Main Image Credit Small drone in flight. Courtesy of Denis Rozhnovsky/Adobe Stock
The EU is close to agreement on expanding the list of dual-use cyber-surveillance technology to be banned from sale to autocratic regimes. The move would strengthen the EU’s human rights advocacy and bolster the European Commission’s geopolitical ambitions.
In a rapidly changing technological environment, the EU’s export controls have been lagging behind. Last updated in 2009, the EU’s regulation has excluded emerging surveillance technologies, including spyware and facial recognition tools, while human rights concerns have played an insignificant role in authorisation processes. The recent provisional agreement to update the list of dual-use goods will attest to the EU’s commitment to defend human rights globally and will maximise the deterrent effect of its cyber and human rights sanctions.
The urgent need to revise the EU export control regime became clear almost a decade ago during the Arab uprising, the wave of popular movements which gripped the Middle East and North Africa. In 2011, some regimes in the Middle East and North Africa actively used digital surveillance technologies produced by European companies to crack down on public protests. Since then, EU member states have sought to put intrusion and interception technologies on the list, but to no avail. The revision was impeded by irreconcilable positions over different interpretations of emerging technologies and divergent interests. The opposition to including digital surveillance technologies was primarily driven by commercial interests. Almost one third of the approved licences were destined for countries, such as the UAE, Vietnam or Iran, that Freedom House has marked ‘not free’. The UK, France and Germany account for approximately 35% of the world’s surveillance companies. Other member states raised objections to due diligence obligations and sought to water down the current provisional agreement.
The change in the German position appears to have been a decisive factor. Reports about the misuse of German surveillance technology by the Turkish government may have swayed Berlin’s previously opposing position. The German government has indicated that the updated export control regime should be finalised within its presidency’s term at the EU Council. Currently, it is up to the Permanent Representatives Committee (Coreper), the EU Parliament and the EU Council to decide on the adoption of the regulation. By adopting a human rights-focused approach, the EU follows the US, whose Department of State has already released guidance encouraging US businesses to integrate human rights due diligence into their compliance programmes.
Export Controls Meet Cyber and Human Rights Sanctions
If the current proposal is accepted, the revised EU framework, known as Recast Dual Use Regulation, will result in a fundamental deviation from international regimes. Currently, the EU’s control list represents a compilation of the export controls from the multilateral export control regimes, including the Wassenaar Agreement, the Nuclear Suppliers Group, the Australia Group and the Missile Technology Control Regime. With the update, the EU’s dual-use goods list would go beyond that internationally agreed scope and include such items as facial recognition and spyware.
The enforcement of export controls is within the competence of national governments, but its implementation has been weak and patchy. Many member states are not obliged to report issued licences and have often disregarded the human rights concerns in their export compliance programmes. The revised regulation proposes to include an EU-level coordination mechanism for greater exchange of information between member states and improved cooperation between licensing and customs authorities. The revision will not fix all the problems with dual-use exports to autocratic regimes, but it will increase transparency obligations for governments, strengthen the regulation’s human security focus and emphasise a value-based approach of the EU trade policy. Ensuring proper implementation on the national level will continue to be the key.
By expanding the scope of export controls to emerging technologies, the EU will achieve greater coherence with other EU policy tools. In particular, it will bolster its human rights sanctions currently in the works. By toughening export regulation, the EU will increase compliance costs for digital surveillance companies and will introduce greater safeguards to minimise the risk of human rights violations. One of the recent examples of the EU’s incongruous decisions is the sale of surveillance drones to Belarusian authorities in the middle of a brutal police crackdown. The updated law will also be consistent with the objectives of the EU’s nascent cyber sanctions, as it will deprive autocratic regimes of access to advanced cyber-surveillance technologies that can be later used for nefarious activities, including cyber attacks. Stricter regulations for export controls will have a signalling effect that may shape more responsible behaviour in cyberspace among the private actors.
Weaponising Export Controls
Over the last few years, Washington has weaponised export controls to shield US technology and critical infrastructure from Chinese investors and vendors. President Donald Trump’s administration gradually added export restrictions on the transfer of emerging technologies to Chinese firms, with Huawei and ZTE carrying the brunt. Caught in the crossfire, the EU was at risk of becoming a playground for US–China confrontation, while European companies were under the threat of US extraterritorial sanctions. Feeling the heat from the US–China technology war, a growing number of Western allies – Japan, Australia, the UK, France and now Sweden – have followed the US and banned or de facto excluded Huawei and ZTE from participating in their 5G networks and gaining access to their critical national infrastructure.
The EU’s move to close the gap in export controls is the right step towards strengthening its mandate and bolstering its geopolitical ambitions. The move ultimately complements the EU’s earlier decisions on investment screening and 5G technology, which are part of the same trade–security nexus. With the expanded list of emerging technologies, the EU is set to give export controls a central stage in economic statecraft and to raise its stakes in building strategic autonomy. By merging trade and security policy, the EU is to ensure a consistent and transparent process of licence applications at a time when the distinction between military and civilian items is progressively blurred and tech supply chains are becoming increasingly politicised.
As China passes its own export control law, US–China relations are set to harden under US President-elect Joe Biden’s administration. The EU’s adoption of stricter export controls will provide Brussels with a geostrategic instrument to defend its security interests and could serve as a way back to a coordinated transatlantic relationship.
Maria Shagina is a Postdoctoral Fellow at the Centre for Eastern European Studies (CEES) at the University of Zurich and a member of the Geneva International Sanctions Network at the Graduate Institute of International and Development Studies (IHEID), Geneva.
The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.