with interests in the EU. But the EU is already set to offer new challenges to keep us engaged throughout the year. Technology companies in particular should take note of proposed developments in EU export controls, set to proceed to a vote in the European Parliament plenary session in early 2018.

The EU dual-use recast, approved on November 23, 2017, by an overwhelming 34-1 vote of the European Parliament International Trade Committee, calls for updates to the 2009 Regulation (EC) No 428/2009 – the Dual-use Regulation. The regulation established a general framework for export controls on “dual-use items,” which are broadly defined as “items which can be used for both civil and military purposes,” and listed on a regularly updated annex which includes an array of items from uranium to certain types of sealants.

Though the dual-use items list is quite comprehensive, the regulation leaves administrative, substantive, and operational decisions largely to the member states, resulting in a lack of harmonization across the EU. The recast will address some harmonization issues, but will also bring additional items into the classification of dual-use items, including tools that can be used for cyber-surveillance. Companies wishing to sell covered cyber-surveillance items will be required to seek approval from national export control authorities before the items can be exported from an EU country to a non-EU country. Affected cyber-surveillance tools include items that “intercept mobile phones, remotely hack into computers, circumvent passwords, or identify internet users.”

Though the dual-use items list is quite comprehensive, the regulation leaves administrative, substantive, and operational decisions largely to the member states, resulting in a lack of harmonization across the EU.

In keeping with the EU’s Trade for All strategy, the driving force behind the recast is the EU’s commitment to fair and ethical trade and human rights. More specifically, the recast stems from a 2011 EU review of export controls on dual-use items, following human rights abuses that occurred during the Arab Spring. High profile abuses using cyber-surveillance items include the attack against Ahmed Mansoor, an activist calling for reform in the United Arab Emirates, using Israeli-sourced “Pegasus” spyware, and BAE's sale through a Danish affiliate of “mass surveillance technology to six Middle Eastern governments that have been criticised for repressing their citizens.”

The BAE sale highlights the importance of harmonization. As reported by The Guardian’s Rob Evans, “if the UK had been asked to approve the export of this technology, it would have refused on the grounds that it could damage the security of the UK and its allies. ... However, the Danish government approved the export, partly because its own intelligence service and foreign affairs advisers had not objected.” 

Though the intent behind the proposed restrictions may be noble, a 2011 European Commission Green Paper acknowledges a key weakness in the strategy: Bad actors can find cyber-surveillance tools whether or not EU companies can export them. As the European Commission noted, “[t]he issue of foreign availability of controlled items is a key element of export control considerations as it significantly influences decisions on whether or not to control certain items. If there is broad foreign availability of particular goods, the reasons behind their control are greatly diminished, as the respective export control decisions can potentially negatively influence business performance, while not achieving any security goals.”

The recast is not limited to increasing restrictions on trade. In fact, German MEP Klaus Buchner introduced an amendment that would relax restrictions on technology products that use encryption. In Buchner’s view,  “Cryptography technology does not belong in the scope of dual use export controls. It is the task of the Commission to introduce coordinated activity of Member States in the framework of the Wassenaar Arrangement to eliminate cryptography technology from the list of controlled items.”

Profit-seeking businesses are not the only parties interested in lifting trade restrictions on cryptography technology. Rights organizations, including Privacy International, have long argued that restrictions on encryption hinder cooperation and transparency in research and lead to vulnerabilities as companies reduce security features to avoid export restrictions. 

The call to remove cryptography technology from the scope of dual-use export controls is an encouraging development for technology companies and rights organizations alike, but one that will require patience. 

The call to remove cryptography technology from the scope of dual-use export controls is an encouraging development for technology companies and rights organizations alike, but one that will require patience. Buchner’s own comment defers to the framework of the Wassenaar Arrangement, one of four international export control regimes addressing suppliers of dual-use goods, and the amendment itself does not direct the removal of cryptography technology from export controls, but rather directs the European Commission to propose legislation to remove such items within the next “five to seven years.”  

Nonetheless, the measure has strong support across the political spectrum and is unlikely to be weakened as the MEPs proceed to negotiate agreement with the Commission and member state governments in the coming months.