Brussels, 19 June 2018

                                                                     WK 7507/2018 INIT



                                        WORKING PAPER
              This is a paper intended for a specific community of recipients. Handling and
              further distribution are under the sole responsibility of community members.

 From:               BE, DE, DK, HR, HU, RO, SK, SL Delegations
 To:                 Working Party on Dual-Use Goods
 Subject:            Recast of Regulation 428/2009 - For an effective, focused and balanced control of
                     cyber-surveillance items

With a view to the Dual Use meeting of 20 + 21 June, delegations will find attached a paper by Belgium,
Croatia, Denmark, Germany, Hungary, Romania, Slovakia and Slovenia regarding proposals on how
an EU list regarding the control of cyber-surveillance items could work. It also presents compromise
considerations regarding the overall cyber-surveillance cluster. This paper should be presented under

LIMITE                                                                                             EN

Recast of Regulation 428/2009 -
            For an effective, focused and balanced control of cyber-surveillance items

Part A

1. The recast of the EU Dual-use Regulation 428/2009 was initiated in late 2016. Council has
   since devoted much time and effort to the proposal put forward by the European Commission
   as well as to the amendments made by the European Parliament in early 2018. The recast is
   now at a crucial moment in time as the current legislative term is approaching its end in mid-
   2019. Council needs to keep this time line in mind and should come to a position allowing for
   the recast to be finalized in this legislative term.

2. One of the most discussed issues is the regulation of cyber-surveillance items. While it has
   become clear that all Member States agree on the goal of strengthening human rights and
   acknowledge both the legitimate uses as well as the potential of cyber-surveillance items being
   misused for human rights violations, there is still no common approach on how to best address
   the issue. However, various options have been put forward in WK 1019/2018, among them on
   the dual-use definition, list-based controls, additional end-use controls as well as art. 8 related

3. Further considerations regarding list-based controls have been developed in WK 5755/2018.
   While the concerns expressed therein are valid, no common regulatory solution by the EU
   export control system is offered. Furthermore, the concerns expressed in WK 5755/2018 refer
   to a list model in the form proposed by the European Commission which is – given the
   discussions in Council – already antiquated. The Commission’s list-model is one in the
   broadest and most unconditioned form possible. Instead, discussions have shown that any list-
   approach must be put under strict criteria and procedures in order to be focused and well-
   balanced. With this, concerns such as an ever-growing EU-autonomous list, deviation from the
   regimes or list quality could be addressed while at the same time providing for an effective

4. To facilitate the further discussion and as a contribution in finding a compromise, the following
   considerations elaborating in more detail a list-based approach, as set out in WK 1019/2018 as
   an option, are put forward. Any list-based model should incorporate the following:
   •     A limitation in scope to cyber-surveillance items. Cyber has been identified as an area of
         concern for human rights violations by the Commission’s Impact Assessment. Any list-
         model should therefore be focused on this area. Such limitation would bring the recast in
         line with the Impact Assessment (as already acknowledged and done by EP).
   •     An explanation of why the EU should act at all. Even though this should be apparent, given
         past incidents of unregulated exports of cyber-surveillance items from the EU to third
         countries and their misuses for the violation of human rights in third countries, the distinct
         motivation and reasoning to regulate the export of cyber surveillance items could be
         described in a recital. This means that even if there is no immediate military application of
         cyber-surveillance items, the EU shall be able to act because of their potential to be
         misused by police/security forces or other governmental forces for repression purposes or
         violation of certain human rights.
   •     A set of listing criteria (similar to the ones in Wassenaar, stated in document “Criteria for
         the selection of dual-use items” in WA) should be introduced. Criteria include: foreign
         availability of the item, ability to effectively control the export of the item (i.e. that no
         standard, mass-market products are controlled), ability to make a clear and objective
         specification of the item, controls by another regime (i.e. no double listing).

   •     Any proposals for amendments should be subject to review by the “Surveillance
         Technology Technical Expert Group” (STEG), a sub-group of the “Dual-use Coordination
         Group”. The STEG could assess whether measures are technically sound, ensure list
         quality and that the listing criteria are met. In this regard, there is a significant difference to
         other areas of control, as the EU has built up a genuine expertise in the field of cyber-
         surveillance controls through the STEG.
   •     Controls must be interconnected with international and national controls in a breathing and
         learning system. First, this would include a call for all MS to support the listing of EU-
         controlled items in the international regimes, stating the bridge-function of EU controls to
         international controls. Second, a sunset clause would be required stipulating that whenever
         an item is later listed in the international export control regimes, it shall be transferred to
         the respective Annex. Third, it could include a trigger mechanism: if a MS decides to
         apply art. 8 for cyber-surveillance controls, this could provide an impulse for EU level.
   •     It must be regulated that any EU autonomous list shall be amended by regular procedure
         only. However, the Commission could be empowered to (re)move items by delegated act.

