The US State Department’s Directorate of Defense Trade Controls today (May 16) released a final rule amending the International Traffic in Arms Regulations (ITAR) to create a new exemption authorizing the transfer of unclassified defense articles (including technical data) to dual national and third-country national employees of approved end-users. Although the final rule contains numerous limitations, it improves upon the proposed draft rule, clarifying its scope and making this exemption an option for foreign companies whose domestic privacy/anti-discrimination laws make the use of other ITAR exemptions problematic. A copy of the new rule may be found by clicking here.

The underlying purpose behind the new ITAR section 126.18 exemption is to resolve a problem that occurs when the ITAR’s concern with the nationality of a dual national or third-country national employee conflicts with foreign laws prohibiting discrimination based on nationality. Current ITAR section 124.16 provides a retransfer authorization when a dual national or third-country national employee of a foreign licensee on an approved DDTC agreement is a national of countries that are NATO and EU member states, Australia, Japan, New Zealand, or Switzerland.


The new ITAR section 126.18 provides a license exemption to foreign entities seeking to transfer defense articles to “dual nationals or third country nationals who are bona fide regular employees, directly employed by the foreign consignee or end-user,” without the exemption being restricted to nationals of particular countries. There are, however, strict conditions on the use of this exemption:

  • The transfer must take place within the end-user’s country;
  • The transfer must be otherwise within the scope of the underlying export authorization (license or otherwise); and
  • The foreign entity must have “effective procedures” to prevent diversion for unauthorized purposes or to unauthorized users.

The “effective procedures” requirement may be satisfied by either:

  • requiring a security clearance from the host country or
  • instituting a process to screen employees and requiring them to sign non-disclosure agreements stating that they will not unlawfully transfer defense articles. Such screening must include vetting its employees for “substantive contacts” with ITAR-restricted or prohibited countries - i.e., 126.1 countries.


Because the new regulation expressly places responsibility on companies to screen their employees for substantive contacts with 126.1 countries, identifying such contacts is critical to compliance. The final rule enumerates seven types of “substantive contacts.” Interestingly, while the draft rule explicitly stated that its shorter list was non-exclusive (“including, but not limited to…”), the final rule is drafted in more exclusive terms. It states that substantive contacts include:

  • Regular travel to ITAR section 126.1 countries;
  • Recent or continuing contact with agents, brokers, and nationals of those countries;
  • Continued demonstrated allegiance to those countries;
  • Maintenance of business relationships with persons from those countries;
  • Maintenance of a residence in those countries;
  • Receiving salary or other continuing monetary compensation from those countries; or
  • Acts otherwise indicating a risk of diversion.

That being said, the final factor is potentially quite open-ended and suggests that screening should be comprehensive and holistic in approach.

Some comments DDTC made in its preamble regarding substantive contacts warrant special note:

  • Merely having an employee with a family member in a proscribed country does not automatically disqualify the employee.
  • But contacts with government officials and agents of 126.1(a) countries – family or not – require “higher scrutiny.”
  • Business or personal travel to 126.1(a) countries is not an automatic bar as long as it does not “involve contracts with foreign agents or proxies likely to lead to diversion of controlled articles or data.”
  • But full disclosure of such travel is required and requires a risk assessment.

This discussion leads naturally to the following question: what if a non-US end-user/consignee does a risk assessment and concludes in good faith that certain contacts are not “substantive” and, with the benefit of 20-20 hindsight, DDTC later disagrees? Has the non-US end-user/consignee violated the ITAR because it has provided ITAR controlled technical data to a 126.1 country employee? Or has the non-US end-user/consignee complied with the 126.18 exemption and will merely be cautioned to interpret “substantive contacts” slightly more conservatively in the future?


Although nationality alone is no longer the sole criterion for restricting access to defense articles, DDTC will presume that an employee with substantive contacts with persons from denied countries raises a risk of diversion. But DDTC also clarified that foreign companies may use this exemption to employ dual-national and third-country national employees from proscribed countries, regardless of the last sentence of ITAR section 126.1(a), which could otherwise prevent the exemption from applying.1 In any event, companies would be well-advised to document the resolution of any substantive contact issues to rebut this presumptive diversion risk.


