In today’s interconnected world, the export of cyber-surveillance items raises privacy, human rights, and international security concerns. The European Commission (the Commission) has recently published guidelines on the export of cyber-surveillance items (the Guidelines), to support exporters in evaluating and mitigating the risks associated with the export of such items. In this blog post, we explore the Guidelines’ key aspects.
Background
As reported in our blog post, the EU regulation on the export of dual-use items (items that can be used for both civilian and military applications) was updated in May 2021 (the Regulation). Among other things, the Regulation addressed the risk of cyber-surveillance items being used in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law. It included an annex listing the dual-use items for which an export authorization is required (Annex I). The Commission updated Annex I of the Regulation in November 2024. For the items not listed in Annex I, the Regulation introduced a “catch-all control” for cyber-surveillance items. Exporters must thus seek authorizations to export non-listed cyber-surveillance items if they become aware that the items are (or may be intended) for use in connection with internal repression and/or the commission of serious violations of international human rights or humanitarian law. The Regulation specified that the Commission would provide guidelines for exporters. The Guidelines were published in October 2024. They aim to ensure the efficiency of the European Union’s export control regime related to cyber-security and to ensure consistent implementation of the Regulation. Although non-binding, the Guidelines provide essential insights and recommendations for compliance with the legal framework under the Regulation.
Clarification of key terms, definitions and provisions
Cyber-surveillance items: The Regulation defines “cyber-surveillance items” as dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems. The Guidelines clarify that this means that the main purpose of the product’s development and design was for covert surveillance of natural persons. “Covert surveillance” is described as surveillance that is not obviously perceptible to the affected natural person. The terms “monitoring, extracting, collecting or analysing” data imply that the items used for surveillance should have precise technical data processing capabilities. For example, items used to simply monitor information systems or watch the population via video surveillance cameras are not considered cyber-surveillance items if they are not specially designed for this purpose and must work with other technologies to process data, such as artificial intelligence or big data. However, the entire system (working together with these other technologies) could potentially be considered a cyber-surveillance item under the Regulation. It is not necessary for items to have all these technical data processing capabilities to constitute cyber-surveillance items. Having one of the technical data capabilities to monitor, collect, extract or analyse data would suffice.
Exporter awareness: An exporter must notify the competent authority where the exporter is “aware that cyber-surveillance items […] are intended […] for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law”. The Guidelines clarify that “aware” implies that the exporter has positive knowledge of the intended misuse of cyber-surveillance items. The Guidelines address exporters of finished cyber-surveillance items but also those who export parts or components of a system that could result in the same violation or misuse. The exporter must take steps to obtain sufficient knowledge to assess risks related to the export and ensure compliance with the Regulation. The exporter should assess whether an item is “intended for” a relevant sensitive end-use on a case-by-case basis.
Internal repression, serious violations of human rights and international humanitarian law: Cyber-surveillance items can be legitimate tools for law enforcement, but they can also be misused by repressive regimes or in conflict zones. The misuse of cyber-surveillance items can impact a wide range of human rights. The Guidelines refer to the Council’s Common Position and Guides on governing the control of exports of military technology and equipment for further considerations on what constitutes internal repression and what violations are considered serious; and specify that cyber-surveillance items should comply with international humanitarian law when deployed in the context of armed conflict. In addition, the Guidelines call for a case-by-case assessment. Recognition of violations by bodies such as the UN, the EU, or the Council of Europe may indicate the seriousness of the issue, although such explicit recognition is not strictly necessary for a violation to be found.
Technical scope of the Guidelines
The Guidelines provide information on cyber-surveillance items listed in Annex I to help exporters identify potential non-listed items. While, as the Guidelines recognise, it is impossible to provide a comprehensive list of items that may fall within the scope of the Regulation, certain items warrant particular vigilance:
- Facial and emotional recognition technologies have multiple uses beyond cyber-surveillance, such as identification or authentication, and do not automatically fall within the scope of the Regulation. However, they may be within the scope if they can monitor or analyse stored video images and are specially designed for covert surveillance.
- Location-tracking devices, which allow tracking of a device’s physical location over time, have evolved significantly, and are not only used by law enforcement but also by companies for various purposes. Their potential for targeted and mass surveillance has increased with advancements in technology. Such technologies also require particular attention.
Due diligence measures
The Regulation requires exporters of cybersecurity items to conduct due diligence through transaction screening measures. This includes steps like item classification and transaction risk assessment. The Guidelines assist exporters in conducting such due diligence. Practically, the Guidelines encourage exporters to do the following:
- Determine whether the item – as a finished product or as part of a system that could result in the same violation or misuse – could be a “cyber-surveillance item”, meaning it is specially designed for covert surveillance of natural persons by monitoring, extracting, collecting, or analysing data from information and telecommunication systems.
- Assess whether the item could be misused by foreign end-users to commit internal repression, and/or serious violations of human rights and international humanitarian law. Exporters should also assess whether the item could be used as part or component of a system that results in the same violations and/or misuse. Red flags for potential misuse include: information indicating that similar items have been misused in the past or could be set up for a system known for misuse; the item is marketed for covert surveillance; and the item or a similar item is listed in the “C series publications” (publications that contain information and notices from EU institutions) in accordance with the Regulation.
- Support competent authorities by reviewing stakeholders involved in the transaction, including end-users and consignees such as distributors and sellers. This includes checking how the product will be used, understanding the human rights situation in the destination country, and assessing the risk of the product being diverted to unauthorized end-users. Red flags with respect to the end-users include: a clear connection to a foreign government known for internal repression and serious human rights violations; being part of the armed forces or a group involved in conflicts with a history of internal repression and serious human rights violations; and previous export of cyber-surveillance items to countries where such items have been used for internal repression and serious human rights violations.
- Develop plans to prevent and mitigate potential adverse effects. This includes updating policies, strengthening management systems, gathering information on sector risks, and notifying competent authorities of the findings regarding certain items, end-users, and destinations.
Comment
The Guidelines, although not legally binding, provide an important framework for exporters to navigate the landscape of cyber-surveillance items. Thus, they will help exporters comply with the Regulation and mitigate any non-compliance risks. The Guidelines emphasize the importance of due diligence, urging exporters to assess the potential misuse of their products and to remain vigilant about the end-use and end-users involved. As technology continues to evolve, the responsibility of exporters to prevent the misuse of cyber-surveillance items becomes increasingly significant, emphasizing the need to implement appropriate and robust export compliance systems.