1. Mobile Telecommunications Interception—5.A.1.f-based Controls

Mobile telecommunications interception technology is used to track, identify, intercept and record mobile and satellite phones.Footnote ³³ Such interception equipment was added to the Wassenaar list at the 2012 Plenary Meeting. Even prior to 2012, some States had placed controls on the equipment of this kind, yet their usage and interpretation of the term varied. According to 5.A.1.f, a range of ‘mobile telecommunications interception or jamming equipment’ is subject to Wassenaar controls. One of these is IMSI (International Mobile Subscriber Identity) catchers. The second sub-provision of 5.A.1.f defines them as ‘interception equipment designed for the extraction of client device or subscriber identifiers, signaling, or other metadata transmitted over the air interface’. Typically used in a ‘Man in the Middle Attack’ by faking a legitimate cell tower or base station, IMSI catchers capture and log all the IMSI numbers of mobile phones in the nearby area as these mobiles connect to it.Footnote ³⁴ It can intercept the location and traffic information of thousands of mobile phones at the same time. More advanced versions can even intercept calls and text-messages and disrupt the availability of certain Internet services.

2. Intrusion Software-related Items—Controls based on 4.A.5, 4.D.4 and 4.E.1.c

Wassenaar controls associated with intrusion software are built upon two sets of rules: a multi-tiered structure of conceptualising the controlled items, and general exemptions. Notably, the Arrangement does not control intrusion software per se. Instead of restricting the whole class of intrusion software, it opts for targeted controls on specific equipment, software and technology that are used to generate, install and instruct intrusion software.

The initial wording of the 2013 amendment was criticised for being overly broad, and thus having (unintended) chilling effects on the security industry and security research.Footnote ³⁵ Many security experts feared that technical attributes used to define this control class would imprudently control equipment, software and expertise used for essential cyber security processes. For example, according to the initial terms, when ‘exploit’Footnote ³⁶ researchers identify vulnerability in the software platforms of foreign vendors, they are prohibited from notifying those vendors of the identified risks unless they first obtain export licenses for the export of such technology. The use of many defensive security products such as penetration testing products, auto-updating antivirus programs and forensic exploit toolkits would also be subject to Wassenaar controls. As examined below, several revisions were made to meet these concerns of the IT security community. Many US technology companies in particular lobbied their government for renegotiation of intrusion software-related controls.Footnote ³⁷

3. IP Network Communications Surveillance Systems—5.A.1.j-based Controls

Along with the (ab)use of intrusion software, IP network surveillance received a great deal of attention during the 2013 Plenary Meeting. ‘IP network communications surveillance’ was added as a new control class under Category 5, Part 2.Footnote ⁴⁵ IP network surveillance is generally conducted through Internet traffic analysis systems that classify and collect communications data flowing in and out of a network. The covered items are ‘systems or equipment, specially designed components’ that satisfy all of the conditions stipulated in 5.A.1.j. This control class carries two sub-provisions and one decontrol note.Footnote ⁴⁶ In addition, exemption provisions in the General Software and Technology Notes also apply to the class of IP network communications surveillance.

1. The US Export Control Regime and the Wassenaar Arrangement

The US export control regime consists of different statutes and operates under several licensing and enforcement bodies. The Export Administration Regulations (EAR) provide the main legal framework for controlling exports of dual-use and less sensitive military items.Footnote ⁵⁷ They contain the Commerce Control List (CCL) and implement the Export Controls Act (ECA) at a practical level regarding certain types of controlled technologies.Footnote ⁵⁸ The CCL is a list of controlled items as well as foreign persons and end-uses ‘that are determined to be a threat to the national security and foreign policy of the United States’. The Bureau of Industry and Security (BIS) in the Department of Commerce (DOC) is mandated to establish the CCL and carry out export licensing and enforcement functions based on EAR rules.

