The newsletter presents the latest developments in export control relevant to research organisations. It covers the EU Commission guidance on export control compliance for research organisations, Danish FDI rules on R&D joint ventures and recent legislation penalising violations of export controls on cyber-surveillance products.
On 10 December 2021, amendments to the Danish Act on Export Control (No 2305) entered into force. They implement changes set forth in the new EU Dual-Use Regulation No 2021/821.[1] For an overview of the new Dual-Use Regulation, please see our newsletter on the topic.
The amendments to the Danish Act on Export Control introduce, most notably, a new provision penalizing breaches of rules on export of cyber-surveillance products that may be used for human rights violations, and new rules on the provision of technical assistance.
The penalty on cyber-surveillance product-related breaches should be seen in connection with the increased scrutiny of such products in the new EU Dual-Use Regulation. The Regulation introduced a new catch-all clause specifically for exports of cyber-surveillance items, which means that also non-listed cyber-surveillance items (i.e. items not found in Annex 1 to the Regulation) may need an export authorisation. Under Danish law, breaches of export control rules on cyber-surveillance items may now be sanctioned by fine or imprisonment of up to two years.
Previous Danish rules banning the provision of certain types of technical assistance have been lifted and replaced with the new, more lenient rules on technical assistance found in the EU Dual-Use Regulation. This means that technical assistance related to listed dual-use items is now prima facie lawful. However, an authorisation is needed if the provider is notified by national authorities or otherwise becomes aware that the item in question is intended for restricted uses, such as:
On 23 September 2021, the European Commission published guidance[2] on how to implement an effective dual-use internal compliance programme (ICP). The guidance is aimed at research organisations – public and private – within the EU and its Member States. It supplements the Commission’s previous dual-use ICP guidance targeted to the general industry.[3] While neither of these sets of guidelines are legally binding, they are useful instruments to ensure compliance with EU rules dual-use export.
The recent guidance aimed at research organisations presents a framework that will enable them to identify, manage and mitigate risks associated with export control. It does so by pointing out research areas and scenarios that could trigger dual-use export controls, typical red flags and by providing examples of how to structure an ICP in a research organisation.
Appendix 2 to the guidance highlights some recurring research scenarios that may trigger export controls. These include:
To facilitate compliance, the guidance suggests that research organisations implement an ICP based around 7 core elements:
For both symbolic and practical reasons, top-level management commitment and support to the ICP is important. This can be done by publishing a written statement by the management, in order to raise awareness among the staff in the organisation. For decentralised organisations, it should be considered to express commitments at a department level – especially in organisations where export control is only relevant to a small number of departments.
A well-defined set of procedures and responsibilities is key. It must be tailored to the organisation and responsibilities divided between administrative and scientific staff in an appropriate manner.
The guidance suggests to establish an overarching compliance policy for the entire organisational structure, and define specific procedures for certain departments in the organisation.
In order for an ICP to work effectively, the staff and management of the organisation should be familiar and experienced with the handling of the programme. Introductory courses, updates on new export control laws and training in dual-use export controls for both scientific and administrative staff is recommended.
The process and procedures related to the ICP must ensure that “exports” covered by the rules are caught before they are completed. The guidance cites implementation of certain mechanisms such as item classification; risk assessments; stated end-use and involved parties screening; and catch-all controls for non-listed dual-use items as useful tools to ensure compliance.
The role of this key element it to verify day-to-day compliance work within the organisation. The guidance recommends that independent audits of the organisation are carried out to check whether the ICP is correctly implemented, and to establish external and internal reporting channels.
A sound document retention policy and a searchable recordkeeping system is crucial when establishing an ICP. In addition to assisting compliance efforts, effective recordkeeping and documentation will demonstrate the course of action followed when a suspicion or case of non-compliance arises.
Lastly, the guidance recommends that an adequate security system is in place. Preferably, the system is both physical and digital. The physical security allows for protection against unauthorized access by individuals, and the digital security will hinder trespassing in the form of hacking and other informational breaches.
The guidance already takes into account the previously mentioned changes set forth in the new EU Dual-Use Regulation No 2021/821, and will be updated in accordance to relevant revisions of EU export control rules. If your organisation’s ICP needs a brush up, Gorrissen Federspiel is happy to assist.
Since 1 July 2021, a new Danish foreign direct investment (FDI) regime[4] has applied to transactions closed after 1 September 2021 within sectors and activities, which are considered sensitive in relation to national security and public order. Controlled activities include dual-use items and a wide range of critical technologies, such as biotechnology within synthetic biology. For such activities, a mandatory screening mechanism has been introduced. Under this, the Danish Business Authority is authorised to block investments or require certain commitments by the investor.
In addition to direct investments, the rules also apply to so-called “special financial agreements”, which include joint ventures regarding R&D activities within controlled sectors. Participants to such agreements must now file an FDI application to the Danish Business Authority, where the joint venture agreement implies that the foreign entity gains control of or considerable influence on enterprise affairs in the Danish entity party to the agreement.
We suggest that companies contemplating R&D joint ventures with non-Danish companies consider if an FDI filing is required in connection with the arrangement. Gorrissen Federspiel has significant experience with assisting in these assessments.
1] Council Regulation (EU) 2021/821 of 20 May 2021 setting up a Union regime for the control of exports, brokering, technical assistance, transit and transfer of dual-use items.
[2] Commission Recommendation (EU) 2021/1700 of 15 September 2021 on internal compliance programmes for controls of research involving dual-use items under Council Regulation (EU) 2021/821. The Recommendation can be accessed through link.
[3] Commission Recommendation (EU) 2019/1318 of 30 July 2019 on internal compliance programmes for dual-use trade controls under Council Regulation (EC) No 428/2009. The Recommendation can be accessed through link.
[4] For further information on the Danish FDI rules, please see our latest newsletter on the topic.