Section 126.18 also requires end-users and consignees to maintain a technology security/clearance plan that includes the screening procedures and to maintain screening records for five years. The exemption requires that the technology security/clearance plan, screening records, and non-disclosure agreements be made available to DDTC or its agents for law enforcement purposes upon request. DDTC has published a separate Federal Register notice, 76 Fed. Reg. 27,741 (May 12, 2011) allowing the public 60 days to comment on the reporting burden of providing such information to DDTC.

This comment period will allow non-US companies who may wish to take advantage of the exemption to comment on whether the revised regulation, and the requirement that these screening records – which could contain personal information (such as an employee’s trips to visit his mother in China) – be provided to a government of another country would violate local non-discrimination and privacy laws.

DDTC seems to have already answered its question, by noting in the preamble that “the records in question are intended for use by DDTC, a governmental entity for governmental use and not for public release. DDTC’s function in this capacity is analogous to the exchange of information with cross-border law enforcement agencies that regularly receive and have a similar obligation to protect information subject to privacy laws.”


Because of the increasing tendency for companies worldwide to use contractors or temporary workers who might not be “bona fide, regular employees” as set forth in the initial draft regulation, some of the comments requested clarification on this point. DDTC appears to have taken these comments into account, but has done so by creating a demanding seven-part “regular employee” test for applicability of the licensing exemption.

The rule creates a new definition of a “regular employee” (ITAR section 120.39) that includes either: (1) a person permanently and directly employed by the company, or (2) a person meeting all the following criteria:

  • In a long term contractual relationship with the company;
  • Where the individual works at the company’s facilities;
  • Works under the company’s direction and control;
  • Works full time and exclusively for the company;
  • Who executes non-disclosure certifications for the company;
  • Whose staffing agency has no role in the work the individual performs; and
  • Whose staffing agency would have no access to controlled technology (unless specifically authorized).


Nearly a third of all comments requested that DDTC add “defense services” to the scope of the proposed section 126.18 exemption, but DDTC refused to do so. DDTC pointed out that its definition of defense articles includes by definition technical data, but argued that “defense services, on the other hand, cannot be ‘transferred’ within a company in the manner in which defense articles can,” because defense services are provided to a company, not to an individual employee. DDTC did provide some helpful clarification, however, stating that “if the contemplated defense service involves defense articles already licensed to the company, the proposed exemption would generally cover dual and third-country national employees receiving the defense service.” Therefore, even without a specific reference to defense services in the regulations, as a practical matter, it appears that DDTC would effectively treat defense services as covered under the new exemption where the original authorization to the foreign consignee covered defense articles (including technical data) and the defense services relate to those authorized defense articles.


124.16 is Not Removed

Having read the screening procedures and “substantive contacts” definition, many non-US recipients of ITAR-controlled defense articles are probably heaving a sigh of relief that the exemption provided in 124.16 has NOT been removed. As noted above, current ITAR section 124.16 provides a retransfer authorization when a dual national or third-country national employee of a foreign licensee on an approved DDTC agreement is a national of countries that are NATO and EU member states, Australia, Japan, New Zealand, or Switzerland. DDTC had planned to remove it, but was persuaded by the pleas of ten commenters not to do so.

Classified Data

DDTC clarified that the 126.18 exemption does not apply to classified technical data.

Academic Institutions

DDTC refused to apply the exemption to academic institutions. DDTC explained that the exemption is an “incremental change” in favor of foreign business entities, foreign governmental entities and international organizations, “recognizing the internal incentives for the protection of export controlled articles and data.” From this, one could infer that DDTC does not believe that foreign academic institutions have similar internal incentives to protect export controlled articles and data.


Although the revised treatment of dual and third-country nationals helps bring the ITAR into line with commercial and legal realities in foreign countries, companies should be aware that this exemption requires strict controls on its use and places heavy demands on companies to document their processes and investigate their own employees. To the extent a company is able to use the exemption in ITAR section 124.16, it likely would be simpler to do so, but new section 126.18 offers a useful new option for companies caught between access to US defense articles and the nationality of their own employees.

The new rule enters into effect on August 14, 2011.