The U.S. Department of State, Directorate of Defense Trade Controls ("DDTC") recently published proposed revisions to the International Traffic in Arms Regulations ("ITAR") to add or change a number of key definitions. In so doing, DDTC is seeking to harmonize certain definitions under the ITAR with definitions under the Export Administration Regulations, consistent with the goals of the Export Control Reform initiative. Because compliance requirements and potential violations may turn on the definition of a single word, manufacturers and exporters of ITAR-controlled items should review these proposed revisions carefully to determine their impact on operations and compliance obligations. DDTC has invited comments to the proposed revisions by August 3, 2015.
Below are brief discussions of what we believe are the three most significant proposed revisions.
Electronic Transmission and Storage of Technical Data and Software
Perhaps the most important proposed change, DDTC has proposed definitions that would allow companies to make more efficient use of the internet and the cloud in transmitting and storing ITAR-controlled technical data and software, as long as the data is encrypted end-to-end and the servers are not located in a Section 126.1 prohibited country or Russia. The encryption will have to meet certain standards. The proposed revisions also may enable companies to increase use of Software as a Service (SaaS) solutions, as long as the application service provider cannot access ITAR-controlled data.
The proposed revision to the definition of "public domain" is particularly important because, under the proposed revision, information and software in the public domain is not considered ITAR-controlled technical data. Although DDTC has indicated that the proposed revision creates more versatility than the current list-based approach of identifying public domain sources, it comes with a significant qualification. To be considered public domain, release of the materials must be approved, in advance, by certain identified U.S. government agencies or officials. Failure to obtain that approval prior to the "release" (which is a proposed new defined term) will be considered an export violation.
The proposed revision of "defense service" has the potential to simplify compliance requirements for many U.S. persons working abroad in the defense industry. Under the current ITAR, any defense service provided by a U.S. person abroad requires DDTC authorization. Under the new definition, if it becomes final, providing to a foreign person certain assistance and training related to defense articles will be a defense service only if the U.S. person "has knowledge of U.S.-origin technical data directly related to the defense article that is the subject of the assistance prior to performing the assistance." The proposal makes clear that U.S. persons abroad who do not have access to U.S.-origin technical data are not in a position to provide defense services covered by the ITAR.
The discussion above highlights only the three most significant proposed revisions. We encourage all ITAR registrants and companies that obtain or retain ITAR-controlled information to review each of the 14 proposed revisions to determine how the changes may affect their operations and obligations.
The ITAR Notice of Proposed Rulemaking may be found at 80 Fed. Reg. 31525 (June 3, 2015). The corresponding Export Administration Regulations notice may be found at 80 Fed. Reg. 31505 (June 3, 2015). A side-by-side comparison of the regulatory texts of the proposed definitions may be found here.