BAFA: Awareness and definitions key to understanding ‘catch-all’ in Regulation 821
The German export control competent authority, BAFA has issued a document (in English) intended to assist industry to understand and comply with the key Article 5 of the EU dual-use regulation or ‘recast’, Regulation 821/2021.
Article 5 concerns the application of end use-related controls on non-listed cyber-surveillance items (i.e., ‘catch-all’) that can be used in connection with internal repression, serious violations of human rights or serious violations of international humanitarian law.
The first paragraph states:
‘An authorisation shall be required for the export of cybersurveillance items not listed in Annex I if the exporter has been informed by the competent authority that the items in question are or may be intended, in their entirety or in part, for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law.’
Paragraph 2 states that, ‘Where an exporter is aware, according to its due diligence findings, that cyber-surveillance items which the exporter proposes to export, not listed in Annex I, are intended, in their entirety or in part, for any of the uses referred to in paragraph 1 of this Article, the exporter shall notify the competent authority.’
The guidance notes that to meet their due diligence, exporters must, as a first step, verify whether the items they intend to export are non-listed cybersurveillance items.
Typically, it says, such items are ‘
1. specially designed to enable the covert surveillance of natural persons
2. by monitoring, extracting, collecting or analysing data
3. from information and telecommunication systems.’
Microphones and cameras, it points out, do not usually constitute a cyber-surveillance item in terms of Article 2 No. 20 Regulation 2021/821 ‘even when they can also be used for covert surveillance [because] the items in question are not items for the surveillance, extraction, collection or analysis of data from information and telecommunication systems.’
Also, while items used for purely commercial applications ‘such as billing, marketing, quality services, user satisfaction or network security’, may constitute cyber-surveillance items in terms of Art. 2 No. 20 Regulation 2021/821, ‘Recital No. 8 of Regulation 2021/821 clarifies that such items generally do not entail the risk of end use in connection with internal repression, the commission of serious violations of human rights and international humanitarian law.’
The meaning of the term ‘aware’ in the context of the regulation, it says, is ‘only fulfilled through positive knowledge or awareness which, from a criminal perspective, is to be understood in terms of direct intent.
‘Merely “to deem possible” is not sufficient, so indirect intent or even negligent ignorance do not establish a duty to inform. However, awareness also exists when the exporter is acquainted with sufficient sources of knowledge from which the exporter can acquire the knowledge in a reasonable way and without special effort.’
The document urges exporters of cyber-surveillance items to ‘familiarise themselves with the situation in the relevant destination of the items, especially with the general condition of human rights there, as this provides an important indicator of the risk of serious violations of human rights and violations against international humanitarian law connected with an export.’
Where the exporter has ‘no information on the situation on the country of destination, such as the general human rights conditions there, it is not acceptable for the exporter in the course of its due diligence to ignore information that is obtainable from accessible sources in a reasonable manner and without great effort.’
