Published online by Cambridge University Press: 26 March 2021
The proliferation and abuse of cyber surveillance technology is a global policy problem. The Wassenaar Arrangement is a central platform of international cooperation for regulating dual-use goods and technologies and the so-called ‘cyber’ amendments to Wassenaar have created a multilateral control mechanism for the export of cyber surveillance technology. Following criticism of the repressive use of ICT-powered surveillance tools supplied by private companies in the early 2010s, Wassenaar States revised the Arrangement to regulate certain types of surveillance. This article begins by examining key features of the cyber amendments. Based on the analysis of recent export control law reforms in the three leading State actors in the production, sales and governance of cyber surveillance technology—namely the United States, China, and the European Union—the article identifies the diminishing importance of the Wassenaar Arrangement. It also shows how approaches in the three jurisdictions diverge not only from the terms of equivalent Wassenaar controls, but also from one another. They all aim to become a stronger and more autonomous entity in the regulation of cyber surveillance technology. In the face of escalating confrontation between the G2 concerning emerging technologies, it will be interesting to see how the EU's turn to a more human rights-centred approach to governing the export of cyber surveillance technology will be received by the US and Chinese governments in the long run and how it will interact with export control reforms designed with competing geopolitical, commercial and security agendas.
I thank Damian Chalmers, Lyria Bennett Moses, and Marija Jovanovic for their comments and suggestions on earlier drafts. I also appreciate the work of two anonymous peer-reviewers and the editorial members of the ICLQ. This work has been supported by the Cyber Security Research Centre Limited whose activities are partially funded by the Australian Government's Cooperative Research Centres Programme. Supports from my CSCRC colleagues were essential at various stages of conducting this research. Nicholas Parker kindly provided research assistance. All errors that remain are my own.
1 UNCHR, ‘Report of the Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, Surveillance and Human Rights’ (28 May 2019) UN Doc A/HRC/41/35 paras 1–6 at 3–4.
2 State-led targeted surveillance is not always ‘territorially contained’. ibid 16.
3 Bromley, M, Steenhoek, K Jan, Halink, S and Wijkstra, E, ‘ICT Surveillance Systems: Trade Policy and the Application of Human Security Concerns’ (2016) 2 Strategic Trade Review 37, 38–9Google Scholar.
4 List of Dual-Use Goods and Technologies and Munitions List, Compiled by the Wassenaar Arrangement Secretariat, Public Documents (Dec 2019) Vol II (‘Wassenaar Dual-Use List’).
5 See Section III.C for the scope and features of the cyber amendments.
6 See Bohnenberger, F, ‘The Proliferation of Cyber-Surveillance Technologies: Challenges and Prospects for Strengthened Export Controls’ (2017) 3 Strategic Trade Review 81Google Scholar; M Bromley, ‘Export Controls, Human Security and Cyber-Surveillance Technology: Examining the Proposed Changes to the EU Dual-Use Regulation’ (Stockholm International Peace Research Institute (SIPRI) December 2017); M Bromley and G Maletta, ‘The Challenge of Software and Technology Transfers to Non-Proliferation Efforts: Implementing and Complying with Export Controls’ (SIPRI April 2018); M Kanetake, ‘The EU's Export Control of Cyber Surveillance Technology: Human Rights Approaches’ (2019) 4 BHRJ 155; P Lichtembaum, DW Addis and DO Hindin, ‘Cyber-Surveillance Export Control Reform in the United States’ [2018] WorldECR 75; T Maurer, E Omanovic and B Wagner, ‘Uncontrolled Global Surveillance: Updating Export Controls to the Digital Age’ (New America Foundation, Digitale Gestellschaft and Privacy International, March 2014) 5–26; SIPRI and Ecorys, ‘Data and Information Collection for EU Dual-Use Export Control Policy Review’ (Submission, European Commission for Impact Assessment, 6 November 2015).