The US has been at the centre of creation, development and global implementation of international export control mechanisms such as the Wassenaar Arrangement and their multilateral approach to non-proliferation. It is a long-standing stance of the US that most items listed in the CCL are controlled in accordance with its commitments to four major multilateral control regimes including the Wassenaar Arrangement.Footnote ⁵⁹ Based on those internationally agreed lists, the relevant executive bodies have complied and updated the US control lists. The effectiveness of the EAR-based control has been enhanced by it being ‘maintained as part of [the] multilateral control arrangement’ and almost all items on Wassenaar list are incorporated in the CCL. EAR states that the US dual-use control scheme is ‘consistent with the United States’ international obligation’ as a Wassenaar member.Footnote ⁶⁰

Regarding the domestic implementation of cyber amendments, BIS has maintained the same position. Upon the adoption of amendments at Wassenaar, BIS submits its own amendment proposal along with a newly compiled control list adopting Wassenaar amendments, but occasionally with some modifications to fit within the existing CCL scheme. BIS then launches a review process inviting various stakeholders, including industry actors and civil society groups, to provide comments on the implications of the amendments for national security, economic and foreign policy interests of the US.

The implementation process for the 2012 cyber amendment (5.A.1.f) adding mobile communications interception equipment such as IMSI catchers went smoothly.Footnote ⁶¹ Under the old rules, devices for mobile communications interception used to be restricted only in two specific circumstances: when such equipment was specially designed or modified for military use or when such equipment included a cryptanalytic functionality. In implementing 5.A.1.f, new rules were introduced to control the export of interception devices that do not necessarily fit into either of those two categories. This update to BIS Rule was to ‘harmonize’ national export control practice with the Wassenaar list.Footnote ⁶²

In contrast, this was not the approach for the 2013 cyber amendment. In July 2015, BIS published the first Proposed Rule to incorporate intrusion software-related items and IP network surveillance systems into the CCL.Footnote ⁶³ It received an unprecedented number of public comments on the Proposed Rule, virtually all of which were negative. There was a strong backlash from IT industry and security experts especially about intrusion software-related items.Footnote ⁶⁴ Critics feared that the language used by Wassenaar and BIS could lead to ‘unintended capture’, with a high risk of restricting legitimate cyber defence strategies and other key security processes such as vulnerability disclosure and incident response, and that these controls would lead to an extensive financial licensing burden for security companies.Footnote ⁶⁵ The Proposed Rule was retracted. Instead, BIS followed up with a plan to introduce additional amendments to Wassenaar ‘in order to minimize the negative impact of the intrusion software-related entries would have’.Footnote ⁶⁶ This was to hold on to its commitment to regulate cyber surveillance tools through a multilaterally coordinated control mechanism.

As a result of US negotiation efforts during the 2016 and 2017 Wassenaar Plenary, a number of changes and some clarification of technical terms were made to intrusion software controls.Footnote ⁶⁷ As discussed earlier, intrusion software-related controls no longer apply to vulnerability disclosure or cyber incident response. Another decontrol rule has been added for software implementations involving certain types of software updates or upgrades. In 2018, BIS finalised a new regulation updating the CCL as part of the implementation of the remaining cyber amendments. The new version is still under review, signalling ‘a retreat by the US government from asserting control over those tools’.Footnote ⁶⁸ While BIS’ regular CCL updates have incorporated the most up-to-date version of the Wassenaar lists, the two control classes created as a result of the 2013 amendment have not been included in the CCL.

2. Leveraging export controls to win the geopolitical, economic and technology race—The advent of the ECRA era and its impact on the US Technology Export Regulation

Notwithstanding failed attempts to add intrusion software-related items and IP network surveillance systems to the CCL, it is likely that there will be a new channel of leveraging export controls to govern cyber surveillance technology (possibly) including those two control classes. As mentioned earlier, ECRA was passed under the auspices of the National Defense Authorization Act for Fiscal Year 2019 in the midst of escalating US–China competition over commercial and technological dominance in the ICT sector.Footnote ⁶⁹ This authorisation gives the President a broad range of constitutional authority to govern export control activities. Under Part I of ECRA titled ECA, an ‘interagency process’ is created to identify and regulate the new category of ‘emerging and foundational technologies’ that are not otherwise specified in the existing list.Footnote ⁷⁰ This is to update the US technology export regulation ‘without impairing national security or hampering the ability of the US commercial sector to keep pace with international advances in emerging fields’.Footnote ⁷¹

As authorised under ECRA, BIS establishes controls on ‘the export, re-export or in-country transfer’ of these emerging and foundational technologies subject to US jurisdiction, whether by US persons and corporations, or foreign entities.Footnote ⁷² BIS may also impose interim controls on relevant technologies on a case-by-case basis.Footnote ⁷³ ECRA's application is extraterritorial; regardless of their business locations, non-US companies are subject to ECRA when re-exporting US-originated goods and technologies. Even non-US made products may be subject to ECRA control if their usage of controlled technologies originating from the US exceeds a certain threshold.

