Is your export compliance department ready for Sept. 1, 2016? The U.S. Commerce Department Bureau of Industry and Security’s (BIS) final definitions rule, effective Sept. 1, makes a number of significant revisions to the Export Administration Regulations (EAR). This rule is part of President Obama’s Export Control Reform (ECR) initiative, and it updates the EAR to make certain definitions clearer and more consistent with the International Traffic in Arms Regulations (ITAR).
The final rule clarifies certain existing terms and adds new definitions for others. For example, exporters will soon see changes in terms such as access information, technology, required, foreign person, proscribed person, published, results of fundamental research, export, reexport, release, transfer and transfer (in-country). The rule also introduces new security thresholds for electronically transmitting encrypted technology and software without causing an export.
A few highlights are:
- “Published” now includes posting on the internet and submitting papers to researchers conducting fundamental research. These changes are meaningful because technology or software that is published may not be subject to the EAR.
- “Export” now directly incorporates the deemed export rule, which includes releasing or transferring technology or source code to a foreign national in the U.S. The revised definition also clarifies BIS’ long-standing guidance to use the foreign national’s most recent country of citizenship or residency to determine the destination country.
- “Release” now specifies that technology and software are only released if the technology or software is actually revealed. So in practice, merely viewing an item without acquiring any knowledge of the technology is not a release, while an inspection that reveals information may be.
- Also, the new definition includes a provision that requires authorization for a release to occur. This clarification could relieve liability in cases of unauthorized such as hacking.
- “Transfer” now specifically includes an in-country change in either end-user or end-use. BIS indicated that the addition of end-use is because authorizations are made for specific end-uses, so any change may require additional authorization.
- Summarized below are a few examples of activities that are NOT exports, re-exports or transfers under the new rule:
- Transfers of authorized software or technology within the same foreign country between two U.S. persons, allowing no access by non-U.S. persons.
- Sending, taking, or storing software or technology using end-to-end encryption. To qualify as using end-to-end encryption, the transfer must be secured using Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors and cryptographic key management and other procedures provided in the U.S. National Institute for Standards and Technology publications or other more effective cryptographic means. The technology may not be stored in certain enumerated countries.
- Exclusions for certain releases of technology or source code by an entity outside the U.S. to a foreign national of a different country – if certain criteria are met.
- “Technology” now includes a note clarifying that technology for the development or production of a modified item is technology for the new item. This revision makes it clear that common technology for the original and modified item is not all classified as technology for the modified item.
- “Required” includes new notes clarifying the previous definition, and BIS now makes it clear that required applies generally to all technology on the Commerce Control List.
Of course, the new rule will require updates to relevant compliance procedures. At the same time, the changes present new opportunities for exporters to explore.