7 See C Anderson, ‘Considerations on Wassenaar Arrangement Control List Additions for Surveillance Technologies’ (Access March 2015); S Bratus, DJ Capelis, M Locasto and A Shubina, ‘Why Wassenaar Arrangement's Definitions of Intrusion Software and Controlled Items Put Security Research and Defense At Risk—And How to Fix It’ (9 October 2014) <https://www.cs.dartmouth.edu/~sergey/wassenaar/wassenaar-public-comment.pdf>; Pyetranker, I, ‘An Umbrella in a Hurricane: Cyber Technology and the December 2013 Amendment to the Wassenaar Arrangement’ (2015) 13 Northwestern Journal of Technology and Intellectual Property 153Google Scholar; Ruohonen, J and Kimppa, KK, ‘Updating the Wassenaar Debate Once Again: Surveillance, Intrusion Software, and Ambiguity’ (2019) 16 Journal of Information Technology & Politics 169CrossRefGoogle Scholar.
8 M Schaake, ‘Human Rights and Technology: The Impact of Intrusion and Surveillance Systems on Human Rights in Third Countries’ (Report, 2014/2232(INI), 3 June 2015) paras 15–21; adopted as the European Parliament Resolution of 8 September 2015.
9 T Timm, ‘Spy Tech Companies & Their Authoritarian Customers: Part I: FinFisher and Amesys’ (Electronic Frontier Foundation, 16 February 2012).
10 Citizen Lab, ‘Some Devices Wander By Mistake: Planet Blue Coat Redux’ (Citizen Lab, 9 July 2013); Electronic Frontier Foundation, ‘Swedish Telcom Giant Teliasonera Caught Helping Authoritarian Regimes Spy on Their Citizens’ (Electronic Frontier Foundation, 18 May 2012); Human Rights Watch, ‘They Know Everything We Do: Telecom and Internet Surveillance in Ethiopia’ (Human Rights Watch, 25 March 2014); Penny, J, McKune, S, Gill, L and Deibert, RJ, ‘Advancing Human Rights-By-Design In the Dual-Use Technology’ (2018) 71 JIntlAff 103Google Scholar; Privacy International, ‘Open Season: Building Syria's Surveillance State’ (Privacy International 2016); V Silver and B Elgin, ‘Torture in Bahrain Becomes Routine with Help of Nokia Siemens’ Bloomberg (23 August 2011); P Sonne and M Coker, ‘Firms Aided Libyan Spies First Look Inside Security Unit Shows How Citizens Were Tracked’ Wall Street Journal (30 August 2011).
11 Citizen Lab, ‘Mapping Hacking Team's ‘‘Untraceable’ Spyware’’ (Citizen Lab, 17 February 2014).
12 Many of these countries have also signed onto China's Belt and Road Initiative and its ‘smart city’ projects including mass surveillance program. See S Feldstein, ‘The Global Expansion of AI Surveillance’ (Carnegie Endowment for International Peace, 17 September 2019) 13–15; A Shahbaz, ‘Freedom on the Net 2018: The Rise of Digital Authoritarianism’ (Freedom House, 31 October 2018) 6–9.
13 Feldstein, ibid 14; C Rolley, ‘Is Chinese-Style Surveillance Coming to the West?’ (Guardian 7 May 2019).
14 D Cave, F Ryan and VX Xu, ‘Mapping More of China's Technology Giants: AI and Surveillance’ (Issues Paper Report No 24/2019, Australian Strategic Policy Institute (ASPI), 28 November 2019) 12–14; A Gwagwa, ‘Exporting Repression? China's Artificial Intelligence Push into Africa’ (Net Politics 17 December 2018); P Mozur, JM Kessel and M Chan, ‘Made in China, Exported to the World: The Surveillance State’ (The New York Times 24 April 2019); Shahbaz (n 12) 9.
15 See Section III.C.2 and IV.A.1 for the backlash from the industry and academia.
16 Bromley (n 6) 6–10; SIPRI and Ecorys (n 6) 143.
17 The definition cannot be entirely static as new technologies are introduced to the market, and a wider variety of communications devices and networks are involved in actual surveillance operations.
