On June 3, 2016, the Department of Commerce, Bureau of Industry and Security (BIS), issued a final rule, and the Department of State, Directorate of Defense Trade Controls (DDTC), issued an interim final rule, making important changes to key definitions in the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR), respectively. Last year, we authored an advisory on the proposed version of these rules. DDTC has decided to delay finalizing several definitions in its proposed rule until an unstated future date, including the much-anticipated definition of “defense services.” Both of these new rules have an effective date of September 1, 2016, with DDTC accepting comments on its rule until July 5, 2016. BIS has also posted new FAQs about its rule change.
One reason for these definitional changes is to align more closely the language in the EAR and ITAR in instances when both sets of regulations share the same purpose, and to reflect differences in purpose more clearly in the regulations. In addition, the rules implement significant substantive changes, including clarifying the safe-harbor provision exempting from EAR control data that is transmitted over electronic networks in encrypted form.
These rules update the definitions of “export,” “reexport,” “release,” and “retransfer” under both the EAR and the ITAR. Furthermore, the BIS final rule adds or revises the following EAR definitions: “access information,” “foreign person,” “fundamental research,” “proscribed person,” “publicly available encryption software,” “published,” “required,” “technology,” “transfer,” and “transfer (in-country).”
Technology Exemption for End-to-End Encryption
BIS finalized the safe harbor rule exempting certain encrypted data from controls. DDTC has not included this provision in its new rule, although it was part of last year’s proposed rule. Therefore, exporters only have clarity on the treatment of encrypted data under the EAR. How the ITAR will treat encrypted data will be revealed sometime in the future.
New Section 734.18 of the EAR states that BIS will not treat as an export, reexport, or transfer “sending, taking, or storing” unclassified technology or software that is secured using “end-to-end encryption.” In essence, transmission of encrypted data meeting these criteria will not be subject to regulation under the EAR. The criteria include the use of cryptographic modules that are compliant with Federal Information Processing Standards Publication (FIPS) 140–2 or its successors, supplemented by software implementation, cryptographic key management and other procedures and controls in accordance with current US National Institute for Standards and Technology (NIST) publications.
It is noteworthy that BIS makes clear that the encryption standard described in the rule is a minimum requirement, and that there is some flexibility, as “other equally or more effective cryptographic means” will suffice. However, BIS rejected proposals to accept any commercially reasonable or commonly used commercial practice for encryption. BIS notes that, for those not adhering to the FIPS 140–2 standard, “the exporter is responsible for ensuring that the alternative approaches work as well as or better than FIPS 140–2, regardless of common commercial practices.” In its FAQs, BIS provides further guidance on the use of the FIPS standard.
BIS has modified the previous proposed rule so that, under the final rule, the encryption must only be in place between the parties’ respective security boundaries, as opposed to between the sending and receiving devices themselves. However, BIS has also specified that the security boundary must be contained within a single country and cannot include infrastructure in more than one country. Therefore, the data must be encrypted before crossing national boundaries in order to qualify for this treatment. An additional implication of this requirement, as BIS states in an FAQ, is that any release of controlled data to non-US nationals within a security boundary (e.g. a corporate intranet) will be treated as a deemed export requiring authorization. For companies employing non-US nationals, that FAQ guidance will complicate efforts to take advantage of this rule.
This final rule also removes the requirement from the proposed rule that the encryption must be in place at all times between the initial transmission and ultimate receipt. Commenters pointed out that it is common for data to be encrypted and decrypted multiple times in the course of transmission without release to any third party, for example in order to establish initial communications with a VPN server and subsequently to transmit the data among servers. BIS decided to do away with this “unnecessary and potentially disruptive burden” and replace it with the more sensible requirement that the means of decryption should not be provided to any third party, that the data not be decrypted outside the parties’ security boundaries, or access otherwise granted to the clear text data to parties outside the security boundaries. In other words, it is permissible for the data to be decrypted and re-encrypted within the security boundaries of the originator and recipient.
