A review of the EU’s Recast Regulation on dual-use items shows rising concern for the misuse of cyber-surveillance technologies (e.g., artificial intelligence, emerging technologies) by third countries, while also recognising the need to promote R&D competitiveness. This policy Brief analyses the balance struck between the economy, technological innovation, and human rights in the Recast, focusing on its potential for promoting human rights in export controls.
Dual-use items encompass a wide range of products – goods, software, and technologies – which have both civilian and military purposes. Ranging from nuclear materials to electronics, passing through aero-marine equipment and robotics, the applications of these items are endless. While harmless in their civilian declinations, when employed for military uses, they can contribute to the proliferation of warfare and of nuclear, chemical, and biological weapons.
It has long been recognised that there is a need to prevent misuse of these items. In the European Union (EU), regulation has taken the form of controlling their export, transit, transfer, and brokering. The first legal framework on this topic was introduced in 2000, and then structurally recast in 2009. However, the existing Regulation has not been efficient in preventing dual-use goods from being misused and repurposed in ways that violate human rights in third countries. Authorised EU exports of dual-use items – particularly in the form of cyber-surveillance technologies – have directly contributed to human rights violations in China, Turkey, the United Arab Emirates, Bahrain, Egypt, Ethiopia, Qatar, and many more[1].
In addition to these considerations related to the protection of human rights, various trends — such as the technological advances of China and the USA, the broadening expanse of dual-use goods (particularly artificial intelligence, facial recognition, and other emerging technologies), and the growing number of Europe’s own high-tech firms — have also changed the EU’s approach to technology and national security. This shifting landscape led to the introduction, in September 2021, of a Recast Regulation on dual-use items, with the aim of modernising the 2009 framework[2].
The Recast Regulation attempts to draw a delicate balance between these different interests. On one hand, the need to protect human rights globally. On the other, recognising that dual-use items are a fairly sizable source of economic income, worth about 3% of the EU’s total exports[3]. Additionally, they have proven to have an increasing strategic and industrial importance, especially in China and the USA. It is essential to ensure that the EU’s research and development sector – particularly its innovativeness – is not stifled, so that it can compete in the international market.
How to take into consideration these elements has been a point of contention between the different EU institutions, Member States, businesses, and civil society during legislative negotiations. This Brief analyses the balance struck in the proposal, with a particular focus on the role of human rights and their protection.
What’s New in the Recast?
The Recast Regulation contains several changes in the sphere of human security, especially concerning cyber-surveillance technologies. With these, the Commission aimed to give human rights and counterterrorism a more central role in export controls. This comprehensive framework update includes changes to concepts in export controls and definitions, to the general licencing architecture for exports, and an overall strengthening of trade controls in the internal market.
Firstly, the scope of the proposal has changed, with the definitions of ‘dual-use goods’ and ‘exporter’ being expanded. In practice, however, these changes have a limited impact on the human rights’ dimension of the proposal.
More interesting from this perspective is the expansion of the previous ‘catch-all’ clause in Article 4. The general starting point of the Regulation is that only the items listed under one of the categories in Annex I of the Regulation are subject to export authorisations. This approach helps with legal certainty, but can become problematic when it comes to ensuring that legislation keeps up with technological developments.
The catch-all clause ensures that, even when dual-use items are unlisted under Annex I, they may still be subject to export prohibitions or an authorisation requirement. As it was already the case under the 2009 Regulation (and is retained in the Recast), these unlisted items require prior licence authorisation from authorities where they could be intended for use in connection with chemical, biological or nuclear weapons or for a military end-use in a country subject to an arms embargo.
The Recast also introduces a new catch-all that specifically targets cyber surveillance items, which are defined in this context as “dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems”[4]. While there is no separate category of items in Annex I which regulates cyber-surveillance items, many of these are included under the categories of information security and electronics. Article 5 allows for the prohibition of any export of cyber-surveillance items (both listed and unlisted in Annex I). If the authorities have informed the exporter that the items are or may be intended for use in connection with internal repression or the commission of serious violations of human rights and international humanitarian law (Article 5(1)) or if the exporter, after having conducted its own due diligence process, believes that they could be intended for these purposes (Article 5(2)), then the items are subject to an authorisation requirement. Additionally, Article 5(3) allows Member States to impose additional export licence requirements for unlisted cyber-surveillance items.
These catch-all clauses are complemented by additional national control lists (Article 9). Member States may prohibit exports or add authorisation requirements on other dual-use items not listed in Annex I for reasons of public security – i.e. preventing of acts of terrorism and human rights considerations. In turn, export licencing authorities in other Member States are also authorised to impose that same prohibition or licencing requirement on their national exporters (Article 10). This provides some degree of harmonisation between Member States regarding national control lists.
These legislative changes reflect concerns about the potential for misuse of dual-use items, especially cyber-surveillance items. The Recast does not however explain what ‘internal repression’ or ‘serious violations’ of international human rights/humanitarian law mean. This may result in an incoherent application and interpretation of the Regulation at the national level.
