Dieser Artikel stammt von Netzpolitik.org.Der Autor ist...
Die EU-Kommission kontrolliert den Export von Staatstrojanern und Überwachungstechnologien nicht, dafür sind nur die Mitgliedstaaten zuständig. Das berichtete Handelskommissar Dombrovskis im Europaparlament. Wir veröffentlichen ein inoffizielles Wortprotokoll der Anhörung.
EU- Kommissar für Justiz und Rechtsstaatlichkeit Reynders im Ausschuss. – Alle Rechte vorbehalten Europäisches ParlamentSudan ist ein autoritärer Staat, dessen Herrscher politische Freiheiten und Pressefreiheit extrem einschränken. Aktuell kämpfen rivalisierende Fraktionen des herrschenden Militärs gegeneinander. Dennoch hat der EU-Staat Griechenland den Export von Überwachungstechnologien an die Kriegspartei Rapid Support Forces genehmigt.
Der Staatstrojaner-Untersuchungsausschuss im Europaparlament untersucht, warum die EU den Handel mit Überwachungstechnologien und Staatstrojaner nicht verhindert. Am 28. März tauschten sich die Abgeordneten mit zwei EU-Kommissaren aus.
Handelskommissar Valdis Dombrovskis schob das Problem auf die Mitgliedstaaten und deren nationale Kontrollbehörden. Einzelne Ausfuhrgenehmigungen von Dual-Use-Gütern (die sowohl zivil, militärisch aber auch zur illegalen Überwachung eingesetzt werden können) müssen die Mitgliedstaaten gegenüber der Kommission nicht berichten. Diese Monitoring-Lücke führt zu Skandalen wie dem Export von Griechenland an den Sudan.
Justizkommissar Didier Reynders äußerte sich zur Frage, wie es zukünftig gelingen kann, den Einsatz von Staatstrojanern zu verbieten oder zu kontrollieren. Er stellte in Aussicht, dass die Kommission auf den anstehenden Abschlussbericht des Untersuchungsausschusses einen Gesetzentwurf folgen lässt, der die Regulierung von Staatstrojanern in den Blick nimmt.
Der Untersuchungsausschuss legt am kommenden Montag in seinem Abschlussbericht dar, wie Staaten und Unternehmen bei Produktion, Handel und Einsatz von Staatstrojanern gegen geltendes Recht verstoßen haben. Dazu kommen politische Empfehlungen für Konsequenzen, die das Parlament an Rat und Kommission überreicht.
Von der Sitzung gibt es kein Transkript, daher veröffentlichen wir ein inoffizielles Wortprotokoll der Anhörung.
Institution: European Parliament
Chair: Jeroen Lenaers
Expert 1: Valdis Dombrovskis, Executive Vice-President and Commissioner for Trade, European Commission
Expert 2: Didier Reynders, Commissioner for Justice, European Commission
Note: This transcript is automated and unofficial, it will contain errors.
Editors: Jan Lutz
Valdis Dombrovskis, European Commissioner for Trade
Jeroen Lenaers (Chair): Okay, good afternoon colleagues, good to see you all again for the continuation of our PEGA-meeting, which already started yesterday afternoon. And I welcome very much, to start the afternoon session with the executive vice President, Valdis Dombrovskis, Commissioner for Trade. In the work of the committee and in the draft report and recommendation, there has been a lot of discussion also on the trade aspects of spyware. In the amendments tabled by members, there is quite a discussion on such subjects, including on the dual use regulation, something that we have seen and we have discussed also in many of our hearings.
So it’s a good time for us all to exchange views with you, commissioner Dombrovskis, on your assessment on the way how these regulations also function at the moment and on the current drafts and the amendments that we have tabled here in the committee and how you think this trade of spyware could be regulated. So I will first pass the floor to vice president Dombrovskis. If members, who would like to participate in the Q&A afterwards, would already indicate so to us here on the podium, so we can make the speaker’s list, we can do this in an efficient way as possible. But first, once again, thank you for being here and I give you the floor to make your introduction, please.
Valdis Dombrovskis (Commissioner for Trade): Mr. Chair, honourable Members. Well, thank you for this invitation. So today I propose to explain the implementation of export control rules that fall under my responsibility. To start, allow me to [incomprehensible] you on your important work, what you are doing. It goes to the core of European values, helping to protect the dignity and freedoms of individuals and therefore our democracies and society at large. Well, as you know, I grew up under the Soviet Union, and the Soviet Union has developed a popular army of spies, people who would report on their fellow citizens to the Secret Service for any imprudent word or action. And these kind of reporters were everywhere. It could be a neighbour, a colleague, a teacher at a school, even friends or relatives. So people were fearing each other. They were afraid to speak their mind. Parents would lie to their children about their family history or political views, afraid that the children would accidentally denounce them at school.
So having lived through all this I’m personally very committed to preventing cutting edge technologies from being used to violate and restrict individual freedoms. With this in mind, I hope today’s discussion will help us clarify two things. First: Which EU rules are currently at our disposal to perform export controls on cyber surveillance items from the EU to third countries? And a second: What are the respective roles of national export control authorities and as a commission? We should also keep in mind that these rules concern export controls. They do not apply to imports of spyware such as Pegasus to any user inside the EU. As I understand later today you will exchange views with [Commissioner Reynders] in relation to certain aspects of use of cyber surveillance items within the EU.
Originally the EU export control regime reflected multilateral export control arrangements. It thus focused on non-proliferation of weapons of mass destruction and other dual use products, as well as technology used to produce conventional weapons. The EU export control regime gave an effect to measures agreed multilaterally. Then, in 2021, after five years of negotiations, we completed a comprehensive review of the EU dual use regulation, adapting it to make our export control system more efficient and effective. We also stepped up significantly the control of cyber surveillance technologies.
As you know, the dual use regulation harmonises the rules and supports the consistent application of export controls in the EU. It allows national competent authorities and all EU exporters to follow the same rulebook and to control the same list of dual use items, including software and technology. This EU framework is even more important because not all member states are members of four multilateral export control regimes and the EU itself is only a member of one of these [incomprehensible] the Australia Group on chemical substances. The EU control list complies all items controlled by these multilateral regimes. It includes cyber surveillance items such as intrusion software, telecommunication interception systems, internet surveillance systems, or communication monitoring software.
