The European Union is once again showing its commitment to privacy — this time for people outside of its borders.

In 2021, the European Union enacted new rules that intend to curb the use of cybersurveillance technology in scenarios that violate human rights. The regulation requires EU companies that sell surveillance technology to foreign governments to report licensing details. In order to use public institutions as an accountability mechanism, the EU also decided to make this information publicly available.

While this is the EU’s latest attempt to reign in their surveillance industry, it’s not the first. In 2014, the union enacted regulation that required companies to receive a license from their member state in order to export surveillance technology outside of the EU. However, the law’s vague nature led to inconsistent implementation. Some countries in the EU like Denmark continue to export surveillance technology to the United Arab Emirates, while the Netherlands refuses to on human rights grounds.

Countries that take the spirit of the EU’s regulation to heart put their companies at a disadvantage in comparison to member states that choose to exploit loopholes. “That betrays the entire purpose of the European Union,” according to security expert Collin Anderson.

The EU’s newest regulation is betting on the idea that transparency will lead to informed citizens that pressure their national governments to be more selective with export authorizations.

Human rights violations via EU surveillance tech

The new regulation comes on the tails of incidents in which European technology companies have enabled oppressive surveillance by authoritarian regimes. Member states approved 317 exports of surveillance technology and denied only 14 from 2014 to 2017, according to an investigation by international consortium Security for Sale. A third of approved exports were to countries considered “not free” by the American democracy watchdog group Freedom House, while 52% of the exports were to countries considered “partially free” such as Turkey. Only 17% of the exports were to “free” countries.

Under oppressive regimes, journalists, minority groups, opposition parties, and human rights advocates are often the main targets of government surveillance. For example, a platform from Spanish company Mollitiam was used by the Colombian Army to spy on judges, politicians and journalists. During a protest in Turkey, spyware from FinFisher, a German company, was used to surveil the opposition party. French, Swedish, and Dutch companies have also helped China create a more robust surveillance state by selling them facial recognition technology and network cameras.

Criticisms from interest groups

Many human rights organizations welcome the EU’s efforts but believe the new regulation falls short of significantly reducing human rights abuses. These groups want the EU to more clearly define the kinds of cybersurveillance technology subject to new regulation. Amnesty International listed the technologies they believe should fall under that definition, including products like wiretapping equipment, surveillance drones, hacking tools, and monitoring software used by law enforcement.

Human rights advocates also want the EU to take a more hands-on role in how their member states implement the new regulation. Some member states like Italy and France used more lenient standards in earlier dual-use legislation for what constitutes an unacceptable human rights abuse. To combat inconsistency, advocates recommend the EU require all member states to use criteria for human rights abuses laid out in the EU Charter of Fundamental Rights and developed by European human rights courts.

On the other side of the debate, industry groups like DigitalEurope and EuroCommerce don’t believe this kind of regulation will be effective enough to justify the level of resources need to maintain compliance. DigitalEurope also argues that since most countries in the world aren’t trying to curb the use of cybersurveillance exports in human rights abuses, Europe’s attempts to do so are in vain. Also, opponents argue that transparency reporting could create business confidentiality issues.

The WTO and dual-use export controls

Because of international trade commitments, WTO members need to tread carefully when creating regulation around export controls.

In 1995, the General Agreement on Tariffs and Trade (GATT) instituted the “most-favored-nation” clause, which required WTO members to treat all trading partners like the one the member favors the most. Many dual-use export controls are covered under the national security exception and often restrict the sale of goods that would likely be used in warfare.

However, a foreign government surveilling their own civilians in their borders doesn’t fit neatly within the national security exception. While GATT doesn’t explicitly mention human rights, it does have exception provisions in cases “necessary to protect public morals” and “necessary to protect human, animal or plant life or health.” The General Agreement on Trade in Services (GATS) goes even further, providing exceptions in cases “relating to … the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.”

That said, the EU’s targeted approach in their cybersurveillance regulations can likely hold up against scrutiny within the WTO. These export controls and their transparency requirements fall cleanly within the bounds of the privacy exception in GATS.

An alternative to economic sanctions

The EU’s attempt to disrupt trade in order to prevent human rights violations is more strategically targeted than traditional economic sanctions. Instead of using general market power to cut human rights abusers off from the world economy, the EU’s new regulation ensures that companies do not directly enable innovative approaches to human rights abuses. These export controls are more likely to hit their intended target — oppressive regimes — than the general civilian population most often impacted by economic sanctions.

Many human rights experts argue export controls act as a more humane approach as well. In 2009, the UN General Assembly adopted a resolution condemning unilateral economic sanctions, claiming that sanctions add to the human rights issues that proponents claim they help solve. The vote breakdown saw members of the Global North more in favor of sanctions, while members of the Global South were more opposed.

Exporting values through trade policy

The EU’s stance on dual-use surveillance technology is just one of several instances in which they’ve promoted privacy through conditioned trade. For example, the union does not allow countries outside of it to store data of EU citizens unless a country’s data privacy regulations matches the EU’s rigor. Additionally, in its ongoing technology trade talks with the United States, the EU has dedicated a working group to tackle issues of technology misuse that leads to unlawful surveillance and human rights abuses. While the EU is not a world superpower, it’s using the market power of its nearly 450 million residents and close friendship with the United States to punch above its weight.

Time will tell if the EU’s attempts significantly impact the use of surveillance tech worldwide. However, the EU is undoubtably a global leader when it comes to crafting a vision for a privacy-driven technology market.