EU spyware companies export to countries limiting human rights, and it has to change

Human rights advocacy organisation Amnesty International’s recent report, Out Of Control: Failing EU Laws for Digital Surveillance Export, details “evidence of the gaps in the current European Union (EU) export regulation framework for digital surveillance technologies.”

Amnesty focuses on exports of surveillance technology from European countries to China, where the government often uses such technology to track and discriminate against dissidents and marginalized groups such as the Uyghur ethnic minority. This report comes in the context of recent evidence that the Chinese government is incarcerating Uyghurs in Xinjiang province and forcing them to work in factories that supply global supply chains, among other severe human rights abuses.

As the UN Office of the High Commissioner for Human Rights acknowledged in an August 2020 guidance paper, the rapid pace of technological evolution means that technology often has unanticipated consequences for human rights that can emerge and mutate quickly. In this context, it wrote, a “shared understanding among all stakeholders of how different technology business models might lead to human rights harms, how this plays out in reality and what is being done, or can be done, to avoid harms will create a strong foundation for multi-stakeholder dialogue and co-creating paths to improve business practices and protect human rights.” For practical guidance on this topic, also see the U.S. Department of State’s Guidance on Implementing the “UN Guiding Principles” for Transactions Linked to Foreign Government End-Users for Products or Services with Surveillance Capabilities, published in September 2020.

Amnesty International’s report was developed based on a legal review of the current EU export regulation framework, a political analysis of the ongoing process of revising the framework (‘the Recast Dual Use Regulation’), a review of Chinese public procurement databases and direct engagement with the companies who have supplied technology to China.

Overview of EU dual-use export regulations

• EU export regulations include “dual-use” requirements and restrictions around what companies can and cannot sell to foreign actors based on their potential to cause harm.
• The European Commission defines “dual-use” items as “goods, software and technology that can be used for both civilian and military applications.” These requirements are codified in the EU Dual Use Regulation No 428/2009, which is currently undergoing a process of revision.
• Restrictions apply to buyers on the EU’s list of sanctioned groups, entities and individuals, and to goods including materials that can be used to create chemical or biological weapons, radioactive material (e.g. uranium) and technology that could be used to make nuclear weapons (e.g. fuel cells, centrifuge components), and components or equipment that can be used in military technology. It also applies to certain types of technology and software that can be leveraged for cyberwarfare and surveillance (more on this below).

Background on dual-use exports and surveillance technology

• According to Amnesty, “European companies that produce spyware and wiretapping tools, in law often referred to as intrusion and interception products, occupy a significant position on the global surveillance technologies market.” For example, the UK, France and Germany rank among the top five countries with the most registered surveillance companies—in total more than 35% of the world’s surveillance companies.
• These tools have increasingly been used to crack down on political dissent, media and civil society. They especially captured global attention in 2011 when a number of governments in the Middle East and North Africa used spyware and wiretapping, as well as other technology disruption practices like shutting down telecommunications networks, to quell Arab Spring protests. According to the report, “European companies have exported intrusion and interception technologies to Egypt, Libya, Syria, Ethiopia, Saudi Arabia, and other countries with poor human rights reputations.”
• In response to increased human rights risks associated with technology, in 2014 the EU included spyware and wiretapping technologies on the control list of the EU export regulation framework.
• However, Amnesty emphasizes that, since 2014 “the framework and the accompanying control list have failed to anticipate the growing EU biometric surveillance industry that is about to further arm governments with emerging surveillance tools around the world.” China, in particular, has been documented to use biometric technology—especially facial recognition software linked to GPS location data—to track individuals and groups, identify their ethnicity, analyse their behaviour and impose wide-ranging restrictions on their movement.
• This is particularly relevant for European companies, as “Europe is the region with the second-highest revenue on the global biometrics market, and the second-largest provider of such technologies to governments worldwide.” According to the report, the biometrics industry “is forecasted to experience at least five-fold growth up to EUR 54 billion by 2025 worldwide.”

Summary of findings

• Amnesty International identifies three EU-based technology companies (French company Morpho—now called Idemia, Swedish company Axis Communications, and Dutch company Noldus Information Technology) that exported digital surveillance technology to China, including facial and emotion recognition software that is “now used by Chinese public security bureaus, criminal law enforcement agencies, and/or government-related research institutes, including in the region of Xinjiang.”
• Amnesty points to risks that this technology can be used by foreign governments to violate human rights, including freedom of movement, right to privacy, freedom of expression and non-discrimination—as well as evidence that it is already being deployed by the Chinese government to arbitrarily detain people and inhibit freedom of assembly and association.
• Despite these risks, the report argues that these companies have not conducted adequate human rights due diligence or taken adequate action to address their products’ contribution to human rights abuses in China, as required under the UN Guiding Principles on Business and Human Rights and under domestic law, e.g. the French Duty of Vigilance law.
• The report provides recommendations for digital surveillance companies to ensure that their products do not contribute to human rights (outlined below). Amnesty also calls on the EU to address gaps in its export regulations that allow European companies to sell surveillance technology to repressive governments and provides six concrete recommendations for action (outlined below).

