EU Issues New Export Due Diligence Guidelines for Cyber-Surveillance Tech

New, long-awaited EU guidelines released this week outline how exporters should identify cyber-surveillance technologies that may not yet be controlled by member states but may still be subject to bloc-wide reporting rules. The guidelines, which the European Commission had been drafting for years and was aiming to issue this month (see 2409260001 and 2303310025), also list a range of customer red flags and describe due diligence expectations for companies exporting these items, including that they screen all end-users and consignees and carry out a detailed “risk assessment” for each transaction.

The 14-page guidance is designed to “raise awareness of the risks associated with misuse of cyber-surveillance technologies and provide exporters with practical tools to evaluate human rights,” the commission said Oct. 16, including by clarifying “what types of items fall under the notion of cyber-surveillance.”

The EU already controls shipments of certain technologies that can be used for surveillance purposes in its dual-use export control regulations, but these new guidelines address the various “non-listed” cyber-surveillance items that aren’t subject to specific EU license requirements but could still lead to human rights abuses. Under EU law, a company must notify their government about these non-listed exports if the company’s due diligence uncovers that the item could be used for “internal repression” or other human rights violations.

Although “it is by definition impossible to provide an exhaustive list” of these non-listed cyber-surveillance items, the guidelines offer definitions for technologies that may qualify, including items that are “specially designed” for “covert surveillance.” The EU also listed several examples of possible non-listed cyber-surveillance technologies, including:

• Certain facial and emotion recognition technologies that can be used to monitor or analyze stored video images, although the EU stressed that these technologies must be “carefully examined" to determine "whether the software is specially designed for covert surveillance”
• Certain location tracking devices, which can be used by law enforcement to collect evidence in an investigation or by commercial companies for location-based advertising, but also for “mass surveillance” of populations.

EU exporters also must track whether a product can be used as part or component of a larger system that could “result in the same violations and/or misuse,” the guidelines said. It also stressed that video-surveillance systems and cameras don’t fall under the definition of cyber-surveillance because they don’t monitor or collect data from information and telecommunication systems.

The EU said it expects exporters to carry out due diligence “through transaction-screening measures, meaning taking steps regarding item classification and transaction risk assessment.” The bloc specifically called on companies to review if their products “might be a ‘cyber-surveillance item,’” including by analyzing their “technical characteristics” to determine whether they align with EU cyber-surveillance definitions.

Exporters should also “review the capabilities” of their items to determine if they can be used for human rights violations or repression, and should monitor several red flags that may signal a customer will use the item for repression:

• if the item is marketed with information about its potential use for covert surveillance
• if there is information indicating that a similar item has been used for repression or other human rights violations
• if there is information indicating that the item has been illegally used in surveillance directed at an EU member state or an EU citizen
• if there is information indicating that the transaction includes items that “could be used to set up, customise or configure a system that is known to be” used for repression.

The guidelines also list several steps exporters should take to find out more information from a customer or another party involved in the transaction, including:

• before and during the transaction, review how the consignees and end-users plan to use the product or service, including based on their end-use statements
• learn about the “situation in the relevant destination of the items,” including about the destination country's human rights record, “as this provides an important indicator” of the transaction’s risk
• review risks that the product or service will be diverted to a different, unauthorized end-user.

An export may be at risk of being diverted to an unauthorized end-user if the authorized end-user has an “obvious relationship with a foreign government that has a record of committing internal repression,” the EU said. Companies should also watch out for end-users that have ties to a military or militant group involved in human rights violations, and they should also scrutinize end-users who have previously exported cyber-surveillance items to countries with a poor human rights record.

Exporters should “discontinue activities that cause or contribute to adverse impacts related to human rights, as well as develop and implement a corrective action plan,” the EU said. That may include updating internal guidance to help employees learn how to address transactions with human rights risks, and drawing “from the findings of the risk assessment to update and strengthen management systems to better track information and flag risks before adverse impacts occur.”

The EU said companies should also notify their governments about their “due diligence findings to facilitate information flow with regards to certain items, end-users and destinations.”