EU Council approves new guidelines on cyber-surveillance export controls

The Council of the European Union has approved comprehensive guidelines to help exporters comply with controls on cyber-surveillance technology that could be used for human rights violations or internal repression.

The guidelines, approved during the Council’s meeting on 15 October, clarify the EU’s export control framework established by Regulation (EU) 2021/821, particularly focusing on ‘non-listed’ cyber-surveillance items.

The document provides specific definitions of what constitutes a cyber-surveillance item, defining it as ‘dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems.’

‘Items used for purely commercial applications such as billing, marketing, quality services, user satisfaction or network security are generally considered not to entail such risks,’ the guidelines note,  excluding these from control requirements.

The guidelines specifically address emerging technologies like facial recognition systems. While such technologies have multiple legitimate uses, the document notes that ‘facial and emotion recognition technologies that can be used to monitor or analyse stored video images could fall within the scope of the definition of cyber-surveillance item.’

The framework reflects what the document calls ‘the Union’s commitment to effectively address the risk of cyber-surveillance items being used in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law.’

Exporters must now notify authorities when they become aware their products might be used for repression or rights violations. The guidelines clarify, ‘Being “aware” implies that the exporter has positive knowledge of the intended misuse. The mere possibility of such a risk is not sufficient to establish awareness.’

The Council adds: ‘Arbitrary or unlawful surveillance may also violate other human rights, such as the right to freedom of expression, association and assembly, freedom of thought, conscience and religion, as well as the right to equal treatment or prohibition of discrimination, and the right to free, equal and secret elections.’

It advises: ‘In particular cases, the surveillance, including monitoring or collecting of information of the natural persons, such as human rights defenders, activists, political figures, vulnerable populations and journalists, may lead to intimidation, suppression, arbitrary detention, torture or even extrajudicial killings. Therefore, exporters should include these aspects relating to serious violations of human rights in their assessments.’

The guidelines provide detailed due diligence requirements for exporters, including the need to review capabilities of items for potential misuse, assess stakeholders involved in transactions, and develop plans to prevent and mitigate potential adverse impacts.

They also provide an appendix listing specific types of controlled cyber-surveillance items, including telecommunication interception systems, internet surveillance systems, intrusion software and forensic/investigative tools.

https://data.consilium.europa.eu/doc/document/ST-14507-2024-INIT/en/pdf