In November 2018, BIS published an Advanced Notice of Proposed Rulemaking (ANPRM) for the ‘Review of Controls for Emerging Technologies’ and invited public comments to develop criteria for identifying 14 categories of technologies.Footnote ⁷⁴ Six of the 14 categories listed by BIS replicate some of the ten technology industries prioritised by ‘Made in China 2025’. One of these new BIS categories is ‘Advanced surveillance technologies’, and this could encompass a plethora of surveillance tools including items enumerated in the cyber amendments to Wassenaar. Most recently in January 2020, the first in a series of BIS Rules setting out licensing requirements for emerging technologies was published. This Interim Rule regulates certain types of ‘geospatial imagery software’ utilised in artificial intelligence and machine learning applications.Footnote ⁷⁵

The ECRA scheme re-conceptualises the nature of the US export control system with respect to certain types of critical technologies. A group of ‘commodity, software and technology’Footnote ⁷⁶ that would fall under ‘emerging technologies’ need to be deemed ‘essential to the national security’.Footnote ⁷⁷ There is no additional clarification about how to determine what is considered essential to national security and no proper legislative guidance on identifying specific national security concerns that the ECRA control aims to address. The class of emerging technologies seems to cover a broad range of technologies even including items that may be only remotely related to the protection of national security. According to the ANPRM list, ‘emerging technologies’ are not required to have the distinctive features of military or dual-use items that traditionally invoke export control measures. Neither would items such as brain modelling, computer vision and speech and audio processing (under the category of ‘machine learning technology’) or adaptive camouflage and functional textiles (under the category of ‘advanced materials’) be traditionally conceived as having national security implications.

There is another indication that the US export control system is going through a significant change with regard to technology exports. While ECRA does not provide a clear definition of emerging technologies, BIS and other relevant agencies involved in the ECRA's new interagency process need to consider three factors in developing the class of emerging technologies: ‘development’ of emerging technologies in foreign countries, ‘the effect export controls may have on the development’ of such technologies in the US, and ‘the effectiveness of export controls on limiting the proliferation’ of emerging technologies in foreign countries.Footnote ⁷⁸ These factors depend on where the key US industrial actors in respective sectors of emerging technologies stand in the global market as compared to their foreign competitors, especially based in China. The same administrative and legislative attempts targeting Chinese technology companies are also found in a series of EAR amendments in 2019 and 2020 that have added Huawei Technologies and nearly a hundred of its non-US affiliates to the Entity List due to ‘activities contrary to the national security or foreign policy interests’ of the US.Footnote ⁷⁹

ECRA allows the US government to define controlled technologies in a unilateral manner without seeking any multilateral alignment strategy. The US regulatory stance on dual-use export control has become more inward-looking than ever. Its concerns about losing technological and commercial dominance in the global technology market are evident in the terms of recently introduced reform regarding technology export regulation. It is also problematic that ECRA gives excessive discretion to the DOC, especially its implementation agency for export controls, BIS. BIS has an authority to unilaterally designate certain technologies for ECRA control. There are no clear standards which guide BIS in removing or revising items contained in its technology categories. Technically, BIS can remove or revise existing controls on such items ‘as appropriate’.Footnote ⁸⁰ It can even determine ‘whether national security concerns warrant continued unilateral export controls’ over the new control class of emerging technologies.Footnote ⁸¹ With the passage of ECRA, the US might show greater determination to impose export restrictions on cyber surveillance technology, albeit at the risk of a broad range of cyber surveillance items being subject to controls based on ambiguous and unpredictable standards under the ECRA scheme.

