The 2009 EU Dual-use Regulation (Council Regulation 428/2009) creates a common legal basis for European Union (EU) member states’ controls on the trade in ‘dual-use items’ (i.e. goods, materials and technologies that may be used for both civilian and military purposes) and is a crucial component of global non-proliferation efforts. In 2011 the European Commission launched a review of the regulation and in September 2016 published a proposal for a new version of its text. The European Commission, the European Parliament and EU member states—via the Council of the EU—have an equal say in the outcome of the review process. In January 2018 the European Parliament published a set of 98 amendments that largely endorsed or expanded upon the European Commission’s proposal. In June 2019 the Council of the EU published a negotiating mandate that rejected many of the European Commission’s proposals and kept large sections of the existing text intact.
In mid-October 2019 the European Commission, the European Parliament and the Council will engage in a ‘trilogue’ before a new version of the EU Dual-use Regulation is adopted. This backgrounder is aimed at informing the trilogue process by providing a better understanding of the positions of the three parties on a selection of key issues: (a) controls on cyber-surveillance technology; (b) language on human rights and international humanitarian law (IHL); (c) harmonized interpretation of key concepts; and (d) improved information sharing. Each section concludes with ideas for how divisions between the three parties might be bridged.
Controls on cyber-surveillance technology
During and after the 2011 Arab Spring, a series of reports highlighted cases where companies based inside and outside the EU supplied cyber-surveillance technology to states in the Middle East and North Africa that used them in connection with alleged human rights violations. In the years since, controls on certain technologies—particularly mobile telecommunications interception equipment, intrusion software, and internet protocol (IP) network surveillance—were added to the control list of the Wassenaar Arrangement. They were subsequently added to the regulation’s own dual-use list, which is based on the Wassenaar control list and those of the other multilateral export control regimes.
European Commission
The European Commission’s proposal would expand on these measures by defining dual-use items as including cyber-surveillance technology and providing a definition of cyber-surveillance technology that would include items not covered by the Wassenaar controls such as monitoring centres, lawful interception systems, data retention systems and digital forensics. It would also create an ‘autonomous’ EU control list for cyber-surveillance technologies that are not covered by the Wassenaar controls. Initially, the list would cover monitoring centres and data retention systems—which were made subject to export controls in Germany in 2015—but the European Commission and EU member states would be able to add more items in the future.
European Parliament
The European Parliament’s amendments keep cyber-surveillance technology in the definition of dual-use items but alter the scope of the term, mainly to try to avoid affecting legitimate work in the field of cyber-security. They also endorse the adoption of an autonomous EU list for cyber-surveillance technologies but give the European Commission greater leeway to add or remove items.
Council of the EU
The Council’s mandate removes the reference to cyber-surveillance technology in the definition of dual-use items but acknowledges the need to control exports of these items. The mandate also takes out all references to an autonomous EU control list. During their negotiations, EU member states appear to have been divided over this issue. In January 2018 a group of 11 EU member states issued a working paper that gave qualified support for the proposal but in May 2018 a group of 9 EU member states issued a second working paper that rejected it.
Trilogue
The European Commission, the European Parliament and the Council agree that certain types of cyber-surveillance technology should be covered by the regulation. However, they differ on how to define that term and whether the coverage of controls should be limited to items adopted by the Wassenaar Arrangement. Behind these positions are divisions about whether, and to what extent, the regulation should set standards that are higher than those outside the EU or whether the regulation should simply focus on codifying measures agreed multilaterally. One way to bridge these differences would be for EU member states to convince the other members of the Wassenaar Arrangement to expand its controls on cyber-surveillance technology. Another would be to look beyond the regulation and at other steps that the EU could take to improve the regulation of the trade in and use of cyber-surveillance technology. These could include expanding the use of EU sanctions, which have already been used to restrict transfers of a wide range of surveillance technology to Iran, Myanmar, Syria and Venezuela. Other steps could include adapting the coverage of the EU Torture Regulation and developing systems of industry self-regulation such as those promoted by the Global Network Initiative.
Language on human rights and international humanitarian law
The regulation requires EU member states ‘to take into account’ the considerations covered by the recently updated EU Common Position on arms exports when deciding whether to grant an export licence. The Common Position contains eight criteria for assessing export licensing applications, which cover human rights and IHL issues. These are supported by an updated User’s Guide that accompanies the Common Position.