It is also important to be aware that the data, in order to qualify, cannot be “intentionally” stored in Russia or a country subject to a US arms embargo, including China. But this restriction does not apply to “data in-transit via the Internet,” a limitation that BIS added in response to comments that data may be stored temporarily on servers located in these countries without the knowledge of the sender. This appears to suggest that there is no due diligence obligation with respect to the routing of these transmissions, and that it is only a matter of affirmative intent and purposeful network structure, although that would be a useful point for BIS to clarify. Presumably, the knowledge of a company’s IT staff or contractors would be attributed to the company. Therefore, compliance personnel should be in close communication with IT staff (whether internal or outsourced) about the network’s structure before relying on this rule.
Not surprisingly, a license or other authorization will be required to provide decryption keys or other “access information,” just the same as for the underlying data itself. However, BIS has modified the structure of this requirement in the final rule, as compared with the proposed rule, to make clear that the access information itself is not being controlled as a distinct item, but rather only when transferred in a way that would lead to unauthorized access to the encrypted data. This change was prompted by concerns about unduly restricting transfers of keys and identity management information separately from the data itself. Still, companies will need to be thoughtful about how to do this without linking the keys to the data in a way that could lead to unauthorized access. Great care will have to be taken in securing, or at least segregating, “access information.”
Importantly, BIS stated that providing a decryption key or other “access information” will only require the same type of authorization as applies to the underlying data if done with “knowledge” that it will “result in” an unauthorized release. This is a helpful change from the proposed rule, which controlled knowing transfers that would “cause or permit” unauthorized access. This is consistent with BIS’s general policy that only actual exports trigger controls, and not merely potential access.
However, the use of the word “knowledge” will raise questions about where BIS will draw the line with respect to careless security practices. The preamble to the rule states that it “codifies that basic concept that the unwitting victim of, for example, a database hack is not the one responsible for the theft of technology—the hacker is the one responsible because it is that person who caused the release through the use of a password or other access information.” BIS further states that “this provision is merely an application with respect to intangibles of a concept that is basic to tangible items—the export of an item is not the cause of a third person’s later reexport of the same item. Placing technology into a database is not the cause of a third person’s later transfer of the technology through the use of access information. The third person’s use of the access information is the cause of the release to himself or others.” However, this leaves open the question of what level of responsibility a holder of access information has to keep it secure. Of course, if your security practices are top-notch, and a sophisticated hacker gains access, you are not responsible. But what if your practices are sub-par and the unauthorized release could be viewed as the result of shared culpability between your company and the exfiltrator? BIS references the EAR’s prohibition on conspiracy in this context, but again that does not address the more difficult, and more common, situation of organizations or individuals with careless or inadequate security practices.
DDTC declined to publish a similar exemption in its companion rule, but it is possible that such an exemption in the ITAR may be implemented in the future. DDTC noted in its rule that “[a] main tenet of ECR is that the ITAR will have higher walls around fewer, more sensitive items, and this aspect of the control system is an example of more stringent controls[.]” Consequently, sending or taking technical data (including software object code) out of the United States to a foreign person (regardless of encryption of the data) will remain a regulated export under revised §120.17 of the ITAR, as well as the release of such technical data to a foreign embassy (or employee of such an embassy) or its subdivisions in the United States. Additionally, a reexport may occur when a defense article, including technical data, is transmitted or shipped from one foreign country to another foreign country, “including the sending or taking of a defense article to or from such countries in any manner,” pursuant to amended §120.19.
DDTC also declined to exempt transfers to foreign subsidiaries of US companies, even where the non-US affiliate is authorized to receive the technical data. But, as discussed below, the agency did amend an exemption allowing certain transfers of technical data to US persons abroad, as long as appropriate security measures are in place.
