The U.S. has recently made public that a number of countries have joined a pledge to implement export controls on spyware technology. This is part of a broader initiative to establish trade barriers for cyber-related items that could potentially be used in human rights abuses.
On March 18, Finland, Germany, Ireland, Japan, Poland, and South Korea became part of the commitment, joining the U.S., Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, and the U.K. The initial group of 11 countries first made the statement during the second annual Summit for Democracy under the Biden administration last year, emphasizing the need for stringent domestic and international controls on the spread and use of such technology.
During the third Summit for Democracy held in Seoul in March, as part of the updated commitment, the 17 countries pledged to work towards preventing the export of software, technology, and equipment to end-users who are likely to use them for harmful cyber activities, including unauthorized access to information systems. This will be done in line with their respective legal, regulatory, and policy approaches and suitable existing export control regimes.
While the specific legal implications for new-joiner countries off the back of these commitments are to be determined, high-level insights from our experts from Poland, Germany, South Korea and Japan on these developments are provided below:
Poland: Poland’s signing of an anti-spyware commitment has a wider dimension. The previous Polish government had purchased spyware available on the commercial market. This software was allegedly used for illegal purposes, such as eavesdropping on the opposition. Poland was subject to an investigation conducted by EU authorities into alleged contraventions and maladministration in the application of Union law with respect to the use of spyware. A debate about using spyware is currently underway in Poland, and it may result in new regulations restricting the use and sale of spyware in the future.
Germany: After initial hesitation, Germany decided to sign the nearly one-year-old agreement. This decision is in line with the German government’s coalition agreement, which aims to close IT security gaps, raise the intervention thresholds for the use of both state and commercial surveillance software and to adjust existing powers for investigators by ensuring compliance with the German Constitutional Court’s requirements for secret online searches at all times. The requirements entail inter alia strict adherence to the principle of proportionality and the preservation of an inviolable core area of private life that may not be intruded upon through secret surveillance.
South Korea: The details of how these commitments to control the export of spyware technology will be implemented appear to be under review by the government. Korea already has a robust legal framework to combat spyware within its borders, generally prohibiting distributions of spywares and requiring data controllers to protect against spywares. In contrast, Korea’s export control regime has focused primarily on end-users who plan to import strategic goods or suspected of proliferating weapons of mass destruction. There is currently no explicit legal basis for restricting the export of spyware technology on human rights grounds. However, it is expected that upcoming amendments to the Foreign Trade Act scheduled in August 2024 will provide a clear foundation for expanding the government’s authority to control technology exports following multilateral commitments that Korea has already made. This could provide the necessary framework for implementing necessary commitments including controls of spyware exports. More details on Korea’s approach are expected to be announced in the coming months.
Japan: The Japanese government has been analyzing and discussing participation in this international framework of control commitments for spyware tech and recognizing its significance from various perspective including human rights protection. However, at this moment, the Japanese government has not yet announced officially the details or background of its signing on a commitment to place export controls around spyware technology. It is likely that the details of how this agreement will be reflected in the domestic regulations are still under consideration or review. For example, the scope of the technologies to be controlled, whether there are any difference depending on the destination countries, to what extent the strength of control should be, may need further consideration from commercial perspective as well as human rights protection perspective. We will see further details to be updated by the Japanese government.
