In 2021, the EU adopted an updated version of the EU Dual-Use Regulation, which establishes common standards for the control of dual-use item exports by EU member states. Among its new provisions, Regulation (EU) 2021/821 introduced, in its Article 5, a “catch-all control” for cyber-surveillance items.

That catch-all provision requires exporters to obtain approval when they know or suspect that their cyber-surveillance items could be used in connection with human rights violations, even if these items are not specifically covered by existing export controls. Items like telecommunication interception systems (5A001.f.), internet surveillance systems (5A001.j.), intrusion software (4A005, 4D004), and forensic tools (5A004.b., 5D002.a.3.b., 5D002.c.3.b.) are examples of technologies falling under these controls.

While there are increasing concerns about the misuse of spyware and other surveillance tools, the catch-all control has rarely been applied to date, and many exporters remain unclear on how to apply it. To address this, the EU published new guidelines on October 15, 2024, to help exporters navigate these requirements.

For those thinking they could fly under the radar with non-listed items, consider this your wake-up call—and let’s dive into the key takeaways from these guidelines.

Key Takeaways

Who’s Watching the Watchers?

The 14-page guidelines stress the importance of due diligence efforts conducted by exporters. For each transaction, exporters must review the capabilities of the items for potential misuse, assess the stakeholders involved in the transaction (including end-users and consignees), and develop plans to prevent and mitigate potential adverse impacts.

The guidelines specify several “red flags” that may indicate potential misuse of the cyber-surveillance items, such as marketing materials highlighting covert surveillance capabilities and any indications that similar technologies have been employed for repression in the past.

Ultimately, the EU’s message is unequivocal: exporters must remain vigilant and informed about the implications of their products. By prioritizing transparency and accountability in the trade of cyber-surveillance technologies, the EU aims to promote ethical export practices and protect human rights. Exporters are now tasked with ensuring they do not inadvertently contribute to abuses, thus reinforcing the necessity of a comprehensive compliance framework.

Non-listed Cyber-surveillance Items:

Although the guidelines note that it is impossible to provide an exhaustive list of the products that may be controlled as non-listed cyber-surveillance items, exporters should be particularly cautious about technologies that, while primarily used for commercial purposes, could be repurposed for surveillance. Items like facial recognition technologies and location tracking devices are highlighted for their dual-use potential and could therefore fall within the scope of what the EU considers to be cyber-surveillance items.

The guidelines clarify that video-surveillance systems and cameras, including high-resolution cameras, used for the filming of people in public spaces are not covered by the definition of cyber-surveillance items, as they do not monitor or collect data from information and telecommunication systems. The guidelines also note that “items used for purely commercial applications such as billing, marketing, quality services, user satisfaction or network security are generally considered not to entail such risks” and are thus excluded from control requirements.

Significantly, the guidelines state that due diligence applies not only to exporters of finished cyber-surveillance items but also to those exporting parts that could be used in such systems, particularly if they are “specially designed” for covert surveillance. “Specially designed” means covert surveillance was the primary purpose of the product’s development, even if it has other potential uses. Covert surveillance occurs when individuals cannot reasonably expect to be under surveillance.

New Due Diligence Requirements for Exporters:

Exporters are now required to conduct detailed risk assessments before exporting any technology. This involves thorough screenings of all end-users and consignees to ensure they are not unwittingly facilitating internal repression. Specifically, exporters must conduct a thorough transaction due diligence assessment, determining whether items might be classified as cyber-surveillance technologies based on their capabilities and the intended uses by the end-users and consignees involved in each transaction.

Based on these assessments, exporters are expected to take proactive measures to prevent potential adverse impacts. Specifically, the guidance now requires exporters to notify authorities when they become aware that their products might be used for repression or rights violations. The guidelines clarify that being “aware” requires that the exporter has positive knowledge of the intended misuse. The mere possibility of such a risk is not sufficient to establish awareness.

Bottom Line: Prepare for More Discussions

In their feedback on the first draft of the guidelines released in March 2023, stakeholders, including businesses, requested concrete examples of cyber-surveillance items that might require an export license under Article 5, along with relevant case studies. Unfortunately, these were not included in the final version of the guidelines.

While the EU does not plan to (and could not) create an exhaustive list of products that may be controlled as “non-listed items”, there is a possibility that future updates to the guidelines could include real or fictional case studies to provide clearer guidance. Such efforts could be carried out collaboratively by the European Commission, the European Parliament, Member States, and NGOs, potentially through scenario-based discussions. These would offer much-needed practical tools to help exporters better understand how to apply the catch-all controls for cyber-surveillance items.

In the meantime, exporters must ensure they collect sufficient information on their customers and the countries they are exporting to, especially when dealing with technologies that could be classified as cyber-surveillance items.