II. New Dual Use Regulation issued in the European Union
A. Overview
With Regulation (EU) 2021/821 of the European Parliament and of the Council of May 30, 2021 (the “Regulation”) the European Union has revised and set up an EU common regime for the control of exports, brokering, technical assistance, transit, and transfer of dual-use items. The Regulation both substitutes for and updates the existing prior EU legislation.
According to the Regulation, “dual-use items” means items, including software and technology which can be used for both civil and military purposes, and includes items which can be used for the design, development, production or use of nuclear, chemical, or biological weapons or their means of delivery, including all items which can be used for both non-explosive uses and assisting in any way in the manufacture of nuclear weapons or other nuclear explosive devices.
Similar to the previous legislation, the Regulation is centered around the principle that the export outside the EU of a dual use item requires prior authorization. In light of this principle, the Regulation aims to harmonize and control a common dual used items regime through:
1. Common export control rules, including a common set of assessment criteria and common types of authorizations (individual, global, and general authorizations);
2. A common EU list of dual-use items;
3. Authorization for the export of cyber-surveillance items;
4. Controls on brokerage and technical assistance services relating to dual-use items and their transit through the EU;
5. Imposition of specific control measures and compliance to exporters, such as record-keeping and registers; and
6. Set up of a network of authorities supporting the exchange of information and the consistent implementation and enforcement of controls throughout the EU.
Dual-use items may be traded freely within the EU, except for some particularly sensitive items, whose transfer within the EU remains subject to prior authorization.
B. Dual-Use Export Authorizations
There are four types of export authorizations in place in the EU export control regime:
1. EU General Export Authorizations (EUGEAs)
According to the Regulation, EUGEAs allow exports of dual-use items to certain destinations under certain conditions. The Regulation lists the following EUGEAs:
1. Exports to Australia, Canada, Iceland, Japan, New Zealand, Norway, Switzerland, Liechtenstein, United Kingdom, and the United States of America;
2. Export of certain dual-use items to certain destinations;
3. Export after repair/replacement;
4. Temporary export for exhibition or fair;
5. Telecommunications;
6. Chemicals;
7. Intra-group technology transfers; and
8. Encryption.
2. National General Export Authorizations (NGEAs)
NGEAs may be issued by EU Member States if they are consistent with existing EUGEAs and do not refer to items listed in Annex IIg of the Regulation.
3. Global Licenses
Global licenses can be granted by competent authorities to one exporter and may cover multiple items to multiple countries of destination or end users.
4. Individual Licenses
Individual licenses can be granted by competent authorities to one exporter and cover exports of one or more dual-use items to one end-user or consignee in a third country.
This new Regulation has upgraded and strengthened the EU’s export control toolbox to respond effectively to evolving security risks and emerging technologies and, hopefully, will allow the EU to effectively protect its interests and values.
III. The Hague Court of Appeal Refuses to Suspend Establishment of Dutch Ultimate Beneficial Owner (UBO) Register
As described last year, the Dutch government has started establishing the UBO-register, required under Article 30 of the 4th EU Anti-Money Laundering Directive (the “Directive”). The Act implementing the Directive into Dutch law specifies that the UBO’s full name, month and year of birth, country of domicile and nationality as well as the nature and extent of the UBO’s economic interest in the legal entity concerned can be accessed by any member of the public.
This public availability is seen as a grave threat to the privacy of the individuals concerned, exposing them to all kinds of unwanted attention and far worse, such as extortion and kidnapping. For that reason, a Dutch Stitching, a foundation and non-profit corporate entity under Dutch law, called Stichting Privacy First, took the Dutch government to court in Kort Geding (Provisional Proceedings). Stitching Privacy First demanded that the State be ordered to stop the registration of UBOs or suspend it pending the answer by the Court of Justice of the European Union (CJEU) of prejudicial questions, which was to be asked by the Voorzieningenrechter (Provisional Measures Judge) on the legality of these matters.
In a March 18, 2021, decision of the Hague Voorzieningenrechter, the claims were denied. The Judge found that the Dutch State could not be ordered to breach its duties under the Directive. And although the Judge did see cause, specifically in view of the critical EDPS advice, to ask prejudicial questions, he refrained from doing so, because the Tribunal d’arrondissement of Luxembourg had already asked “largely corresponding” prejudicial questions on November 13, 2020.
Privacy First appealed to the Hague Court of Appeal. This Court gave its decision on November 16, 2021. The claims were denied yet again.