18 SIPRI and Ecorys (n 6) 42–54; Privacy International, ‘The Global Surveillance Industry’ (Privacy International, July 2016) 16–22 (‘Surveillance Industry Report’); PH O'Neil, ‘The Fall and Rise of a Spyware Empire’ (MIT Technology Review, 20 November 2019).
19 See the SII compiled by Privacy International at <https://privacyinternational.org/blog/54/privacy-international-launches-surveillance-industry-index-new-accompanying-report>.
20 Surveillance Industry Report (n 18) 22.
21 Cave, Ryan and Xu (n 14) 4–8; Feldstein (n 12) 6–9; Shahbaz (n 12) 13–15.
22 Meier, O, ‘Dual-Use Technology Transfers and the Legitimacy of Non-Proliferation Regimes’ in Meier, O (ed), Technology Transfers and Non-Proliferation: Between Control and Cooperation (Routledge 2014) 3Google Scholar.
23 Kanetake, M, ‘Balancing Innovation, Development, and Security: Dual-Use Concepts in Export Control Laws’ in Craik, N, Jefferies, CSG, Seck, S and Stephens, T (eds), Global Environmental Change and Innovation in International Law (Cambridge University Press 2018) 180Google Scholar; Rath, J, Ischi, M and Perkins, D, ‘Evolution of Different Dual-Use Concepts in International and National Law and Its Implications on Research Ethics and Governance’ (2014) 20 Science and Engineering Ethics 769CrossRefGoogle ScholarPubMed.
24 Joyner, DH, ‘Restructuring the Multilateral Export Control Regime System’ (2004) 9 JC&SL 181, 183Google Scholar; Meier (n 22) 3; Ruohonen and Kimppa (n 7) 3–4.
25 Surveillance Industry Report (n 18) 53; T Maurer and J Diamond, ‘Data, Interrupted: Regulating Digital Surveillance Exports’ (World Politics Review, 24 November 2015) 5.
26 Jaffer, J, ‘Strengthening the Wassenaar Export Control Regime’ (2002) 3 Chicago Journal of International Law 519, 521Google Scholar; Lipson, M, ‘The Reincarnation of COCOM: Explaining Post-Cold War Export Controls’ (1999) 6 The Nonproliferation Review 33CrossRefGoogle Scholar.
27 Dursht, KA, ‘From Containment to Cooperation: Collective Action and the Wassenaar Arrangement’ (1997) 19 CardozoLRev 1079, 1098Google Scholar; Pyetranker (n 7) 159.
28 Joyner (n 24) 190–3.
29 Dursht (n 27) 1113–14; Jaffer (n 26) 521–3; Ruohonen and Kimppa (n 7) 6–7.
30 See below Sections IV.A and IV.C; implementation of the Wassenaar lists is one of the obligations of participating States. Wassenaar Arrangement Guidelines and Procedures, including the Initial Elements, Compiled by the Wassenaar Arrangement Secretariat, Public Documents (December 2019) Vol I, 5–6.
31 Wassenaar Arrangement 2013 Plenary Meeting, ‘Export Controls for Conventional Arms and Dual-Use Goods and Technologies’ (Public Statement,4 December 2013); see also Amnesty International, Digitale Gesellschaft, FIDH, Human Rights Watch, New America Foundation, Privacy International and Reporters sans frontieres, An Open Letter to the Members of the Wassenaar Arrangement (1 December 2014) <https://www.hrw.org/news/2014/12/01/open-letter-members-wassenaar-arrangement>.
32 Wassenaar Arrangement, ‘Elements for Objective Analysis and Advice Concerning Potentially Destabilising Accumulations of Conventional Weapons’ (Explanatory Note, revised 2011) at 2.
33 The Coalition Against Unlawful Surveillance Exports (CAUSE), ‘A Critical Opportunity: Bringing Surveillance Technologies within the EU Dual-Use Regulation’ (Report, CAUSE, June 2015) 13.