1. The Chinese Export Control Regime and its relationship with the Wassenaar Arrangement

Up until the mid-1990s, China imposed export restrictions on ad hoc basis without any legal parameters. It gradually adopted laws and regulations to control the export of strategically sensitive items, beginning with certain types of chemicals, biological agents, missiles and missile-related items, and nuclear-related materials and technologies.Footnote ⁸⁴ The current Chinese regime consists of a patchwork of multiple laws and administrative regulations.Footnote ⁸⁵

The Chinese government has made efforts to consolidate existing export control-related laws. Most importantly, the ECL underwent three rounds of drafting, which finally took effect from December 2020. The Ministry of Commerce (MOFCOM) submitted the first draft of the ECL in June 2017, and the second draft was released by the Standing Committee of National People's Congress (NPC) in December 2019.Footnote ⁸⁶ A third draft was passed into law by the NPC on 17 October 2020.Footnote ⁸⁷ The enacted legislation consisting of 49 provisions across five chapters revises the MOFCOM version in part and creates a more centralised system for the licensing, investigation and enforcement of export controls. State Council and the Central Military Commission (CMC) undertake the role of State Export Control Administrative Departments (SECADs).Footnote ⁸⁸ They are also empowered to designate specific government agencies for ECL implementation.Footnote ⁸⁹ The ECL is significantly shorter than the export control laws of the US and the EU, leaving many terms and conditions of the controlled items and licensing procedures to be determined by implementing regulations.

The Chinese export control regime has maintained an interesting relationship with multilateral control instruments including the Wassenaar Arrangement. Among those four key agreements, China has only joined the NSG. While it is not unprecedented for China to highlight its commitment to international non-proliferation standards,Footnote ⁹⁰ there has been no legal recognition of such commitment. Nevertheless, the Chinese lists of controlled items largely correspond with international control lists covering various nuclear, biological, chemical and missile-related items. China has largely aligned its export control measures with Wassenaar.Footnote ⁹¹ China seems to perceive that global standard-setting and cooperation to restrict controlled items is essential to (or at least not contrary to) its national security interests, yet the Chinese implementation of the Wassenaar Arrangement is superficial.

The ECL explicitly recognises China's commitment to multilateral export control regimes.Footnote ⁹² This inclusion alone will not alter its reluctance to join multilateral control agreements. Despite its ever-growing presence in the production, development, and sale of cyber surveillance technology, China remains formally outside the Wassenaar mechanism.

2. China's first omnibus Export Control Law—key features

This section focuses on the four aspects in the new Chinese rules under the ECL. Export controls are applied to items that are either enumerated in the control lists, or as unlisted items under special circumstances as defined by a ‘catch-all’ provision. The ECL identifies eight classes of items that are subject to export restrictions.Footnote ⁹³ Controlled items are characterised as ‘dual-use items, military, nuclear or other goods, technologies, services, and items relating to the maintenance of national security and national interests, and performance of anti-proliferation and other international obligations’.Footnote ⁹⁴ The ECL also clarifies that ‘technical information and other data related to the items’ fall under the definition of controlled item.Footnote ⁹⁵

The first three classes are simply defined.Footnote ⁹⁶ With respect to items under the ‘defending national security and national interests’, the government can impose an embargo, prohibit their transfers to specific destinations, individuals or entities, and apply temporary controls for up to two years.Footnote ⁹⁷ The final wording differs from prior drafting by including a specific reference to ‘national interest’, thereby allowing the furtherance of a broader political agenda and interests through the ECL. The catch-all provision extends the scope of controls to the items which are not listed, but may ‘endanger national security or national interests’, be used in the ‘design, development, production or use’ of WMDs and their means of delivery, or be used for ‘terrorist purposes’.Footnote ⁹⁸ This represents a broadening of the provision compared to original drafts, namely by offering the SECADs a practically unencumbered discretion to determine items that endanger national security, or could be used for terrorist purposes. Meanwhile, pursuant to Article 18, the ECL introduces a separate category similar to the Entity List under the US export control scheme.Footnote ⁹⁹ The SECADs can place specific ‘importers’ and ‘end users’ on this Article 18-based restriction list, if they violate ‘the management of end users and end uses,’ ‘endanger national security or national interests,’ or use controlled items ‘for terrorist purposes’.Footnote ¹⁰⁰

