This article is part of our special report Europe’s cybersecurity agenda.
MEPs steering a controversial export control bill through the European Parliament have agreed to apply stricter human rights safeguards for technologies that can be used for online surveillance.
The European Commission proposed an update to the dual use regulation last year, which controls when companies can export products that can be used either as weapons or for civil purposes. The regulation was agreed in 2009, and the updated proposal adds new restrictions for firms that sell technology products that can be used for surveillance to countries outside the bloc.
MEPs want to restrict companies from exporting those products that can be used for online surveillance if they may harm human rights.
That marks a change from the Commission’s original proposal, which suggested applying the human rights control to a broad range of dual use items, extending beyond technology products to equipment and other products that can be damaging.
Restrictions on technology exports are a focus of the Commission’s proposal: the EU executive came under pressure to create safeguards after software from European companies were used to spy on protestors during the Arab Spring.
The MEPs’ agreement is still tentative. The Parliament’s trade committee (INTA) will vote on the bill on 23 November, and MEPs must negotiate a compromise with national governments and the Commission before the rules can go into effect.
The Parliament’s deal is a turnaround for the centre-right EPP group, which previously opposed the reference to human rights in the Commission proposal.
Christofer Fjellner, the Swedish MEP in charge of the legislation for the EPP group, said negotiators are close to hammering out a definition of human rights that his political group – the Parliament’s largest – could accept.
“All countries from time to time have issues with human rights. But the big question is: when and how do we define a serious violation? It has to be a serious violation and probably even a recurring one,” Fjellner said.
The Commission’s proposal said that companies would need to secure special authorisation from national export offices if the items they sell can be used for “serious violations of human rights or international humanitarian law in situations of armed conflict or internal repression in the country of final destination”.
The MEP leading the Parliament negotiations, German Green Klaus Buchner, wanted the human rights guarantee to apply more broadly to other kinds of exports as well. But Buchner said he accepts that “we are finding agreement on one of the most dangerous exports, which is cybersurveillance”.
Some researchers said the narrowing of the human rights control to cover only cybersurveillance technologies is a way for the file to move through negotiations with member states more quickly.
“It was always going to be a challenge to create something expansive on the catch-all in the time frame that was available,” said Mark Bromley, director of the dual use and arms trade control programme at the Stockholm International Peace Research Institute.
Industry groups have criticised the Commission’s proposal to introduce an export control rule based on potential human rights violations.
DigitalEurope, a lobby group that represents several big tech companies, is concerned about how MEPs will define human rights in the final version of the bill.
The industry group is also worried that negotiators could remove one part of the Commission’s proposal that would make it easier for firms to export encryption technologies.
Under the Commission’s proposal, it could become faster for companies to export encryption products because they would receive longer-lasting, blanket authorisation. Firms would no longer need to frequently seek approval from national agencies in order to export.
European companies have started to export a larger amount of electronics and semi-conductors since the dual use regulation was first approved in 2009, a Commission source said. Firms in countries like the US face fewer restrictions.
Looser rules affecting the export of encryption technologies under the Commission’s proposal are one element that industry groups like DigitalEurope have praised, despite their criticism of the bill’s human rights safeguard.
“It’s still very burdensome for companies to obtain authorisation in Europe. Once we have this general authorisation in place it will definitely be easier to compete with US companies,” said Diane Mievis, policy director at DigitalEurope.
Mievis said that any telecommunications network equipment, such as routers or base stations that send and receive radio signals, could become easier to export if the Commission’s proposal is approved.
The Parliament backs the Commission’s move to make export authorisation easier for encryption.
“We have a general consensus among groups to remove unnecessary red tape on exports of encryption because it’s clearly out of date,” Fjellner said.
Buchner also wants export rules for encryption technologies to be relaxed. “Encryption products are a vital tool for people from the political opposition and journalists to protect themselves from cyber surveillance,” he said.
Liberal MEPs proposed amendments to the bill that would go even further than the Commission’s suggestions–and would mean that encryption products would no longer be regulated under the EU export control rules at all.
Dutch Liberal MEP Marietje Schaake said the Commission’s rule change is “a good step in the right direction, but in the long run we must abolish controls on these products entirely”.
Cybersecurity researchers argue that export restrictions can have a negative effect on the security level of products using encryption.
The EU cybersecurity agency ENISA wrote in a note last year that requiring licences to export encryption is “a method of limiting the strength of cryptography products […] available in third country markets”.
But the Commission’s proposal to create a general authorisation measure for cryptography is likely to face more opposition when negotiations start with member states.
That has to do with their security concerns. The Commission announced last week that it will give EU police agency Europol and member states more funding to train their abilities to crack through encryption for criminal investigations involving private data.
Bromley said member states may be reluctant to approve rules that make it easier for companies to export encryption technologies because, even if they do not want to hamper trade, governments may still want “to see what’s happening in an area of technology that is a potential security concern for them”.