34 See generally Saini, R, Khari, M and Wadhwa, M, ‘Vulnerabilities and Attacks in Global System for Mobile Communication (GSM)’ (2011) 2(3) International Journal of Advanced Research in Computer Science 139, 141Google Scholar.
35 Bohnenberger (n 6) 86–7; Bratus et al. (n 7) 3; T Dullien, V Iozzo and M Tam, ‘Surveillance, Software, Security and Export Controls. Reflections and Recommendations for the Wassenaar Arrangement Licensing and Enforcement Officers Meeting’ (WA-CAT Draft, 2 October 2015) 10–14; N Martin, ‘Google, the Wassenaar Arrangement, and Vulnerability Research’ (Google Online Security Blog, 20 July 2015); Microsoft Cybersecurity Policy Team, ‘Whitepaper: Rethinking Intrusion Software’ (Whitepaper, Microsoft, 2016) 3–8; Ruohonen and Kimppa (n 7) 12.
36 An exploit is a piece of code or a software solution designed to take advantage of a security flaw or vulnerability in a computer(ised) system. It is typically used to break into and gain control of the computer system with malicious purposes such as installing spyware, but also employed for non-malicious, legitimate purposes such as security testing, security analytics, and intrusion detection.
37 See Section IV.A for more discussion regarding US industry pushback against cyber amendments.
38 Wassenaar Dual-Use List (n 4) 80, 224.
39 Wassenaar Dual-Use List (n 4) 80.
40 ibid 81.
41 ibid 219.
42 Anderson (n 7) 14; CAUSE (n 33) 7.
43 Wassenaar Dual-Use List (n 4) 81, 219, 236.
44 ibid 3.
45 ibid 88.
46 According to the decontrol note to 5.A.1.j, IP network surveillance systems specially designed for marketing, Network Quality of Service (QoS) or Quality of Experience (QoE) purposes are exempted from Wassenaar controls.
47 Layer 7 manages application-specific networking requirements, identifies networking entities to facilitate networking requests from end users, synchronises communications, and identifies constraints at the application level including user authentication, privacy, and quality of service and data syntax. Some examples of the applications that operate at Layer 7 are web browsers (eg Chrome and Safari) and programs (eg Outlook and Office).
48 Anderson (n 7) 27.
49 Wassenaar Dual-Use List (n 4) 222.
50 Anderson (n 7) 23; Bohnenberger (n 6) 85; Maurer, Omanovic and Wagner (n 6) 31; Ruohonen and Kimppa (n 7) 10–11; A Weber et al., ‘IP Network Communications Surveillance Systems: Deciphering Wassenaar Arrangement Controls’ [2015] WorldECR 39.
51 The US Congress passed the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA) in August 2018 with bipartisan support to mandate the executive branch to counter China's growing impacts globally. As parts of 2019 NDAA, the Foreign Investment Risk Review Modernization Act (FIRRMA, Sections 1701–1728) and the ECRA (Sections 1741–1793) were enacted under Title XVII—Review of Foreign Investment and Export Controls.
52 Council Regulation (EC) 428/2009 on setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items [2009] OJ L134, Ann 1.
53 Original Chinese version and unofficial translation of Export Control Law (ECL) provided at Congressional Research Service, ‘China Issues New Export Control Law and Related Policies’ (Insight Report, Congressional Research Service, 26 October 2020).
54 Congressional Research Service, The U.S. Export Control System and the Export Control Reform Initiative (Report, 5 April 2019) 9–11.
55 Mori, S, ‘US Technological Competition with China: The Military, Industrial and Digital Network Dimensions’ (2019) 26 Asia-Pacific Review 77, 80–1CrossRefGoogle Scholar; see also Section IV.B.3 for the analysis of this new government strategy called, ‘Made in China 2025’.
56 ibid 79; European Parliamentary Research Service (EPRS), ‘Briefing, United States: Export Control Reform Act’ (22 November 2019) 2.