Accordingly, any such cyber surveillance item that has been identified on the EU control list cannot leave the EU territory without being granted an export authorisation or licence. That list is updated at least annually to reflect changes to multilateral regimes. Individual decisions to authorise or deny a particular export are taken by the member states. This covers items listed in the EU control list and the member states perform a serious assessment of related security or human rights concerns. This division of responsibilities between national export control authorities and the Commission applies for all dual use items, including for cyber surveillance items.
The new EU dual use regulation, adopted in 2021, enhances the EUs capacity to effectively control these items in three ways. First, it includes provisions to strengthen the possibility of new controls by member states on cyber surveillance technology independently of multilateral regimes. Second, the regulation foresees that we should develop guidelines for exporters on human rights due diligence measures that should apply before exporting unlisted cyber surveillance items. During the last year, we have worked closely with member states to finalise these guidelines. These guidelines will support exporters in application of controls of non-listed cyber surveillance items.
Non-listed items are items for which no multilateral decision has been agreed, but that may be intended to use in connection with internal repression or that [incomprehensible] of serious violations of human rights and international humanitarian law. Thus, we hold the [incomprehensible] or commitment to go beyond what is agreed and listed in multilateral export control regimes. We plan to launch a public consultation in the coming days on the draft guidelines and look forward for further input from the European Parliament as well.
As I said, improvement of a new dual use regulation is about more transparency, about licensing decisions by national authorities. Under the old dual use regulation, member states were only requested to report about cases where they refused export requests, so therefore a commission had little visibility on authorizations granted by member states competent authorities. The new regulation strengthens provisions related to annual reporting under the regulation. Specifically, member states are to report not just on denials like under the old regulation, but also on aggregate level on applications, including on concerned destinations, on authorizations granted for exports of cyber surveillance items.
Member States should provide the appropriate information for the preparation of annual report. However, they have to take into account the protection of personal information, commercially sensitive information or protected defence, foreign security or national security information. So this new approach is a step towards higher transparency, as requested by European Parliament, and it will be reflected in the forthcoming 2023 annual report to be published by the end of the year. We have just completed a public consultation on transparency about this reporting obligations and will report shortly about the comments received.
Honorable Members, the work to improve the controls of export of cyber surveillance items done over the last 18 months has been advanced probably slower one could have hoped for because it was done in parallel to extraordinary work on export control measures related to Russia’s war in Ukraine. It has overtaken most of our experts time and resources, not only in the Commission but also in the export control authorities of the member states.
So on this point, I would like to use the occasion to commend the Commission’s export control experts. They have been working day and night together with their national counterparts to design ten consecutive packages of technology sanctions. We now work to close loopholes. We also support member states in their effort to fight a sanction circumvention. This reinforced focus is on items found on battlefields in Ukraine. To conclude forward, I look forward for today’s exchange on the important work that the committee is undertaking. Thank you.
Jeroen Lenaers (Chair): Thank you. Thank you very much, executive vice president Dombrovskis. And very interesting to hear about the new ideas for the new regulation and of course, also all the work that the commission is doing with regard to the sanction packages on the on Russia. Thank you. Thank you very much. I open the floor to our colleagues. The first one is our rapporteur, Sophie in ’t Veld. Any other people that would like to take the floor and haven’t indicated so far? Please do so, so we can close the speakers list. Thank you.
Sophie in ’t Veld (Renew): Yes. Thank you, Chair. And thank you, Commissioner, for the opportunity for this exchange of views. The trade in and exports of spyware is a very important component of our work, of our reports. And I think we note with great concern that exports of spyware is taking place from the European Union, despite the fact that that is actually not allowed and the exports are taking place not to model democracies who would probably not need them, but to countries where spyware is being abused, you know, by repressive regimes. And that is why I think we as a European Union, we have not just the legislation in place, but we also have a moral duty.
I have a couple of questions to you in in random order. First question is, how does this work in practice? Because in one of the replies you sent me to one of my written questions, you said member states are primarily responsible. Which is true. But if you note, if you get signals, that the member states authorities are not doing their job, are not properly implementing, not properly applying, in this case the dual use regulation, then do you rely exclusively on information provided by that Member State or do you also react to signals that you get from the field, from the media, from, I don’t know, inquiries, from whatever?
Second question relating to this, and you’ve already indicated it a little bit. Simple question Does the Commission have sufficient capacity to respond adequately to that kind of signals? Do you have the capacity to actually, you know, go on a fact-finding mission and see for yourself how it works in practice.
Then, some concrete cases: In December 2022, the Greek government disclosed that it had provided [Intellexa] with two export licences in 2021. Following these revelations, the responsible minister stepped down. Now we know that one of those export licences was granted for exports to Madagascar, a country which is not exactly on the top of the list of democratic countries. How does that, in your view, correspond to the standards set by the dual use regulation?
And secondly, do you know what the second export license was for? Have you contacted the Greek authorities, and do you know what’s happened? Have you looked into the case? Because we put our written question to you about the illegal exports of surveillance technologies from Greece and Cyprus to Sudan. For these, no expert licenses were granted, as far as we know, and that makes it doubly illegal. Have you contacted the authorities of Greece and Cyprus? And if so, have you gotten a reply? And can you inform us about this? Have you contacted the authorities of Bulgaria, where we have concerns about very unclear situation when it comes to granting export licences, in particular to the NSO Group.
And a final question: The United States are a lot more determined when it comes to fighting, you know, illegitimate use of spyware, commercial spyware, an illegitimate trade in and they’ve just yesterday adopted new rules. Now that concerns mainly imports, but are you in touch with the American authorities to see if it is possible to align the policies? Because they say that they want to create an international ecosystem for the trade in in spyware. Have you contacted your counterparts in the United States to make sure that we are aligned as quickly as possible? Thank you.
Jeroen Lenaers (Chair): Thank you very much, Mr. Dombrovskis.