Recommendations for digital surveillance companies

1. “Commit to respect human rights and put in place robust human rights due diligence policies and processes which cover human rights risks and abuses connected with the use of company products, services and supply chain. Companies have responsibilities, independent of legal obligations imposed by home states, to identify and address the potential and actual human rights risks connected with the use of their products and services, such as digital surveillance items and related servicing contracts.”
2. “Identify, prevent, mitigate, and account for the human rights impact of company operations, products, and services, as well as supply chain, before, during and after transfer. The implementation of human rights policies and processes through due diligence needs to be on-going, proactive and dynamic, covering all aspects of the business relationship and product lifecycle (including end-use). Risks can change rapidly in countries that lack a legal framework that adequately protects human rights or countries that are experiencing conflict and internal upheaval, and digital surveillance companies must have policies and processes in place that allow them to adapt and respond to potential and emerging human rights threats.”
3. “Take action to address human rights risks and abuses. Once risks or abuses are identified, they need to be addressed through concrete actions. These could include consulting with relevant stakeholders and applying leverage to clients, e.g. refraining, threatening to suspend, suspending or ceasing supply.
4. “Publicly communicate risks that are identified and how they are being addressed in the fullest way possible. Companies should be as transparent as possible about their human rights impacts and the measures they are taking to identify and address them. This must include information on the company’s policies and processes and how it has identified and addressed specific human rights risks and abuses arising in its operations. It must also include regular updates – particularly in relation to situations of heightened risk, such as countries involved in armed conflicts or internal upheaval or countries that lack adequate human rights protection within their jurisdiction. When a company has identified significant risks to human rights and was unable to mitigate those risks, companies must notify the licensing authorities, regardless of whether the item is question is on the export control list or not.”
5. “Refrain from lobbying in favour of relaxation of licensing requirements where such a relaxation poses a risk of increased human rights abuses or against initiatives which could reduce surveillance-related abuses. In their efforts to respect human rights, companies should strive for policy coherence and not undermine states’ abilities to meet their own human rights obligations.”
6. “Enable effective remedies where necessary. If a company’s product does contribute to human rights violations or serious violations of international humanitarian law, the company must endeavour to provide or facilitate prompt and effective remedy, including through reparations such as restitution, compensation, rehabilitation, satisfaction and guarantees of non-repetition.”

Recommendations for EU policymakers

1. “Define the scope of the Recast Dual Use Regulation in a technology-neutral manner in order to ensure that present and future digital surveillance technologies can be brought under it.”
2. “Establish expeditious procedures to put new forms of digital surveillance items on the control list that can be initiated by member states, a group of member states or the institutions of the European Union, without depending on surveillance companies for flagging the human rights risks. These procedures must allow for human rights risks to be addressed swiftly and efficiently as soon as a Member State or the EU institutions become aware of the risk.”
3. “Include the obligation for licensing authorities that decide on an authorisation of exports of digital surveillance technologies to take into account the occurrence of domestic and international violations of human rights law, fundamental freedoms and international humanitarian law in the country of final destination and/or by the end-user and/or if the legal framework in the destination country fails to provide adequate safeguards against human rights abuses.”
4. “Introduce obligations for companies to identify, prevent, mitigate and account for how they address the actual and potential impacts on human rights associated with their operations, services and products, as well as the supply chain. The obligation to conduct human rights due diligence must apply equally to all exporting companies, regardless of their size, location or structure. Victims of human rights harm should have access to judicial remedy, followed by adequate sanctions.”
5. “Establish an emergency brake procedure for anticipated exports of non-listed items that pose a significant risk to human rights.”
6. “Include the obligation for licensing authorities in the EU to publicly and regularly disclose the information on authorisation decisions […].”

“The current EU exports regulation (i.e. Dual Use Regulation) fails to address the rapidly changing surveillance dynamics and fails to mitigate emerging risks that are posed by new forms of digital surveillance technologies. For example, facial recognition technologies are not on the control list of the EU export regulation framework. These technologies can be exported freely to every buyer around the globe, including Chinese public security bureaus. The export regulation framework also does not obligate the exporting companies to conduct human rights due diligence, which is unacceptable considering the human rights risk associated with digital surveillance technologies. The EU exports regulation framework needs fixing, and it needs it fast. At the time of publishing this report, the European legislature is in the legislative procedure to amend the exports regulation framework (i.e. Recast Dual Use Regulation). This is the window of opportunity that must be seized to establish a robust framework that respects, protects and promotes human rights.”                        

        Amnesty International, Out Of Control: Failing EU Laws for Digital Surveillance Export (September 2020)