57 EAR, 15 CFR. 730ff.
58 ECRA contains the Export Controls Act of 2018 (ECA) and the Anti-Boycott Act of 2018.
59 ECRA, Sections 1752(2)(4)(10), 1753(b)(3), 1758(c).
60 EAR, Sections 730.6, 742.15.
61 Bureau of Industry and Security, ‘Wassenaar Arrangement 2012 Plenary Agreements Implementation: Commerce Control List, Definitions, and Reports’ (BIS Rule, Federal Register 78 FR37371, 20 June 2013).
62 ibid.
63 Bureau of Industry and Security, ‘Wassenaar Arrangement 2013 Plenary Agreements Implementation: ‘Intrusion and Surveillance Items: A Proposed Rule’ (BIS Proposed Rule, Federal Register 80 FR 28853, 20 May 2015).
64 US House of Representatives Committee on Oversight and Government Reform (Subcommittee on Information Technology) and the Committee on Homeland Security (Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies), ‘Compilation of Witness Statements, Hearings on Wassenaar: Cybersecurity and Export Control’ (12 January 2016) <https://www.hsdl.org/?view&did=795893>; see also Ruohonen and Kimppa (n 7) 14.
65 See (n 35).
66 Statement of Rob Joyce, then White House cybersecurity coordinator on US negotiating success in this regard, quoted by Lichtembaum, Addis and Hindin (n 6) 3.
67 Bromley and Maletta (n 6) 16; see Section III.C.2.
68 Lichtembaum, Addis and Hindin (n 6) 3.
69 Mori (n 55) 79.
70 ECRA, Section 1758.
71 Bureau of Industry and Security ANPRM, Review of Controls for Certain Emerging Technologies (Federal Register 83 FR58201, 19 November 2018).
72 ECRA, Section 1753.
73 ibid, Section 1758(b)(1).
74 Bureau of Industry and Security ANPRM (n 72).
75 Bureau of Industry and Security, ‘BIS Interim Rule with Request for Comments, Addition of Software Specially Designed to Automate the Analysis of Geospatial Imagery to the Export Control Classification (BIS Interim Rule, Federal Register 85 FR 459, 6 January 2020).
76 ECRA, Section 1742(7).
77 ibid, Section 1758(a).
78 ibid, Section 1758(a)(2)
79 Bureau of Industry and Security, ‘Addition of Entities to the Entity List, Federal Register’ (BIS Rule, Federal Register 84 FR 22961, 16 May 2019); Bureau of Industry and Security, ‘Addition of Entities to the Entity List and Revision of Entries on the Entity List’ (BIS Rule, Federal Register 84 FR43493, 19 August 2019).
80 ECRA, Section 1758(b)(5).
81 ibid Section 1758(b)(4).
82 Y Jing, Q Chen and B Lihui, ‘Analysis of the Latest Amendments and Highlights of the Export Control Law of the People's Republic of China (Draft)’ (China Law Insight, 2 January 2020) <https://www.chinalawinsight.com/2020/01/articles/law-popularity/《中华人民共和国出口管制法(草案)》最新修改/>.
83 PRC State Council, ‘Notice on Issuing “Made in China 2025”’ (State Council No 28, 8 May 2015) <http://english.www.gov.cn/policies/latest_releases/2015/05/19/content_281475110703534.htm>.
84 Yuan, JD, ‘The Evolution of China's Nonproliferation Policy since the 1990s: Progress, Problems, and Prospects’ (2002) 11 Journal of Contemporary China 209CrossRefGoogle Scholar; ES Medeiros, ‘Chasing the Dragon: Assessing China's System of Export Controls for WMD-Related Goods and Technologies’ (RAND Corporation, 26 September 2005) 5–19.
85 T Aoi, ‘Historical Background of Export Control Development in Selected Countries and Regions’ (CISTEC, 6 April 2016) 41–2; Foreign and Commonwealth Office Counter Proliferation Programme (FCOCPP), “Bridging the Gap”: Analysis of China's Export Controls Against International Standards (Final Project Report, April 2012) 4–5.
