In light of the recent high profile disclosures of cyber surveillance, there is increased political momentum in the U.S. and EU to control the export of particular cyber technology products and services. In the EU, the focus is on electronic surveillance equipment, and in the U.S., the concern is the proliferation of cyber weapons.
At an export control conference in Brussels this summer, a Dutch Member of the European Parliament, Marietje Schaake, who sits on the Parliament’s Committee of International Trade, called for EU regulation of “mass surveillance, mass censorship, tracking and tracing systems, as well as hacking tools and vulnerabilities that can be used to harm people”.
Ms. Schaake’s comments build on the European Parliament’s adoption of a number of suggested amendments to the European Commission’s proposal to amend the Dual-Use Regulation (428/2009) (the “Dual-Use Regulation”). These amendments include a proposal to include surveillance equipment within the “catch-all” provisions of the Dual-Use Regulation according to which EU Member States authorities may impose licensing requirement on items that are not listed specifically in Annex I of the Dual-Use Regulation. The European Parliament’s proposals are an extension of the current EU sanctions against Iran and Syria which prohibit the export of equipment and technology that may be used for the monitoring and interception of internet and telephone communications.
If adopted, the new catch-all clause could subject EU exporters of IT surveillance equipment to a licensing requirement. How this provision will be applied in practice, however, will depend on the exact phrasing of the final text adopted by the EU institutions. Specific licensing decisions may, for example, take into account the identity of the end-user of the equipment and/or the end-user country. Thus, exports to end-users in countries with a proven track-record of human rights violations may be more likely targeted under the new provision than exports to countries that adhere to higher human rights standards. The proposal to amend the EU Dual-Use Regulation still needs to complete its legislative procedure in the European Parliament and European Council. We will continue to monitor its progress, and report any significant developments.
The U.S. is also considering new export laws with respect to cyberspace, with a particular focus on the export of cyber weapons. On June 20, 2013, the U.S. Senate Armed Services Committee favorably reported S. 1197, the National Defense Authorization Act for Fiscal Year 2014, containing section 946 of the proposed Defense Authorization Act, which requires the President to convene an “interagency process … to control the proliferation of cyber weapons through unilateral and cooperative export controls.” The Senate Report on the proposed legislation acknowledged that there might be some difficulty distinguishing between “cyber weapons” and “dual-use, lawful intercept, and penetration testing” technologies.” We will also monitor and report any relevant developments in this area.