The long-awaited definitions rules have finally arrived as part of Export Control Reform. But wait, they’re not all there—the definitions, that is. While Commerce addressed essentially all of the items included in its last proposed rule on this topic (which dates back to June 3, 2015), State included only some of the terms and definitions in this rule that were included in its June 3, 2015 proposed rule. Among the items reserved for yet another rulemaking are the much-awaited definitions for several key terms, including “defense service,” “technical data,” and “public domain,” as well as the provisions related to controls on encrypted technical data and the internet publication of technical data. So, stay tuned for more from State.
With respect to coverage, the agencies confirmed in the June 3, 2016 rules continued differences of approach in certain areas. State has continued to extend its coverage for deemed exports to software object code, while Commerce regulates deemed exports of technology and software source code only. In addition, State codified its approach to deemed exports reaching not just the foreign person’s current status, but also covering “all countries in which the foreign person has held citizenship or holds permanent residency.” The good news here is that there is no need to change your compliance program to catch up to these definition changes; the bad news is that there is no need to change your compliance program because the rule codifies the different approach already in practice between the two agencies.
There is an opportunity for updated compliance approaches resulting from the updated definitions of “export” and the new definitions of “release” adopted by each agency. Commerce took the opportunity of this rule to state clearly in the preamble to its rule that theoretical or potential access to technology or software is not enough to constitute a release. State appears to have gotten to the same place—a notable change from its apparent position in prior years. Specifically, the preamble to the ITAR rule indicates, “while the act of providing physical access does not constitute an ‘export,’ any release of technical data to a foreign person is an ‘export,’ ‘reexport,’ or ‘retransfer’ and will require authorization from the Department.” This appears to distinguish between giving a person the ability to access something and a regulated activity occurring. The preamble in this rule continues to say, “If a foreign person views or accesses technical data as a result of being provided physical access, then an ‘export’ requiring authorization will have occurred.” Hence, it appears that State may be backing away from its historical position that treated theoretical access to technical data as an export of such technical data.
Both State and Commerce used the rules to make statements regarding enforcement. Commerce reiterated that one of the benefits of issuing the clarifications contained in these rules (including the differences between the ITAR and EAR) is to make it easier for prosecutors to prosecute violations. In response to comments about who would be held responsible for violations in certain circumstances, both State and Commerce indicated a willingness to review and assess who really did what in the transaction, with Commerce stating that “BIS will assess responsibility based on whether the parties involved violated any of the provisions of section 764.2” and State indicating that it will “assess responsibility pursuant to its civil enforcement authority based on the relative culpability of all of the parties to the transaction.”
In addition, both rules sought to provide additional clarity regarding authorizations for deemed reexports. For the ITAR, the provisions of former §124.16 of the ITAR are now included in the exemption found at §126.18, but there are no substantive changes to the scope. These same provisions have also been made available in §734.20 of the EAR as part of the changes in the Commerce rule.
With publication of these rules, increased harmonization as part of Export Control Reform continues to move forward. But these rules also highlight the ongoing need for attention to the differences that remain between the ITAR and EAR. As these rules are implemented, do take advantage of the opportunities offered by each agency to submit comments. State has issued its rule as an Interim Final Rule, with a 30-day formal comment period that runs until July 5, 2016. Commerce has issued its rule as a Final Rule, though it has indicated a willingness to accept comments on an ongoing basis. Both rules will become final on September 1, 2016, following a 90-day implementation period.