In early June of 2016, the U.S. State Department’s Directorate of Defense Trade Controls (DDTC) and the U.S. Commerce Department’s Bureau of Industry and Security (BIS) released the long-anticipated final rules revising definitions in the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR). The revisions are part of the continued effort of BIS and DDTC to harmonize their regulations.
While this is a significant step towards harmonizing the EAR and ITAR, it does not represent the finalization of the harmonization process. The rules will be effective on September 1st. As the DDTC revisions are an interim final rule, stakeholders will have until July 5th to provide comments. The BIS commentary process is less formal and provides for public commentary on a continuing basis.
The most significant revisions in the BIS final rule are the changes impacting cloud computing. These revisions are designed to align the ITAR and EAR treatment of the electronic storage and transmission of data. Specifically, the BIS final rule removes from BIS control the “sending, taking or storing” of encrypted software and technology. The rule provides the following four-part test to determine the circumstances under which the EAR’s export control carve-out applies to “technology” or “software”:
- Secured using ‘end-to-end encryption;’
- Secured using cryptographic modules compliant with FIPS 140-2; and
- Not intentionally stored in a country listed in Country Group D:5 or Russia
Accordingly, if one of the above actions is taken related to software or technology, this action no longer falls within BIS jurisdiction and is therefore not subject to the EAR.
BIS added the following definition of “end-to-end encryption”:
(i) The provision of cryptographic protection of data such that the data is not in unencrypted form between an originator (or the originator’s in-country security boundary) and an intended recipient (or the recipient’s in-country security boundary), and (ii) the means of decryption are not provided to any third party. The originator and the recipient may be the same person.
This definition states that the transmission of encrypted software and data between countries is not an export or re-export under the EAR, provided the software or data was encrypted throughout the transmission. The final rules also provide a corresponding section which addresses the provision of “access information”, such as passwords and decryption information. Such information is subject to the same export control requirements as would apply to unencrypted data.
Another significant change is the revision of the definition of “export”. Several commenters requested the definition be revised to exclude “the provision [to foreign persons] of physical access to technical data” and the interim rules have incorporated this exclusion. However, the DDTC warns that an actual release of technical data will require authorization.
In order to further harmonize with the ITAR, BIS revisions to definitions include “access information,” “technology,” “required,” “foreign person,” “proscribed person,” “published,” results of “fundamental research,” “re-export,” “release,” “transfer,” and “transfer (in-country).”
In conclusion, the final rule revisions to the EAR and ITAR provide fundamental changes to key definitions that will likely have a significant effect on those who export items controlled by the Commerce Control List or the United States Munitions List. The most significant changes are to the authorization for cloud-based IT solutions subject to the EAR. For those invested in the final outcome of these rules, remember that stakeholders have until July 5th to comment on the DDTC interim final rules.