European Commission
The European Commission’s proposal removes the reference to the EU Common Position but adds language on human rights and IHL to the section on export licensing criteria and mandates the creation of accompanying guidance material. The European Commission’s proposal also introduces a new ‘catch-all control’ for exports of unlisted dual-use items where the exporter has been informed—or becomes aware—that the items may be used in violation of human rights or IHL or ‘in connection with acts of terrorism’. The regulation already includes catch-alls for unlisted items but these are confined to cases where they may contribute to a programme to develop weapons of mass destruction, have a ‘military end use’ in an embargoed state, or be used as parts and components in an illegally exported military item. The European Commission’s proposal also mentions an obligation for exporters to exercise ‘due diligence’ in order to help to determine whether exports will be used in ways outlined by the existing and proposed catch-alls.
European Parliament
The European Parliament’s amendments keep the human rights- and IHL-related criteria and guidance material largely intact. The new catch-all is retained but its focus is shifted. Although the amendments limit the catch-all’s scope to unlisted cyber-surveillance items and remove the reference to terrorism, they also expand the range of human rights concerns that would trigger its application. These would include ‘the right to privacy, the right to free speech and the freedom of assembly and association’. Potential violations of these rights would also need to be considered by states when deciding whether export licences for cyber-surveillance technology should be approved. The due-diligence clause is also amended, specifically through the addition of a definition of due diligence based on the language used in the Organisation for Economic Co-operation and Development’s guidelines for businesses on human rights.
Council of the EU
The Council’s mandate reinstates the reference to the EU Common Position and removes the language on criteria and guidance material. It also removes the references to a new catch-all on human rights and due diligence obligations for the exporter. Member states appear to agree that the proposed catch-all and due diligence requirements would risk creating legally binding obligations that would be hard for companies to interpret and for authorities to enforce, particularly if the requirements expand into areas of human rights law not previously covered by export controls.
Trilogue
Although in each case the proposed format is different, there is a shared willingness among the European Commission, the European Parliament and the Council to include human rights and IHL concerns in member states’ export licensing assessments. This should hopefully make an agreement on criteria language and guidance possible. Basing this compromise on retaining the connection to the EU Common Position and expanding its User’s Guide to include language on exports of dual-use items and cyber-surveillance technology would have several advantages. In particular, it would help to strengthen links between related EU instruments in the field of export controls. Differences over a new catch-all, due-diligence obligations and language on the right to privacy and on freedom of speech and association may be harder to bridge. The European Commission and the European Parliament are effectively seeking to incorporate soft law principles into the regulation. Member states appear to view this as being both at odds with the intended purpose of the regulation and beyond the scope of what can be achieved through its implementation.
Harmonized interpretation of key concepts
There is limited clarity in the multilateral regimes and at the EU level on how certain aspects of dual-use export controls should be applied. For example, there is a lack of agreement about if and how controls apply to transfers of technology. The current language in the regulation states that controls apply when technology is transferred to ‘a destination’ outside the EU, which has created confusion about if and how controls apply when the technology is stored and shared via cloud computing. There are also differences with regard to how requirements to control technology that is ‘directly associated with’ a controlled item should be interpreted and how the exemptions for ‘basic scientific research’ and information that is ‘in the public domain’ should be implemented. One of the uncertainties this has generated is if and how export controls should apply in the field of academic publishing.
European Commission
The European Commission’s proposal creates a mandate for the creation of guidance material by the European Commission and the Council to create a more harmonized interpretation of key terms and concepts. It also seeks to bring greater clarity to the application of controls on software and technology by stating that they should only apply when the technology is ‘made available’ to ‘legal and natural persons and partnerships’ outside the EU.
European Parliament
The European Parliament’s amendments leave the European Commission’s language largely intact.
Council of the EU
The Council’s mandate leaves much of the European Commission’s language on the drafting of guidance material intact but gives member states a more central role in the process, stating that they have responsibility for its ‘provision’. However, it leaves it to the European Commission and the Council to make additional guidance available wherever appropriate. The Council’s amendments also provide more detail about the possible focus of new guidance materials, specifying that they should focus on the exceptions for ‘basic scientific research’ and ‘public domain’. However, the mandate retains language stating that controls apply when technology is transferred to ‘a destination’ outside the EU.
