A series of new rules have recently been proposed by the export agencies as part of the ongoing export reform process with the objective of furthering the harmonization of the Export Administration Regulations (EAR), and the International Traffic in Arms Regulations (ITAR). As a former DTAG member, I participated in the working group tasked with analyzing the impacts of export reform initiatives, and it pleases me to see that the agencies have now issued new proposed rules echoing some of the concerns we had expressed. If you are having a difficult time keeping track of the numerous recent Federal Registers and proposed rules, this article will provide you with a broad overview and major deadlines for public comments.
Category XIV (Toxicological Agents) or Category XVIII (Directed Energy Weapons)
On June 17, the State Department and Commerce published parallel Federal Registers proposing to shift certain items from the United States Munitions List to the Commerce Control List. The affected Category XIV articles consist primarily of dissemination, detection and protection "equipment" and related articles, and would be controlled under new Export Control Classification Numbers (ECCNs) 1A607, 1B607, 1C607, 1D607, and 1E607.
The relevant Category XVIII articles include tooling, production "equipment," test and evaluation equipment, test models and related articles, and would be controlled under new ECCNs 6B619, 6D619, and 6E619.
The public comment period closes on August 17, 2015.
Revisions to Definitions in the EAR
On June 3, 2015, the State Department and Commerce published parallel proposed rules with changes to key definitions in the ITAR and EAR, respectively. Major key proposed changes include clarifying and harmonizing certain definitions such as: defense article, technical data, public domain, fundamental research, export, re-export and retransfer.
A major proposed change seeks to exclude encrypted technical data from the controls of the ITAR, as excluded from the definitions of export, re-export, and retransfer for the electronic transmission and storage of data as long as the encryption meets the FIPS 140-2 standard, and are not stored in proscribed countries or Russia. Under the EAR proposed rule, BIS would allow encryption that meets the FIPS 140-2 standard, or "similarly effective cryptographic means." Thus, BIS is showing a bit more flexibility than DDTC. Like the ITAR definition, EAR-controlled information cannot be stored in a Country Group D:5 or Russia. This proposed rule would greatly alleviate compliance burdens for cloud computing providers and companies seeking to store their information on servers around the world.
Thus, the definitions of export and re-export will not include properly encrypted data, but providing the decryption key, password, or other means of accessing data would result in licensable exports.
A major difference between the ITAR and EAR remains and is that the BIS rule states that a deemed export to a foreign national is an export to their most recent country of citizenship or permanent residency, while the DDTC still takes into consideration all countries of nationality or permanent residency. DDTC's approach has not changed, but ITAR section §126.18 remains to alleviate some of the discrimination and employment concerns that had been raised in the past.
The regulations continue using different terms for technology under the EAR and technical data under the ITAR in an effort to make things easier for exporters. When people refer to technology then you will automatically know that the controls that apply are those of the EAR. These definitions have been revised to clarify the term "required." They also attempt to clarify the term "peculiarly responsible."
Further, the term "release" was introduced to the ITAR in an attempt to harmonize these regulations with the EAR. Similarly, both sets of regulations have introduced definitions to outline activities that are not exports, re-exports or transfers. The proposed rules also attempt to streamline the provisions on patents, public domain, and fundamental research.
Public comments will be accepted until August 3, 2015. Note that the final rule will become effective 30 days after its day of publishing.
Revisions to Destination Control Statements
On May 21, 2015, the export agencies published a proposed rule requesting public comment regarding revisions to the DCS in the EAR and ITAR to harmonize both sets of regulations. This will be extremely helpful as many exporters ship both ITAR and EAR items in the same shipment, and this has caused confusion regarding what DCS to include on such mixed shipments, with many exporters opting to include both. The proposed notice would limit the amount of documents that require the DCS. It would no longer be required on the air waybill, bill of lading, or other export control documents and would instead focus the requirement to the commercial invoice and contractual documentation. The new DCS would read as follows:
"These items are controlled and authorized by the U.S. Government for export only to the specified country of ultimate destination for use by the end-user herein identified. They may not be resold, transferred, or otherwise disposed of, to any other country or to any person other than the authorized end-user or consignee(s), either in their original form or after being incorporated into other items, without first obtaining approval from the U.S. government or as otherwise authorized by U.S. law and regulations."
Public comments will be accepted until July 6, 2015.
Additional Improvements and Harmonization of Export Clearance Provisions
In this advance notice of proposed rule making, BIS is seeking comments for how the requirements under part 758 (export clearance) of the EAR can be improved, including how the EAR export clearance provisions can be harmonized with the ITAR.
Among the proposed changes BIS would now require:
- ECCNs to be identified on export control documents for all items on the Commerce control list, not just for 9x515 and 600 series.
- The country of ultimate destination be identified on export control documents, mirroring the ITAR requirement.
- License number, license exception code or no license required or export authorization symbol on export control documents.
- AES filing for exports to Canada for items controlled for National Security, Missile Technology, Non-proliferation, and Chemical Biological Weapons reasons regardless of license requirements.
Any comments or suggestions where additional harmonization should be considered should be submitted by July 6, 2015.
BIS Proposed Cybersecurity Rule
Finally, BIS also recently proposed a rule impacting exports of intrusion software, surveillance and related systems equipment, software and components. If your company develops or uses cybersecurity technologies to protect your own or your client's intellectual property, pay close attention to this proposed rule.
This proposed rule would add new ECCNs (4A005 and 4D004) controlling new cybersecurity items, resulting in new licensing and reporting requirements. These ECCNs include network penetration testing products that use intrusion software to identify vulnerabilities of computers and network capable devices. As a result of the new proposed National Security (NS), Regional Stability (RS) and Anti-terrorism (AT) controls, most destinations with the exception of Canada would now require a license for export of these items, and there are no applicable license exceptions except GOV i.e., exports to, or on behalf of, the U.S. Government. This proposed rule would also amend existing ECCNS 4D001 and 4E001 (also not eligible for the use of license exceptions).
The proposed rule would also impact network communications surveillance systems by adding Internet Protocol network communication surveillance systems as "cybersecurity systems" in ECCN 5A001.j. These systems would include those that intercept and analyze messages to produce personal, human, and social information from network communications traffic. Cybersecurity items would not be eligible for license exception ENC, but the relevant ECCNs would continue requiring registration, review, and reporting of the current sections §740.17, §742.15(b), and §748.3(d), including with BIS and ENC Encryption Request Coordinator.
BIS also proposes to add the definition of "intrusion software" to the EAR. Intrusion software would include software specially designed, or modified, to avoid detection by monitoring tools or to defeat protective countermeasures, of a computer or network-capable device, and performing any of the following:
- The extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or
- The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.
Intrusion software would not include:
- Hypervisors, debuggers or software reverse engineering (SRE) tools;
- Digital Rights Management (DRM) software;
- Software designed to be installed by manufacturers, administrators or users, for the purpose of asset tracking recovery.
Public comments must be submitted by July 20, 2015.
If you would like to receive additional information or clarification regarding any of the above referenced proposed rules or notices, please do not hesitate to contact me at firstname.lastname@example.org. We can also assist you in preparing or reviewing your public comments for submission to the government.