Compliance with US export control laws poses crucial challenges in outsourcing deals. Failure to comply with the US export control laws can have serious consequences for companies, including substantial monetary fines, loss of export privileges, disruption of business operations and reputational damage.
To minimize liability, US companies should determine at the outset whether their outsourcing deals involve any items, such as certain dual-use products, software or technology, or defense articles or services that the United States controls for export to foreign destinations or foreign nationals. If export restrictions apply, the company may need to obtain a license before exporting any items as part of the outsourcing transaction. License applications can take several weeks to complete and, in certain instances, may significantly delay an outsourcing deal if compliance issues are not adequately addressed at the outset.
Although it is critical for a US company to resolve issues arising under US export control laws before exporting or providing access to controlled items, it is often difficult to identify such issues in complex outsourcing deals. For example, export issues may arise in the outsourcing of (i) litigation support functions, in which foreign nationals are provided access to documents containing technical data, drawings and blueprints related to the manufacture of a product at issue; (ii) back-office support functions requiring the transfer of hardware and encryption software overseas; (iii) software application support and maintenance, where foreign nationals will have access to applications; (iv) research and development to a joint venture located abroad, involving the transfer of US origin technology; (v) the preparation of patent applications when the US company provides technical data relating to its innovations to foreign nationals overseas; or (vi) the management of a data room by a non-US company for purposes of merger and acquisition due diligence, when a US company electronically transmits technical data to a server located outside the United States.
This article describes an approach companies can use to identify and resolve US export control issues in their outsourcing deals. Under this approach, the US company should first identify US export control issues during the early stages of an outsourcing deal. It should then negotiate and draft appropriate provisions in the outsourcing agreement to ensure compliance with applicable US export control laws and appropriate allocation of risk and responsibility with respect to such compliance. The article concludes with a summary of specific steps that a company can follow to help determine whether its outsourcing project raises export compliance issues and, if so, what it must do to address those issues.
Identifying US Export Control Issues in Outsourcing Deals
Is There an Export?
The first step in identifying US export control issues in an outsourcing deal is determining whether any US-origin items (which include products, software, technology and, in some cases, services) will be exported and/or re-exported within the meaning of US export control laws. The primary regulations governing the exportation of US-origin items are the International Traffic in Arms Regulations (ITAR) and the US Export Administration Regulations (EAR).
Although most people think of an export as the physical shipment of a product to a foreign destination, “export” within the meaning of the ITAR and the EAR covers a far broader range of activities and items, including:
- Hand-carrying controlled products abroad, traveling abroad with laptops loaded with controlled software and/or technology, or traveling to assist foreign customers with testing and/or repairs using controlled products.
- Shipping US-origin items from one foreign country to another (called a “re-export”).
- Sending, transmitting or disclosing software or technology via mail, email, Internet, server access, facsimile, telex, video conference, webinars and/or telephone conversations.
- Disclosing to foreign nationals located in the United States certain technology through visual inspection or verbal exchange.
- Instructing or training foreign nationals in the design, production, operation or use of controlled products.
- Transferring registration, control or ownership to a foreign person of any ITAR-controlled aircraft, vessel or satellite, whether in the United States or abroad.
- Performing a “defense service” on behalf of, or for the benefit of, a foreign person whether in the United States or abroad.
It is particularly important in the outsourcing context to determine whether any “technology” or software will be exported. As illustrated by the examples above, an export can occur even within the borders of the United States when certain controlled technology or source code is provided to a foreign national located in the United States. US export control laws provide specific definitions of “technology.” For example, under the EAR, “technology” is limited to specific information necessary for the development, production or use of a controlled product, software or technology, such as technical data (e.g., engineering designs and specifications, blueprints, plans, diagrams, models, manuals and written or recorded instructions) or technical assistance, including instruction, skills training, working knowledge and consulting services.
The release of such technology is “deemed” to be an export to the home country of the foreign national, even if such foreign national is located in the United States. In this context, a “foreign national” is an individual who is not a US citizen, lawful permanent resident, political asylee, refugee or other type of protected individual. A company “releases” technology when it (i) makes such technology available to foreign nationals for visual inspection (such as reading technical specifications, plans or blueprints); (ii) orally exchanges such technology with a foreign national; or (iii) makes such technology available to a foreign national by practice or application under the guidance of persons with knowledge of the technology.