Valdis Dombrovskis (Commissioner for Trade): Yeah. Thank you very much for those questions indeed. So quite a broad range of questions. So first of all, on what is under the competence of member states. Member states are competent for taking decisions on specific cases of experts and underlying assessment of security and human rights considerations. As I was saying, member states are obliged to report according to dual use in relation on individual denials, so transactions of concern, but they are not obliged to report on individual authorizations under a dual use regulation. We have, however, contacted member states. So Greece, Cyprus, that you asked and also France and asked them clarifications for their individual decisions under the provisions of the dual use regulation.
Greece and Cyprus have not yet responded. France has confirmed that in general it has complied with the terms of the regulation. I understand that this committee also, on its part, has invited member states to cooperate and you have received transfer from Cyprus today… That’s the information we received … Okay…
In any case, we continue to engage with member states to clarify their consistent application of regulation. And also we are discussing with member states what additional information they should report on authorizations of cyber surveillance items on view of preparation of 2023 annual report and enhanced transparency requirements of new regulations, because those are the new requirements. As I was mentioning, Member States are not obliged to report on individual transactions, but they have to provide aggregate data and we are discussing now exactly the level of, so to say, detail on the date the member states would need to provide them. So that’s on as a first element.
What data we are using? Clearly, we are ready to consider any reliable data pertaining to implementation of EU regulation, including dual use regulation. At the same time, if we look at the dual use regulation itself, it, in a sense, does not authorize European Commission to conduct in-depth investigations of individual export licenses granted by the member states. So if, however, we would see the risks of underline case to case decisions that member states are not fulfilling the requirements of regulations, there is a standard procedure of launching, well, infringement procedure on the EU law. So that’s how those different instruments interact as well.
On capacity, as mentioning obviously the focus, especially last year and also early this year, was on sanctions against Russia and export controls in this context. But one can say that this really has been exceptional year from this regard. Even so, currently we still need to focus on anti-circumvention and other aspects.
Then you asked specifically on Bulgaria. That I would need to double check and we will follow up to this committee, I would ask colleagues to provide a written answer on what outreach has been there concerning Bulgaria.
Then on US, on the specific legal act you mentioned, which was published yesterday and provisional on use by the US government of commercial spyware, that poses a risk to national security. We have taken a first look at this legal act. We do not see an export angle in this specific measure. But on your question on cooperation on export controls or indeed we are in constant discussions and contact with US authorities on export controls. That’s one area where we want to deepen the cooperation, where we have been cooperating very closely and, I would say productively, on export controls concerning Russia. We are discussing how further to align our approaches. Primarily a tool for doing this is trade and technology council, so EU-US trade and technology council, and indeed, we certainly can bring up to the discussion all sorts of questions related to export controls on spyware.
Jeroen Lenaers (Chair): Thank you very much. We first continue the round, and if there is …
Sophie in ’t Veld (Renew): Sorry, there are some fairly relevant questions that I would still like an answer to. On Madagascar, Sudan and the unexplained export license from Greece.
Jeroen Lenaers (Chair): Yes, but we’ll continue the round of speakers first. Just to point out also that we have not received anything from Cyprus to our knowledge. So we will contact the Cypriot authorities to see if maybe something got lost [incomprehensible] way. And just to point out that for the speakers list I have now: Braunsberger, Heide, Neumann, Lebreton [and Kouloglou] …if anybody else… Diana Riba. And then I will close the speakers list. Thank you. If you want to get into the Sudan. Yes. First, briefly. And then we move on?
Valdis Dombrovskis (Commissioner for Trade): Sorry there were so many questions. To come back to the question on specifically Madagascar and Sudan: Indeed, we already contacted the Greek authorities in relation to exports of spyware to Sudan and have asked clarification on this issue. Similarly, to this case, I have instructed my services to ask Greek authorities for clarifications also regarding Madagascar and keep European Parliament fully informed on this issue.
Jeroen Lenaers (Chair): Thank you then for the EPP, Karolin Braunsberger-Reinhold.
Karolin Braunsberger-Reinhold (European People’s Party): Thank you very much. Thank you, executive vice president, for being here and giving us being here and giving us an overview. And I have two questions. Do you consider the export control regulation for dual use technology to be sufficient? Why? Why not? Has the Commission conducted a comparative analysis of [incomprehensible] use technology export controls, in like-minded countries? If so, has the commission found a more robust legal framework in this regard? And how does the commission plan to better implement the export regulation that are already in place regarding this type of software? Thank you very much.
Valdis Dombrovskis (Commissioner for Trade): I am sorry, what was the last question?
Karolin Braunsberger-Reinhold (European People’s Party): How do the commission plan to better implement the export regulations that are already in place regarding this type of software? Thank you.
Valdis Dombrovskis (Commissioner for Trade): Yeah. Thank you for those questions. So on first question: Is a dual use regulation sufficient? Well, the amended dual use regulation is in force relatively recently, it was agreed in September 2021. So in a sense, we are still gathering also experience working with this new regulation. I was mentioning a number of guidelines which we are still working on, including on a level of detail to be provided by the member states in the annual reports also on export authorisations. So this is all a work in progress. Certainly, one can say that this new dual use regulation is a step in the right direction, but we also know that it was a difficult political compromise. It took five years to negotiate and it goes deeply in member states national security matters, for member states tend to be, so to say, very protective of their prerogatives. I would say we still need to gather experience bit on the functioning of regulation to draw conclusions and see what further enhancements would be needed.
Do we compare this dual use export frameworks with like-minded partners? As already mentioned, our cooperation with US, with export controls, where we are certainly cooperating very closely. Well, on the dual use … regulation export controls, of course, we are in a bit specific situation because we have distribution of tasks between national export control authorities and EU level, which is also reflected in our discussions with countries because sometimes their counterpart is national authorities, sometimes their counterpart is European Commission or other EU institutions.