Trilogue
The fact that the European Commission, the European Parliament and the Council recognize the need for more detailed guidance material is welcome. Cloud computing could be another area of focus since uncertainties and differences seem likely to persist with regard to how controls apply in this area. That said, it may prove challenging for the European Commission and member states to reach agreement on content for some of the areas of focus that are being discussed. National guidance materials have already been produced by EU member states on the exceptions for ‘basic scientific research’, including by Belgium and Germany. These indicate national differences about how to weigh and apply the sometimes competing goals of non-proliferation and freedom of academic research, which suggest that reaching an agreed EU position may prove difficult. It also remains to be seen whether the guidance material will have legal implications for exporters, authorities and the courts. Unlike the EU’s recently produced guidance for internal compliance programmes, guidelines on ‘basic scientific research’ and information ‘in the public domain’ would potentially have direct relevance for how parts of the EU dual-use list are interpreted.
Information sharing and transparency
Under the terms of the regulation, member states exchange information on denials of export licences and meet regularly to discuss the implementation of the regulation. However, information exchanges in other areas—particularly on steps taken to prosecute violations of export controls—are more limited. Moreover, in contrast to the EU Common Position on arms exports, the regulation does not create any requirements for public reporting on issued or denied export licences.
European Commission
The European Commission’s proposal aims to significantly increase the amount of information member states share with each other about the implementation of the regulation and national enforcement efforts. In particular, states would be required to exchange ‘reports of violations, seizures and the application of other penalties’ via a ‘secure and encrypted system’. The proposal also mandates the creation of an ‘Enforcement Coordination Mechanism’ in order to establish ‘direct cooperation and exchange of information between competent authorities and enforcement agencies’.
European Parliament
The European Parliament’s amendments largely adopt and expand upon the European Commission’s proposal. They also add ambitious requirements on public reporting that would oblige member states to release quarterly information to the public with details of every export licence that has been granted or denied.
Council of the EU
The Council’s mandate keeps the proposed requirements on information sharing and enforcement coordination largely intact. The potential for expanded public reporting was mentioned in both the January 2018 and May 2018 working papers but appears to have failed to gain consensus among member states since it is not referenced anywhere in the Council’s mandate.
Trilogue
The European Commission, the European Parliament and the Council agree on the need to improve information sharing and coordination of enforcement efforts. The language could be strengthened further during the trilogue process by creating links between the information sharing and coordination mechanisms established under the regulation and those established or proposed by other EU mechanisms. For example, information could be shared with bodies such as the Customs Cooperation Working Party or under mechanisms established by the EU small arms and light weapons strategy or the EU sanctions regime. These mechanisms also create avenues for sharing information on violations of export controls and other information that could inform export licensing decision making but are under-utilized and largely separate from each other. In addition, more could be done in the field of public reporting. If it is judged that the European Parliament’s proposal would generate an undue level of regulatory burden, then member states could instead focus on the publication of decisions to issue or deny licences for exports of cyber-surveillance technology. This could have a significant impact on improving understanding of the way controls on these items operate while also strengthening and harmonizing national standards.
Looking ahead to the trilogue process
The current review and trilogue provide an opportunity to improve the structure and content of the regulation that is unlikely to be repeated for several years. However, the differences between the positions adopted by the European Commission, the European Parliament and the Council are significant and indicate that reaching an agreement will be difficult. Indeed, they point to divergent views about the overall purpose of the regulation and the extent to which the EU can and should go beyond the norms established multilaterally when determining its content and focus. At the same time, the process has also revealed certain common objectives, particularly with regard to the development of clearer guidance materials to try to standardize national controls and the exchange of more detailed information on enforcement measures. Focusing on these areas—and exploring where other EU policy instruments can be applied on some of the broader issues that the review process is seeking to address—offers the best way forward to achieving a successful conclusion to the trilogue process.
ABOUT THE AUTHOR(S)
Dr Mark Bromley is a Senior Researcher with the SIPRI Dual-Use and Arms Trade Control Programme.
