On December 26, the State Department will publish a long-awaited rule amending the International Traffic in Arms Regulations (ITAR) by providing a definition of activities that are not exports, reexports, retransfers, or temporary imports at 22 CFR section 120.54. Notably, this definition provides much-needed guidance on whether and under what circumstances end-to-end encrypted technical data is controlled under the ITAR. The rule is being published as an interim final rule, and the State Department will accept comments through January 25, 2020, which could result in additional changes. However, the effective date of the interim final rule is set to be March 25, 2020, ninety days after publication in the Federal Register.

In 2015, the State Department published a proposed rule with a number of possible revisions to key definitions of the ITAR. One of the main goals of these revisions was to harmonize the ITAR and the Department of Commerce’s Export Administration Regulations (EAR) as part of the Export Control Reform Initiative announced by President Obama in 2009. Several of these proposed definitions were eventually adopted in final rules, but many were not.

In 2016, the Commerce Department adopted a definition for “activities that are not exports, reexports, or retransfers,” at 15 CFR section 734.18, which it amended in December 2017. The present rule issued by the State Department adopts a similar definition for the ITAR. Additionally, the rule amends the definition of “release” (22 CFR section 120.50), adds a definition of “access information” (22 CFR section 120.55) and makes minor amendments elsewhere to reference these new sections.

As with the definition in the EAR, the ITAR lists five activities that are not considered exports or other “controlled events” that would otherwise require a license or approval. These five activities are:

  1. Launching a spacecraft, launch vehicle, payload or other item into space.
  2. Transmitting or otherwise transferring technical data to a U.S. person in the United States from a person in the United States.
  3. Transmitting or otherwise transferring within the same foreign country technical data between or among only U.S. persons, so long as the transmission or transfer does not result in a release to a foreign person or transfer to a person prohibited from receiving the technical data.
  4. Shipping, moving, or transferring defense articles between or among the United States, defined in the regulations to include Puerto Rico, the Northern Mariana Islands and any territory or possession of the United States.
  5. Sending, taking, or storing unclassified technical data that uses end-to-end encryption subject to certain restrictions. Most important, end-to-end encryption (a) must be secured by cryptographic modules that are in accordance with certain guidance (which is more specific than that set out in the EAR with respect to the type of encryption used), and (b) cannot be sent from or be “intentionally sent to a person in or stored in” the Russian Federation or countries proscribed in 22 CFR section 126.1.

In response to a number of comments, the State Department’s interim final rule provides additional guidance and context relevant to the interpretation of these new and amended definitions in the ITAR.