5. Under these conditions, a list-based model could become an effective and workable instrument
   that at the same time is strict and flexible enough. Many concerns, such as a soaring expansion
   of controlled items over time, would be unfounded.

6. On the other hand, and in return for limiting the list-based model significantly, concessions on
   other aspects of the cyber-surveillance cluster should be made in order to find an overall
   acceptable approach. This includes renouncing the distinction between dual-use items and
   cyber-surveillance items. Along the lines of proposals already made in Council, it would be
   acceptable to leave the dual-use definition as it is and not have a separate cyber-surveillance
   definition. This would qualify cyber-surveillance items as dual-use items in the dual-use domain,
   but not internationally controlled. Furthermore, it would be acceptable to keep the reference to
   the assessment criteria from 2008/944/CFSP in art. 14 (ex art. 12) in its current form as in force
   today, and highlight human rights as one of the relevant existing criteria. Then there would be no
   confusion about different assessment criteria for listed items, while at the same time making sure
   that there is a possibility for Member States to assess the human rights aspect as well as the other
   relevant criteria. Finally, art. 4.1.d) should be removed as discussions have shown that there is
   almost no support for this provision.

Part B
In the following, specific text proposals for recitals, articles and the Annex are made
implementing the considerations under Part A.

   Proposal for recitals
   (A) In a joint statement issued on 16 April 2014, the European Parliament, the
   Council and the Commission acknowledged the issues regarding the export of
   certain information and communication technologies that can be used in
   connection with human rights violations as well as to undermine the EU’s security,
   particularly for technologies used for mass-surveillance, monitoring, tracking,
   tracing and censoring, as well as for software vulnerabilities. The three institutions
   asked for options to be explored to address these issues in the context of the
   review of the EU dual-use export control policy. The Council, in its conclusions of
   21 November 2014, confirmed this acknowledgment and called upon Member States
   to assess whether further controls are necessary to prevent internal repression by
   certain information and communication technologies. Based on this political
   mandate, the EU shall act to address the issues of exports of cyber-surveillance
   items as part of the EU dual-use export control policy.

(B) While cyber-surveillance items have legitimate and regulated law enforcement
applications, they can also be misused for internal repression and other human
rights violations by authoritarian or repressive regimes. In recent years there have
been numerous reports of cyber-surveillance items being exported from the Union
to repressive regimes and/or into conflict areas and being misused in violation of
human rights. As demonstrated by those reports, the export of cyber-surveillance
items under such conditions poses a risk to the security of those persons and to
the protection of fundamental human rights, such as the right to privacy and the
protection of personal data, freedom of expression, freedom of association, as well
as, indirectly, freedom from arbitrary arrest and detention, or the right to life. It is
therefore appropriate to control the export of those items in order to protect public
security as well as public morals.

(C) At the same time, it is important to underline that the four international export
control regimes are and must remain the essential fora for the identification and
regulation of dual-use items. It shall, however, also be noted that the EU through
the Anti-Torture-Regulation as well as the Member States through national lists
have already introduced additional export controls beyond the item lists of the
international export control regimes, as have many other countries which are
members of the international export control regimes. Regarding the control of
cyber-surveillance items, in particular the Wassenaar regime is a forum addressing
such controls. Some cyber-surveillance items are already regulated in the
Wassenaar regime because of their military relevance. Other cyber-surveillance
items are not regulated at an international level. While that might change in the
future, given the potential use of cyber-surveillance items in unconventional, hybrid
conflict scenarios, it remains the political mandate of the Union to act when cyber-
surveillance items shall be controlled even if there is no immediate military
application, but because they can be misused by police/security forces or other
governmental forces for internal repression purposes or violation of certain human
rights. Within the scope of this mandate, and given the importance of the
international export control regimes, any EU controls should be limited in scope to
cyber-surveillance items and not contain any duplications with items already listed
in the international export control regimes.

(D) Any controls should be based on clearly defined criteria. These measures
should not go beyond what is necessary and proportionate. They should, in
particular, not prevent the export of information and communication technology
used for legitimate purposes, including law enforcement and network and internet

Proposal for an article […]

1. An authorisation shall be required for the export of the dual-use items listed in
   Annex […].

2. The list of dual-use items in Annex […] shall be limited in scope to cyber-
   surveillance items, i.e. hardware, software and technology specially designed
   to enable the monitoring, exfiltrating, collecting and analysing of data and the
   covert intrusion into information and telecommunication systems or the
   incapacitating or damaging of the targeted system without the specific, informed
   and unambiguous authorisation of the owner of the data.


