On September 8, 2016, the US Department of State’s Directorate of Defense Trade Controls published a final rule to amend the International Traffic in Arms Regulations. This rule clarifies and finalizes changes from a June 3, 2016, interim final rule related to the definitions of “export,” “re-export” and “retransfer.”

The preamble of the final rule includes an important takeaway where DDTC confirms “that theoretical or potential access to technical data is not a release,” and that a release occurs only “if a foreign person does actually access technical data.” Such an explicit acknowledgment represents a notable change in a long-standing interpretation of DDTC policy that theoretical access by a foreign person to ITAR-controlled technical data is to be treated as an export, re-export, or retransfer, and that it was up to the data owner to show that no release actually occurred. This issue often arose with databases, file shares, or electronic transfer networks to which a foreign national might have password access, even if there was no evidence the foreign national actually obtained and reviewed ITAR-controlled technical data, or accessed the electronic system at all. Now, it appears the DDTC accepts that an actual release of technical data to a foreign national must occur in order to qualify as an export, re-export, or retransfer. Going forward, we hope the DDTC will only declare an apparent violation when there is affirmative evidence of actual access by an unauthorized foreign person. For more information, please see our advisory.