On September 20, 2016, the United States made life a little easier for companies exporting products containing certain types of encryption. The U.S. Department of Commerce, Bureau of Industry and Security ("BIS") amended the Export Administration Regulations ("EAR") to, among other things, update the rules associated with exports and re-exports of encryption items. The amendments implement changes to which the member countries of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies agreed in December 2015.
Some of the more important changes to those rules are briefly summarized below.
Changes to Category 5, Part 2
The amendments split out the various subparagraphs of the main category of encryption items (those in Export Control Classification Number ("ECCN") 5A002) into three subsections. The three new subsections are as follows: (i) items for cryptographic information security (ECCN 5A002); (ii) items for non-cryptographic information security (ECCN 5A003); and (iii) items for defeating, weakening, or bypassing information security (ECCN 5A004). Conforming changes also were made to ECCNs 5D002 and 5E002. In addition, BIS revised ECCNs 5A992 and 5D992 to include only encryption items that qualify for mass market treatment under the EAR. The amendments removed 5E992 in its entirety.
Encryption Registration No Longer Required
Companies are no longer required to submit an encryption registration and obtain an encryption registration number. This change is intended to create a more streamlined and efficient reporting process.
Companies that self-classify encryption products under Section 740.17(b)(1) must continue to file annual self-classification reports. Such reports, which are due February 1 of each year, must contain basic information regarding the company and product(s). Certain information previously provided in connection with the encryption registration process will now be part of the annual self-classification reports. Companies that receive a commodity classification determination from BIS for products that are eligible for the self-classification provisions of License Exception ENC are not required to include those products in annual self-classification reports.
Movement of Mass Market Provisions to Section 740.17 of the EAR
The encryption mass market provisions have been moved from Section 742.15 to Section 740.17 of the EAR. These changes were intended to delete duplicative text and consolidate the provisions.
Restrictions on Publicly Available Encryption Source Code Removed
Encryption source code classified under ECCN 5D002 that is made publicly available no longer is considered subject to the EAR after an email notification is submitted to BIS and the National Security Agency's ENC encryption request coordinator. This notification requirement, which is now set forth in Section 742.15(b) of the EAR, previously was under License Exception TSU (Section 740.13(e)) of the EAR.
Expansion of Authorization for Intra-Company Transfers
A new exception to Section 740.17(a)(1) authorizes exports, re-exports, and transfers (in-country) among related parties for internal use when the parent company is headquartered in a country listed in Supplement No. 3 to Part 740 of the EAR and certain other conditions are met. No classification or reporting is required for such exports, re-exports, or transfers (in-country). Previously, exports, re-exports, and transfers (in-country) authorized under Section 740.17(a)(1) were limited to the internal development or production of new products.
U.S. and non-U.S. companies that export, re-export, or manufacture encryption items subject to the EAR should analyze how these changes may affect their business and ensure that their existing policies and procedures are appropriately updated to take into account these amendments to the EAR.