3. The list of dual-use items in Annex […] shall be amended in accordance with
   art. 294 TFEU if this is necessary due to risks that the export of such items may
   pose as regards the commission of serious violations of human rights or
   international humanitarian law, in particular due to their potential to be misused
   by police/security forces or other governmental forces for internal repression
   purposes or violation of certain human rights such as the right to privacy, the
   right to data protection, freedom of speech and freedom of assembly and

4. (1) Any amendments of Annex […] shall be based on the following criteria:
       a. foreign availability of the items outside of the Union,
       b. the ability to control effectively the export of the items,
       c. the ability to make a clear and objective specification of the item,
       d. controls by the international export control regimes (no double listing).
   (2) Proposals for amendments shall be subject to review by the Surveillance
   Technology Technical Expert Group (STEG), a sub-group of the Dual-use
   Coordination Group. The STEG shall review whether the proposal is technically
   sound, ensure list quality and that the listing criteria under a)-d) above are met.
   It shall provide a technical assessment of the proposal and a recommendation
   regarding its adoption to Council, Commission and European Parliament.

5. In case a Member State has applied national controls for cyber-surveillance
   items, it shall notify the Commission, the STEG and the other Member States of
   such controls. The STEG shall carry out a review in accordance with paragraph
   4.2 to assess whether such national controls are also suitable for amendment
   of Annex […].

6. Amendments may also concern decisions to delist items from Annex […]. In
   particular if an item becomes listed in one of the international export control
   regimes, it shall be delisted from Annex […]. The Commission shall be
   empowered to adopt delegated acts in order to delist items of Annex […].

7. The Member States and, where appropriate, the Commission shall engage in
   relevant international organizations, in particular the international export
   control regimes in which they participate, to promote international adherence to
   the list of items subject to export controls in the Union under Annex […]. The
   Commission and the Member States shall, where appropriate, maintain regular
   and reciprocal exchange of information with third countries and engage in
   capacity-building with the aim of promoting upward convergence of the items
   in Annex […] becoming listed in the international export control regimes.

Proposal for Annex […]

Explanatory note: The following annex includes the items as foreseen in the Commission’s
proposal. However, since the beginning of the proposal technical discussions have taken place
among Member States. As a result, the annex will have to be revised from a merely technical
point of view. It shall be updated to the then current stage of play at the time of adoption.


"Technology" "required" for the "development", "production" or "use" of goods under control
        remains under control even when applicable to non-controlled goods.
Controls do not apply to that "technology" which is the minimum necessary for the installation,
        operation, maintenance (checking) or repair of those goods which are not controlled or
        whose export has been authorised.
Controls on "technology" transfers do not apply to information "in the public domain", to "basic
        scientific research" or to the minimum necessary information for patent applications.

10A001 Surveillance systems, equipment and components for ICT (Information and
       Communication Technology) for public networks where the destination lies outside the
       customs territory of the European Union and outside of Part 2 of Section A of Annex II to
       this Regulation, as follows:
        a.    Monitoring Centres (Law Enforcement Monitoring Facilities) for Lawful
              Interception Systems (LI, for example according to ETSI ES 201 158, ETSI ES 201
              671 or equivalent specifications or standards) and specially designed
              components therefor,
        b.    Retention systems or devices for event data (Intercept Related Information IRI, for
              example, according to ETSI TS 102 656 or equivalent specifications or standards)
              and specially designed components therefor.
              Technical note:
              Event data includes signalling information, origin and destination (e.g. phone
              numbers, IP or MAC addresses, etc.), date and time and geographical origin
              of Communication.
              Note: 10A001 does not control systems, or devices that are specially designed for
              any of the following purposes:
              a)    billing
              b)    data collection functions within network elements (e.g., Exchange or HLR)
              c)    quality of service of the network (Quality of Service - QoS) or
              d)    User satisfaction (Quality of Experience - QoE)
              e)    operation at telecommunications companies (service providers).
10D001 "Software" as follows:
        a.    "Software" specially designed or modified for the "development", "production" or
              "use" of equipment, functions or features, specified by 10A001;
        b.    "Software" specially designed or modified to provide characteristics, functions or
              features of equipment, specified by 10A001.
10E001 "Technology" according to the General Technology Note for the "development",
       "production" or "use" of equipment, functions or features specified by 10A001 or
       "software" specified by 10D001.