Also, it’s worth noting that it’s not always easy for the EU even to be at the table of negotiation. For example, EU is not a member at the Wassenaar multilateral agreement. So we’re not even there. Currently, just to give another concrete example, we are now trying to get in as a European Commission if you allow in a G7 export control monitoring group. Hopefully we manage, but it’s also not obvious. And also there is certain reluctance by member states just to give some examples how these different levels of competences are interacting.
Well on the third question on a better implementation. Clearly we are currently, as I think, gathering experience. I think important element will be, how we will reach agreement on level of detail of member states annual report and aggregate information they are providing on export authorisations. I think that can help also with implementation and also, well, I would say, clearly it depends also on cooperation with member states who are in a sense not … As European Commission, we are getting a quick and forthcoming responses from member states on the questions we are raising. Also our [cells], suddenly there is still scope for improvement, I would say, also within existing regulation and its implementation.
Jeroen Lenaers (Chair): Thank you very much. A quick and forthcoming information from the member states is not something we are very used to in this committee. So I hope you will have better luck for the S&D, Mr. Heide.
Hannes Heide (Socialists and Democrats): Thank you. I would like to thank the vice president of the commission for joining us for this debate. Production and trade in spyware is the business model. As we have seen, the market in the European Union is quite extensive. So how do we control this market? We’ve heard some thinking. I would be interested to know whether the Commission has a comprehensive overview of this market within the European Union. And following on from what the vice president said about information from member states, you said you don’t always receive it quickly enough or that it is comprehensive enough. And so my question is, might this be down to a lack of awareness? Or: The fact that they don’t know enough about these markets, these products.
There are many different producers within the European Union. Just to give you an example: In recent years in Australia, the authorities were made aware of a product and company only because Microsoft detected a number of security gaps in the software sold. And so the authorities in Austria carried out an investigation and then there were questions raised in the Austrian Parliament, and it emerged that there had been no authorisation given by the Finance Ministry in Austria and no export authorisation issued in the last ten years. So that could be interpreted as meaning that there is no such trade taking place. But you could also argue that there’s a lack of knowledge, lack of awareness as to the extent of this market and this particular business model. Thank you.
Jeroen Lenaers (Chair): Thank you. Hmm.
Valdis Dombrovskis (Commissioner for Trade): Yeah. Well, thank you for those questions. So. Well, clearly, spyware and production and the sale of spyware within the EU for export, it’s clearly a business model. It has its own legitimate uses for law enforcement, for public security. So the question is, in a sense, how to ensure that it’s not abused, but it’s used for its legislative uses on how to control it within the EU market doesn’t.
And the next speaker in this committee is going to be Commissioner Reynders, who will be focusing exactly on the issues on use of spyware within the EU. So as regards this question, as you’re saying on lack of awareness, well there or well, it’s I would say they are a two part part of this. Well, first of all, we are talking about well, specific service, specific a model. And there is this EU list of goods under control. And spyware is in this EU list, including a famous Pegasus spyware is in the EU list of controlled items. So clearly member states are aware who are the producers, what is being sold because they are the ones who are granting or denying the licenses for those producers. Of course, they also may be, as you said, to certain gaps of knowledge, because software is not subject to customs duty. So it’s not controlled on the border by nature. If it’s a, it’s a software.
So they also may be assured a shortage of reliable data at our disposal. That is information which member states how from their producers or importers or exporters. But as I say, some, they say electronic transmissions of software or any other electronic transmissions are not always easy and obvious to control. So that also may be some are some information gap, as you noted.
Jeroen Lenaers (Chair): Thank you very much. For the Greens, Hannah Neumann.
Hannah Neumann (Greens): Thank you, Commissioner Dombrovskis, for being here. Yes, Here. Hi. I would have questions on on on the aspects of what you touched already. The first one goes into the current dual use regular regulation and the implementation. Well, by but by us, by your organisation and the member states. The first question is quite simple given that we see Member States misusing spyware internally against its own citizens, how can we have trust that they don’t try to circumvent and misuse it also in terms of the exports? Do you have the trust that they don’t do that? The second question, and maybe we can just pick it up from the Greece Cyprus export case to Sudan, What happens concretely if member states do not follow the dual use regulation? So what does the first step of escalation? What is the second? What is the third? What is number four and what stands in the end? I mean, are there sanctions or do you have kind of can you force them to give you information? What happens next? And I mean, in the end it should be that they are no longer allowed to export any such technology if they don’t comply. Is that really the end or are we weaker?
Question number three on this aspect, you mentioned the guidelines that are at the moment on the developments where there are discussions now happening between Member States guidelines on the specific spyware tools that haven’t been part of the first dual use regulation. For me, the question is what will what kind of capabilities or tools with these guidelines cover? Am I correct that these kind of tools and capabilities are at the moment not being exported until everyone agreed on these guidelines?
And the last questions is the human rights considerations. So you said the current dual use regulation has human rights considerations, but it’s on the member States to assess this human rights considerations for exports. Does it make sense that 27 member states individually assess these human rights considerations and maybe come to very diverse outcomes? And is that not the biggest loophole possible to circumvent by basically just making the one member states with the weakest considerations, the the place where you have your company if you want to export, or is there anything that can mitigate that?
Second question relates to the EU Emergency Trust Fund for Africa, because we had the ombudsperson here presenting a report how the European Commission assessed the human rights impact before providing support to African countries to develop surveillance capabilities, clearly saying that currently the check under the American under the EU Emergency Trust Fund for Africa is not sufficient. Are you aware of her report? What is your feedback to this report? What will you put in place to better ensure that the human rights impact assessment in the EU Emergency Trust Fund for Africa is met?
And the last question that’s a bit more of a political one. So I’m asking you as a politician on this one. When it comes to the export, at least we have a regulation in place and EU regulation in place, we expect member states to follow. You have certain oversight capacities and certain potential for you as an EU body to sanction them. You mentioned infringement yourself. So if we can have this oversight on the export dimension of spyware, why can we not have it on the internal use or misuse of spyware, especially as it infringes fundamental rights of EU citizens? Do you think this makes sense?
Jeroen Lenaers (Chair): Thank you, Ms. Neumann. Mr. Dombrovskis.
