Export controls restrict the commercial access to goods, which could serve certain actors to build and proliferate weapons of mass destruction (WMD). Some of these goods have dual-use properties, that is they can be used for either civil or military purposes. For these controls to work effectively, states have agreed to cooperate in several international non-proliferation regimes and institutions. Non-proliferation only works if the collaborating states limit the access to restricted goods by establishing one regulatory standard. Nowhere is this necessity more apparent – and often challenging – than in the Wassenaar-Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.
Wassenaar’s procedure is straightforward: experts gather information about goods. Threat scenarios are analyzed. In the end, member states agree on additions or withdrawals from the common list of controlled items. The European Union (EU) transfers these changes into Annex 1 of its dual-use regulation. Equipped with this information, companies can, more or less, identify the goods for which they will need an export license – or in which cases application for an export license has no reasonable chance of success.
Adapting Export Controls to a New Security Environment
With its reform draft, the European Commission (COM) proposed to adapt dual-use controls to a changed security environment in which cyber surveillance technologies (CST) play an increasingly prominent role. This is a direct reaction to the massive human rights violations during the Arab Spring in 2010. CST served to access and monitor social media networks. Authorities identified protesters which resulted in systemic kidnappings, torture, and targeted killings.
Europe is united in its aim to prevent such abuses in the future. However, disagreement persists on how to reach this goal. Leveraging export controls to protect human rights involves a paradigm change. With international export controls so far committed to WMD non-proliferation, protecting people from illegitimate cyber surveillance entails a shift from national to human security principles. In substance, this would establish a security imperative focused on individual rights, such as freedom of speech and freedom of assembly.
In the beginning, the COM and the European Parliament (EP) proposed to control certain CST by employing so-called catch-all controls, should these CST pose a potential threat to fundamental human rights. These controls were to filter out all potentially threatening items not currently listed. However, this is not how catch-all controls work.
How Catch-All Controls Work
The concept was first introduced in Germany and directly translates into “application-centered transfer controls”. Catch-all controls leverage the technical expertise of exporting companies. Through this self-regulatory procedure, economic operators assess and verify end user as well as end use. This is possible, as manufacturers of chemical products, electrical engineering or machinery, for example, can deduce the intended purpose of a purchase from the parameters of the order .
However, a human security approach would overwhelm companies. To effectively protect freedom of speech or freedom of assembly would require economic operators to integrate expertise on human rights into their compliance strategy. More importantly, companies would also have to rely on information gathering and intelligence reporting that falls squarely within the responsibility of states. An essential act of sovereign power would be privatized.
EU Autonomous List Would Undermine International Regimes
As a compromise, the EP proposed to list specific CST. However, German industry rejects this unilateral approach as it would undermine international regimes. When Wassenaar’s 42 member states agree by consensus on a listing, their combined market power represents a significant obstacle for unwanted proliferation. Furthermore, this multilateral approach prevents a race-to-the-bottom, in which free-riding states would reap economic benefits by misregarding the majority’s security interests.
Wassenaar and EU Members Accept Their Responsibility
After the dual-use reform failed to pass during the EP’s previous legislative session, the European Council agreed on a renewed mandate for trialogue negotiations between COM, EP, and Council. German industry has welcomed the mandate and actively engages with all parties to the trialogue. In December 2019, the Wassenaar Arrangement listed certain dual-use CST. Certain software specially designed or modified for monitoring or analysis by law enforcement, particular systems for defeating, weakening or bypassing information security, and items to extract raw data or circumvent authentication protocols are now clearly identified by the international community as dual-use goods.
It remains to be seen whether the EP will voice more far-reaching demands in the remaining trialogue negotiations. In light of this multilateral success, however, German industry calls for a swift completion of the EU’s dual-use reform with no separate human rights protections.