On September 1, 2016, new rules previously published by the U.S. Department of Commerce, Bureau of Industry and Security (BIS) and the U.S. Department of State, Directorate of Defense Trade Controls (DDTC) will become effective. These rule changes will revise key definitions in both the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR). Following is an overview of takeaways from the final rules and how they may impact companies moving forward.
Takeaway 1 – EAR-controlled transmissions through the Cloud generally will no longer be considered an “export” where encrypted end-to-end, but a similar change has not yet occurred in the ITAR.
Building off of rules proposed in June 2015, the final rules stand to positively affect cloud services and other encrypted technology and software. For example, companies can store EAR-controlled software and technology on cloud servers based in most countries without “exporting” the data to those countries.
BIS redefined “export, reexport, or transfers” to exclude sending, taking, or storing technology or software so long as it is:
- Secured using “end-to-end” encryption; that is, the data must be encrypted before crossing a national boundary and stay encrypted while being transmitted from one security boundary to another, and no third party may have the ability to access the data in clear text;
- Encrypted at least as effectively as under Federal Information Processing Standards Publication (FIPS) 140-2, supplemented by procedures and controls according to National Institute of Standards and Technology (NIST) publications; and
- Not intentionally stored in a Country Group D:5 arms embargo country or in Russia.
Importantly, this carve-out does not currently apply in the ITAR context. DDTC has stated that it will address analogous controls on encrypted technical data in a separate rulemaking. As a result, companies with both ITAR and EAR items should not assume they can apply the same compliance procedures for cloud services in both contexts.
Takeaway 2 – Alternative security may be used for encrypted transmissions, but the burden is on the sender to ensure effectiveness.
With respect to the new EAR rule for transmissions through the Cloud, exporters can use third-party or internally developed cryptography that is not NIST-certified, because the final rule allows for encryption “at least as effective” as FIPS 140-2. On the other hand, BIS’s FAQs make clear that the onus is on companies to ensure that whatever security means they use are effective in the context in which the company operates. Transmissions lacking adequate security could therefore be treated as exports, with the associated export liability.
Takeaway 3 – An export requires a “release” that actually reveals technology or technical data to a foreign person.
Companies whose procedures allow “theoretical access” by foreign persons to EAR-controlled items requiring authorization are not necessarily in violation. The BIS final rule clarifies that a foreign person’s having theoretical or potential access to technology or software is similarly not a “release” because such access, by definition, does not reveal technology or software. In other words, under the EAR the fact that persons have access to a computer system in general does not automatically mean that they will be deemed to have received controlled data stored in a file in the computer system.
In addition, inspection (visual, aural or tactile) of an item must actually reveal technology or source code subject to the EAR to constitute a “release.” Therefore, merely seeing an item briefly is not necessarily sufficient to constitute a release of the technology required to develop or produce it.
Separately, DDTC stated in its final rule that to constitute a “release” under the ITAR, information about the defense article must be technical data and not simply attributes, such as size or weight.