Valdis Dombrovskis (Commissioner for Trade): So, yeah, thank you for those questions. So maybe let’s start on what happens. What happens if member states are not following as a regulation? As I was saying, a regulation is in a sense limiting the amount of information Member States are obliged to provide to the Commission, and also its limiting as a competence of authority of the Commission. As I say, we cannot, under the regulation, make some specific in-depth checks on whether or not a regulation is properly applied.
So correspondingly, indeed, if we conclude and there is evidence of Member States is not properly applying, the regulations at all, at our disposal, is an infringement procedure against that Member State for non application or non transposition or whatever. Also, well, in case of a regulation we are not talking about transposition, so let’s stick with non application. So that’s the tool which is our proposal. And as I was saying, suddenly the Commission is ready to use any reliable information. So it does not has to be limited to Member State information only. Well, you asked a good question, Do we trust the Member states? Well, I would say by default we trust member states. Of course, if we have evidence to the contrary, we are willing to look at this evidence and to take action.
So. Then as regards this point you raised well, was it it makes sense that there are 27 different member states doing the assessment on export controls, including human rights consideration. Well, this is what is a regulation forsees. So the coalition forces and its member states export control authorities, which are taking those decisions. I was giving you a bit initially as a historical overview how this export control system was developed, how it came to the EU level. And initially it came from quite a clear military uses weapons of mass destruction, conventional weapons. So we are quickly are in a domain on Member States foreign and security policy considerations. So where member states are deciding authorising or denying specific transaction, they are doing those considerations, including considerations on national security policy, human rights, other relevant considerations. So that’s just what is currently foreseen under the regulation. And as I was saying, it took five years to agree this regulation and it was a difficult political compromise. And the reason for this difficulty is that it goes often to the core of member states national security policy.
So that’s that’s the limitations which we are currently opposing. Well, on the misuse of spyware internally. Well, as you know, the commission is obviously also looking on this. The legal basis, which is applicable for internal and exports is different. Clearly, we as I said at the beginning, we should make sure that the spyware is not misused to spy on citizens, to spy on political opponents, whatever. And I personally feel quite strongly about this. So it has to be done both as regards exports and internal use while on internal use. On the specifics, I leave it to Commissioner Reynders who is dealing with those issues more specifically. Then on the question you reported or asked on the Trust Fund for Africa and (incomprehensible) findings, I’m not immediately aware of the issue. I may of course inquire to the relevant colleagues in the Commission who are working with this topic since I have some comments and observations on this matter. Thank you.
Jeroen Lenaers (Chair): Thank you very much, for the I and D, Mr. Lebreton.
Gilles Lebreton (Identity and Democracy): Thank you very much indeed for your words. It’s very interesting for us to be able to really to look at this 2021 regulation on the export of dual use goods, which includes this spyware software. Now, listening to your words, I have a strange feeling because very often we talk about foreign trade and that external trade that’s part of your portfolio. And we feel that there’s a sort of steamroller effect of the commission who is rolling over member states decisions. But this seems to be the opposite today. You’ve say that it’s quite hard to pass this. You’re facing a certain amount of resistance and certain member states. And I am pleased that, in fact, that to have a lot of leeway in this. So I have some very specific questions to you.
First of all, you said that it’s hard to get information from Cyprus and Greece. All the other 20 have the other 25 member state provided all the information you’ve asked for. Secondly, you have pointed out that the reports that you sent to on to the member States don’t talk about individual cases just aggregated. So are you planning to be able to have a really good overview of what’s happening with exports? Not all the data lumped together. And thirdly, I remind you that member States consider that we’re looking at security matters here, and therefore, in fact, is that not perhaps why you can’t have a very clear view of exactly what’s happening? Because, I mean, when we evoke national security. For obvious reasons, understandable reasons. That means that a member states all withholding information. Thank you.
Jeroen Lenaers (Chair): Thank you, Mr. Commissioner.
Valdis Dombrovskis (Commissioner for Trade): Yeah. Okay. Thank you for those questions. Let me start with a broader question you raised. Well, you know, in different policy areas, there is a different legal basis and a different competences for the Commission and EU level in general. So you specifically asked about that trade. External trade is EU exclusive competence. So indeed, on many occasions the Commission is in the driving seat, including negotiating free trade agreements. Well, obviously based on the mandate of Member States and at the end of the day ratified by Member States and European Parliament, or should it be mixed agreement, also national parliaments. So even in a trade policy, we cannot help this steamroller effect, as you said, because at the end of the day it’s still member states who are deciding whether or not to ratify what the Commission has negotiated.
That the dual use regulation is much more restrictive in terms of the Commission competences. So we are not in a driving seat. It’s Member States export control authorities who are taking the decisions. Then on a question we ask on a member states. So what? What is the outreach? So if we have some specific problems, obviously we individually outreach to the member States. So we discussed specifically the outreach we are doing from to Greece and Cyprus, a related for example, Sudan. And we are working with all member states on preparation of that annual report. So we were discussing it before and indeed so on into those cases. There is a difference. Already now, member States need to report individual rejections. So if they reject export authorisation, they have to report it to individual to the Commission and other member states. It’s considered as a well transaction of concern and other member States need to take into account this when deciding their own export authorisations. So that’s already there. So Member States can learn from each other on transactions of concern on authorisations, as the regulation does not foresee obligation for Member States to inform on individual authorisations.
So correspondingly, it’s this aggregated information which you are going to get on in the annual report and that obviously as European Commission we are insisting with Member States to have as granular and as detailed information as possible, while Member States once again may be invoking some of some limitations on national security grounds, so on not disclosing commercially sensitive information. But there from the commission side, obviously we insist on to the extent granular information which we are able to get.
Jeroen Lenaers (Chair): Thank you very much. For the EC and R, Ms. Beata Kempa.
Beata Kempa (European Conservatives and Reformists): Thank you very much. Thank you, Commissioner. Thank you for your presence and for the information you have provided, you have partly answered the question I want to ask. I think if I ask two more questions, your reply would certainly be uniform and concrete. Working on the recommendations for the European Commission and the Council, the PEGA committee is considering what should be the criteria to adopt concerning the sale, imports and exports of spyware software in the European Union, to have protection against abuse in the future.
