On May 10, 2021, the EU adopted its new, revised version of Regulation (EC) No 428/2009 (the “Regulation”).  It is widely acknowledged to be the first major reform to the structure of the EU’s export control regime since 2009.

The text of the Regulation was approved by the European Parliament on March 26, 2021. In November 2020, the Council and European Parliament representatives reached a provisional political agreement on the Regulation. The reform of EU export controls had initially been proposed by the European Commission in September 2016.

Highlights of the Regulation

The Regulation introduces, inter alia:

  • Stricter controls on cyber-surveillance items that may be used in violation of human rights outside the territory of the EU;
  • An EU-level coordination mechanism which allows for greater exchange between the Member States concerning the export of cyber-surveillance items;
  • Two new general export authorisations (EU GEAs), covering:
    • intra-company group exports of software and technology on specified conditions to certain listed countries (notably not including China) (EU007), and
    • exports of controlled encryption items to all but a small number of listed countries (once again China, including Hong Kong and Macau, does not qualify) (EU008).
  • A new provision on so-called “transmissible controls”, which will allow export licensing authorities of a Member State to impose new export controls on the basis of national legislation adopted by another Member State;
  • New controls on technical assistance concerning dual-use items for military purposes, which will extend to technical assistance delivered within the EU to non-EU nationals (hence a type of “deemed export” control);
  • An expansion of brokering regulation to cover legal persons and partnerships not resident or established in a Member State that provide brokering services from the customs territory of the Union; and
  • New public reporting rules aimed at increasing transparency on the movement of dual-use items.

We comment below on a number of these highlights.

Enhanced controls, cooperation and transparency around cyber-surveillance items

The main feature of the Regulation concerns the area of human rights, dealing with such things as surveillance and facial recognition software.

The Regulation does not add specific cyber-surveillance items to the Dual-Use Control List in Annex I. Rather, it sets out new Articles 5(1) and 5(2) creating a “catch-all” prohibition of any unlicensed export of cyber-surveillance items (whether or not listed) if:

  • “the exporter has been informed by the competent authority that the items in question are or may be intended, in their entirety or in part, for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law” (Article 5(1));

or

  • “an exporter is aware, according to its due diligence findings, that cyber-surveillance items which the exporter proposes to export, not listed in Annex I [the Dual-Use Control List], are intended, in their entirety or in part, for any of the uses referred to in paragraph 1 of this Article [i.e., internal repression and/or the commission of serious violations of human rights and international humanitarian law]” (Article 5(2)).

In the latter case, the exporter is required to notify its competent authority (understood to be its Member State export licensing authority), which will then decide whether or not to make the export subject to an authorisation requirement. Article 26(1) provides that the European Commission and the Council of the European Union, as well as Member States, will publish guidelines for exporters to apply in doing their due diligence.

Article 5(3) allows individual Member States to impose their own additional export license requirements for cyber-surveillance items not on the Dual-Use Control List.

Articles 5(4) and 5(6) create an EU-level coordination mechanism providing for notification of other Member States when one Member State decides to impose a licensing requirement under Article 5(1), 5(2) or 5(3).

Article 26(2) requires the European Commission to prepare and release to the public an annual report detailing for each Member State information about the applications received for each cyber-surveillance item, the destinations involved, and the granting or denial of the applications. Civil society groups have called this new transparency rule “a landmark development which will allow the public, civil society, journalists, and parliamentarians to scrutinize licensing decisions to ensure they are in accordance with law and provide an invaluable insight into the EU trade in surveillance technology.”[1]

“Transmissible” Controls

Under Article 9, a Member State is authorised to prohibit or impose an authorisation requirement on exports of items not on the Dual-Use Control List for reasons of “public security, including the prevention of acts of terrorism, or for human rights considerations.” These Member State measures are to be notified to and published by the European Commission.  Pursuant to a new Article 10, exporters in other Member States are then prohibited from making unlicensed exports of the items from the EU if they have been informed by their respective competent authorities (understood to be their own Member State export licensing authorities) that the items in question “are or may be intended for uses of concern with respect to public security or to human rights considerations.”

The end result of Article 10 is that when one Member State prohibits or imposes a licensing requirement for an item not already on the Dual-Use Control List, the export licensing authorities of other Member States will have the legal authority by virtue of the Regulation to impose the same prohibition or licensing requirement. This provision is consistent, at least to some degree, with the aim of harmonisation intended by the Regulation. In Member States whose legislation does not empower their licensing authorities unilaterally to impose export licensing requirements on new items, the Regulation effectively transfers legislative authority from one organ of Member State government (the legislature) to another (the export licensing authority). When enforcement cases arise under new Article 10, we may see exporters in some Member States raise constitutional questions about the validity of this transfer of law-making power from the legislature to the export licensing agency. By exercising its power under Article 10(1), however, the export licensing agency would presumably be acting under the Regulation pursuant to the authority conferred by Article 207(2) of the Treaty on the Functioning of the European Union (TFEU), which confers exclusive jurisdiction on the EU to legislate on matters affecting the Union’s common commercial policy. Such constitutional questions under Member State law may, therefore, be quickly overcome by Article 207(2) and resolved on the basis of the primacy of EU law over national law.

Technical Assistance

Article 8 of the revised Regulation sets out notification and authorisation requirements for a “provider of technical assistance” related to items on the Dual-Use Control List, if the provider is aware that the assistance is intended for use in connection with weapons of mass destruction or other specified military uses. Member States may also extend the application of this article to items not on the Dual-Use Control List.

The definition of “provider of technical assistance” is found in Article 2(10) and is very broad.  It includes:

(1) natural or legal persons that provide technical assistance from the EU to the territory of a third country;

(2) natural or legal persons resident or established in the EU that provide technical assistance within the territory of a third country; and

(3) natural or legal persons resident or established in the EU that provide technical assistance to a resident of a third country temporarily present in the EU.

The coverage in item (3) above of “technical assistance to a resident of a third country temporarily present in the customs territory of the Union” is revolutionary for the EU, because it effectively creates a new “deemed export” control (the term used in the U.S. export control system for disclosures of technical data within the United States to non-U.S. persons).  Is one “temporarily present” in the EU for purposes of this new rule whenever one does not have permanent residence status in an EU Member State?  If so, this new EU rule will operate very much like its U.S. counterpart.

Entry into force

Once the European Parliament and the Council sign the adopted regulation, it will be published in the Official Journal of the European Union and will enter into force 90 days later. We expect the revised Regulation to be published this month or next and enter into force as soon as September 2021.

We will closely monitor activity around the revised Regulation and provide ongoing updates on our blog.

FOOTNOTES

[1] “New EU Dual Use Regulation agreement ‘a missed opportunity’ to stop exports of surveillance tools to repressive regimes”, published on March 25, 2021.