On September 21, 2016, the Bureau of Industry and Security (“BIS”) announced various and wide-ranging amendments to the encryption rules in the Export Administration Regulations (“EAR”). Some of the changes in the amended rules loosen encryption controls for certain items, although the control regime remains complex, and parties engaging in encryption-related exports, reexports and in-country transfers should update their compliance materials. These changes include the following:
(1) A significant number of items that were once 5A992 are now EAR99. The exclusion note to 5A002 lists a number of items that are excluded from that category, such as home Wi-Fi routers, banking equipment and smart cards. Prior to the amendment, all the items listed in the exclusion note were 5A992; now they are categorized as EAR99.
(2) The amendments create a new kind of government end user — “less sensitive government end users.” These are government agencies that are less likely to use encryption in ways that create concerns, like museums, water treatment plants and census bureaus (as opposed to military bases and nuclear power plants). The reason for identifying “less sensitive government end users” is that high performance network and other equipment described in section 740.17(b)(2) of the EAR, so-called ENC Restricted items, used to require a license to go to any government end user in any country not on the Supplement No. 3 favorable treatment list, regardless of whether that government end user was a low-risk museum or a high-risk military or nuclear installation. Now an “ENC Restricted” item can be exported to a less sensitive government end user 30 days after a review request is filed.
(3) The performance parameters for “ENC Restricted” items have been updated and increased. ENC Restricted items, described in section 740.17(b)(2), will in certain instances require licenses or review requests prior to export. The amendments update the technical parameters for the items falling within that category. For example, the aggregate encrypted throughput parameter has now been increased from 90 Mbps to 250 Mbps. Parties engaging in encryption-related exports, reexports and in-country transfers should incorporate these parameter changes into the internal encryption questionnaires and processes they use to self-classify eligible items.
(4) These amendments deleted the requirement for an encryption registration. That means no more encryption registration applications, significantly reducing the administrative burden on the industry. According to the BIS announcement, the encryption registration requirement, added to the EAR in 2010, “is being deleted to create a more streamlined and efficient reporting processes.” Annual self-classification reports must still be filed, and the new format for the report, which is detailed in an amended Supplement No. 8 to Part 742, incorporates some of the information that used to be required by the encryption registration application.
(5) Annual self-classification reports have been streamlined. If an exporter has submitted a review request for an item that is then determined to be eligible for self-classification, that item now does not have to be included on subsequent self-classification reports.
A helpful listing of these and other changes effected by the new amendments to the encryption rules was published by BIS and can be found here.