Negotiators from the European Council and the Parliament have signed off on new export rules that restrict the sale of cyber-surveillance goods to worldwide regimes engaging in the repression of human rights.
However, the text of the regulation on so-called dual-use goods, brokered on Monday evening (9 November), leaves it up to member states to decide whether the new restrictions could include the export of products such as facial recognition technologies, which are currently being employed in the curtailment of human rights in certain totalitarian countries.
On Monday, Parliament and Council negotiators agreed that cyber-surveillance goods that allow for the “covert surveillance of natural persons by monitoring, extracting, collecting or analyzing data, including biometrics data” should fall under new export restrictions.
Such items that fall under this scope will fail to meet new criteria for obtaining an export license, should they be destined for locations outside of the EU where human rights violations are judged to be taking place.
In addition, the regulation also includes an EU-level coordination mechanism, allowing for better information exchange between member states concerning the export of cyber-surveillance items.
German change in position
The agreement puts an end to a four-year saga that had been dogged by delays due to the Council failing to agree on including sufficient provisions in the text that would cover the sale of cyber-surveillance products.
The proposal had originally been put forward by the Commission in 2016 with the inclusion of cyber-surveillance technologies among such ‘dual-use’ products. Parliament adopted its negotiating position in January 2018, and was waiting for the Council’s position to begin talks, until October 2019.
In mid-2019, news had transpired that the Council’s position was being held back by Germany, with rumors that the country’s opposition to the new rules may have been heavily influenced by commercial interests, owing to the fact that the nation accounts for an estimated 50 to 60% of the EU’s exports of so-called dual-use items.
However, after negotiations on the file name came under the leadership of the German presidency, which took its seat at the head of the EU Council in January this year, there was a change in tack.
The Germans had become more willing to listen to the concerns of the European Parliament. There had been speculation that this change in approach could have been influenced by the ‘FinFisher’ scandal.
In 2018, news had surfaced that the German firm FinFisher had been selling products to the Turkish government without a permit. The products were reportedly used to surveil opposition protesters in 2017, by being embedded into smartphone applications covertly. The spyware gave unimpeded access to the personal data contained on the device.
Following Monday’s agreement, Parliament rapporteur and Pirate MEP Markéta Gregorová is still concerned however that member states may take the rules into their own hands and possibly fail to live up to the commitment to restrict the sale of potentially nefarious products to dictatorial regimes worldwide.
“Our main issues regarding cyber-surveillance items and transparency have been accounted for, and even though I remain slightly skeptical about the implementation, it is a leap of faith for the European Parliament, as well as a compromise for the Member States,” Gregorová told EURACTIV on Monday evening.
“We shall therefore now observe the implementation and practice, together with civil society, and be ready to open the topic in case any new issues emerge.”
Meanwhile, a senior EU Commission source conceded on Monday that there had been ‘resistance from member states’ at various stages in the negotiations.
“Some nations needed convincing,” the source said. “But with this adoption, there is a clear signal in both the European Parliament and the Council that they are serious.”
The Commission official added that the implementation of the ‘watchlist’ of items that require additional authorization for export would remain ‘effective but flexible.’
“This watchlist is a complete novelty and has the potential to be powerful,” the source said. “We won’t prohibit the sale of cyber-surveillance, we will just keep an eye on it.”
Phillip Gruell contributed reporting