On September 8, 2016, the State Department’s Directorate of Defense Trade Controls (DDTC) published a final rule amending the International Traffic in Arms Regulations (ITAR) to finalize and clarify changes from a June 3, 2016 interim final rule related to the definitions of “export,” “reexport,” and “retransfer.” For additional information on the interim final rule, see our previous advisory.

A noteworthy comment from the final rule is in the preamble, where DDTC confirms “that theoretical or potential access to technical data is not a release,” and that a release occurs only “if a foreign person does actually access technical data.” That represents a significant change in a longstanding view of DDTC policy that theoretical access by a foreign person to ITAR-controlled technical data is to be treated as an export, reexport, or retransfer, and that the burden was on the data owner to show that no release actually occurred. This often came up in the context of databases, where a foreign national might have password access to the database, even though there was no evidence that the foreign national obtained and reviewed ITAR-controlled information in the database. DDTC appears now to accept that an actual release of technical data to a foreign national must occur in order to trigger an export, reexport, or retransfer.

This is an important change in policy that will have ramifications, in particular as DDTC continues to prepare a final rule on the treatment of controlled technical data in an encrypted, cloud-based environment. Given that many cloud service providers employ or contract with foreign persons, it is noteworthy that DDTC appears to have clarified how it would handle potential access to cloud-based data by foreign-person system administrators.

However, DDTC did not state when it will issue a final rule on the definitions of “activities that are not exports, reexports, or retransfers,” which includes regulations related to encrypted data in the cloud, or other areas that are still awaiting final regulatory action. Importantly, DDTC warned companies not to rely on definitions or guidance issued by the Commerce Department’s Bureau of Industry and Security (BIS), stating that “it would not be appropriate to rely on definitions outside of the ITAR or guidance provided by any entity other than [DDTC] for authoritative interpretive guidance regarding the provisions or scope of the ITAR.”

DDTC also reaffirmed its position that any release of technical data to a foreign person is a “controlled event” that requires authorization, even when technical data is inadvertently revealed to dual or third-country national (DN/TCN) employees. DDTC views the release of technical data or software to DN/TCN employees of authorized foreign parties as a deemed reexport. Acknowledging potential tension between a company’s due diligence obligations and employment discrimination laws, DDTC noted that it will “consider all circumstances surrounding any unauthorized release” and will assess responsibility “based on the relative culpability of all of the parties to the transaction.”

Finally, DDTC emphasized its broad interpretation of the term “retransfer,” stating that it includes temporary transfers of defense articles within the same country to a separate legal entity, subcontractor or intermediate consignee. This underscores that every entity must be authorized, no matter how minor its role, if it gains custody or control, even if not permanent, over a defense article abroad.