86 The Federation of German Industries (BDI), ‘Beijing Recasts Its Draft for an Export Control Law’ (2 April 2020); Covington & Burling, ‘China Releases Second Draft of Export Control Law for Public Comments’ (14 January 2020); Global Compliance News, ‘2019 Updates to China's Draft Export Control Law’ (11 January 2020); the US-China Business Council, ‘Comments on the Export Control Law’ (26 January 2020) 1–11; J Xie, ‘China Revises Draft of Its Export Control Law’ [2020] WorldECR 86.
87 Xie (n 86)
88 ECL, art 5.
89 ibid art 5.
90 Medeiros (n 84) 19, 77–80.
91 FCOCPP (n 85) 10–11; Medeiros (n 84) 19, 44, 60.
92 ECL, arts 1 and 2.
93 ibid art 2.
94 ibid.
95 ibid.
96 ibid.
97 The decisions are subject to approval of the State Council and the CMC. ECL, art 10.
98 ibid art 12.
99 See (n 80).
100 ECL, art 18.
101 ibid art 2.
102 ibid art 45.
103 Xie (n 86); see also for the table of revised penalties, Covington & Burling (n 86) 5–6; ECL, Ch 4.
104 ECL, art 15; these documents contain end-user's commitment to stick to the stated end-use and not to transfer covered items to third parties without permission. Previously this process was not compulsory. Covington & Burling (n 86) 4.
105 ECL, art 14.
106 ibid art 16.
107 ibid Ch 4.
108 ibid art 48.
109 Office of the Secretary of Defense, ‘Annual Report to Congress: Military and Security Developments Involving the People's Republic of China 2019, A Report to Congress Pursuant to the National Defense Authorization Act’ (2 May 2019) 9–11.
110 The US-China Business Council, ‘Unofficial USCBC Chart of Localization Targets by Sector Set in the Made in China 2025 Key Technology Roadmap’ (2015) 1–8.
111 Mori (n 55) 82–4.
112 Office of the Secretary of Defense (n 109) 21.
113 ibid 96; see also Mori (n 55) 82–3.
114 ECL, art 18.
115 Parliament Resolution (EP) 2011/2113(INI) of 10 May 2012 trade for change: the EU trade and investment strategy for the Southern Mediterranean following the Arab Spring revolutions [2012] OJ C261E; Schaake (n 8) paras 13–34.
116 See Kanetake (n 6); Rath et al. (n 23); Schaake (n 8); EU-wide efforts to incorporate human rights was acknowledged by many NGOs. Accessnow, ‘Shared Statement on the Update of the EU Dual-Use Regulation’ (May 2017) <https://www.accessnow.org/cms/assets/uploads/2017/05/NGO_Sharedstatement_dualuse_May2017.pdf>.
117 Davis, I, The Regulation of Arms and Dual-Use Exports: Germany, Sweden and the UK (Oxford University Press, 2002) 45Google Scholar; Micara, AG, ‘Current Features of the European Union Regime for Export Control of Dual-Use Goods’ (2012) 50 JCommonMktStud 578, 581Google Scholar.
118 Micara (n 117) 579.
119 Atlas, R, ‘Toward Global Harmonization for Control of Dual-Use Biothreat Agents’ (2008) 35 Science and Public Policy 21CrossRefGoogle Scholar; SIPRI and Ecorys (n 6) 142.
120 Commission Delegated Regulation (COM)1382/2014 of 22 October 2014 amending Council Regulation (EC No 428/2009) setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items [2014] OJ L371.
121 Commission, ‘Report from the Commission to the European Parliament and the Council on the implementation of Regulation (EC) No 428/2009’ COM (2019) 562 final (2019) 2.
122 Statement of Cecilia Malmström, EU Commissioner for Trade, Debate at European Parliament in Strasbourg on 24 November 2014, quoted by Bromley et al. (n 3) 39.
123 EPRS, ‘Briefing: EU Legislation in Progress, Review of Dual-Use Export Controls’ (November 2019) 1.
124 Commission, ‘Joint Statement by the European Parliament, the Council and the Commission on the Review of the Dual-use Export Control System’ COM (2014) 151 final.
125 ibid.