Second, the ECL introduces new concepts in defining what constitutes an ‘export’ for the Chinese regime. Importantly, the concepts of US style ‘deemed export’ and ‘re-export’ are added. Pursuant to the ECL's broad understanding of ‘export’, both Chinese and foreign nationals and entities can be the exporting parties. ‘Export’ typically means any transfer of controlled items, including cross-border supply of products and technology transfer from the territory of the People's Republic of China (PRC). Added to this definition, any provision of items to foreign organisations and individuals by Chinese citizens and legal entities will now also constitute controlled exporting activities, irrespective of where the transfer occurs.Footnote ¹⁰¹ This part is similar to a ‘deemed export’ under US law and may have a significant impact on foreign technology companies that maintain a substantial business presence in China. ‘Re-export’ controls may apply when foreign persons and legal entities export Chinese-originated controlled items or foreign-made products containing ‘a certain percentage of the value’ of Chinese-originated controlled content from one foreign jurisdiction to another.Footnote ¹⁰² Accordingly, the re-export controls expand the extraterritorial scope of ECL's application.

Third, compared to the initial draft submitted by MOFCOM, the ECL imposes heavier compliance requirements on the part of exporters and makes a significant increase in the penalty for non-compliance.Footnote ¹⁰³ It is mandatory for exporters to submit end-user statements and end-use certificates when applying for an export licence.Footnote ¹⁰⁴ They need to be issued by end users or the competent government authorities where end users are located, rather than the importing entities, as stated in the initial draft. Exporters may also maintain ‘internal export compliance review system’.Footnote ¹⁰⁵ After the issuance of a licence, exporters need to conduct a review of end users and the actual use of the exported items, and ‘immediately report’ any change to the competent authorities if they become aware there may be such a change.Footnote ¹⁰⁶ When changing the stated end-user or end-use, the end-users are required to obtain approval from the relevant Chinese government authorities. Under the 2019 draft, exporters face higher fines and enhanced penalties, and the provision for penalty mitigation in the case of voluntary disclosure of certain offences has been deleted.Footnote ¹⁰⁷ For example, fines for ‘export without licence’ have been raised tenfold from the initial sum of RMB 50,000. Exporters transacting with any entities that are blacklisted by the authority would need to pay five to ten times or ten to 20 times greater fines depending on the size and features of illegal business revenues.

Finally, one of the significant changes in the final legislation from prior drafts is the direct consideration given to ‘reciprocal’ retaliatory measures under the ECL. Pursuant to Article 48, the ECL authorises reciprocal measures in the event that the Chinese Government believes another country or region ‘abuses export control measures to endanger the national security and national interests of the PRC’.Footnote ¹⁰⁸ The addition of explicit provisions enabling such reciprocal measures shows the influence of ongoing competition between the US and China in the technology sector upon export control reform.

3. Export controls on cyber surveillance technology under the ECL scheme

Issued by State Council in 2015, the ‘Made in China 2025’ Notice sets targets for higher levels of ‘domestic production and innovation’ of high-end goods, value-added services and emerging technologies.Footnote ¹⁰⁹ It also specifies targets that Chinese companies in prioritised sectors need to achieve in terms of their domestic and international market shares.Footnote ¹¹⁰ Ramping up cyber capabilities is extensively discussed in this context as an industrial priority and a key to military modernisation.Footnote ¹¹¹

‘Made in China 2025’ has played a critical role for the development of the cyber surveillance technology industry in China. The rapid growth of this sector is a result largely of the government's military-civil fusion (MCF) strategy, which was introduced as a project to modernise military hardware in the 1990s and elevated to a national strategy as one of the initiatives pursued under the ‘Made in China 2025’ Notice.Footnote ¹¹² MCF incentivises the civilian sector to enter the defence market by supporting relevant industrial actors with tax reductions and other financial subsidies. It encourages commercial and defence sectors to combine resources to develop dual-use technologies for greater efficiency and growth, ‘with a particular emphasis on assimilating private innovation into the defense industrial base’.Footnote ¹¹³ Against this background, various Chinese technology companies have become an integral part of the defence market, and advanced surveillance technology is one of the key sectors that produces a wide variety of products and expertise having both industrial and military utility.

