NSO Group human rights

The European Parliament is fighting to strengthen the rules for surveillance trade

On 23 November 2017 the European Parliament’s International Trade Committee (INTA) voted to implement stronger rules for “dual-use” technology exports from the European Union to third countries under the “EU dual-use recast”. Now, the European Parliament’s plenary will have to confirm its negotiating mandate during a plenary session in Strasbourg (most likely to take place in January/February). Once the European Council also agrees upon its negotiating position, the three EU institutions will then proceed to discuss the regulation in the trialogues.

The key objective of this recast is to update the existing regulation with stronger rules for the protection of human rights. One important element of this recast (or update) is to add certain types of cyber-surveillance tools to the EU export controls list— tools and items that national export controls authorities must then approve before they are exported to non-EU countries. These rules are intended to cover primarily items that intercept mobile phones, remotely hack into computers, circumvent passwords, or identify internet users. Authoritarian regimes around the world have used these and other items to violate human rights, oppress citizens, suppress and silence political opposition, and attack human rights defenders.

Members of the European Parliament in INTA voted to:

  • remove export control restrictions on technology products that use encryption;
  • attempt to make EU export controls future-proof by introducing export controls for cyber-surveillance technologies as a separate category;
  • strengthen rules on privacy, data protection, and freedom of assembly, by adding clear-cut criteria and definitions to the regulation;
  • emphasise that the exporters of products not listed in the regulation— but which could be used for human rights violations — have to make sure that their goods don’t fall into the wrong hands, by following the OECD-based “due-diligence” guidelines;
  • have the Commission publish a handbook before the new rules apply, in order to guide EU businesses;
  • mandate proper transparency of national authorities’ export control decisions as well as baseline statistics on where the export is going and other basic qualifiers;
  • increase the role of civil society in shaping the implementation guidelines and handbook, as well as participating in the Commission’s annual report and review of this regulation.

How did we get here?

The fundamental rights of activists around the globe have been at risk due to the proliferation of certain technology which operates in an absence of adequate safeguards. For this reason, the export of “dual-use” technology from the EU — that is, sensitive products that can be used both for civilian and military purposes — must be closely controlled. This can help prevent the proliferation of dangerous items which can be used for severe human rights violations, or moreover, in many cases, to ensure that such items are used in compliance with international human rights law in the country of destination.

In 2011, the EU decided to carry out an official review of the rules for the export of dual-use items. This review was driven, in part, by human rights abuses which took place during the Arab Spring. As time went on, the global community took note of cases such as Ahmed Mansoor’s — an activist and a dissident blogger calling for democratic reform in the United Arab Emirates — who was targeted with “Pegasus” spyware designed to siphon off personal data from his computer. Pegasus spyware was developed by Israel’s infamous NSO Group and discovered to be used used against Mansoor by the staff of Citizen Lab. They raised the alarm in support of Mansoor and other activists targeted with surveillance software.  

In response to cases like this, and in order to kick-start the review process, the European Commission published a Green Paper inviting stakeholders to express their views about the existing EU export-control regime. This was followed by a report on the public consultation, adopted in January 2013.

The subsequent Commission Communication published in 2014 recognised the risk posed by “the emergence of specific ‘cybertools’ for mass surveillance, monitoring, tracking, and interception,”  and “the interlinkages between human rights, peace and security”.

In 2014, while the Commission was working on the new draft of the regulation, NGOs including Access Now, Amnesty International, Digitale Gesellschaft, Fidh, Human Right Watch, Privacy International, Reporters without Borders and the Open technology Institute published a report with a global call for action by national governments and regional institutions.

Each of these initiatives helped raise the public’s awareness about the surveillance industry and the damaging impact surveillance technologies can have on human rights. The result was the European Commission’s 2016 proposal which represents a critical opportunity to ensure that surveillance technologies are effectively brought within the purview of European dual-use export control policy.

What’s next? Parliament comes to a position, and the trialogues begin

Once the European Parliament’s plenary approves INTA’s position, the three institutions will enter the grey negotiation period known as “trialogues”. During this process, representatives in the institutions will discuss their positions and attempt to compromise between their respective adopted versions of the text. The commitments made by the Commission and the Parliament so far  indicate that we will most likely see stronger human rights safeguards in the EU dual-use regulation, the extent of which can only be limited if the Council adopts a more conservative position than what we has been made public so far.

Regardless of what happens, we will continue to update you. Stay tuned.