A “deemed” export, therefore, may occur in a wide range of scenarios, including where a company allows a foreign national to access technology or gives a foreign national the capability to develop or replicate an encryption item that is subject to export restrictions. Depending upon the nationality of the person receiving the technology and the type of technology involved, the outsourcing company may need to obtain an export license before releasing such technology to a foreign national. Are the Items to Be Exported Subject to Control?
Once a US company determines that its outsourcing project involves an export, the company should consider whether the items are controlled for export under the ITAR or the EAR. The ITAR, administered by the US Department of State, Directorate of Defense Trade Controls (DDTC), applies to “defense articles” and “defense services.”
Defense articles are items listed on the US Munitions List (USML), which is subject to change depending on US national security concerns and revisions to technical parameters. They may also include items that are specifically designed, developed, adapted or modified for military use. Any manufacturer or exporter of defense articles or services listed in the USML must register with DDTC.
Defense services include assisting foreign persons in the US or abroad in the design, manufacture or use of defense articles, furnishing technical data to foreign persons in the US or abroad and military training of foreign forces. Items controlled under the ITAR are described in various categories of the USML, and include firearms, weapons, satellites, military vehicles, toxicological agents, and military electronics.
The EAR, administered by the US Department of Commerce, Bureau of Industry and Security (BIS), applies to products, software and technology with both commercial and military use (commonly referred to as “dual-use” goods). Items controlled under the EAR are listed on the Commerce Control List (CCL).
The CCL contains five-digit alphanumeric Export Control Classification Numbers (ECCNs) for identification of specifically described items and their reasons for control. An EAR99 basket number is used for any items not specifically described.
The CCL includes ten product categories covering such items as materials, chemicals, electronics, computers, telecommunications, information security, navigation and avionics. Encryption items, including encryption technology and hardware and software with encryption functionality, are an important category of items on the CCL because most business software contains encryption capabilities and, therefore, outsourcing projects often involve the export of encryption items. The export controls related to encryption items are particularly complex and must be analyzed on a product-by-product basis.
What is the Destination andEnd-Use of the Items to Be Exported?
The third step a US company should take to determine whether its outsourcing project raises US export control issues is to identify the destination and end-use of controlled items outside of the United States. In addition, the company should identify any foreign nationals, including employees, consultants, contractors, guest researchers and visitors, to whom the items may be released in the United States.
Whether the export of an item controlled under the EAR requires an export license depends upon the ultimate destination and end-use of that item. If an item is controlled for export under the ITAR, it will need a license for all destinations and end-uses, unless a license exception applies. In addition, US sanctions laws prohibit US companies from any business dealings with certain countries, individuals and entities. US laws also prohibit the export of US-origin items to certain prohibited countries and parties.
Addressing Issues Relating to US Export Control Laws While Negotiating and Drafting an Outsourcing Agreement
If an outsourcing project raises US export control issues, there are generally three steps the US company should take to ensure compliance with applicable export laws. First, if the classification, destination, end-use or end-user of items that the US company will export as part of its outsourcing transaction requires an export license, and if no license exception is available, then the company must apply to the BIS or the DDTC for a license. Such a license must be obtained in advance of any exportation. License applications may take between four and twelve weeks for approval. Typically, any license that is granted will have a duration of about two years.
Second, the US company needs to create an export control policy, including a technology control plan for personnel working on the project, to ensure appropriate access to controlled items. Finally, and once work under an outsourcing agreement commences, the US company must continue to ensure compliance with all US export license obligations. It must also maintain all classification and export documentation for recordkeeping purposes, confirm the export license expiration date, and prepare necessary renewal applications.
When negotiating an outsourcing agreement that raises US export control issues, the US company should consider whether it will maintain the above obligations related to ensuring compliance with US export control laws, or if it will delegate such responsibilities to the supplier. As a general matter, the “exporter of record” is ultimately responsible for compliance with US export control laws. The exporter of record is the person in the United States who has the authority of a principal person in interest to determine and control the sending of items out of the United States. Often, each party to an outsourcing agreement assumes the export compliance obligations for any items it supplies to the project that will be exported.
