NSO Group human rights

EU member states are watering down spyware regulation

In the EU, export controls are a regulatory tool to allow government agencies to control the proliferation of “dual-use” tools and technologies. In September 2016 the EU Commission published its draft proposal for an improved export controls regime, seeking to modernise and simplify the existing system to limit the spread of technology used for surveillance. After the promising position of the European Parliament, member states are attempting to block curbs on the export of surveillance equipment to abusive regimes. The attempts of the Council to undermine the reform could threaten human rights around the world.

Looking back on the history of EU export controls, the original idea was to regulate weapons of mass destruction (and all the bits and bobs that make such weapons possible), but over time, technologies that trickled down from military use to civilian applications — like encryption — were included too. And today, a number of cyber-surveillance technologies characterized as “dual-use” have joined the list.

This raises valid questions, such as: Isn’t all technology neutral? Well, yes, we believe it is! But based on the mode of deployment, the same product that serves a legitimate and socially beneficial purpose can undermine human rights and compromise the privacy, and physical safety, of journalists, activists, dissidents, and other users at risk. This very real threat is what dual-use export controls seek to mitigate.

Of course, export controls alone do not end the proliferation of surveillance tech. They are one regulatory tool among several in the business and human rights ecosystem, and they have varying impact and importance based on the regulatory and legal framework of the country (or countries) in question.

Our work on the EU reform process

In 2016, the European Commission proposed reforms to the current system in order “to prevent human rights violations associated with certain cyber-surveillance technologies.” Together with a broad coalition of NGOs, we’ve advocated for the strengthening of several of these protections, including:

  • strengthened human rights and due-diligence standards,
  • broader scope to cover new and emerging surveillance technologies,
  • greater reporting transparency and consistency,
  • removal of export controls on encryption, and,
  • protections for security research.

Many of these reforms were reflected in the proposal adopted by the European Parliament in January 2018. Since then, however, the process has been stuck with the member states (and their ministries) who are negotiating a Council version of the text.

After that happens, the three EU institutions must then reach agreement on a final text through inter-institutional negotiations called trialogues. To complicate things, legislators are working under a tight time frame; if the revised regulation is not adopted by early 2019, it risks being delayed by at least another year due to the upcoming EU elections. As far as we know, the next round of negotiations in the Council will take place in November 2018.

What’s the hold-up at the Council?

Over the past two years, the Council has been lackadaisical about this reform, throwing their hands up and lamenting how new and complex this issue is. During that time, the Parliament concluded their legislative process (it’s been ten months since) and the problems within the Council only seem to grow…

Last week, leaked documents from the Council showed us that several EU countries, particularly the UK, Sweden, and Finland, are pushing for weaker human rights protections, a dramatically less inclusive controls list, and maintaining the existing (read: terrible) practices for transparency reporting.

In a nutshell, the member states don’t want to burden companies with responsibilities to provide for adequate safeguards to mitigate potential human rights violations. Much of the Council focus has been on deliberating what constitutes “really serious violations” of human rights and what qualifies countries as “having internal repression” — and whether that should even be a factor to consider in export controls discussions. A similar story seems to be playing out in the Council’s reluctance to establish a due diligence obligation; they believe it would create legal uncertainty for companies.

Needless to say, these are all safeguards we have repeatedly argued and asked for.

Disappointingly, the documents also show that a group of member states toppled the “catch-all clause” which we have supported as a crucial safeguard for new and emerging technologies. In simple terms, such a clause requires companies to inform their export controls authority of cases where they have identified human rights risks linked to their exports — the authority then evaluates said risk and decides whether to grant or withhold a license.

What comes next?

From what we can gather through conversations with some attending these meetings, the timeline for action is either “definitely by the end of the year,” or “definitely no time soon.” The next negotiations in the Council will take place this month, and we will make sure to keep up the pressure on legislators to strengthen export controls for surveillance technology and work with other NGOs to ensure our voices are heard.