Paul Gerharz was an intern in SIPRI’s Dual-Use and Arms Trade Control Programme.
The 2009 EU Dual-use Regulation (Council Regulation 428/2009) creates a common legal basis for European Union (EU) member states’ controls on the trade in ‘dual-use items’ (i.e. goods, materials and technologies that may be used for both civilian and military purposes) and is a crucial component of global non-proliferation efforts. In 2011 the European Commission launched a review of the regulation and in September 2016 published a proposal for a new version of its text. The European Commission, the European Parliament and EU member states—via the Council of the EU—have an equal say in the outcome of the review process. In January 2018 the European Parliament published a set of 98 amendments that largely endorsed or expanded upon the European Commission’s proposal. In June 2019 the Council of the EU published a negotiating mandate that rejected many of the European Commission’s proposals and kept large sections of the existing text intact.
In mid-October 2019 the European Commission, the European Parliament and the Council will engage in a ‘trilogue’ before a new version of the EU Dual-use Regulation is adopted. This backgrounder is aimed at informing the trilogue process by providing a better understanding of the positions of the three parties on a selection of key issues: (a) controls on cyber-surveillance technology; (b) language on human rights and international humanitarian law (IHL); (c) harmonized interpretation of key concepts; and (d) improved information sharing. Each section concludes with ideas for how divisions between the three parties might be bridged.
Controls on cyber-surveillance technology
During and after the 2011 Arab Spring, a series of reports highlighted cases where companies based inside and outside the EU supplied cyber-surveillance technology to states in the Middle East and North Africa that used them in connection with alleged human rights violations. In the years since, controls on certain technologies—particularly mobile telecommunications interception equipment, intrusion software, and internet protocol (IP) network surveillance—were added to the control list of the Wassenaar Arrangement. They were subsequently added to the regulation’s own dual-use list, which is based on the Wassenaar control list and those of the other multilateral export control regimes.
European Commission
The European Commission’s proposal would expand on these measures by defining dual-use items as including cyber-surveillance technology and providing a definition of cyber-surveillance technology that would include items not covered by the Wassenaar controls such as monitoring centres, lawful interception systems, data retention systems and digital forensics. It would also create an ‘autonomous’ EU control list for cyber-surveillance technologies that are not covered by the Wassenaar controls. Initially, the list would cover monitoring centres and data retention systems—which were made subject to export controls in Germany in 2015—but the European Commission and EU member states would be able to add more items in the future.
European Parliament
The European Parliament’s amendments keep cyber-surveillance technology in the definition of dual-use items but alter the scope of the term, mainly to try to avoid affecting legitimate work in the field of cyber-security. They also endorse the adoption of an autonomous EU list for cyber-surveillance technologies but give the European Commission greater leeway to add or remove items.
Council of the EU
The Council’s mandate removes the reference to cyber-surveillance technology in the definition of dual-use items but acknowledges the need to control exports of these items. The mandate also takes out all references to an autonomous EU control list. During their negotiations, EU member states appear to have been divided over this issue. In January 2018 a group of 11 EU member states issued a working paper that gave qualified support for the proposal but in May 2018 a group of 9 EU member states issued a second working paper that rejected it.
Trilogue
The European Commission, the European Parliament and the Council agree that certain types of cyber-surveillance technology should be covered by the regulation. However, they differ on how to define that term and whether the coverage of controls should be limited to items adopted by the Wassenaar Arrangement. Behind these positions are divisions about whether, and to what extent, the regulation should set standards that are higher than those outside the EU or whether the regulation should simply focus on codifying measures agreed multilaterally. One way to bridge these differences would be for EU member states to convince the other members of the Wassenaar Arrangement to expand its controls on cyber-surveillance technology. Another would be to look beyond the regulation and at other steps that the EU could take to improve the regulation of the trade in and use of cyber-surveillance technology. These could include expanding the use of EU sanctions, which have already been used to restrict transfers of a wide range of surveillance technology to Iran, Myanmar, Syria and Venezuela. Other steps could include adapting the coverage of the EU Torture Regulation and developing systems of industry self-regulation such as those promoted by the Global Network Initiative.
