The improvements to the European Union’s export controls rules on surveillance technology are so fragile that only rigorous efforts to carry them out will prevent EU technology from landing in the hands of abusive governments, Human Rights Watch said today.
The new rules, adopted after nearly a decade of lawmaking, regulate the sale of so-called “dual use” items produced in the EU, including mass and intrusive surveillance systems, aiming at preventing their sale to abusive governments. The types of technology covered include intrusion and interception software, deep packet inspection, and biometric surveillance. While some progress was achieved, the final text falls short of some of civil society’s key recommendations. In a joint statement on March 25, 2021, Human Rights Watch together with six other groups provide an analysis of the regulation and a series of recommendations for its implementation.
“The use of EU-made surveillance technology by authoritarian governments has led to abuses against many journalists, activists, and political opponents,” said Deborah Brown, senior digital rights researcher and advocate at Human Rights Watch. “While not ambitious enough, the new regulation includes meaningful provisions on mandatory transparency and assessing human rights risks, whose impact should be maximized through expansive interpretation and rigorous application.”
The new rules require the EU Commission to publicly report on the number of export license applications for each type of surveillance technology, for each Member State, and where they were sent. This landmark mandatory reporting requirement will allow the public, civil society, journalists, and parliamentarians to scrutinize licensing decisions and provide invaluable insight into the EU trade in surveillance technology. It also adds human rights risks as a criterion to be considered in the licensing assessment.
Since the 2011 Green Paper reviewing the EU’s trade controls on dual-use products, the beginning of this process, EU-based surveillance companies have continued to export their products to repressive governments.
For example, the Toronto-based research group Citizen Lab found that the renowned Emirati human rights activist Ahmed Mansoor was targeted in 2011 with FinSpy, produced by the German company FinFisher, and in 2012 with Remote Control System (RCS), produced by the Italian company Hacking Team. UAE authorities detained Mansoor for six months in 2011. He is currently serving a 10-year sentence, issued in 2018 for “cybercrimes,” in a prison in Abu Dhabi.
The basis for one of the charges against him relies on deleted email exchanges going back to 2011 as well as WhatsApp messages between Mansoor and representatives of international human rights organizations including Human Rights Watch, Amnesty International, and the Gulf Centre for Human Rights. Citizen Lab also found evidence in 2015 that FinSpy was being used by government agencies in over 30 countries, including many with abysmal records on rights, and in 2014 traced Hacking Team’s RCS to use in 21 countries, including by repressive governments.
In a communication to Human Rights Watch in April 2020, Memento Labs, which took ownership over Hacking Team in 2019, said it cannot comment on Hacking Team’s activities and that it has new policies and procedures to assess the human rights impact of its sales. FinFisher did not respond to a request for comment in April 2020.
The final agreement failed to meet some key civil society demands. For example, groups had called for a mechanism to update the list of technology subject to licensing restrictions in a transparent and consultative manner, and for denying export control licenses for non-listed items on human rights grounds.
Under the new rules, Member States can propose that new cybersurveillance technology be subject to licensing restrictions if an export control authority or exporter is aware that an export may be intended “for use in connection with internal repression and/or the commission of serious violations of international human rights and international humanitarian law.” But, in effect, the regulation requires unanimity for such restrictions to be imposed and foresees no consultation with the public or the civil society organizations that have often been among the first to discover abusive applications of these technologies.
The joint statement with Access Now, Amnesty International, Committee to Protect Journalists, FIDH (International Federation for Human Rights), Privacy International, and Reporters Without Borders recommends that the commission, in consultation with civil society, should expeditiously develop clear guidelines to ensure adherence to the new measures and disseminate them among all national and business stakeholders. Most importantly, the commission should closely monitor Member States’ implementation of the new regulation and adopt all necessary measures under EU law to prevent, discipline, and remedy any possible breach that may occur.
The statement recommends that the term “cybersurveillance” be interpreted broadly and highlights the importance of including biometric surveillance technology, which creates unprecedented risks to privacy and other rights, in the EU control list. The statement further outlines recommendations for meaningful transparency on export licenses, such as making reporting publicly available on a regular basis, and including information on whether the license was granted or denied and why, to facilitate independent oversight.
Finally, the joint statement emphasized the need for national legislation governing the assessment of export licenses to take into account relevant European human rights standards as well as evidence from civil society. The EU is already developing rules to require companies to undertake human rights due diligence. EU-based producers of surveillance technology should be required to identify, prevent, and mitigate potential and actual adverse human rights impacts of their operations and provide access to effective remedy for people whose rights have been violated.
“The EU can’t make up for lost time,” Brown said. “But it can urgently and robustly implement the new surveillance export rules to minimize the risk that European spyware is ever again used to harm or silence critical voices.”