On 4 September 2019, the U.S. Department of State (“DoS”) published draft ‘Guidance for the Export of Hardware, Software and Technology with Surveillance Capabilities and/or Parts/Know-How’ (the “Guidance”). The DoS invited public comment on the draft Guidance until 4 October 2019, after which they will publish finalised guidance.

Goal: Preventing Human Rights Abuse

While noting the vast potential economic, defence and societal contributions of technological development, the text acknowledges that, in the hands of government, or government-aligned authorities, relevant technology can lead to potential and actual adverse human rights impacts, for example, advanced surveillance technologies can be used to adversely impact the rights to privacy, freedom of expression, religion and belief, and association and peaceful assembly.

The Guidance is intended to assist relevant companies with the implementation of the UN Guiding Principles on Business and Human Rights (“UNGPs”) in order to mitigate potential human rights risks associated with the export of technology.

Scope: Exporters of Items with Surveillance Capabilities

The Guidance broadly applies to U.S. exporters (“Exporters”) of hardware, software and other technologies which have surveillance capabilities (“Items”). The Guidance will not be, and is not intended to be, comprehensive or mandatory. Rather, it provides “considerations to weigh prior to exporting”, best practices for Exporters, and actions they might take to mitigate the risk that their Items will be linked to adverse human rights impacts.

It is unclear to what extent, if any, that this Guidance will be incorporated into the regulatory or licensing process.

Target: Items with Surveillance Capabilities

The Guidance includes a non-exclusive list of examples of Items, covering both obvious “surveillance” technology (e.g. spyware, location tracking products, facial recognition technology, cameras and drones) as well as technology with more peripheral surveillance capabilities (e.g. social media analytics software, rapid DNA testing, crypto-analysis products, penetration-testing tools, information technology products with deep packet inspection functions, and automatic license-plate readers). Technology might be caught by the Guidance regardless of the Exporter’s intended use for their products.

Key Takeaways from the draft Guidance

The Guidance is organised under eight broad considerations for Exporters before, during and after an export transaction and can be summarised as follows:

Consider the Item

  1. In general, tailor the [Item] to minimise the likelihood that it will be misused to commit human rights violations or abuses.
  2. Review the capabilities of the [Item] to determine the potential for misuse by government end users and private end-users that have a close relationship with a foreign government.

Before a transaction, Exporters should consider what the Item is capable of, and how it could be used or misused by authorities. Exporters might consider integrating safety and ‘privacy by design’ features that enable them to track the Item’s deployment and alert them to misuse, strip certain capabilities from the Item, auto-delete data and even provide a kill-switch.

Conduct Third Party Due Diligence

  1. Review the human rights record of the government agency end-user of the country intended to receive the [Item].
  2. Review whether the government end-user’s laws, regulations, and practices that implicate [Item] are consistent with the International Covenant on Civil and Political Rights.
  3. Review stakeholder entities involved in the transaction, including end-user and intermediaries such as distributors and resellers.

Exporters should review credible reports of the human rights records of end-users, and reach out to stakeholders such as NGOs for first-hand knowledge of the country and the deployment of technology. The Guidance lists a number of potential “Red Flags” for Exporters. Besides obvious reports of human rights violations, the Guidance suggests that evidence of political turmoil, a non-independent judiciary, or laws and government practices which “unduly restrict civic space” should raise alarm. The Guidance also suggest that Exporters should investigate whether their buyers might subsequently export the Item to other countries where there is a potential for human rights abuse.

Mitigate risk of misuse

  1. Strive to mitigate human rights risks through contractual and procedural safeguards, and strong grievance mechanisms.
  2. After export, strive to mitigate human rights risks through contractual and procedural safeguards, and strong grievance mechanisms.

The Guidance also addresses business responsibility with respect to “downstream” human rights risks potentially linked to their Items and suggests that the Exporter’s responsibility does not end once an Item has been shipped. Exporters should consider contractual and procedural human rights safeguards (e.g. sales contracts could enshrine an Exporter’s right to impose limitations on the use of Items, and to unilaterally terminate the contract, deny software updates, and even remotely disable Items if the technology is misused). Exporters should commit to ongoing monitoring and evaluation of the use of their Items. Grievance mechanisms should be secure, accessible and responsive communication channels for reporting of possible misuse of Items.

Report in Public

  1. Publicly report on the transaction.

Finally, Exporters are expected to assume public accountability for compliance with the Guidance and should publish an annual report on the human rights due diligence they have undertaken, and how any credible complaints about misuse of their Items were resolved.

This guidance is part of a myriad of national and international regulation and guidance surrounding business obligations to conduct human rights due diligence on their global supply chains and operations. See here for our recent update on further regulatory developments in the field of business and human rights.