Skip to Content

Dual Use Tech Regulation


Dual Use Tech Regulation

An important perspective for us at Data Rights is to be tech-agnostic when long-term solutions are needed. Technologies change, democratic values stay. We see the temptation to reinvent the wheel every time there is a new technology hatching. Often, this temptation needs to be fought. Otherwise civil society and researchers will always be reactive, trying to catch up with the private sector. It is exhausting and frankly, where is our added value in that dynamic?


We particularly feel this regarding dual use technologies. According to the European Commission, dual use items are “goods, software and technology that can be used for both civilian and military applications”. Because these technologies and software have military advantages, States have incentives to push investments and limit regulation for their industry to be ahead of the curve. 


Examples of the dual use technologies or software:

  • Biometric recognition
  • Artificial intelligence (AI)
  • Spyware
  • Satellite visualisation


Why is this important?

Another way to see dual use technology is to picture it as a powerful technology that is wonderful in times of democratic stability, but is extremely potent if a government decides to use it against its population. Extremely potent in the sense that it can harm a high number of people, quickly (unlike for instance, a knife). Put simply, these are technologies that are amazing, but can quickly become surveillance technology in hands of powerful players. These technologies are often deployed with public money to make the population safer, to avoid fraud, or just to make things simpler. A few examples:


Methods

Primary means of action for this programme are advocacy and strategic litigation where we can be useful, for instance with third party intervention and/or involvement with litigation strategy. 


Status of work

Data Rights' first employee started work a few months ago! Building blocks of this programme are being fleshed out as we write. 

Projects

We helped set up a spyware litigation and advocacy coalition; the PEGA coalition. The coalition was officially launched on June 18th 2025, from EDRi's offices. As part of this coalition we already intervened in a Polish case that reached the European Court of Human Rights, the Brezja case. This case's stakes are high as it involves a Pegasus target whose phone communications were extracted, including 10 years of text messages that were later reorganised to rebuild a new narrative. This is a powerful illustration that spyware is a powerful tool to support the tampering with evidence by authorities. Here is our joint intervention

Still, a past project may be relevant to mention. In 2019 Data Rights' Director, Lori Roussey, was granted the right to intervene in Privacy International's proceedings against the use of hacking by the UK's intelligence, security and cyber agency (the GCHQ). More details in the resources section below, and here.

 Resources




  • Spyware
    • Data Rights
      • CPDP 2025, panel of spyware and cybersecurity with GFF, Data Rights, cybersecurity expert Sven Herping, former MEP Sophie in 't Veld and Mme Buchta, Closing the Digital Backdoor: Strengthening Vulnerability Management to Combat Spyware, May 21st, 2025
      • Data Rights Founder intervention, Privacy International and other vs GCHQ, 2019
      • PEGA Coalition (Data Rights, HCLU, Iridia, Panoptikon, Homo Digitalis, GFF and Share). 2025. Intervention in the Brejza case before the European Court of Human Rights.
        • This case is the Polish Pegasus case currently before the European Court of Human Right (ECtHR). This case’s stakes are high as the previous spyware case before the ECtHR was dismissed by the court. The Brezja case is a case bringing multiple Pegasus targets who were infected on instructions of Polish authorities. Mr Brezja was infected due to his belonging to the political opposition to the far right. Pegasus was used to collect huge amounts of data sets from his phone, including 10 years of texts. Once extracted, this data was rearranged and/or merged by authorities to create a new narrative, and then sent to the press. The goal was to destroy his reputation. Mme Brezja, his attorney, was also infected. This case is a robust illustration of how much powerful spyware in the hand of authorities can lead to egregious abuses of power focussed on tampering with facts to manipulate the public and elections. Last but not least, it is noteworthy that Pegasus was sent on Mr Brezja based on the excuse of the fight against corruption, not the protection of national security. Since then Polish authorities have found that how Pegasus was used violated Polish laws. Although this is a positive development, we see that the Polish government is pushing against the review of the ECtHR of the Polish cases. Pushing back on human rights accountability is not the way forward.
    • Exégètes Amateurs, French litigation coalition created by H. Roy and where several members of Data Rights met before creating Data Rights
      • Exegetes Amateurs, Brief challenging the Intelligence Laws of France, 2027
        • In the context of the Exégètes litigation coalition (French Data Network, Quadrature du net, and FFDN - the federation of non-profit ISPs of France), Data Rights founder Lori Roussey, with the support of Data Rights advisor Hugo Roy, developed in 2017 the coalition’s sections on hacking rules of France’s intelligence services. This work formed part of the case against the entirety of France intelligence rules. This brief of 2017 came one year afer the Exegetes referred the reform of intelligence powers to the French Constitutional Council and won the closure of a surveillance loophole on all wireless communications. Soon after this 2017 brief was sent to the Conseil d’État the case was referred to the EU’s top court, the CJEU. Before the CJEU Privacy International intervened in our case, and this led to the 2020 ruling Quadrature du net et alia. Read Data Rights’ take on the CJEU ruling.
        • Read the 2017 brief [FR] to France’s top administrative court, the Conseil d’État, about hacking powers of intelligence services in France. The document is long, you might want to search for keywords: Budapest; Cybercrime; Stuxnet; Wannacry.
    • External