The European Commission on October 16 released a Recommendation on guidelines to help exporters comply with Article 5 of Regulation 2021/821 setting up a Union regime for the control of exports, brokering, technical assistance, transit and transfer of dual-use items (the “Dual-Use Regulation”).
The guidelines aim to support exporters in their assessments of whether non-listed cyber-surveillance item are subject to export controls. The guidelines further include details on the due diligence exporters are expected to conduct to assess the risks related to the export of non-listed items and the need to notify the competent authorities.
The Dual-Use Regulation aimed to modernize the Union export control regime to keep pace with technological advancement and international developments. Among the significant changes it introduced is the addition of a new controlled category: cyber-surveillance items. Some of those new cyber-surveillance items are listed in Annex I to the Dual-Use Regulation, making them subject to export authorization requirements.
In view of the rapid pace of technological change in the field of cyber-surveillance, the Union also introduced a “catch-all” clause under Article 5. This provision allows Member States to control the export of non-listed cyber-surveillance items, ensuring that emerging technologies which may pose security or human rights risks are controlled.
With Article 5, the EU leaves it up to Member States to detect and control the export of non-listed cyber-surveillance items and places also part of the burden on exporters which are required to conduct thorough due diligence, assess the end-use of their item and notify the competent authorities if they are aware that their cyber-surveillance item might be misused for illegal or harmful purposes.
In essence, under Article 5, an exporter must notify the competent authorities when the exporter is aware that the non-listed cyber-surveillance item to be exported is intended, in its entirety or in part, for use in connection to internal repression and/or the commission of serious violations of human rights and international humanitarian law (non-legitimate use).
Definition and Technical Scope
In the Dual-Use Regulation, cyber-surveillance items are defined as: “dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems”.
Some cyber-surveillance items are listed in Annex I to the Dual-Use Regulation. For those items, exporters must request an export authorization, regardless of the legitimate nature of the use of these items.
Thus, the guidelines mainly cover the due diligence expected from exporters when dealing with non-listed cyber-surveillance items. In particular, the guidelines identify potential non-listed cyber-surveillance products which warrant particular vigilance, such as facial and emotions recognition technology, location tracking devices, and video-surveillance systems.
The guidelines provide further information to help exporters assess whether their cyber-surveillance item is one that could be problematic in view of the Dual-Use Regulation. For example, the guidelines define the term “specifically designed”, “covert surveillance”, “monitoring, extracting, collecting, or analysing data” and “from information and telecommunication systems”.
End-use of the Cyber-Surveillance Items
To determine whether the export of their cyber-surveillance items needs to be notified to the competent authorities, exporters must also assess the intended end-use for such cyber-surveillance item.
To help the exporters in their assessments, the guidelines refer explicitly to the Council Common Position 2008/944/CFSP and the User’s Guide to this Common Position, which provide the elements an exporter should take into consideration when assessing whether the exported items might be used for internal repression (e.g., torture or other cruel, inhuman and degrading treatment or punishment, summary or arbitrary executions, disappearances, arbitrary detentions or other major violations of human rights and fundamental freedoms).
When it comes to human rights violations associated with cyber-surveillance products, different aspects must be included in the exporters’ assessment, such as unlawful or arbitrary surveillance, violation of the freedom of expression, association, and assembly, or violation of fundamental freedoms. All assessments must be done on a case-by-case basis and violations under Article 5 must be “serious”. The User’s Guide includes details on categorization, as well as a non-exhaustive list of the main relevant human rights instruments (e.g., European Convention on Human Rights, Inter-American Convention on Human Rights, International Covenant on Civil and Political Rights, International Covenant on Economic, Social and Cultural Rights, Convention on the Rights of the Child, Rome Statute of the International Criminal Court, African Charter on Human and People’s Rights, Arab Charter on Human Rights).
The same ‘seriousness’ criterion applies to the violation of humanitarian law or law of armed conflict which can be found in various international treaties, the Hague Regulations, Geneva Conventions and Additional Protocols. The new guidelines also refer to the International Committee of the Red Cross (ICRC) which contains guidance for the assessment of such violation for export control purposes.
Exporter Awareness and Due Diligence
Finally, the awareness criterion requires positive knowledge of the exporter of the intended non-legitimate use. A mere possibility of such a risk is not sufficient to establish awareness. Nevertheless, the exporter may not hide behind passivity. The exporter is required to obtain sufficient and adequate knowledge of the risks associated with the export and ensure compliance with the Dual-Use Regulation.
Similarly, the intention for the use of the product must be assessed factually, on a case-by-case basis. A theoretical risk would not be sufficient to be constitute ‘intention’ of misuse.
Thus, when carrying out transaction screenings as part of their due diligence, the new guidelines encourage exporters the take the following due diligence steps:
- Review whether the non-listed item to be exported might be a “cyber-surveillance item” as per the definition detailed above;
- Review the capabilities of the item in question to determine potential for misuse in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law by foreign end-users;
- Review stakeholders involved in the transaction (including end-users and consignees such as distributors and resellers), in support of the competent authorities; and
- Use the due diligence findings to draw up plans to prevent and mitigate potential future adverse impacts.
* * *
Please do not hesitate to get in touch with Cassidy Levy Kent’s international trade team in Brussels, or your usual contact in any of Cassidy Levy Kent’s offices, with any questions.