Therefore, my two questions one, whether the regulation of 2021, 821, fresh from May 2021: establishing the European system on control and intermediary technical control transit transfer of double use products is sufficient as the legal basis for protection against exports from Europe to countries which do not comply with the basic human rights, and what are the regulation needs any amendments or any specific executive acts. That was my first question and second question.
How do you perceive an opportunity that within the current legal system of the European Union? How can we control and the sale of spy software in the European Union? And I’m thinking about situation when such software is produced outside the EU and situations when it was produced in the single market. So for what mechanism and whether such mechanism could be available? And whether it’s possible to regulate the sale of such products. Is it feasible at all? You have partly answered, but I think you might answer quickly. Once again, thank you.
Jeroen Lenaers (Chair): Thank you, Ms. Kempa, Mr. Commissioner.
Valdis Dombrovskis (Commissioner for Trade): Yeah. Thank you for those questions, I think we partly already discussed those questions. So is the dual use regulation as now amended in 2021 sufficient? Well, we’re currently still gathering experience on the functioning of this new dual use regulation. We are preparing annual reports. We are working with Member States in relevant committees and bodies. So I think it’s too early to draw definite conclusions. Well, clearly, as we can see from our discussions, there are limitations in this regulation, but those limitations are by design because there are limits in a sense to how much competence Member States wanted to delegate to this issue at the EU level
In the case of already existing regulation obliges the Commission to carry out the evolution of regulation in five years, where we can draw all possible conclusions on possible shortcomings and reflect on the amendments. Of course, we can see whether some clarity emerges already sooner and since we need evidence based decision making. So what we do in a review also needs to be on evidence, and then we always question how much political space we will have to make next steps as regards EU level export controls and so on. Second a question on how to control and regulate the production and use of spyware. This once again comes more to the question on internal application of of controls within in the single market. The questions you will be discussing, my colleague in a short time.
Jeroen Lenaers (Chair): Thank you for the left, Mr. Kouloglou.
Stelios Kouloglou (Left): Mr. Dombrovskis, you started your intervention describing this cruel and very expanded, expanded system of spying on the citizens in the ex-Soviet Union. And I was working there as a correspondent in Moscow for five years so that I can fully corroborate and confirm what you have said. As you remember, the general secretary and the secret services were spying on journalists, but not only journalists put it all not only a political open openness, there were spying also on its own ministers, Right. Ministers of the state. This is happening in Greece with the prime minister. He was spying for the ministers.
You remember that this internal secretary was spying on the the leaders of the armed forces. And what happened in Greece is that the prime minister was spying on the leader of the chief of staff. On the chief of staff. You remember that day the general secretary was spying on his relatives, for instance, his sister and, well, the Greek prime minister was spying on his sister. You remember? He was spying on the general secretary or he owned his nephew and well, Mr. (incomprehensible) it was fine. If you remember, he was fine on his knees. And then, Mr. Mitchell, that grows pain in his knees. So you will tell me there is a difference? Of course does. Of course. But there are also aggravating circumstances in the present case, because, you know (incomprehensible)Soviet Union was a member of the European Union. Now we have here Greece being a member of the European Union, and we have two deputies of the European Parliament being inspired. And we know this case since nine months. So I have certain questions to ask you, very brief questions.
Why the commission has not made any statement about the Greek case. When it comes to the two other cases, the commission is coming out and saying, well, this current yes or no, you now nothing. Mrs. von der Leyens outlet disappeared. This the first one. Second question: The scandal is already nine months. When did you ask the the Greek government for explanations and everything about what? I don’t know what exactly what you have asked. Third, is there in your request a limit, a time limit? Are you waiting for an answer under as a kind of certain period of time? Or is it just a general question. And fourth, the last question, Mr. Dombrovskis, I would like to ask you, taking into account your personal, very painful experience living in the country, where the spying was a method of governing. You know, what is your personal opinion on the issue? This already documented. I already described you. Happening in Greece. Between us and you. What’s your personal opinion of that. Thank you.
Jeroen Lenaers (Chair): Thank you. Thank you very much. Just just to remind colleagues that, of course, Mr. Dombrovskis is here in his capacity as responsible for the trade issues. Of course, everybody is free to ask any question they want, but we have Commissioner Reynders later this afternoon also to discuss the use, etc., and the rules internally in in the European Union. So, of course, Mr. (incomprehensible) has invited us to to answer all the questions as he pleases, but in his specific portfolio is the questions of of trade and export dual use regulations. Mr. Dombrovskis.
Valdis Dombrovskis (Commissioner for Trade): Yeah. Thank you for those questions, my buddy. Let me start with a specific questions on our request of information for Greece. So the requests we were sending to Greece in my area of competence were concerning the export of spyware, specifically to Sudan. So this is what we had been approaching as a Greek authorities, and we are currently awaiting that response. So clearly, yeah, when we requested colleagues will try to find the exact date, when we requested this information and to find it, we had it somewhere here and useful for okay colleagues. So try to find exact dates.
So as I was saying, by default, in dual use regulation, Member States are not obliged to report on individual authorisations of dual use items, including spyware. So that’s why we made this ad hoc request following some information which had become available. We’ll find specific dates for this. Well, on your broader question, well, clearly, as I said at the beginning, I lived myself in a system like this. I know what it means. And therefore, I’m clearly of the view that that kind of spying on fellow citizens and political opponents or whatever should not take place, that spyware has to be used strictly according to its legitimate uses. And there are legitimate uses for law enforcement, for national security. And that’s indeed the task of the National Home and Justice systems to ensure a legitimate use of this kind of tools, which indeed, as Mr. Chair already outlined, brings us to the next topic and a hearing with the Commissioner Reynders. So on a specific question on one, we reached out to Greek authorities on as our export export authorisations, 14th of February. Thank you.
Jeroen Lenaers (Chair): Thank you very much. Then Diana Riba i Giner.
