On 3 June 2016, the US Commerce Department’s Bureau of Industry and Security (“BIS”) published a Final Rule (the “Final Rule”) affecting the application of the Export Administration Regulation (“EAR”) to certain uses of cloud computing for the storage of controlled technology and software. Specifically, the Final Rule carves out of the EAR licensing requirement cross-border transfers of encrypted technical data. This rule goes into effect on 1 September 2016.
By way of background, BIS has traditionally advised that the transmission and storage outside of the United States of technology or software controlled under the EAR constitutes an export or reexport that could potentially trigger a licensing requirement. Accordingly, prior to the Final Rule, companies with controlled technology and software could only use domestic hosted cloud solutions without having to address possible license requirements under the EAR.
The Final Rule is significant because it provides that technology or software that is encrypted in accordance with certain specified criteria is not exported or reexported even when the technology or software leaves one country for another. Thus, so long as the applicable requirements are met, the Final Rule would allow such technology or software to be hosted outside the United States without obtaining the export or reexport licenses that would otherwise be required under the EAR.
As published in the Final Rule, this carve-out will apply to the sending, taking, or storing of technology or software outside of the United States that is:
- secured using “end-to-end encryption”;
- secured using modules compliant with (or equally or more effective than) FIPS 140-2 (a common encryption standard used for Federal Government procurement) and supplemented by other controls consistent with the US National Institute for Standards and Technology guidance; and
- not intentionally stored in a country listed in Country Group D:5 or in the Russian Federation.
The Final Rule’s definition of “end-to-end encryption” requires that:
- the technology or software will not be in unencrypted form while between the originator and recipient or these parties’ respective “in-country security boundaries,” and
- the means of decryption will not be provided to a third party.
BIS explains in its rule that the term “in-country security boundaries” reflects a requirement that these boundaries cannot be defined to include infrastructure resources encompassing multiple countries.
We note an important caveat to consider. Although the State Department published a proposed rule in June 2015 that contemplated a similar carve-out for cross-border transfers of encrypted technical data controlled under the International Traffic in Arms Regulations (“ITAR”), the State Department has not issued a final rule to implement that change in the ITAR. The State Department has advised that this issue will be addressed in a separate rulemaking. Until such a rule is issued by the State Department, companies will need to differentiate between their treatment of ITAR- and EAR-controlled data for purposes of cloud storage.