European Policy, Government Surveillance
CDT Europe Sends Comments to EC on Dual Use Regulation
Below is feedback from CDT Europe to the European Commission’s consultation on guidelines for the implementation of the Dual Use Regulation
The guidelines reference the concept of ‘awareness’ in the Regulation. Although the guidelines are clear that exporters must take steps to obtain ‘sufficient and adequate knowledge’ of the intended use, they also state that a theoretical risk that items might be used in a manner to violate human rights would not be sufficient to imply they are intended for such use within the meaning of the Regulation. This guidance creates a possible loophole. Additional clarification would be necessary, such as whether the cyber-surveillance items will be used by the government.
For example, it is well-established and known that the Chinese government engages in mass surveillance on an ongoing basis and systematically targets human rights defenders and journalists. According to the guidelines as written, an exporter could rely on a claim by the government that there is a legitimate intended use, and therefore the risk is theoretical. The guidelines must therefore make a more direct link between the overall context in a given country and the concepts of awareness and intended use.
The guidelines reference facial recognition and emotion technology, stating that in order to fall within the definition of a cyber-surveillance item under the Regulation, the software would have to be specifically designed for covert surveillance. This grossly underestimates the human rights violations that can occur through overt use of such technologies, for instance, cameras and untargeted scanning in crowds or protests, where overt use can have a chilling effect on speech because people can see the cameras and deduce that they are being surveilled.
The fact that this is overt does not diminish the human rights violations. As highlighted by the current debates on the EU’s own AI Act, even in countries where there are rule of law safeguards, the use of such non-targeted surveillance by law enforcement poses an unacceptable risk to human rights. This risk is exponentially higher with regard to States that already target human rights defenders and journalists for peacefully exercising their rights to protest. The guidelines should therefore be revised to more accurately reflect that risk and more clearly make the case for the inclusion of such technologies as cyber-surveillance items.
Since the recast of the Dual Use Regulation, there have been significant normative shifts in the concept of due diligence, and the implementation of the UN Guiding Principles of Business and Human Rights. As the PEGASUS and other Spyware scandals have demonstrated, the current application of due diligence by exporters and by companies developing such technologies has not been sufficient to prevent the harms in practice.
The guidelines should insist on the inclusion of an assessment of the companies developing and/or selling the technologies with regard to their policies and practices in relation to the UN Guiding Principles and the OECD guidelines for multinational enterprises. Once the EU’s horizontal Directive on Due Diligence is agreed upon, this will also likely have an impact on the obligations of companies and so should already be referenced in the guidelines.
Whilst these guidelines shall provide important clarification and guidance to exporters, this does not preclude the need for a deeper examination of what further actions are needed in practice to halt the export of cyber surveillance equipment for the purpose of unlawful surveillance and human rights violations. To take one example, the European Parliament’s PEGA Committee has noted that ‘the Greek government admitted it has granted export licenses to Intellexa for the sale of the Predator spyware to repressive governments, such as Madagascar and Sudan’. The Greek government disclosed that it had provided Intellexa with two export licenses on November 15, 2021’, namely, the export licenses were given after the entry into force of Regulation 2021/821. It is not clear whether the guidelines alone would be adequate to prevent such exports from happening in the future.