Diana Riba i Giner (Greens): Thank you. Good afternoon. I have a more general question to ask. A lot of the questions has been very specific. When we talk about this spyware, for example, when we talked to when we went to Israel mission, we talked about these programs as a weapon. There was saying this is a weapons import export issue. In listening to your presentation and when we talk within the European market of the spyware, we’re talking about something as if it were any other commodity and not a weapon. So. How how are we seeing this kind of good. Is it a weapon? Should we see it as such or. I mean, what category the spy will fall into? Because things change according to what category you put this good in. And there’s an investigation committee and we need to come up with a report. We need to know what the legal framework is that we need to use for the future of use. So this dual vision within and without the EU, I mean, where do we put these spy goods? Are they weapons or not?
And then on human rights, I have a very concrete question on the new directive. There is a new reason for denying export licenses for cyber vigilance, cyber surveillance, especially in cases of threats of human rights violations, I think is Article 4.2 and 3.8. Has any member state use this human rights clause since its introduction? It’s a bit the same question as my colleague has, but I wanted to know if this article has already been implemented through use by any member State. So have we already identified any infringement of fundamental values in the EU?
Jeroen Lenaers (Chair): Thank you very much, Mr. Dombrovskis.
Valdis Dombrovskis (Commissioner for Trade): Yeah. Thank you for those questions. So indeed, while you referred to weapons, I was telling in my introductory remarks, where is the EU export control regime originates from? And indeed it originally focussed on non-proliferation of weapons of mass destruction and other dual use products as well as technology used to produce conventional weapons. So there is sort of a link clearly with those issues and correspondingly with national security issues. So therefore, how’s the dual use regulation functions? We are having an EU watch list of goods and services which are subject to this dual use regulation and spyware. And as I was saying, also different components and related technologies are on this watchlist. So that’s the reason why it’s under the scope of dual use regulation. So we’re not treating it as any other commodity because any other commodity typically is not covered by a dual use regulation. So that is the reason why spyware is covered by dual use regulation. So so that’s on the first part of the question. On information on whether and any member states have been using the human rights clause so far as it’s something I probably would seek further information and I would come back to the committee in writing to the specific question.
Jeroen Lenaers (Chair): Thank you. Thank you very much. Executive Vice President, Dombrovskis. First of all, for for being with us today for making the time available to exchange views with the members of our committee and also to to follow up on some of the questions where we didn’t have specific answers yet in writing. Later, this much appreciated. We will, of course, continue to work on our recommendations following the leadership of our rapporteur, Sophia in ’t Veld. We also hope that you will keep a clear, a close eye on what we will recommend and we count on you for the cooperation in the face after this committee has been dismantled. And we will work on, hopefully the legislative rule out of the recommendations that we make. I see that there is a very, very brief, urgent follow up question of our rapporteur, very briefly to.
Sophie in ’t Veld (Renew): Two tiny things. Chair, Thanks for for allowing this. First of all, I understand the Commissioner asked clarification from Greece on the 14th of February, whereas the news on the Sudan flights broke on the 30th of November. That’s two and a half months earlier. Why did the Commission wait so long? And my second question is, I hear you say the commission is not authorised to conduct in-depth investigations of individual cases, even if you have indications that there’s something wrong. Plus, member states invoke national security. And in though in that giant gap, I understand it is entirely possible as it is happening today for member states to export spyware to non-democratic countries. And the European Commission has no powers to intervene because you can not intervene in individual cases. And this means that companies which have been blacklisted by the United States can freely export spyware from Europe, from the European Union, as long as national governments are willing to to cooperate, which is happening. So we’re basically helpless. Is that the conclusion?
Jeroen Lenaers (Chair): Thank you, Mr. Commissioner.
Valdis Dombrovskis (Commissioner for Trade): Yeah. So on first of a question, I was already describing the context in which we were working. For most of the last year and also beginning of this year was a clear focus on export controls related to 2010 sanctions packages against Russia and export controls on those goods, which may or may not appear on the battlefields in Ukraine. But clearly we are keeping a focus also on as a spyware related issues. And as I was saying also, we see scope for further discussion and cooperation also with the United States in this specific area.
Well, this a comparison of US. Well, we were discussing extensively, so we are not necessarily following the same legal base. So I would not describe the situation as hopeless because we have two layers of defence. We cannot completely dismiss what the member states are doing is they are export control national authorities, which has helped to implement as a regulation. As I said, the standard procedure in case of non-implementation of regulation is infringement procedure and this possibility is there if there is substantial evidence. Thank you.
Jeroen Lenaers (Chair): Thank you. Thank you very much also to all colleagues for the exchange of views. It’s 5:30, Mr. Reynders, commissioner Reynders will arrive at 5:45. So we’ll break off for 15 minutes and then we’ll have the next item on our agenda. Thank you once again, Executive Vice President for process. And we continue we look forward to continuing cooperation in the future. Thank you.
Didier Reynders, Commissioner for Justice, European Commission
Jeroen Lenaers (Chair): Dear colleagues, if everybody could take their seats, we will continue our meeting. I am very pleased to welcome Commissioner Reynders to our committee meeting. It’s a is the second time we meet in the framework of our committee work. I think the last one was in May last year, which is ten months ago. I think a lot has happened in the past ten months that that warrants a renewed exchange of views, both in terms of developments in some member states, but also developments, of course, in the work of our committee, the draft report, the amendments, the draft recommendations that are on the table now. And since, of course, the purpose of our committee is not only to adopt a report in the end and to adopt the recommendations, but to make sure there is also follow up to these recommendations and that these recommendations are implemented in practice. We count on your cooperation also after our commission ceases to exist.
So therefore, I’m very pleased that you were willing and able to meet with us again. I propose we follow the same format that we always do. We happily pass the floor to you for your introductory remarks, and then we open the room for questions and answers for the members. And of course, as always, I would also like to ask already the members who would be wanting to take the floor during the exchange of views to already indicate so now, so we can draw up the speaker’s list and keep an eye on the timing. Yes. Thank you very much. And first, the floor goes to you. Commissioner Reynders, thank you very much for being with us.
