The Government of Canada has announced that a new version of the Guide to Canada’s Export Controls (the “Guide”) will come into effect on August 11, 2017. The Guide lists the goods and technology subject to export and technology transfer controls. The transfer from Canada of any items listed in the Guide must be made under the authority of an export permit, including transfers via physical export, telephone discussions, email, server access, upload and download, technical assistance and services, and other forms of information transmission. Companies doing business abroad, whether in connection with sales, sourcing or research and development, should be carefully reviewing the latest changes to the Guide to ensure full compliance with Canada’s export control regime.
The new version of the Guide, referred to as the December 2015 Guide, reflects additions, deletions and clarifications regarding items subject to export control, incorporating Canada’s commitments and obligations under various multilateral export control regimes up to December 31, 2015. This latest version replaces the December 2013 Guide which had been in effect since December 5, 2014.
Background – Regulatory Context of the Guide
Canada retains a vested national interest in controlling the export and transfer of certain goods and technology to parties outside of its borders. To that end, Canada enacted the Export and Imports Permits Act (the “EIPA”), which requires that a permit be obtained by any person or entity seeking to export or transfer such goods and technology. The principal objective of export controls is to ensure that exports of certain goods and technology are consistent with Canada’s foreign and defence policies, such as national security, human rights protection and obligations not to contribute to the development of weapons of mass destruction.
The goods and technology which are so controlled are identified on the Export Control List (the “ECL”). The items on the ECL are subdivided into different groups:
- Group 1, so-called “Dual-Use” goods and technology controlled under the Wassenaar Arrangement;
- Group 2, the munitions list;
- Groups 3 and 4, goods and technology with nuclear proliferation concerns;
- Group 5, miscellaneous and strategic goods and technology (including all US-origin items);
- Group 6, missile technology and components; and
- Group 7, goods and technology subject to the chemical and biological weapons non-proliferation list.
The Guide is incorporated by reference into the ECL and provides detailed information and specifications for the items covered in each group. In addition, the Guide also contains detailed “de-control notes”, that create specific exemptions for certain exports in certain circumstances. For example, many modern aviation engines are controlled under Category 9 of Group 1 (as they can have military uses). However, under the Guide, an engine for use in a civilian aircraft which has been type-certified by a Wassenaar Arrangement country is “de-controlled”.
Overview of the Changes
While these latest changes impact every group within the Guide, it is Group 1 which is most significantly affected, with an extensive overhaul including a sizeable number of deletions from the ECL. Many of the definitions and specifications in Group 1 have been significantly refined.
Goods and technology have been added to Group 1 and are now subject to export control requirements. These include certain laser materials, technology for flight control systems, satellite and space goods and technology, and various aerospace goods and technologies.
The remaining changes have been more peripheral. Most of these have been clarification to specific items in the Guide inserting clarifications, changing cross-references to various new items or to account for removals, and to address typographical changes (such as changes to agency names). The most significant changes outside of Group 1 are the addition of certain types of rocket systems to Group 6 and a large increase in the number of viruses and other agents controlled under Group 7. Other additions include sight control equipment and technology, and the explosive mixture BTNEN.
Notably, there have been no changes to Canada’s cybersecurity export and technology transfer controls in respect of intrusion software and IP network communications surveillance systems and related software and technology. This is an important contrast from the United States where these controls are not in place.
Certain items have also been removed from the Guide. These include certain items within the following categories: marine goods and technology (marine surface-effect vehicles and associated equipment, hydrofoil vessels and associated equipment), small-waterplane-area vessels and associated equipment, seals and gaskets, hydraulic fluids, polymers made from vinylidene fluoride, unprocessed fluorinated compounds, plasma dry etching equipment, laser-based telecommunication test/inspection equipment, thermopile arrays, and mirrors for terrestrial heliostat installations.
Changes to Canada’s Crypto Controls
There have also been changes to Canada’s control of cryptographic goods, technology, and software (so-called “Crypto”) under Group 1, Category 5 – Part 2 (“Information Security”), including a restructuring of the relevant provisions. Crypto has long been a major issue in export controls, and one which surprises many Canadian exporters that suddenly find themselves unexpectedly offside the law. There are a few immediate points of interest.
First, there has been a small but important change to the “mass market” exemption under Cryptography Note 3. Previously, for the exemption to apply, the Guide required that price and information on the main functionality of the item had to be available before purchase without the need to consult the vendor or supplier. The new addition clarifies that a simple price enquiry is not considered to be a “consultation”. This small change provides more latitude to include items within the “mass market” exemption.
Second, the changes provide for exclusions for routers, switchers or relays where the information security functionality is limited to “Operations, Administration or Maintenance” (“OAM”) tasks which have been implemented using only published or commercial cryptographic standards. This liberalization is accompanied by a similar de-control for all general purpose computing equipment or servers where the information security functionality uses only commercial or published cryptographic standards and uses cryptographic equipment that is (1) subject to the mass market exemption under Note 3; (2) is integral to an operating system that would not otherwise be controlled; or (3) is limited to OAM functions.
Third, there is a clarification of controls on items, software, and equipment designed or modified to perform “cryptanalytic functions”, which now appear under a new heading, “Defeating, Weakening or Bypassing ‘Information Security’””. The Guide reorganization has added additional clarity on the definition of “cryptanalytic functions” to mean equipment designed to defeat cryptographic mechanisms in order to derive confidential variables or sensitive data, including clear text, passwords or cryptographic keys. This appears to be congruent with Canada’s changes to its copyright regime which criminalized the use of software which was designed to defeat technological protective measures.
Fourth, additional clarity has been provided to control systems, equipment, and components, for non-cryptographic “information security”. This confirms the status of such non-cryptographic items, and it remains to be seen the breadth with which this new provision will be enforced by the Canadian government.
These new changes bring Canada’s export control regime into compliance with its international obligations as of December 2015. Those engaged in cross-border activities should review the full list of changes, which can be found here to determine whether your products or technology are impacted.
As important as what is included here is what is not included. Namely, there is no further significant guidance on cloud access and cloud computing. It remains critical that anyone using controlled goods and who is in possession of controlled technology, including plans, blueprints, or any technical information or data related to such goods, be fully aware of its data storage and backup solutions and how they are impacted by export control requirements. Barring official guidance to the contrary, companies should exercise caution using any backup or storage servers or facilities that are outside of Canada. Special care should also be taken if employees or contractors can access controlled information from abroad while travelling – which may also result in an illegal export or transfer.