The export of certain categories of software, and particularly encryption software, is controlled by export control regulations in the UK and the EU. Following Brexit, exporters of software (including where software is embedded in physical products) will have to consider the added dimension of export and import of controlled software between the EU and UK and vice versa.

This issue is relevant to software companies which distribute software between the UK and the EU (and vice versa). These companies will need to ensure that their software distribution arrangements are compliant with the export regulations. It is also relevant to software licensees. A great many software licences require the software licensee to comply with applicable software licensing law. A breach of the export regulations may result in a breach of the terms of a software license.

Post Brexit, both software suppliers and user companies that have operations in both the UK and EU-27 countries may need to obtain export licences or to take administration steps in order to achieve compliance.

Non-compliance with the export controls regulatory regime can result in fines being levied and individuals can be given prison sentences in some circumstances.

The Current EU Situation

Export controls generally apply to items that are specially designed or modified for military use and to all items designed for civilian use which have potential military uses (‘dual-use’ items). This Note focusse on the regime applicable to dual use items, which is the export control regime most likely to be relevant to the export commercial software.

The categories of software that are subject to EU export control on dual use products are listed in Annex 1 of Council Regulation (EC) 428/2009 (EU Dual Use Regulation) (as amended, including by Council Regulation (EU) No 1232/2011). These include cryptography for data confidentiality having in excess of 56 bits of symmetric key length and the use of an asymmetric algorithm where the factorisation of integers is in excess of 512 bits. Most commonly used encryption protocols use key lengths which exceed these levels (e.g. AES 128, 1024 RSA and 1024 DH).

Certain product categories are excluded from export control including smart cards and smart card reader/writers, cryptography equipment specially designed and limited for banking use or money transactions, portable or mobile telephones for civil usage, and cordless telephones (with a range of less than 400 metres).

There is also an exclusion from export control for certain products that are generally available to the public by being sold, without restriction, from stock at retail selling points by means of:

a. Over-the-counter transactions;

b. Mail order transactions;

c. Electronic transactions; or

d. Telephone call transactions.

The EU Commission has also introduced a number of General Export Authorisations ("GEA"), including a GEA for the export of all dual use items (including encryption software) to Australia, Canada, Japan, New Zealand, Norway, Switzerland and the USA (EU001). There is also a GEA to a wider range of countries for some but not all dual use items (including some but not all encryption software protocols) (EU002). For details of other GEAs, including a conditional GEA specifically relating to certain telecommunications products, including encryption software protocols (EU005), see UK government guidance.

"Dual use" products (such as encryption software) which circulate solely within the EU are not subject to any export controls between EU Member States, except for a small number of sensitive items.

In relation to the export of products outside the EU there are some complications due to differences in the approach to export control between the US and the EU. The US export controls include an exemption for "mass market" items (see US "Mass Market" guidance). This is less restrictive than the EU exemption for products that are generally available to the public (see EU Guidance note 1/2016). This can mean that products can be covered by the US "mass market" exemption but still be regarded as being subject to EU export control.

Following Brexit (No Deal)

Following Brexit the EU rules will continue unchanged. In the event the UK exits the EU without having agreed a withdrawal agreement with the EU (a ‘no deal’ Brexit), the UK will immediately be regarded as being a third country for the purposes of EU export control.

In the event of a no deal Brexit, the EU Dual Use Regulation will be incorporated into UK law under with European Union (Withdrawal) Act 2018 . The draft Trade etc. in Dual-Use Items, Firearms and Torture etc. Goods (Amendment) (EU Exit) Regulations 2019 (once law) will make amendments to the retained EU Dual Use Regulation so that they operate in a UK context post-Brexit. Other amendments to legislation in the field of customs and in particular in relation to export and other trade controls on military and dual-use goods are made by the Export Control (Amendment) (EU Exit) Regulations 2019, SI 2019/137.

