Effective November 23, 2010, any company that applies for an H-1B (H-1B, H-1B1, Chile/Singapore), L-1, or O-1A visa for a foreign national through the filing of an I-129 must now certify that there are no International Traffic in Arms (ITAR) or Export Administration Regulations (EAR) limitations on the release of technical data to that foreign national, or that a license will be in place before that controlled technical data is shared. This amounts to nothing more than another layer of enforcement when it comes to the "deemed export" rule, but now compliance with export license regulations has been added to the portfolio of HR executives. It remains unclear how enforcement will be accomplished. It is possible that violations may be discovered during an I-9 audit, despite the fact the certification is given to US Citizenship and Immigration Service (USCIS). It seems most likely that Commerce and State will enforce any violations, and those agencies typically opt for criminal prosecution first and civil fines secondarily.
Protected persons are listed at 8 U.S.C. § 1324b(a)(3) and consist of any individual who is:
- a citizen or national of the United States;
- an alien who is lawfully admitted for permanent residence;
- a person granted the status of an alien lawfully admitted for temporary residence as a seasonal agriculture worker or pre-1962 lawful resident;
- a person admitted as a refugee;
- or a person granted asylum; BUT
- excludes an alien who fails to timely apply for lawful permanent residence or naturalization or is not timely granted such status.
Sharing technical data with a protected person is not controlled so long as that person is employed in the US. A different outcome likely results if that protected person is employed by a foreign affiliate. Goods and technical data subject to control by State under the Arms Export Control Act (AECA) (22 U.S.C. § 2778, et al) can be found in the U.S. Munitions List, 22 C.F.R. § 121, as information required for the design, development, production, testing, or modification of defense articles. Defense services are also regulated, including the furnishing of assistance to foreign persons in the design, development, testing or use of defense articles, whether this takes place in the US or elsewhere.
In terms of goods, technical data, and services controlled by Commerce's Bureau of Industry and Security (BIS), that list can be found at 15 C.F.R. 730, et seq. Any release of technology or source code subject to the EAR to a foreign national is deemed to be an export to the home country or countries of the foreign national (15 C.F.R. 734.2(b)(2)(ii)). BIS states technology or software is "released" for export through: (i) visual inspection by foreign nationals of US-origin equipment and facilities; (ii) oral exchanges of information in the United States or abroad; or (iii) the application to situations abroad of personal knowledge or technical experience acquired in the United States.
One of the notable differences in approach between State and Commerce remains what constitutes nationality. Commerce looks to the current country of residence or citizenship, whereas State continues to look to country of birth and citizenship. So for HR Managers, questions about personal history are permitted. To illustrate this distinction, if the applicant was born in Syria, emigrated to Canada as a 10-year-old, and became naturalized, BIS will focus on that person's Canadian citizenship, whereas State will be concerned about his/her Syrian birth.
Regardless of which agency has jurisdiction, a license will be required for North Korean, Cuban, Iranian, Syrian, and Sudanese nationals. The BIS mass market standard (symmetrical key length greater than 64 bits) remains. Put another way, it is permissible to allow a foreign national access to Oracle software for use at his or her desktop. However, if that foreign national is given access to the source code, perhaps to fix a bug, that possibility needs to be carefully reviewed to make sure an export license is in place prior to disclosure. Further, HR Managers should keep in mind the US maintains some form of embargo against Burma/Myanmar, Belarus, China, Cote d'Ivoire, Cuba, Cypress, Democratic Republic of Congo, Eritrea, Haiti, Iran, Iraq, Lebanon, Liberia, Libya, North Korea, Sierra Leone, Somalia, Sri Lanka, Sudan, Syria, Venezuela, Vietnam, Yemen, and Zimbabwe, so persons from those countries present potentially greater hurdles when it comes to export license approvals, depending on the specific circumstances.
We have in this article discussed only export licenses. There are some circumstances in which a Technical Assistance Agreement may be used instead, but that determination should be made by the company's export advisor.
To address this new responsibility, if you are an HR Manager, your checklist for compliance will now need to include a complete job description that clearly states to what the applicant will be given access and when, plus details about that person's residence history, as appropriate. You must also make sure those records are kept for the specified period of time. If your company sells goods subject to US export controls, you will want to consult with your export staff to ensure all the requirements are met. Even if your company does not, you must still make sure that you are in compliance, as exposure to source code encrypted over the 64-bit level to a foreign national is barred absent an export license, even when that release takes place in the US.