Didier Reynders (Commissioner for Justice and Rule of Law): Thank you, Chair and honourable members, of course, the normal way to try to discuss with you before the adoption of your work of operations. And then, of course, we will see how it’s possible to organise the follow up recommendations. But as I have already highlighted, when I came to your committee last year and in various written replies, the Commission recognises the important work you are doing to investigate the use of spyware and European Union. We are closely following the preparation of your report and the resolution and we are waiting for the adoption. We know that your report will cover several aspects of the use of spyware by the Member States, including compliance with privacy and data protection rules, but also the functioning of the spyware industry or export and import of spyware.
As the Commission has stated on numerous occasions, including before the European Parliament, we strongly condemn any illegal access to interpersonal communications. Those be very clear. Spyware is a particularly intrusive technology, and we have seen the consequences of its use through the various testimonies of individuals that appeared before your committee. It is paramount that the fundamental rights to privacy and data protection as enshrined in EU law are fully respected all over the Union. The legal framework governing the use of spyware can differ depending on whether its use falls under EU law or national law.
Now, use of spyware, confidentiality of communication and privacy of data protected by GDPR. So the enforcement directive and private life electronic communication or e-privacy directive. Surveillance authorities in national jurisdictions are competent under these tools to guarantee compliance with the legislative framework. EU law on data protection applies when it comes to processing personal data by private entities, even where such processing is required for security national security reasons. EU law is also applicable when public authorities process personal data for criminal or repressive purposes, in the case of spyware. In such cases, individuals must be in a position to exercise their rights when it comes to data protection under EU law. That includes the right to information an effective legal recourse. The right of information and access to personal data is key in the EU judicial system. It is a prerequisite to enjoy other rights, including the right to take legal action if said rights are breached. The commission stresses that it is important for supervisory, supervisory and judicial authorities to have sufficient powers here and to enforce these rights. These authorities need to make full use of their powers to take an in-depth look at any breach of rights in this area.
EU law does not apply to cases where public authorities directly access the data, so not the telecom operator and process them for genuine national security purposes, which is a different issue than law enforcement. An important question is in this debate is therefore the delegation between the application of EU law and national rules on national security. It is for the member States to define their national security interests and to adopt appropriate measures to ensure their internal and external security. Nevertheless, the European Court of Justice made clear that Member States must be able to demonstrate that national security would be compromised in the case as issue. The Court of Justice also held that threats relating to national security are the ones that are capable of seriously destabilising the fundamental constitutional, political, economic or social structures of a country such as terrorist activities.
Therefore, based on the court case law, Member States cannot merely refer to national security in a general way to exclude the application of EU law in cases reported by the press, the real issue seems to be whether the use of such a spyware is generally justified by national security when such a restriction to the right to privacy and personal observation protection cannot be justified as fighting and national security, EU law must apply with all the safeguards it provides. Where there is a dose on the interpretation of EU law, national courts can make a reference for a preliminary ruling to the Court of Justice. It is also important to bear in mind that where EU law is not applicable, the European Convention on Human Rights still applies as well as national constitutional law safeguards.
In this context, it is also important to consider the following points: Whether Member States have in place a national legislation framing the use of tools such as spyware for national security purposes. Whether the national legislation foresees specific and sufficient safeguards given the high level of intrusiveness of the use of spyware. Recently, my services have requested information from all the member States about the national legal framework governing the use of spyware from a data protection perspective. We ask the member states several questions, including the purposes under which spyware is permitted under the national law for law enforcement purposes, for national security or other purposes. The safeguards that are applicable when spyware is used for law enforcement purposes and for national security purposes.
The large majority of the member states are ready, replied, But we are still in the process of collecting the member State responses to this mapping exercise. We will assess carefully these replies. I have also discussed the matter with Minister in some Member States to give. To example, in the travels I have made in Spain or more recently in Greece. Before concluding, I must underline that the Commission is no investigative powers in this field, so we are not in a position to assess individual situations. We cannot therefore assess whether the conditions for the national security exceptions are met in the specific case. We do not have the ability to go on the ground to hear testimonies or to seize documentation, for example.
In conclusion, based on your final report and on our own fact gathering will decide on the most appropriate way forward. I want to say that in the last discussions I have had with some that opposition authorities or independent authorities in relation with this kind of situation in some member States and on the basis of the response that we have received from Member States, I am sure that we will have to examine if it’s needed to come with a legislative proposal at the EU level. We will see also on the basis of your recommendations. And in such a kind of framework, the questions that we have, of course, is to see what kind of legislation is needed at a national level to organise the process. What kind of safeguards are in place to protect individual rights and to give some example, who will be in charge to authorise the use to give an (incomprehensible) of the spyware of spyware for national security purposes.
In some member state I received of remarks, this may be enough to do that with one judges, one judge, able to decide about the authorisation. In others, it’s maybe more important to have a college of judges to do that. And so to organise a process. But then what would be in charge to control the full respect of the safeguards and the real access to a possible redress for the individuals? Having seen such a kind of access to their own data, so again will have to take into account your recommendations in your resolution and will take into account the actions of the Member State. Of course, when I’m speaking about a possible legislative initiative. You know that we need to work with two co-legislators. So the Parliament, of course, and you will video resolutions, but also the member states and, you know, the sensitivity of the national security issue at the level of the member states. But it’s not a reason why we don’t have to to continue to work on this. I thank you for your attention. And I’m, of course, looking forward to listen to your interventions that may be modern, that read your recommendations when you will have had your body to adopt your resolution.
Jeroen Lenaers (Chair): Thank you very much, Commissioner, and thank you for taking our recommendations into account. And of course, of course, in order to adopt any legislative proposal, we need to co-legislators that is clear to launch a legislative proposal. Of course, the commission has the the full right of initiative. So taking our considerations into account, I hope it will also make use of that of that initiative. We have on the list at the moment. Sophie in ’t Veld, for the EPP Braunsberger, López Aguilar, Cañas, Solé, Lebreton, Kempa, (incomprehensible), Neumann, Riba i Giner. I just want to underline that we have one hour ant then our interpretation will finish or I would really ask for it