Language on human rights and international humanitarian law
The regulation requires EU member states ‘to take into account’ the considerations covered by the recently updated EU Common Position on arms exports when deciding whether to grant an export licence. The Common Position contains eight criteria for assessing export licensing applications, which cover human rights and IHL issues. These are supported by an updated User’s Guide that accompanies the Common Position.
European Commission
The European Commission’s proposal removes the reference to the EU Common Position but adds language on human rights and IHL to the section on export licensing criteria and mandates the creation of accompanying guidance material. The European Commission’s proposal also introduces a new ‘catch-all control’ for exports of unlisted dual-use items where the exporter has been informed—or becomes aware—that the items may be used in violation of human rights or IHL or ‘in connection with acts of terrorism’. The regulation already includes catch-alls for unlisted items but these are confined to cases where they may contribute to a programme to develop weapons of mass destruction, have a ‘military end use’ in an embargoed state, or be used as parts and components in an illegally exported military item. The European Commission’s proposal also mentions an obligation for exporters to exercise ‘due diligence’ in order to help to determine whether exports will be used in ways outlined by the existing and proposed catch-alls.
European Parliament
The European Parliament’s amendments keep the human rights- and IHL-related criteria and guidance material largely intact. The new catch-all is retained but its focus is shifted. Although the amendments limit the catch-all’s scope to unlisted cyber-surveillance items and remove the reference to terrorism, they also expand the range of human rights concerns that would trigger its application. These would include ‘the right to privacy, the right to free speech and the freedom of assembly and association’. Potential violations of these rights would also need to be considered by states when deciding whether export licences for cyber-surveillance technology should be approved. The due-diligence clause is also amended, specifically through the addition of a definition of due diligence based on the language used in the Organisation for Economic Co-operation and Development’s guidelines for businesses on human rights.
Council of the EU
The Council’s mandate reinstates the reference to the EU Common Position and removes the language on criteria and guidance material. It also removes the references to a new catch-all on human rights and due diligence obligations for the exporter. Member states appear to agree that the proposed catch-all and due diligence requirements would risk creating legally binding obligations that would be hard for companies to interpret and for authorities to enforce, particularly if the requirements expand into areas of human rights law not previously covered by export controls.
Trilogue
Although in each case the proposed format is different, there is a shared willingness among the European Commission, the European Parliament and the Council to include human rights and IHL concerns in member states’ export licensing assessments. This should hopefully make an agreement on criteria language and guidance possible. Basing this compromise on retaining the connection to the EU Common Position and expanding its User’s Guide to include language on exports of dual-use items and cyber-surveillance technology would have several advantages. In particular, it would help to strengthen links between related EU instruments in the field of export controls. Differences over a new catch-all, due-diligence obligations and language on the right to privacy and on freedom of speech and association may be harder to bridge. The European Commission and the European Parliament are effectively seeking to incorporate soft law principles into the regulation. Member states appear to view this as being both at odds with the intended purpose of the regulation and beyond the scope of what can be achieved through its implementation.
Harmonized interpretation of key concepts
There is limited clarity in the multilateral regimes and at the EU level on how certain aspects of dual-use export controls should be applied. For example, there is a lack of agreement about if and how controls apply to transfers of technology. The current language in the regulation states that controls apply when technology is transferred to ‘a destination’ outside the EU, which has created confusion about if and how controls apply when the technology is stored and shared via cloud computing. There are also differences with regard to how requirements to control technology that is ‘directly associated with’ a controlled item should be interpreted and how the exemptions for ‘basic scientific research’ and information that is ‘in the public domain’ should be implemented. One of the uncertainties this has generated is if and how export controls should apply in the field of academic publishing.
European Commission
The European Commission’s proposal creates a mandate for the creation of guidance material by the European Commission and the Council to create a more harmonized interpretation of key terms and concepts. It also seeks to bring greater clarity to the application of controls on software and technology by stating that they should only apply when the technology is ‘made available’ to ‘legal and natural persons and partnerships’ outside the EU.
European Parliament
The European Parliament’s amendments leave the European Commission’s language largely intact.