Government Contractors and Subcontractors
Even though an encryption safe harbor rule has not been implemented in the ITAR, and the EAR contain a relatively flexible standard, virtually all government contractors and subcontractors (including those located abroad) are now being required to implement certain security controls on their information systems, irrespective of whether the systems contain export-controlled information. This is the result of a recent amendment to the FAR, effective in solicitations issued on or after June 15, 2016, on which we have previously advised, which requires that all but exclusively commercial off-the-shelf (COTS) contractors and subcontractors implement 15 security controls specified in NIST SP 800-171. This FAR requirement is in addition to other more extensive cybersecurity requirements, such as those set forth in DFARS clause 252.204-7012 on safeguarding certain types of sensitive but unclassified information (defined as “covered defense information,” which includes certain export-controlled information), under which many defense contractors and subcontractors will be required by December 2017 to implement the full set of 100+ standards set forth in NIST SP 800-171 and are currently required to report breaches within 72-hours to DoD.
Release of Technology
The new definition of “release” of technology makes clear that allowing a foreign national to inspect a controlled item only constitutes a release of the controlled technology related to the item when the inspection actually “reveals” the technology. The BIS rule states that allowing mere “theoretical or potential access” to controlled technology or software is therefore not a “release.” This is a welcome clarification that will simplify a number of common situations for US and non-US companies, such as factory visits.
The ITAR rule is similar: a release occurs when a foreign person is able to “examine” or inspect a defense article in a manner that reveals technical data, including through oral or written exchanges. DDTC declined to include recommended modifiers that a release occurs only with a “close examination,” or if the inspection “actually reveals” technical data. Therefore, it is possible that in some circumstances DDTC enforcement officials may view a “release” occurring under the ITAR in situations of merely theoretical access, which would not be controlled under the EAR. Despite the continuing uncertainty on this point, DDTC did clarify that the released information about the defense article must qualify as “technical data” under the ITAR, as opposed to mere attributes like size or weight.
Changes in End-Use and End-User
A revised definition of “transfer (in-country)” includes not only changes in the end-user, but also changes in the end-use. So it is now explicit in the EAR that a change in end-use by a foreign consignee may require a separate authorization, a requirement that has long presented headaches for US exporters unsure of their ability to learn about, let alone control, how a foreign buyer uses an exported item. This new BIS rule matches the ITAR definition of “retransfer.” BIS rejected commenters’ concerns that post-shipment changes in how an item is used are beyond the control of the original exporter. BIS “acknowledges that ‘end use’ was not explicitly included in the former definition of ‘transfer (in-country),’” which implies that BIS has always taken this position, a policy that it justifies on the grounds that a change in end-use is a “material change” to the initial authorization. While it is helpful to codify an implicit policy into the regulations, BIS has still not clarified the precise scope of an exporter’s duty to monitor changes in end-use, or the type of end-use change that will be considered “material.”
In particular, the preamble to this rule is ambiguous about the extent to which the initial exporter will be responsible for subsequent changes in end-use and end-user, as opposed to the foreign party that makes the subsequent transfer. BIS implies that the initial exporter will bear some responsibility by tying this policy to the applicability of an export authorization after subsequent transfers. But the preamble also says that “depending on the facts of the transaction, the foreign party may be responsible for obtaining authorization for the subsequent disposition of the item subject to the EAR. If a violation occurs, BIS will assess responsibility based on whether the parties involved violated any of the provisions of section 764.2 (‘violations’).” It would be useful for BIS to clarify the extent of each party’s responsibility, beyond simply saying that each party is responsible for any “violation” of the EAR. However, some insight can be gleaned from the types of violations in the EAR, which can include “causing” or “aiding and abetting,” or acting with “knowledge” of a violation, or failing to notify BIS “immediately” of any change in facts in a prior submission that a “reasonably prudent person” would consider “material.” It is clear that both the initial exporter and the foreign transferor bear some responsibility for subsequent changes in the end-user or end-use, but the precise scope of these duties remains to be defined.
The ITAR now has a new definition of “retransfer” (separate and apart from reexport) promulgated in §120.51, which, like the BIS rule, refers to changes in end-use or end-user. The substance of this definition is not new to the ITAR, but it does make DDTC’s broad retransfer restrictions more explicit. The EAR definition is narrower in that it only refers to the ultimate consignee of the items. By contrast, DDTC has made clear in the preamble to its rule – but arguably not in the text of the regulation itself – that providing a defense article to any foreign subcontractor or any foreign party that is not explicitly authorized (e.g., for additional processing, repairs, or return of the defense article to the transferor) would qualify as a retransfer. Unlike BIS, DDTC does not limit this restriction to the ultimate consignee. DDTC rejected a proposal that retransfer controls not apply to subcontractors or intermediate consignees within the same authorized country.
