MEPs want the European Commission to remove export control restrictions on technology products that use encryption.
A draft bill that will overhaul the EU’s export rules could force the Commission to get rid of restrictions on encryption exports in five to seven years, according to changes that MEPs in the European Parliament’s Trade Committee (INTA) made to the legislation.
A large majority of the committee approved its version of the bill on Thursday (23 November), with 34 MEPs in favour, one against and two abstentions.
One amendment from the lead MEP on the bill, German Green Klaus Buchner (Ökologisch-Demokratische Partei), asked the Commission to propose new legislation in five to seven years that will remove items containing cryptography from the list of so-called dual use products that need special approval before companies can sell them outside the EU. Dual use products are items that can be for either military or civilian use.
“Cryptography technology does not belong in the scope of dual use export controls. It is the task of the Commission to introduce coordinated activity of Member States in the framework of the Wassenaar Arrangement to eliminate cryptography technology from the list of controlled items,” the MEPs’ justification for the amendment reads.
The Wassenaar arrangement is a broader international agreement on export control rules.
A spokesperson for the European Commission declined to comment on the vote.
The Commission proposed the update to the EU export rules last year. The new bill extends restrictions for the first time to technology products that be used for surveillance, and prevents firms from selling products abroad if they can damage human rights.
Dual use items can be used either as weapons or for civil purposes. The Commission proposed the overhaul as a response to reports that European firms sold surveillance software to governments that spied on citizens during the Arab Spring protests.
Buchner said after Thursday’s vote that he expects lobbyists to push back against several measures in the bill, including the removal of export controls on encryption before the legislation is voted by the full Parliament.
But he pointed out that MEPs from across the political spectrum supported his draft of the legislation, and he is confident that it won’t be diluted by more amendments ahead of the plenary vote.
“Controlling cyber-surveillance with a human rights catch-all; closing down loopholes for circumvention; increasing transparency and our stance to remove the control of encryption from controls will stand strong in plenary,” he said.
MEPs must negotiate an agreement on the legislation with national governments and the Commission before it can go into effect.
The Commission’s proposal last year suggested new rules that would make it faster and easier to export encryption technologies because companies would no longer need to request approval for each product from national authorities. The Parliament wants to go a step further.
Dutch Liberal MEP Marietje Schaake pushed for the legislation to scrap all extra control rules for exporting encryption products.
“In the 21st century it does not make sense anymore to control the export of encryption products,” Schaake said on Thursday.
Not all political groups joined the call to get rid of restrictions on encryption.
Christofer Fjellner, a Swedish MEP who led negotiations on the legislation for the centre-right EPP, the Parliament’s largest political group, is skeptical of an EU-level ban on export controls on encryption.
“We need to ease (and gradually remove) some encryption controls. But for effective export control, it is essential that all countries adhere to the Wassenaar convention,” Fjellner told EURACTIV.com.
Fjellner wants the countries signed on to Wassenaar—there are 41—to agree on rolling back export restrictions on encryption products before the EU goes ahead with its own rule change.
Cybersecurity researchers argue that export restrictions can force companies to make their products less secure because they lower their standards to more easily comply with the rules.
Edin Omanovic, a research officer at the NGO Privacy International, said that “vulnerabilities introduced by stricter restrictions are still felt to this day” even after export rules on encryption were previously relaxed.
“While the controls have been liberalised, it’s now time to finish the job. The only disappointment here is that the deletion doesn’t come sooner,” he said.
Tech companies have criticised some parts of the Commission’s bill. They argue, for example, that it couldl be difficult for firms to prove their products cannot potentially harm human rights.
But industry association DigitalEurope, which represents firms including Microsoft, Cisco and IBM, has pushed for the EU executive to lift export restrictions on encryption.
A spokesman for DigitalEurope called the Commission’s proposal to make export approval processes easier a move towards more up-to-date rules.
“The next step is to challenge the controls as a whole in light of where we are today – and not 50 years ago,” he said.