Alternatively, the US company may consider delegating to the supplier the responsibility to comply with applicable export restrictions, but that will not completely relieve the US company of its legal obligations under the EAR or the ITAR. The advantages of this approach include short-term cost savings for the US company, such as elimination of the need to classify items, to determine whether an export license is needed, or to apply for a license prior to commencement of work under an outsourcing agreement. Another reason to require the supplier to handle this responsibility is that it will be easier for the supplier to maintain the technology control plan mentioned above, as the supplier is in control of supplier personnel who access and use the technology.
However, the US company will face significant risks in the event that the supplier fails to fulfill its obligations with respect to ensuring compliance with US export control laws. The company may be able to recover from the supplier the amount of monetary fines imposed by the US government. But adequate remedies for the company’s potential loss of export privileges, disruption of business operations and reputational damage stemming from its failure to comply with export control laws are difficult to ascertain and recover from the supplier.
In the event that, after weighing these considerations, the US company prefers to impose on the supplier the burden of ensuring compliance with US export control laws, the relevant contract provision should reflect certain key understandings. These include:
- Certain items or transactions under the outsourcing agreement may be subject to US export controls and/or sanctions.
- Neither party to an outsourcing transaction will directly or indirectly export or re-export any items in violation of applicable US export control laws.
- The supplier will identify the specific export control status of, and will be responsible for obtaining all necessary export authorizations for, the export or re-export of any items under the outsourcing agreement.
- The supplier will ensure that its subcontractors obtain all necessary export authorizations and maintain the necessary internal compliance controls.
- The supplier will agree not to subcontract any portion of the outsourcing services to prohibited countries or entities and will not employ nationals of such prohibited countries to provide services to the US company.
- The supplier will be responsible for implementing all necessary internal compliance controls, including the technology control plan.
- The supplier will provide the US company, at the company’s request and at least annually, a certification of compliance with US export control laws.
If the US company decides, either at the outset of negotiations or as a result of a compromise with the supplier, to maintain primary responsibility for ensuring compliance with US export control laws, the company should nevertheless draft the relevant provisions of the outsourcing agreement with care. For example, it is crucial for the US company to secure a commitment from the supplier to provide all information necessary for the company to achieve and maintain compliance with US export control laws. This information should include the countries of citizenship for all supplier personnel who may be performing services under an outsourcing agreement, whether in the United State or from abroad.
Steps to Determine Whether Your Outsourcing Project Raises Export Concerns
The checklist below will help US companies to identify and resolve US export control issues in an outsourcing deal:
- Determine whether the outsourcing project involves an export of products, source code, software, technology, defense articles or defense services.
- Classify each item with the appropriate ECCN or USML Category.
- Determine the item’s export destination and end-use.
- Determine whether any controlled technology, source code, defense articles or defense services will be released to foreign nationals in the United States.
- Screen all parties to the transaction against the list of prohibited persons maintained by the US government.
- Determine whether an export license is required. If so, confirm whether a license exception applies.
- Ensure that contractual language adequately covers the responsibilities of the parties, given applicable export controls and licensing requirements.
- Obtain an export license when necessary.
- Create, design and implement a US export control policy with procedures specific to technology, security, record-keeping, training and reporting.
- Create a technology control plan for personnel working on the project to ensure appropriate access to controlled items, including separate work areas with restricted access control and separately controlled technology within the server network, password protection for individual documents, protected databases and other computer security measures.
- Train all relevant persons in compliance with US export control laws.
- Comply with all export license conditions.
- Ensure that the exporter or its agent adequately completes and submits all required shipping documentation and Automated Export Sytem (AES) records.
- Maintain all classification and export documenta14. tion for record-keeping purposes.
- Confirm the export license expiration date and 15. prepare necessary export license renewal applications.
The specific nature of export restrictions arising in a complex outsourcing project drives the overall strategy and the time necessary for the resolution of such issues. Issues can arise with any company employing or interacting with foreign nationals wherever located, or engaging in business activities outside the United States. Early identification of challenges arising from US export control laws and effective allocation of responsibility for resolving compliance-related concerns will help the company select the most appropriate supplier for a particular outsourcing need. Proactive consideration of the laws will also help the company reach early internal alignment on this important issue, set up necessary internal controls to ensure compliance with US export control laws, and avoid delays in the negotiation of an outsourcing agreement and commencement of work under the agreement.