Remote Access and Temporary Transfers of Technology for Travel Abroad
BIS is revising the “tools of the trade” provision of License Exception TMP to make it broader and more user-friendly. The change allows temporary transfers abroad of technology by or to US persons and their employees who are travelling or are on temporary assignment abroad, provided that the technology is adequately secured to prevent unauthorized release. An FAQ clarifies that this applies to remote access to US servers while abroad. In this context it is worth noting another FAQ which states that taking an encrypted device with you will be treated as an export of the device itself and of any controlled software on the device – it does not qualify either for this license exception or the end-to-end encryption safe harbor because a device is a commodity, not technology. However, there may be other applicable temporary export license exceptions, depending on the type of device and software.
BIS has simplified this portion of License Exception TMP by no longer limiting it to “usual and reasonable kinds and quantities of technology for use in a lawful enterprise or undertaking.” Any controlled technology can be transmitted under this provision, absent other applicable restrictions in the EAR. In addition, the employer is no longer required to document the reason that the technology is needed abroad by its non-US person employees who are travelling or are on temporary assignment, which will make it easier to use. Nor is the responsible US person explicitly required to “retain supervision” over the technology, although of course a company will retain some level of responsibility for transfers of its technology by or to its employees.
Furthermore, BIS has included the authority to reexport or transfer (in-country) technology under this license exception, which it had inadvertently excluded from the proposed rule. However, since BIS explicitly rejected commenters’ suggestions that this provision should be expanded to include foreign subsidiaries and affiliates of US companies, only those foreign persons who are employed by US companies can take advantage of this rule. Although BIS has removed the explicit limitation on using this license exception for transfers to Iran, North Korea, Sudan and Syria, § 740.2(a)(6) and other provisions of the EAR still limit the use of license exceptions generally for these and other sanctioned destinations.
The technical data exemption in §125.4(b)(9) of the ITAR has been revised to authorize exports of ITAR-controlled technical data to (1) US persons and (2) foreign persons employed by US persons, where such persons are traveling or on “temporary assignment” outside the United States, including for their own use, and are separately licensed to have access to the technical data. The exemption further allows such authorized individuals to make reexports or retransfers to authorized foreign persons on behalf of their employer.
As a condition to the exemption, sufficient security precautions must be undertaken by the individual to preclude unauthorized disclosure. DDTC did not specify minimum standards but did set forth illustrative examples in (b)(9)(iii), including communications through a secure/encrypted connection. Exports of classified data must comport with the National Industrial Security Program Operating Manual (NISPOM), except where there is a “direct” conflict, in which case DDTC guidance must be followed. However, ambiguity exists as to when the NISPOM and DDTC guidance would be in “direct” conflict, so if there is doubt, it would be prudent to confirm the appropriate course of action with a facility security officer or other appropriate official. Finally, while individuals outside the United States have primary responsibility for ensuring that controlled technical data in their possession is secured, the exporter is also responsible for ITAR compliance by educating individuals about the exemption’s requirements to implement and utilize appropriate security measures overseas.
Questions about whether an individual taking or sending technical data overseas on an encrypted device for personal use will be the subject of a separate rule.
Technology Transfers Among US Persons Abroad
BIS clarifies that a transfer of technology or software among US persons abroad is not an export, as long as it “does not result in a release to a foreign person or to a person prohibited from receiving [it].” Therefore, while US persons abroad will still need to be cautious about any electronic transmissions of controlled technology or software, it is now clear that, in general, they can conduct transfers among one another without any BIS authorization. This rule change will be particularly useful in the context of technical assistance by US persons for US persons abroad, and other forms of technology transfer not via electronic networks.
DDTC clarifies that, while technical data transferred to and among US persons abroad is still an export, it may qualify under the exemption discussed above. Under that exemption, the US person need not be traveling or on temporary assignment abroad in order for it to apply – that limitation only applies to foreign persons employed by US persons.