In order to deal with the need for export approvals for exports of dual use items (including encryption software) from the EU to the UK, the European Commission has issued a Proposal for an amendment to the GEA for the export of all dual use items (including encryption software) to include exports from the EU the UK. The Commission has commented that the UK should be added to the list of countries that dual use items can be exported to under the GEA "in order to ensure a uniform and consistent application of controls throughout the Union, to promote a level playing field for Union exporters and to avoid an unnecessary administrative burden while protecting Union and international security". Exporters must notify the relevant national competent authorities of the first use of the GEA and EU Member States are entitled to require registration prior to first use of the GEA.

In order to deal with the export of dual use items from the UK to the EU, the UK has already issued an Open General Export Licence (OGEL) which will cover the export of all dual use items (including encryption software) from the UK to the EU following Brexit. The OGEL has conditions and does not apply if the exporter is aware that the dual use item is intended to be use in certain weapons systems.

In order to obtain the benefit of the OGEL, companies need to pre-register with the Department of International Trade for each OGEL that is relied on and must comply with the terms of the OGEL. A requirement has been introduced to include a note on official export documentation for the items exported that: (a) "These items are being exported under the OGEL (X)"; or (b) the SPIRE reference (in the form ‘GBOGE 20XX/XXXXX’) of the exporter’s registration in respect of the OGEL (SPIRE is the UK's online export licensing system). This requirement does not apply to items that are exported by telephone, fax or other electronic media. Once companies are registered as OGEL users, they will be subject to regular Compliance Audits. See the UK Government’s guidance Exporting controlled goods if there’s no Brexit deal.

Where specific export approvals have been granted pre-Brexit for the export of software subject to export controls outside the EU care will need to be taken post-Brexit that the approvals that have been granted have been given by the correct export authority. Post-Brexit, export licences issued by the UK will no longer be valid for exports from the EU. A new licence will be required issued by an EU member state. Similarly, an export licence issued by an EU member state will no longer be valid for exports from the UK. A new licence will be required issued by the UK.

If a Withdrawal Agreement is agreed

The draft Withdrawal Agreement agreed between the UK government and the EU (but voted against by the UK Parliament) provides for a transition period until the end of 2020. That transition period may subsequently be extended for up to two further years.

The continued application of EU law during this period will give time to national administrations and businesses to prepare for the new relationship. During the transition period, the entire EU acquis will continue to apply to and in the UK as if it were an EU Member State. This means that the UK will continue to participate in the EU Customs Union and the Single Market (with all four freedoms) and all EU policies. Any changes to the EU acquis will automatically apply to and in the UK. The direct effect and primacy of EU law will be preserved. All existing EU regulatory, budgetary, supervisory, judiciary and enforcement instruments and structures will apply, including the competence of the Court of Justice of the European Union.

The effect of the Withdrawal Agreement would appear to mean that if it were to come into force as agreed between the UK government and the EU the current situation on export licensing of dual use items (including encryption software) would continue to apply until the end of the transition period.

Practical Implications

Companies which license and companies which use software on a pan-European basis post Brexit will need to ensure that they comply with the regulatory regime for the export of software in both the UK and the EU. In particular:

  • companies that export encryption software from the UK to the EU will need to comply with the terms of the UK to EU OGEL which requires registration with the Department of International Trade, compliance with certain notice obligations and the possibility of regular audits;
  • companies that export encryption software from the EU to the UK will need to comply with the terms of the GEA for the export of all dual use items from the EU the UK, including notifying the relevant national competent authorities of the first use of the GEA and, if required by the member state, registration prior to first use of the GEA.

Companies that export encryption software from either the UK or the EU to non-EU locations on the basis of pre-Brexit specific export licences will need to take care be taken post-Brexit that approvals have been given by the correct export authority. Post-Brexit, export licences issued by the UK will no longer be valid for exports from the EU and, similarly, an export licence issued by an EU member state will no longer be valid for exports from the UK.

(This note is a development of an article originally published by LexisNexis)