On its face, ‘Made in China 2025’ is a nationwide industrial planning strategy adopted to stimulate domestic development of prioritised technology sectors, and to maintain a competitive edge over strategic competitors. Its guidelines shape the business activities of a range of industrial actors (eg producers, developers and the exporters) in these sectors. The implications of ‘Made in China 2025’ are more than industrial. This top-down industrial goal-setting statement serves to dictate the legislative and administrative narrative justifying the imposition of tighter controls on the transfer of Chinese-originated cutting-edge technologies. What China seeks to achieve through the adoption of the ECL is one of these examples. As examined above, the ECL (legally) enables the government to impose tit-for-tat export control measures, and, with ECL's extraterritorial application, implements the spirit of ‘Made in China 2025’ overseas. As with the US Entity List, the ECL also creates a formal procedure to blacklist certain importers and end-users as a result of, for example, actions against ‘endangering national security’.Footnote ¹¹⁴

Many terms in the 2018 US law are similarly used in the equivalent Chinese legislation. More than half of ten key technology sectors selected for prioritised government support in the ‘Made in China 2025’ list replicate those on the US BIS list of emerging technologies. There is a possibility that Chinese technology export regulation will become more aggressive and targeted towards users and exporters of certain origins, particularly the US.

1. Wassenaar implementation and the legislative process for the ‘Recast’ EU Dual-Use Regulation

EU Member States have maintained a common legal framework for export controls since the 1990s.Footnote ¹¹⁷ Centralising dual-use controls across the EU, Council Regulation (EC) No 428/2009 (‘Dual-Use Regulation’) was adopted under the Common Commercial Policy, one of the areas of exclusive EU competence.Footnote ¹¹⁸ It provides for the free transfer of dual-use items—with some exceptions—within the EU single market, and imposes various restrictions on the export, brokering, transit and transfer of dual-use items.

The current Dual-Use Regulation envisions several avenues for the imposition of export restrictions on cyber surveillance technology. Its dual-use control list corresponds with the lists maintained by various multilateral export control mechanisms, including the Wassenaar Arrangement.Footnote ¹¹⁹ In December 2014, the three control classes of the cyber amendment were added to Annex 1A of the Dual-use Regulation.Footnote ¹²⁰ All the subsequent updates to the initial cyber amendment have been incorporated.Footnote ¹²¹ Pursuant to Article 8, States are also allowed to restrict dual-use items not specified in the list ‘for reasons of public security or human rights considerations’. In theory, (unlisted) surveillance items may thus be controlled nationally depending upon the manner and context in which they are transferred and deployed. Currently, at the EU level, the export of certain mobile telecommunications interception equipment, intrusion software-related items, and IP network surveillance systems are controlled in uniformity across all Member States, even without assessing their impact on public security or human rights within the meaning of Article 8.

The ill-controlled use and spread of cyber surveillance technology has been a driving force of the reform proposal for the Dual-Use Regulation.Footnote ¹²² The amendment process is subject to the ordinary legislative procedure involving a ‘trilogue’ among the European Commission, Parliament and Council.Footnote ¹²³ In April 2014, the three institutions published a joint statement articulating how the EU should modernise the export control regime in order to ‘keep up with new threats and rapid technological changes’.Footnote ¹²⁴ The 2014 joint statement urged the introduction of restrictions on certain ICT equipment, software, and expertise that can be used ‘in connection with human rights violations’ and in a way that undermines the EU's ‘security interests’.Footnote ¹²⁵ The proposed reform also sought to enhance EU-wide uniformity across the application of domestic export control measures, and facilitate information sharing among Member States.