126 Commission, ‘Proposal for a Regulation of the European Parliament and of the Council Setting up a Union Regime for the Control of Exports, Transfer, Brokering, Technical Assistance and transit of Dual-Use Items (Recast)’ COM (2016) 616 final (‘Commission Proposal’).
127 Draft European Parliament Legislative Resolution in: European Parliament, ‘Report on the Proposal for a Regulation of the European Parliament and of the Council Setting up a Union Regime for the Control of Exports, Transfer, Brokering, Technical Assistance (COM(2016)0616 – C8-0393/2016 – 2016/0295(COD)), European Parliament, Committee on International Trade, A8-0390/2017’ (Report 2016/0295(COD), 19 December 2017) (‘Parliament Proposal’); see for a detailed account of this process, Bromley (n 6) 16.
128 The Parliament changed the term from cyber surveillance technology to ‘cyber surveillance items’. Parliament Proposal (n 128) Amendment 26 on art 2(1).
129 The Commission is in charge of adding and removing such items to Annex 1B. Parliament Proposal (n 128) Amendment 64 on art 16(2)(ba).
130 Commission Proposal (n 126) 5.
131 Parliament Proposal (n 128) Amendment 56 on art 14(1)(ba).
132 Parliament Proposal (n 128) Amendment 60 on art 14(1)(f).
133 EPRS (n 123) 9–10.
134 Council Common Position (EC) 2008/944/CFSP on Defining Common Rules Governing the Control of Exports of Military Technology and equipment, [2008] OJ L335/99.
135 Various Delegations, ‘Working Paper: EU Export Control – Recast of Regulation 428/2009’ (29 January 2018) Working Party on Dual-Use Goods WK 1019/2018 INIT, 2–3; Various Delegations, ‘Working Paper: Paper for Discussion – For Adoption of an Improved EU Export Control Regulation 428/2009 for Cyber Surveillance Controls Promoting Human Rights and International Humanitarian Law Globally’ (15 May 2018) Working Party on Dual-Use Goods WK 5755/2018 INIT, 4.
136 Various Delegations Paper of 29 January 2018, (n 135), 2.
137 EPRS, ‘Review of Dual-Use Export Controls (January 2021) 1; see also Commission, ‘Report from the Commission to the European Parliament and the Council on the implementation of Regulation (EC) No 428/2009’ COM (2021) 42 final.
138 European Council, ‘Proposal for a Regulation of the European Parliament and of the Council setting up a Union regime for the control of exports, brokering, technical assistance, transit and transfer of dual-use items (recast) (Proposal 2016/0295 (COD) 13 November 2020) (‘Compromise Text’).
139 Compromise Text (n 138) art 4a(1).
140 Compromise Text (n 138) art 4a(2).
141 See Parliament Proposal (n 128) Amendment 31 on art 2(1)(23a).
142 SIPRI and Ecorys (n 6) 181.
143 Kanetake (n 6) 157–8.
144 Compromise Text (n 138) Recital 5.
145 Comment of Valdis Dombrovskis, current Executive Vice President of the European Commission and Commissioner for Trade, quoted in Press Release, ‘Commission welcomes agreement on the modernization of EU export controls’ (9 November 2020).
146 States with stricter licensing requirements may have to risk the fleeing of surveillance companies that generate a huge amount of revenue every year, and this potentially leads to a ‘race to the bottom’. See S Boazman, ‘How We Revealed the Surveillance World's Illegal Trades’ Al Jazeera (10 April 2017); Bromley (n 6) 12; CAUSE (n 33) 14; Maurer and Diamond (n 25) 6; Privacy International, ‘Surveillance Companies Ditch Switzerland, but Further Action Needed’ (5 March 2014).
147 Citizen Lab, ‘Litigation and Other Formal Complaints Concerning Targeted Digital Surveillance and the Digital Surveillance Industry’ (Last updated 4 November 2020) <https://citizenlab.ca/2018/12/litigation-and-other-formal-complaints-concerning-targeted-digital-surveillance-and-the-digital-surveillance-industry/>.