Council of the EU
The Council’s mandate leaves much of the European Commission’s language on the drafting of guidance material intact but gives member states a more central role in the process, stating that they have responsibility for its ‘provision’. However, it leaves it to the European Commission and the Council to make additional guidance available wherever appropriate. The Council’s amendments also provide more detail about the possible focus of new guidance materials, specifying that they should focus on the exceptions for ‘basic scientific research’ and ‘public domain’. However, the mandate retains language stating that controls apply when technology is transferred to ‘a destination’ outside the EU.
Trilogue
The fact that the European Commission, the European Parliament and the Council recognize the need for more detailed guidance material is welcome. Cloud computing could be another area of focus since uncertainties and differences seem likely to persist with regard to how controls apply in this area. That said, it may prove challenging for the European Commission and member states to reach agreement on content for some of the areas of focus that are being discussed. National guidance materials have already been produced by EU member states on the exceptions for ‘basic scientific research’, including by Belgium and Germany. These indicate national differences about how to weigh and apply the sometimes competing goals of non-proliferation and freedom of academic research, which suggest that reaching an agreed EU position may prove difficult. It also remains to be seen whether the guidance material will have legal implications for exporters, authorities and the courts. Unlike the EU’s recently produced guidance for internal compliance programmes, guidelines on ‘basic scientific research’ and information ‘in the public domain’ would potentially have direct relevance for how parts of the EU dual-use list are interpreted.
Information sharing and transparency
Under the terms of the regulation, member states exchange information on denials of export licences and meet regularly to discuss the implementation of the regulation. However, information exchanges in other areas—particularly on steps taken to prosecute violations of export controls—are more limited. Moreover, in contrast to the EU Common Position on arms exports, the regulation does not create any requirements for public reporting on issued or denied export licences.
European Commission
The European Commission’s proposal aims to significantly increase the amount of information member states share with each other about the implementation of the regulation and national enforcement efforts. In particular, states would be required to exchange ‘reports of violations, seizures and the application of other penalties’ via a ‘secure and encrypted system’. The proposal also mandates the creation of an ‘Enforcement Coordination Mechanism’ in order to establish ‘direct cooperation and exchange of information between competent authorities and enforcement agencies’.
European Parliament
The European Parliament’s amendments largely adopt and expand upon the European Commission’s proposal. They also add ambitious requirements on public reporting that would oblige member states to release quarterly information to the public with details of every export licence that has been granted or denied.
Council of the EU
The Council’s mandate keeps the proposed requirements on information sharing and enforcement coordination largely intact. The potential for expanded public reporting was mentioned in both the January 2018 and May 2018 working papers but appears to have failed to gain consensus among member states since it is not referenced anywhere in the Council’s mandate.
Trilogue
The European Commission, the European Parliament and the Council agree on the need to improve information sharing and coordination of enforcement efforts. The language could be strengthened further during the trilogue process by creating links between the information sharing and coordination mechanisms established under the regulation and those established or proposed by other EU mechanisms. For example, information could be shared with bodies such as the Customs Cooperation Working Party or under mechanisms established by the EU small arms and light weapons strategy or the EU sanctions regime. These mechanisms also create avenues for sharing information on violations of export controls and other information that could inform export licensing decision making but are under-utilized and largely separate from each other. In addition, more could be done in the field of public reporting. If it is judged that the European Parliament’s proposal would generate an undue level of regulatory burden, then member states could instead focus on the publication of decisions to issue or deny licences for exports of cyber-surveillance technology. This could have a significant impact on improving understanding of the way controls on these items operate while also strengthening and harmonizing national standards.
Looking ahead to the trilogue process
The current review and trilogue provide an opportunity to improve the structure and content of the regulation that is unlikely to be repeated for several years. However, the differences between the positions adopted by the European Commission, the European Parliament and the Council are significant and indicate that reaching an agreement will be difficult. Indeed, they point to divergent views about the overall purpose of the regulation and the extent to which the EU can and should go beyond the norms established multilaterally when determining its content and focus. At the same time, the process has also revealed certain common objectives, particularly with regard to the development of clearer guidance materials to try to standardize national controls and the exchange of more detailed information on enforcement measures. Focusing on these areas—and exploring where other EU policy instruments can be applied on some of the broader issues that the review process is seeking to address—offers the best way forward to achieving a successful conclusion to the trilogue process.
ABOUT THE AUTHOR(S)