Deemed Exports and Reexports
New Section 734.20 of the EAR codifies BIS’s October 31, 2013 Deemed Reexport Guidance, which has been posted for years on the BIS website and adds provisions reflective of ITAR §§ 124.16 and 126.18. While codifying these rules is not a substantive change, it is helpful for BIS to include the rules in the regulations.
However, BIS did make one important modification to prior guidance by replacing the requirement that a company be “certain” of a foreign person’s most recent country of citizenship or permanent residency with language that it only needs to have “knowledge” of that status – a helpful change because a “certainty” standard is often unrealistic in this context. This change was made in the provision allowing deemed reexports to third country nationals of a country to which the export would be authorized or for which no license would be required. However, BIS has left these situations a bit unclear still, by appearing to retain the “certainty” standard in its FAQs, which state that “if the status of a foreign national is not certain, exporters can request the assistance of BIS to determine where the stronger ties lie, based on the facts of the specific case.” BIS should clarify whether exporters are required to seek guidance in the absence of “certainty.”
The ITAR now explicitly includes the concept of deemed exports within the definition of export (§120.17(a)(2)), and includes deemed reexports within the definition of reexport (§120.19(a)(2)). Thus, releasing or otherwise transferring ITAR-controlled technical data to any foreign person in the United States is a deemed export, and releasing or transferring such controlled technical data to a foreign person “who is a citizen or permanent resident of a country other than the foreign country where the release or transfer takes place” constitutes a deemed reexport. DDTC declined to adopt a rule, which is BIS standard practice, that only the last country of citizenship or permanent residency need be considered. Consequently, under the ITAR, the now-codified rule continues to be that a foreign person may be treated as a national of those countries for which he or she has held or holds citizenship or holds permanent residency. DDTC indicated it considers permanent residency to confer a right to reside in the country indefinitely, make unlimited entry and exit without a visa, and vote or hold office. DDTC did not explicitly address the issue of whether country of birth alone would give rise to a particular nationality for ITAR purposes. Nonetheless, it does not appear that the fact that somebody was born in a particular country will necessarily cause DDTC to view them as a national of that country, unless the person actually holds citizenship or permanent residency status in the country of their birth.
Additionally, the §124.16 authorization applicable to dual and third country national, bona fide employees of North American Treaty Organization countries, the European Union, Australia, Japan, New Zealand, and Switzerland has been converted into an exemption, and moved to subsection (d) of §126.18. The transfers must take place entirely within those territories, and the approved individual must sign an ITAR Non-Disclosure Agreement, unless his or her employer is a signatory or sublicensee to an agreement under §124.1.
BIS appears to have added a new requirement in §750.7(a) of the EAR for license applicants to inform all other parties identified on a license about the scope of the license and the specific conditions applicable to them. If implemented as written, that would be a significantly more onerous mandate than the current requirement to include a standard Destination Control Statement (DCS) on invoices, bills of lading, etc., because this new provision appears to require a unique statement for each type of transaction rather than just stamping the boilerplate DCS on documents. It will be useful for BIS to clarify the intent of this new language.
DDTC added subsection (e) to §124.1 of the ITAR to make clear that it relies on information supplied by the applicant in a proposed agreement, letter of explanation or other documents, along with equivalent language for licenses in § 123.28. Therefore, while a false statement or material omission as part of the application can be the basis of an ITAR violation under §127.2(a), it can also serve as the basis for DDTC to deny, revoke, suspend, or amend the license or other approval under §126.7(a).
Educational and Public Domain Information
BIS has reversed course on its proposed revision to the definition of educational information. The proposed rule had sought to harmonize this language with that used in the ITAR. However, BIS agreed with commenters that limiting educational information, which is not subject to the EAR, to that which concerns “general” principles that are “commonly” taught in schools would improperly exclude more advanced or obscure information, and would unintentionally narrow the scope of this EAR exclusion. BIS therefore agreed to maintain the existing language.
DDTC did not address revisions to the definition of public domain information, which apparently will be addressed by a subsequent rulemaking.