The Commerce Department’s Bureau of Industry and Security (BIS) confirmed that simply accessing from abroad software subject to the Export Administration Regulations (EAR) that is stored on a server in the United States does not constitute an export of the software, provided the user does not download a software application from the cloud. In BIS’s third advisory opinion on the export control implications of cloud computing, the agency explained that if the user abroad is only accessing a software application in the cloud – for example, through a Software as a Service (SaaS) offering – the user is “send[ing] its data to the cloud for processing, and caus[ing] its processed data to be transmitted back to it,” but no export of software has occurred. The advisory opinion is consistent with long-standing BIS guidance on accessing software on a U.S. server from outside the United States and draws upon BIS’s first cloud computing advisory opinion, published in January 2009.
The recent advisory opinion also points out that accessing software in the cloud still might involve an export of technology, a cautionary note worth considering. Although in some cases technology transferred through use of a commercial SaaS offering might be subject to minimal export restrictions or might not even be subject to the EAR, it also is possible that the SaaS software, depending on its sophistication, could generate and then lead to the export of highly controlled EAR technology. As always, cloud users should understand the export restrictions applicable to their technology flowing in and out of the cloud.