Although the Court of Appeal agreed with Privacy First that a national court can suspend a national measure based on a European law if there is serious doubt as to the validity of that law, it refrained from doing so and cited the Zuckerfabrik and Atlanta decisions. According to the Court of Appeal, there was a simpler way to stave off the “irreparable damage” required under the decisions cited for suspension of the Dutch implementation of the Directive. Article 30, Section 9 of the Directive provides for an exemption to public access of the UBO’s data if such access “would expose the beneficial owner to disproportionate risk, risk of fraud, kidnapping, blackmail, extortion, harassment, violence, or intimidation.” Article 51b, Section 3 Handelsregisterbesluit (Trade Register Decree) stipulates that the Trade Register “immediately” blocks access to the public when a request for such an exemption is made, until the request has been judged and decided upon in the highest instance. This will presumably be long enough for the CJEU to give its decision, especially because this Hague Court of Appeal decision will probably give rise to a high number of such requests.
All eyes, or at least the Dutch and Luxembourg one, are now on the CJEU, whose decision on the legality of public access of the UBO register is awaited some time in 2022.
IV. ALI-ELI Principles for a Data Economy: Data Transactions and Data Rights
The American Law Institute (ALI) has drafted model laws since 1923, most notably the Model Penal Code (MPC) which is the standard for criminal laws throughout the United States. Its sister organization, the European Law Institute (ELI), performs a similar service for the European Union in the harmonization of laws. In 2016, these two organizations came together to begin a joint project addressing the emerging legal field of trade in a data economy. In addition to members of ALI and ELI, the project team included representation from the European Parliament, United Nations Commission on International Trade Law (UNCITRAL), and various other organizations and academic institutions.
The result was a 293-page document with forty Principles setting out a detailed framework for future legal development in the field. Similar to the MPC, the Principles for a Data Economy (Principles) include language drafted to be used in future legislation and comments on the language to provide clarity of intent. Additionally, the Principles include written illustrations in the comments to offer real world context. The Principles address four main aspects of a data economy: data contracts, data rights, third party aspects of data activities, and multi-state issues.
A. Data Contracts
In addressing contracts relating to the trade of data, the Principles address the complexities of cross border agreements as well as the difficulties of trading a changing commodity. Freedom of contract is a core principle in both the United States and European common law, with limitations imposed by the Uniform Commercial Code (UCC) and Principles of European Contract Law (PECL). The Principles provide both general guidance and sample language for data contracts. The Principles address two categories of data contracts: Contracts for the Supply or Sharing of Data and Contracts for Services with Regard to Data. In regard to Supply or Sharing of Data, five Principles are provided addressing contracts for the transfer of data, contracts for the simple access to data, contracts for the exploitation of a data source, contracts for authorization to access, and contracts for data pooling. For Contracts for Services with regard to Data, four Principles address this: contracts for the processing of data, data trust contracts, data escrow contracts, and data marketplace contracts.
B. Data Rights
The data rights addressed in the Principles are the legally protected interests as they relate to the data, but do not include the broader issue of intellectual property rights. The Principles propose the recognition of a “new data specific class of rights” known as “data rights.” This is more complex than rights assigned through contract as there may be no contract between the parties or the contract may be silent as to the rights of the data. This is primarily focused on the data collected by equipment through usage and addresses what rights, if any, the final owner or user of the equipment has to the data, referred to as Co-Generated Data. Six Principles outline the Rights with Regard to Co-Generated Data: Co-Generated Data, General Factors Determining Rights in Co-Generated Data, Access or Porting with Regard to Co-Generated Data, Desistance from Data Activities with Regard to Co-Generated Data, Correction of Co-Generated Data, and Economic Share in Profits Derived from Co-Generated Data.
An alternative approach to data rights is that of the public interest. For example, if a mechanic needs access to data for a repair, the data on the equipment would arguably be available under the above-mentioned rights; however, the mechanic would not have access to other data for training or comparative purposes. Principles twenty-four through twenty-seven outline the limited scope in which data should be shared in the public interest, as well as protecting the privacy rights and trade secrets of the data.
C. Third Party Aspects of Data Activities
While the first Part focused on data rights between parties in a contract and the second Part focused on a party with data rights’ relationship with a party controlling the data, the third Part focuses on the third parties in relation to data. Data is often passed from one controller to another. These third parties who hold, transmit, or have access to the data need protection in addition to owing a duty to the involved parties. This Part has ten Principles and divides the third party rights into three sections: Protection of Others against Data Activities, Effects of Onward Supply on the Protection of Others, and Effects of Other Data Activities on the Protection of Third Parties.
D. Multi-State Issues
The cross-border nature of data transfer and storage leads to a natural complexity on choice-of-law and forum. Principle 38 points to existing choice-of-law rules of the forum State if there is a clear rule. If there is not a clear rule, Principle 39 establishes that the State with the most significant relationship to the legal issue in question shall be the applicable law, laying out a series of factors in determining the significant relationship. Principle forty establishes that the storage location of the data is only a factor if the storage is part of the legal dispute.