Following the Council of the European Union’s (Council) adoption of an updated regulation on May 10, 2021 (Updated Regulation), the European Union (EU) is set to expand its Dual-Use Regulation (Council Regulation (EC) No 428/2009, as amended) to authorize restrictions on exports of items that could be used to support human rights abuses, with a focus on “cyber-surveillance items,” among other changes.
The regulation is expected to be published in the EU Official Journal shortly and will enter into force 90 days thereafter.
The Updated Regulation targets “cyber-surveillance items,” defined as dual-use items “specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analyzing data from information and telecommunication systems.” (DefinitionArt.2(20)) Such items already may be listed in Annex I of the Dual-Use Regulation, in which case they already are subject to an export licensing requirement. However, with respect to unlisted cyber-surveillance items (i.e., items that are the equivalent of “EAR99” under the U.S. rules), under the Updated Regulation such items can be subject to a licensing requirement under the following circumstances:
- There will be a licensing requirement if the company is informed by a Member State that the items are or may be intended for use in connection with human rights violations and/or internal repression. (Art5(1))
- Exporters that become aware that cyber-surveillance items may be intended for such purposes will be required to notify the relevant authority, which then will decide whether to impose a licensing requirement. (Art.5(2))
- The Updated Regulation allows individual Member States to impose a licensing requirement for unlisted cyber-surveillance items if the exporter has “grounds for suspecting” that these are or may be intended for any use in human rights violations and/or internal repression. (Art.(53))
- Exports to subsidiaries and affiliates: Union General Export Authorization EU007 allows exports of controlled software and technology to the exporter’s subsidiaries and affiliates based in Argentina, Brazil, Chile, India, Indonesia, Israel, Jordan, Malaysia, Mexico, Morocco, the Philippines, Singapore, South Africa, South Korea, Thailand, and Tunisia. (AnnexIIG.). (Notably, preexisting authorizations already broadly authorize exports to core EU allies such as the United States, Canada, Australia, and Japan, among others.) Certain specified sensitive items, however, are not eligible for export under the general authorization.
- Encryption items: Union General Export Authorization EU008 allows export of certain encryption and cryptographic items to all destinations, excluding certain listed countries and subject to certain conditions, unless the exporter has been informed that the items are or may be intended for use in connection with chemical, biological, or nuclear weapons; a military, police, or surveillance end-use; or violations of human rights, democratic principles, or freedom of expression. (AnnexIIH.Encryption,Part3. conditions). Excluded countries include China (including Hong Kong), Russia, Israel, Iran, Syria, Belarus, and the United Arab Emirates, among others. The promulgation of this general authorization is a notable step towards the sort of broad authorization for encryption exports set out in the U.S. License Exception “ENC.”