This article was originally published in Law360

On Sept. 8, 2016, the US State Department’s Directorate of Defense Trade Controls published a final rule amending the International Traffic in Arms Regulations to finalize and clarify changes from a June 3, 2016, interim final rule related to the definitions of “export,” “re-export” and “retransfer.”

A noteworthy takeaway from the final rule is in the preamble, in which the DDTC confirms “that theoretical or potential access to technical data is not a release,” and that a release occurs only “if a foreign person does actually access technical data.” This explicit acknowledgment represents a significant change in a long-standing view of DDTC policy that theoretical access by a foreign person to ITAR-controlled technical data is to be treated as an export, re-export or retransfer, and that the burden was on the data owner to show that no release actually occurred. This issue often arose in the context of databases, file shares, or electronic transfer networks to which where a foreign national might have password access, even though there was no evidence that the foreign national actually obtained and reviewed ITAR-controlled technical data, or even accessed the electronic system itself at all. The DDTC appears now to accept that an actual release of technical data to a foreign national must occur in order to trigger an export, re-export or retransfer. Hopefully, the DDTC will only deem there to be an apparent violation going forward when there is affirmative evidence of actual l access by an unauthorized foreign person.

This is an important change in policy that will have ramifications, in particular as the DDTC continues to prepare a final rule on the treatment of controlled technical data in an encrypted, cloud-based environment. Given that many cloud service providers employ or contract with foreign persons, it is noteworthy that the DDTC appears to have clarified how it would handle potential access to cloud-based data by foreign-person system administrators, which may help lessen export-control specific compliance considerations applicable to cloud service providers

However, the DDTC did not state when it will issue a final rule on the definitions of “activities that are not exports, re-exports or retransfers,” which includes regulations related to encrypted data in the cloud, or other areas that are still awaiting final regulatory action. This is in contrast with the US Department of Commerce’s Bureau of Industry and Security, which published its own final rule on June 3, 2016, in tandem with the ITAR’s interim rule. The BIS final rule created a safe harbor exempting certain encrypted data from controls under the Export Administration Regulations. Given that DDTC has to date failed to follow suit (despite having laid the groundwork for such a rule), in the preamble to the Sept. 8 final rule, the DDTC warned companies not to rely on definitions or guidance issued by the Commerce Department’s Bureau of Industry and Security, stating that “it would not be appropriate to rely on definitions outside of the ITAR or guidance provided by any entity other than [the DDTC] for authoritative interpretive guidance regarding the provisions or scope of the ITAR.”

The DDTC also reaffirmed its position that any release of technical data to a foreign person is a “controlled event” that requires authorization, even when technical data is inadvertently revealed to dual or third-country national (DN/TCN) employees. The DDTC views the release of technical data or software to DN/TCN employees of authorized foreign parties as a deemed re-export. Acknowledging potential tension between a company’s due diligence obligations and employment discrimination laws, DDTC noted that it will “consider all circumstances surrounding any unauthorized release” and will assess responsibility “based on the relative culpability of all of the parties to the transaction.” Fortunately, the language that states that “theoretical access” is no longer considered a controlled export may diminish the number incidents that might otherwise be viewed as controlled events.

Finally, the DDTC emphasized its broad interpretation of the term “retransfer,” stating that it includes temporary transfers of defense articles within the same country to a separate legal entity, subcontractor or intermediate consignee. This underscores the DDTC’s apparent view every foreign person that may gain custody or control over a defense article generally should be authorized.

Finally, the DDTC carved out portions of the ITAR from the new definitions. To ensure that the ITAR is consistent with US treaty obligations, the DDTC created alternate definitions of reexport and retransfer that apply to the section of the ITAR specific to the defense trade cooperation treaties with Australia and the United Kingdom. This underscores the care that companies must exercise when using those provisions, because a number of the requirements, including recordkeeping, can present traps for the unwary.

Although the revisions and clarifications set forth in the Sept. 8 rule do offer companies some new relief — in particular, the relaxation of the DDTC’s long-standing theoretical access policy — they also present additional complexity and highlight the difficulty of remaining in compliance with the ITAR in a dynamic business environment. In coming months, companies should remain on the lookout for the DDTC regulations regarding encryption.

All Content © 2003-2016, Portfolio Media, Inc.