The European Union’s Approach to Data and Surveillance

By: Riley Phillips

Abstract

Amidst the ever-evolving landscape of cyberspace, policies seeking to regulate and maintain digital rights at the state and supranational levels have remained largely static. The European Union’s approach to data and surveillance presents two different regulatory approaches to cyber capabilities. The General Data Protection Regulation (GDPR) protects consumers through data protection standards.[1] The EU preserves digital rights by providing safeguards against companies looking to exploit personal data.[2] A second cybersecurity concern is mercenary spyware, which has contributed to the illegitimate surveillance of journalists, politicians, law enforcement officials, diplomats, lawyers, businesspeople, civil society actors, and others.[3] Spyware is categorized as a dual-use good under the European Union Dual-Use Regulation (EUDUR). When compared, these regulations and what they seek to regulate differ intrinsically, but both hold implications for the future of digital rights. GDPR anchors its regulation on the consumer rather than the market in order to ensure corporate compliance, whereas EUDUR regulates surveillance technology as a product leaving its marketplace and leaves its application to be self-regulated by member states. The need to pivot alongside technological development reveals a more nuanced conversation about how legislation lags in its protection of digital and human rights. This work compares the approaches that EU policy takes towards cybersecurity to glean a greater understanding of the elasticity needed to keep pace with technological advancements.

 

            Technological advancement holds implications for digital rights ranging from disinformation and unlawful surveillance to the safeguarding of fundamental rights.[4] The GDPR and EUDUR seek to uphold digital rights through legislative regulatory power. Digital rights express the transfer of human rights into the digital space; they include freedom of expression, access to the internet, and data protection.[5] While cyberspace is not a “law-free zone,” there is little consensus on how international law and jurisdiction apply to it.[6] As a result, new technological developments like sophisticated algorithms, blockchain technology, and quantum computing raise concerns about the limited capacity of policy to account for loopholes and hacking techniques.[7] The EU’s response to the threat of mass data processing was the GDPR, whereas the threat of unlawful surveillance by mercenary spyware resulted in its categorization as a dual-use good under the EUDUR.[8] Dual-use goods are those used for both “military” and “civil” purposes.[9] GDPR regulates consumer data, whereas EUDUR regulates technology as a good and service. Regulating ever-changing cyberspace has proven difficult, creating loopholes within legislation as technology evolves. The assurance of digital rights therefore depends on elastic policies with the capacity to respond to new threats, yet those policies also require specificity to prevent the formation of further loopholes.

GDPR

            The GDPR came into effect on May 25th, 2018. It is legislation that puts control over data sharing into the hands of the consumer. GDPR applies to any data that can be used to identify a person,[10] for example one’s “social security number, IP addresses, telephone numbers, location data, birth dates as well as other information related to genetic, economic, cultural or social identity.”[11] The robustness of the GDPR’s efficacy rests in its “inelastic regulatory targets.”[12] GDPR leverages the permanence of the consumer as the target of regulation, so that the target cannot be moved to a different jurisdiction to create a loophole in EU regulatory power.[13] Companies like Google, Apple and Microsoft are exposed to significant fines if found in violation of GDPR.[14] The European Commission displays the cohesion and capacity to build the legal institutions necessary for holding corporations accountable through its sanctioning authority.[15]

The pace at which technological advancements occur creates a volatile landscape for bureaucracy on two fronts. First, GDPR’s policy can inhibit technological applications and increase the cost of producing new technologies that must align with GDPR’s security-by-design standards,[16] which creates an incentive for policy to remain limited to data and vague in its application. Technical practices like the use of “Bitcoins and other cryptocurrencies” pose a potential risk to the “‘right to anonymity’” and, with it, to the right to erasure in Article 17 of the GDPR.[17] Blockchains make it difficult to identify a data controller, potentially requiring each node to adhere to “strict obligations.”[18] Data from each node of a blockchain contributes to the shared record. Adherence to Articles 16 and 17 would require blockchain users to be able to correct or delete data, undermining the immutability on which a blockchain’s efficiency and effectiveness rest.[19] Artificial Intelligence (AI) can also interfere with GDPR rights, including the “right to data portability, the right to erasure..., and the right not to be subjected to automated decisions.”[20] GDPR creates operational standards that, while not explicit to developing technologies, can hinder the potential of technological applications. The second front is the legal uncertainty of how these laws apply to new software. Technology has “develop[ed] faster than the body of case law.”[21] Specifically, international human rights instruments like the European Convention on Human Rights (ECHR) bind only states and state actors, but AI and other new technology threats reside within the interactions of private institutions with state actors.[22] Member states depend “almost exclusively on data protection frameworks,” which protect the right to privacy but not against violations of other human rights.[23] In the absence of case law, additional digital rights need to be articulated in congruence with the development of new technologies.
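The conflict between Articles 16 and 17 and an append-only ledger is easy to see in code. The following is an added example, not code from the essay or from any of the works it cites: a minimal hash chain in which an in-place "erasure" of a record breaks verification and can only be repaired by rewriting every later block, beside the off-chain pattern (personal data kept outside the chain, only a salted commitment recorded on it) that is commonly proposed as a workaround. The block layout, the field names, the e-mail addresses and the off-chain store are all constructed for this illustration and are not taken from any real ledger.

```python
"""Added example: GDPR erasure/rectification versus an append-only hash chain.
Ledger format, field names, sample records and the off-chain store are constructed."""
import hashlib
import json
import os


def _digest(obj) -> str:
    """Canonical SHA-256 over a JSON-serialisable object (sorted keys, so the
    same logical content always hashes the same way)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class Block:
    def __init__(self, index: int, payload: dict, prev_hash: str):
        self.index, self.payload, self.prev_hash = index, payload, prev_hash
        self.hash = self.compute_hash()

    def compute_hash(self) -> str:
        return _digest({"i": self.index, "p": self.payload, "prev": self.prev_hash})


class Chain:
    """Minimal append-only hash chain: each block commits to its predecessor."""

    def __init__(self):
        self.blocks = [Block(0, {"genesis": True}, "0" * 64)]

    def append(self, payload: dict) -> Block:
        self.blocks.append(Block(len(self.blocks), payload, self.blocks[-1].hash))
        return self.blocks[-1]

    def verify(self) -> bool:
        for i, b in enumerate(self.blocks):
            if b.hash != b.compute_hash():
                return False                    # block content was altered
            if i and b.prev_hash != self.blocks[i - 1].hash:
                return False                    # link to predecessor is broken
        return True

    def rewrite_from(self, start: int) -> None:
        """Re-link and re-hash every block from `start` onward: the cost of
        'editing history', which every node would have to accept."""
        for i in range(max(start, 1), len(self.blocks)):
            b = self.blocks[i]
            b.prev_hash = self.blocks[i - 1].hash
            b.hash = b.compute_hash()


def naive_erasure():
    """Personal data written directly on-chain, then an Article 17 request."""
    chain = Chain()
    chain.append({"subject": "alice@example.org", "event": "signup"})  # constructed
    chain.append({"subject": "bob@example.org", "event": "signup"})    # constructed
    before = chain.verify()
    chain.blocks[1].payload = {"subject": "[erased]", "event": "signup"}
    after_edit = chain.verify()            # block 1 no longer matches its stored hash
    chain.blocks[1].hash = chain.blocks[1].compute_hash()
    after_rehash_one = chain.verify()      # block 2's prev_hash is now stale
    chain.rewrite_from(1)
    after_rewrite_all = chain.verify()     # only a full rewrite restores validity
    return before, after_edit, after_rehash_one, after_rewrite_all


def committed_erasure():
    """Alternative: keep the record off-chain and put only a salted commitment
    on-chain. Rectification appends a superseding commitment; erasure deletes
    the off-chain record and salt, leaving the chain valid and the bare hash
    unlinkable to a person (no salt, nothing to brute-force against)."""
    chain = Chain()
    off_chain = {}                          # hypothetical store: token -> (salt, record)

    def commit(token: str, record: dict) -> str:
        salt = os.urandom(16).hex()
        off_chain[token] = (salt, record)
        return _digest({"salt": salt, "record": record})

    first = commit("alice-v1", {"subject": "alice@example.org", "event": "signup"})
    chain.append({"commitment": first})
    # Article 16: correct the record by appending, never by editing block 1.
    second = commit("alice-v2", {"subject": "alice@example.org", "event": "signup",
                                 "corrected": True})
    chain.append({"commitment": second, "supersedes": first})
    # Article 17: erase everything held about the subject off-chain.
    for token in ("alice-v1", "alice-v2"):
        del off_chain[token]
    return chain.verify(), len(off_chain) == 0, len(chain.blocks)
```

The first function returns (True, False, False, True): the chain is valid, breaks on the in-place edit, still breaks after re-hashing only the edited block, and is valid again only once every successor has been rewritten. The second returns (True, True, 3): both commitments stay on the chain, the chain still verifies, and nothing identifying the subject survives once the off-chain records and their salts are gone.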

 

EUDUR

The EUDUR is a control list that classifies goods as possessing both military and commercial applications.[24] Its purpose is to provide access to goods in the private and public sectors while regulating potentially harmful goods that could be used as weapons. Despite being a supranational regulation, dual-use characterization maintains member state sovereignty through a self-regulatory approach to the application of dual-use goods. EUDUR determines the legitimacy of a transfer by whether the “end-use of the technology by the end-user is lawful in the importing” jurisdiction.[25] It does not, however, require that member states assess the adequacy of the destination country’s “legal frameworks” when “exporting spyware,” thereby nullifying the consideration of whether “the end-use by the end-user is lawful in the importing jurisdiction.”[26] The UN High Commissioner for Human Rights identifies illegitimate surveillance as “'[27] Digital surveillance tools like mercenary spyware are categorized as dual-use goods. NSO Group’s Pegasus and Intellexa Alliance’s Predator are forms of mercenary spyware; in reported cases, the software required only the target’s phone number to infect a device. As revealed through the 2023 PEGA Committee Draft Recommendations and the 2023 Predator Files, there has been a stream of abuse including blackmail, doxing, harassment, imprisonment, and death of “[28] Digital and fundamental human rights are placed at risk by the classification of spyware as a dual-use good.

 Spyware has developed significantly both as software and as a good. As software, spyware no longer requires interaction from the target to infect a device. “Zero-click” infection means that a phone can be infected with spyware with no interaction by the target and with little to no trace.[29] As a good, spyware is no longer sold as hardware to be obtained but rather as “hacking as a service” or “'active cyber intelligence.’”[30] The current EUDUR provides no oversight of the companies executing surveillance operations or of the data they aggregate in the process.[31] Although the EUDUR makes no mention of human rights, EU Council Regulation No. 428/2009 expanded dual-use controls to align with national security goals, economic security, and human rights concerns.[32] According to Sophie in ‘t Veld, the rapporteur for the 2023 European Parliament PEGA Committee, there is an abundance of abuse throughout EU countries using “Pegasus and equivalent software.”[33] Due to the self-regulatory nature of the EUDUR, subsidiary surveillance companies locate themselves in member states where regulations are known to be lax.[34] Similar to the lack of case law needed to uphold human rights under GDPR, spyware regulations lack a legal basis.[35] For example, where spyware infects a device and data collection follows, free roaming of mobile services within the Union means a person may hold a mobile contract in a member state other than the one in which they reside.[36] There is no legal basis in Union law for the collection of data in other member states through the use of spyware.[37] Data does not respect national boundaries, so mass surveillance risks not only the right to privacy but also more fundamental rights like “the freedom of expression, freedom of assembly, and freedom of association.”[38] This points to a double standard in transparency practices when compared with GDPR regulations.
Another gap within the legislation is the exchange of knowledge through brokers and non-state actors for member state acquisition of spyware technology, which remains unregulated under the EUDUR. Digital and human rights are at risk due to the absence of a legal structure that effectively protects those at risk of unlawful surveillance and potential abuse.

Conclusion

Assuming technology continues to change and to reshape its interaction with human experience, policies regulating technology must be able to pivot towards including digital and human rights. EU statements concerning human rights do not speak to the legitimate or illegitimate use of technologies at the supranational level, nor do they carry consequences through legal structures.[39] The European Declaration on Digital Rights and Principles for the Digital Decade consists of generalized statements of intent without legal weight.[40] The upholding of digital and human rights depends on their inclusion within import-export regulations. In the case of spyware, regulatory ambiguity allows the complexity of algorithms and software to act as an arm of authoritarian control through the exploitation of EUDUR loopholes.[41] Considering the gaps within the regulations discussed above, the lack of articulation in regulations and case law of how digital and human rights are to be protected facilitates abuse. Digital and human rights advancement in cyberspace faces institutional barriers when excluded from import and export regulations. Despite what the regulations do provide, obscurity remains in the face of new technologies. EUDUR applies to state actors, whilst GDPR regulates data from the consumer. GDPR effectively places sanctions and fines on corporations like Google, whereas NSO Group is not regulated, since EUDUR delegates to member states the sovereignty to self-regulate.[42] GDPR’s inelastic targets facilitate the execution of regulatory power; neither regulation, however, articulates how legal accountability is upheld when data and surveillance technologies are imported and exported. Additionally, there are no laws regulating brokers and criminal organizations with regard to unlawful surveillance technology.[43] Ambiguous regulations become vulnerable as the line between jurisdictions begins to blur.
Malware technologies act through software, but their repercussions are applied through physical means like arbitrary arrests.[44] The EU’s differing regulatory approaches display the ability of regulatory power to have instrumental effects in safeguarding digital and fundamental human rights. When policy excludes digital and human rights, it fails to pivot alongside the developing risks that accompany advancements in technology and their applications.

 



Bradford, Anu. “Globalizing European Digital Rights through Regulatory Power.” In Digital Empires: The Global Battle to Regulate Technology, by Anu Bradford, 324–. Oxford Academic, 2023. https://doi-org.ezproxy.lib.vt.edu/10.1093/oso/9780197649268.003.0010.

Chan, Anna W. “The Need for A Shared Responsibility Regime Between State and Non-State Actors to Prevent Human Rights Violations Caused by Cyber-Surveillance Spyware.” Brooklyn Journal of International Law, January 2, 2019, 795–830. https://heinonline.org/HOL/P?h=hein.journals/bjil44&i=809.

Custers, Bart. “New Digital Rights: Imagining Additional Fundamental Rights for the Digital Era.” Computer Law & Security Review 44 (2022): 105636. https://doi.org/10.1016/j.clsr.2021.105636.

Council of Europe. “Human Rights by Design: Future-Proofing Human Rights Protection in the Era of AI.” Commissioner for Human Rights, September 5, 2023. https://rm.coe.int/-human-rights-by-design-future-proofing-human-rights-protection-in-the/1680ab2279.

“European Declaration on Digital Rights and Principles for the Digital Decade,” April 5, 2024. https://digital-strategy.ec.europa.eu/en/library/european-declaration-digital-rights-and-principles.

Feldstein, Steven. “Distinguishing Between Legitimate and Unlawful Surveillance.” The Global Expansion of AI Surveillance, September 1, 2019. https://www.jstor.org/stable/resrep20995.6.

Feldstein, Steven, and Brian Kot. “Explaining the Resilience of the Global Spyware and Digital Forensics Industry.” Carnegie Endowment for International Peace, March 1, 2023.

Lu, He, Lu Yu, and Wu He. “The Impact of GDPR on Global Technology Development.” Journal of Global Information Technology Management 22, no. 1 (June 13, 2019). https://doi.org/10.1080/1097198X.2019.1569186.

Puukko, Outi. “Rethinking Digital Rights through Systemic Problems of Communication.” Revista Latina de Comunicación Social, no. 82 (June 1, 2024): 1–19. https://doi.org/10.4185/rlcs-2024-2044.

Veld, Sophie in ‘t. “EUROPEAN PARLIAMENT DRAFT RECOMMENDATION TO THE COUNCIL AND THE COMMISSION Following the Investigation of Alleged Contraventions and Maladministration in the Application of Union Law in Relation to the Use of Pegasus and Equivalent Surveillance Spyware,” May 22, 2023. https://www.europarl.europa.eu/doceo/document/B-9-2023-0260_EN.html.

Whang, Cindy. “Trade and Emerging Technologies.” Security and Human Rights 31, no. 1–4 (2021): 11–34. https://doi.org/10.1163/18750230-31010007.

 

 


[1] Sophie in ‘t Veld, “EUROPEAN PARLIAMENT DRAFT RECOMMENDATION TO THE COUNCIL AND THE COMMISSION Following the Investigation of Alleged Contraventions and Maladministration in the Application of Union Law in Relation to the Use of Pegasus and Equivalent Surveillance Spyware,” May 22, 2023, https://www.europarl.europa.eu/doceo/document/B-9-2023-0260_EN.html.

[2] Anu Bradford, “Globalizing European Digital Rights through Regulatory Power,” in Digital Empires: The Global Battle to Regulate Technology, by Anu Bradford (Oxford Academic, 2023), 324–, https://doi-org.ezproxy.lib.vt.edu/10.1093/oso/9780197649268.003.0010.

[3] Veld, “EUROPEAN PARLIAMENT DRAFT RECOMMENDATION TO THE COUNCIL AND THE COMMISSION Following the Investigation of Alleged Contraventions and Maladministration in the Application of Union Law in Relation to the Use of Pegasus and Equivalent Surveillance Spyware.”

[4] Outi Puukko, “Rethinking Digital Rights through Systemic Problems of Communication,” Revista Latina de Comunicación Social, no. 82 (June 1, 2024): 1–19, https://doi.org/10.4185/rlcs-2024-2044.

[5] Rosamond Hutt, “What Are Your Digital Rights?,” World Economic Forum, November 13, 2015, https://www.weforum.org/agenda/2015/11/what-are-your-digital-rights-explainer/.

[6] Adam L. Silow, “Bubbles over Barriers: Amending the Foreign Sovereign Immunities Act for Cyber Accountability,” Journal of National Security Law & Policy 12, no. 3 (June 2, 2022): 659–84, http://login.ezproxy.lib.vt.edu/login?url=https://www.proquest.com/scholarly-journals/bubbles-over-barriers-amending-foreign-sovereign/docview/2692267056/se-2.

[7] Bart Custers, “New Digital Rights: Imagining Additional Fundamental Rights for the Digital Era,” Computer Law & Security Review 44 (2022): 105636, https://doi.org/10.1016/j.clsr.2021.105636.

[8] Cindy Whang, “Trade and Emerging Technologies,” Security and Human Rights 31, no. 1–4 (2021): 11–34, https://doi.org/10.1163/18750230-31010007.

[9] Ibid.

[10] He Lu, Lu Yu, and Wu He, “The Impact of GDPR on Global Technology Development,” Journal of Global Information Technology Management 22, no. 1 (June 13, 2019), https://doi.org/10.1080/1097198X.2019.1569186.

[11] Ibid.

[12] Bradford, “Globalizing European Digital Rights through Regulatory Power.”

[13] Ibid.

[14] Ibid.

[15] Ibid.

[16] Lu, Yu, and He, “The Impact of GDPR on Global Technology Development.”

[17] Custers, “New Digital Rights: Imagining Additional Fundamental Rights for the Digital Era.”

[18] Lu, Yu, and He, “The Impact of GDPR on Global Technology Development.”

[19] Ibid.

[20] Custers, “New Digital Rights: Imagining Additional Fundamental Rights for the Digital Era.”

[21] Ibid.

[22] Anna W. Chan, “The Need for A Shared Responsibility Regime Between State and Non-State Actors to Prevent Human Rights Violations Caused by Cyber-Surveillance Spyware,” Brooklyn Journal of International Law, January 2, 2019, 795–830, https://heinonline.org/HOL/P?h=hein.journals/bjil44&i=809.

[23] Council of Europe, “Human Rights by Design: Future-Proofing Human Rights Protection in the Era of AI,” Commissioner for Human Rights, September 5, 2023, https://rm.coe.int/-human-rights-by-design-future-proofing-human-rights-protection-in-the/1680ab2279.

[24] Whang, “Trade and Emerging Technologies.”

[25] Veld, “EUROPEAN PARLIAMENT DRAFT RECOMMENDATION TO THE COUNCIL AND THE COMMISSION Following the Investigation of Alleged Contraventions and Maladministration in the Application of Union Law in Relation to the Use of Pegasus and Equivalent Surveillance Spyware.”

[26] Steven Feldstein and Brian Kot, “Explaining the Resilience of the Global Spyware and Digital Forensics Industry,” Carnegie Endowment for International Peace, March 1, 2023.

[27] Steven Feldstein, “Distinguishing Between Legitimate and Unlawful Surveillance,” The Global Expansion of AI Surveillance, September 1, 2019, https://www.jstor.org/stable/resrep20995.6.

[28] Veld, “EUROPEAN PARLIAMENT DRAFT RECOMMENDATION TO THE COUNCIL AND THE COMMISSION Following the Investigation of Alleged Contraventions and Maladministration in the Application of Union Law in Relation to the Use of Pegasus and Equivalent Surveillance Spyware.”

[29] Ibid.

[30] Ibid.

[31] Whang, “Trade and Emerging Technologies.”

[32] Ibid.

[33] Veld, “EUROPEAN PARLIAMENT DRAFT RECOMMENDATION TO THE COUNCIL AND THE COMMISSION Following the Investigation of Alleged Contraventions and Maladministration in the Application of Union Law in Relation to the Use of Pegasus and Equivalent Surveillance Spyware.”

[34] Feldstein and Kot, “Explaining the Resilience of the Global Spyware and Digital Forensics Industry.”

[35] Veld, “EUROPEAN PARLIAMENT DRAFT RECOMMENDATION TO THE COUNCIL AND THE COMMISSION Following the Investigation of Alleged Contraventions and Maladministration in the Application of Union Law in Relation to the Use of Pegasus and Equivalent Surveillance Spyware.”

[36] Ibid.

[37] Ibid.

[38] Chan, “The Need for A Shared Responsibility Regime Between State and Non-State Actors to Prevent Human Rights Violations Caused by Cyber-Surveillance Spyware.”

[39] Feldstein, “Distinguishing Between Legitimate and Unlawful Surveillance.”

[40] “European Declaration on Digital Rights and Principles for the Digital Decade,” April 5, 2024, https://digital-strategy.ec.europa.eu/en/library/european-declaration-digital-rights-and-principles.

 

[42] Bradford, “Globalizing European Digital Rights through Regulatory Power.”

[43] Veld, “EUROPEAN PARLIAMENT DRAFT RECOMMENDATION TO THE COUNCIL AND THE COMMISSION Following the Investigation of Alleged Contraventions and Maladministration in the Application of Union Law in Relation to the Use of Pegasus and Equivalent Surveillance Spyware.”

[44] Chan, “The Need for A Shared Responsibility Regime Between State and Non-State Actors to Prevent Human Rights Violations Caused by Cyber-Surveillance Spyware.”