In September 2016, the European Commission published a proposal to ‘recast’ the Dual-Use Regulation.Footnote ¹²⁶ The Commission's amendment proposal was submitted to the Parliament, which appointed the Committee for International Trade (INTA) to draft a set of amendments to the Commission's proposal. Following the adoption of INTA's final report containing 98 amendments to the proposal, the Parliament voted by an overwhelming majority to adopt them during a Plenary Session in January 2018.Footnote ¹²⁷

3. Compromise reached—The prospect for the human rights-based approach to technology export regulation

Following extensive trilogue negotiations, a provisional agreement was finally reached on the ‘final compromise text’ in November 2020.Footnote ¹³⁷ Overcoming significant differences among multiple amendment proposals, the proposed Dual-Use Regulation of 2020 achieves two goals with regard to cyber surveillance technology: enhancing the EU's capacity to regulate trade flows in a wider range of cyber surveillance items, and strengthening human rights considerations in the EU export licensing architecture. The compromise text subsequently received endorsement at the Ambassadors of the Member States meeting. The Parliament is expected to vote on the adoption of the agreed text at first reading in early 2021.

This section focuses on three important amendments agreed in the compromise text.Footnote ¹³⁸ First, the term ‘cyber-surveillance items’ is now defined under dual-use items. According to Article 2(21), cyber-surveillance items means:

The new definition is simplified compared to wording suggested by the Commission's proposal and no longer defines specific manners and contexts in which the covered items may be used. The Commission also proposed to add ‘monitoring centres’ and ‘data retention systems or devices’ under a newly created group of controlled items (Annex IB). This category no longer remains in the compromise text. Except in the case of regular updates introduced in line with the EU's commitment to implementing Wassenaar, there is no change concerning cyber-surveillance items in the EU control list.

Second, Article 4a of the compromise text creates human rights-based catch-all controls for cyber-surveillance items that are not listed in the Dual-Use Regulation. Most of the proposed amendments suggested and updated by the Commission and the Parliament in this regard remain intact. The Council's position rejecting the creation of catch-all controls for cyber-surveillance items did not prevail. Relevant authorisation is required for the export of any cyber-surveillance items ‘not listed in Annex I’ to the regulation,Footnote ¹³⁹

Under Article 4a, the exporter of non-listed cyber-surveillance items needs to conduct ‘due diligence findings’, and if the exporter is aware that those items ‘are intended, in their entirety or in part, for any of the uses’ described above, the exporter bears obligations to notify the competent authority, ‘which shall decide whether or not to make the export concerned subject to authorization’.Footnote ¹⁴⁰ Due diligence obligations on the part of the exporter were among the amendment proposals rejected by the Council. This compromise not only strengthens human rights considerations in the export licensing process, but also shows a greater expectation for the role of the private sector (including commercial surveillance companies) in dealing with the risks posed by the proliferation and abuse of cyber surveillance technology. Interestingly, the amendment proposals suggested and updated by the Commission and the Parliament went further and clarified specific standards of due diligence exercise required for the exporter.Footnote ¹⁴¹

Finally, the compromise text strengthens reporting rules aimed at increasing transparency and information sharing regarding trade in dual-use items. Article 24(2) requires the Commission to produce a publicly available report detailing the actual implementation of the Dual-Use Regulation by Member States. Under the new sub-provisions introduced by the compromise text, this report has to include information on export authorisations (in particular the number and value of items by type and destination), denials, and prohibitions under the Regulation, and other information as required in Article 24(2). There is also an additional reporting requirement concerning the export of cyber-surveillance items. The report requires ‘dedicated information on authorisations, in particular on the number of applications received by items, the issuing Member State and the destinations concerned by these applications, and on the decisions taken on these applications’.

The application of human rights concerns to export controls has not been an alien concept in EU-wide practice. In fact, ‘respect for human rights’ was among the most frequently used assessment criteria when national licensing authorities of Member States denied export licenses for cyber-surveillance items.Footnote ¹⁴² Human rights-related abuse and risks are no longer a marginal consideration in regulating the export of sensitive dual-use goods and technologies.Footnote ¹⁴³ With the adoption of the 2020 compromise text, the EU goes further by placing human rights considerations at the centre of decision-making for export controls of cyber-surveillance items. The proposed Regulation makes it clear that these items exported from the EU market ‘may be misused by persons complicit in or responsible for directing or committing serious violations of human rights or international humanitarian law’.Footnote ¹⁴⁴ At different stages of export restrictions and licensing, strengthening human rights considerations is recognised as key to dealing with technological and security challenges posed by the proliferation of ICT-powered surveillance tools.