One final change improving the human rights dimension of the proposal is the transparency requirement under Article 26(2). The Commission will have to release a public annual report detailing the number of licences applied for, granted, and their destination countries for dual-use items in each Member State. Civil society organisations (CSOs) have welcomed such a rule, hailing it as a landmark development which allows for the public scrutiny of licencing decisions, and ensures oversight over EU trade in cyber-surveillance technologies[5].
Watered-Down Ambitions
When the review of the 2009 framework began in 2011, it immediately became apparent that the proposal would face resistance from businesses, States, and civil society alike. While international businesses rejected the idea of further red tape requirements such as additional due diligence and notification obligations, CSOs pressed for stronger measures to protect human rights. At the same time, Member States wished to retain control over the process of imposing export control measures.
The impact of these conflicting interests is very visible when looking at the development of the Commission’s proposal. While the original proposal introduced ambitious scope changes, the Recast is much more reserved, particularly regarding its human rights’ aspects. Many of the human security considerations contained in the original 2016 proposal were removed or watered down during the (over) five years of negotiations between the Parliament and the Council.
For example, the initial proposal by the Commission contained, in Annex I, a separate category detailing specific controlled cyber-surveillance technology. This covered a broad spectrum of goods, ranging from surveillance systems to equipment and components for ICT, to different types of software and technology[6]. The adopted text removes this separate category, reflecting Member States’ reluctance towards the unilateral introduction of an autonomous EU-level control list. It further highlights concerns that such an all-encompassing definition would incapacitate and slow down the development of technology in the EU. The remaining ‘cyber-surveillance items’ definition, as contained in Article 2(20), is significantly scaled down in its ambitions. To make up for the lack of unilateral EU measures, Article 5 of the Recast maintains the possibility for Member States to introduce unilateral measures in cases of concerns about human rights violations in the destination country.
Moreover, the catch-all clause in Article 4 was also restricted. Originally, the Commission had proposed expanding the authorisation requirement for dual-use items not listed in Annex I if the end-user was suspected to be a person complicit in human rights or international humanitarian law violations, and in connection with acts of terrorism. This proposal failed to make the cut, and the scope of Article 4 was kept the same as in the 2009 Regulation. The mandatory authorisation regime in cases of human rights concerns was only introduced for cyber-surveillance items (Article 5), thus diluting the proposal.
Finally, the Commission also proposed a circumvention prohibition, aimed at forbidding any knowing and intentional participation in activities which had the goal or effect of circumventing any applicable export rules in the Recast Regulation. However, the adopted text does not contain this article, opening the door for forum shopping and creating loopholes in the EU’s protection framework.
These changes during the legislative process have been heavily criticised by non-governmental organisations and civil society, which consider this recast a failure in effectively addressing the human rights’ situation in third countries, and minimising the role played in these violations by EU exports of dual-use items.
At the same time, the Recast is not much more favourable to international businesses. While the amount of red tape has not increased significantly, which was the primary aim of the industrial lobby during negotiations, the Recast may impede legal clarity for businesses by leaving space for diverging national practices. Through the national control lists in Article 9, Member States may unilaterally adopt different measures, thus creating additional national requirements for businesses. This may further result in an uneven playing field due to differences in national interpretation, application, and/or enforcement of the Recast.
Conclusion
In many respects, CSOs are correct to call the Recast a ‘missed opportunity’[7]. At best, it can be viewed as a modest update. At worst, by failing to address the human security elements of export controls and emerging technologies, it has outsourced the actual implementation of controls on emerging technologies and national security to other pieces of legislation and external actors.
It remains to be seen whether the cautious new measures introduced by this Recast will be able to ensure that the EU does not fall behind in technology research and development, while at the same time ensuring that the risks coming from emerging (cyber) technologies are sufficiently addressed.
[1] See e.g., Amnesty International (2020), “Out of Control: Failing EU Laws for Digital Surveillance Export”, Report.
[2] European Union (2021), Regulation of the European Parliament and of the Council Setting Up a Union Regime for the Control of Exports, Brokering, Technical Assistance, Transit and Transfer of Dual-use Items, COM(2021) 42 final, 3 February 2021.
[3] European Commission (2021), Report from the Commission to the European Parliament and the Council on the implementation of Regulation (EC) No 428/2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items, COM(2021) 42 final, 3 February 2021.
[4] European Union (2021), Regulation of the European Parliament and of the Council Setting Up a Union Regime for the Control of Exports, Brokering, Technical Assistance, Transit and Transfer of Dual-use Items PE-CONS 54/20, 21 April 2021, Article 2(20).
[5] Human Rights Watch (2021), “EU: Robustly Carry Out New Surveillance Tech Rules: Updated Regulations Aim to Restrict Sales to Abusive Governments”, 25 March 2021.
[6] European Commission (2016), Proposal for a Regulation of the European Parliament and of the Council setting up a Union regime for the control of exports, transfer, brokering, technical assistance and transit of dual-use items (recast), SWD(2016) 314 final, 28 September 2016, Annex I.
[7] Amnesty International (2021), New EU Dual Use Regulation agreement ‘a missed opportunity’ to stop exports of surveillance tools to repressive regimes, 25 March 2021.
