Cloud services in all forms are becoming widely adopted by enterprise customers. Public, private and hybrid cloud service offerings continue to grow in number and nature. Companies are migrating to Software-as-a-Service (SaaS) offerings in areas such as workforce automation, email and office productivity suites.
A key driver of the value captured by a cloud architecture, and a distinction from a set of virtualized servers, is that cloud service providers (CSPs) constantly move, and even divide, customers' processing and data to and among servers in different data centers. This is undertaken in a way that is imperceptible and unknown to users. CSPs gain efficiencies as a result of load balancing or arbitraging lower prices for input costs such as electricity by "following the sun" each day, relocating processing and storage to stay where it is night time.
Meanwhile, the US and other countries have export control regimes to prevent the export, reexport or deemed export of sensitive "dual use" technology, data or services and other items to certain destinations or individuals for foreign policy reasons, such as national security, sanctions or boycott.
Because CSPs move customers' applications and data unilaterally and without the knowledge, let alone consent, of customers, surely the CSPs will be responsible for associated export control compliance? The only dispositive answer in the US is no: the customer bears that responsibility.
The Bureau of Industry and Security (BIS) within the Department of Commerce has issued two Advisory Opinions relating to cloud services, one on January 13, 2009 (the "2009 AO") and the other on January 11, 2011 (the "2011 AO"), regarding application of the Export Administration Regulations (EAR). In the 2009 AO, BIS determined inter alia that cloud services in and of themselves are not subject to the EAR, because the CSP is "not shipping or transmitting any commodity, software or technology to the user." BIS notes, however, that if the CSP ships or transmits any controlled items or technical data, or provides controlled technical services, to a customer to facilitate use of cloud services, those items will be subject to the EAR.
Importantly, BIS also determined that CSPs are not the "exporter" of customers' applications and data when the CSPs transfer them at times and to destinations of their choosing. BIS then reasoned that this leaves only the customer to be responsible for export control compliance. BIS arrived at this conclusion because, in its view, the customer receives the "primary benefit, monetary or otherwise, of the transaction." It is clear that both CSPs and customers derive benefit from cloud services. It is not clear which derives the "primary" benefit, the customer who enjoys a percentage reduction in costs to compute and store or the CSP, all of whose cloud revenues are generated by rendering such services.
BIS did not address considerations such as who is actually transferring the items in question or who possesses the information necessary to meet compliance obligations. The answer to both would seem to be the CSPs.
In the 2011 AO, BIS addressed a related question: Who has the compliance obligation for a deemed export when a CSP employs foreign nationals to service and maintain the CSP's cloud computing systems? A deemed export occurs when an item does not exit a country but is made known or available to a foreign national from a country to which restrictions apply for the item. BIS' reasoning was that, because it had concluded in the earlier 2009 AO that the CSP is not the exporter, the CSP could not make a deemed export. The foreign national himself or herself cannot be an exporter. So, again, BIS' logic was that the customer is the only one left to bear the compliance obligation.
Here again, seemingly relevant considerations, such as who the employer is, who elects to employ particular foreign nationals, or who even knows who the CSP's employees are and what their nationalities are, were not addressed.
There have been calls to create a new license exception for cloud services that would relieve customers from bearing a compliance obligation they are not in the position to assess, let alone meet. In the meantime, enterprise customers should:
- Screen the applications and data they place in the cloud for export control compliance, only moving items that do not require licenses into the cloud, and seeking licenses where necessary
- Enhance or revamp their internal training, policies and procedures regarding export control to ensure compliance
- Conduct appropriate due diligence of CSPs and their operations, such as the locations of their data centers and the nationalities comprising their work force (noting that this has to be re-checked periodically as both will change)
- Seek to negotiate into their contracts with CSPs restrictions on the geographies to which they may relocate sensitive customer applications and data and restrictions on the nationality of CSP personnel who are involved in the relevant services to reflect restrictions under EAR, including rights to audit CSP compliance and obligations for CSPs to notify promptly of any known or suspected breaches
- Consider cloud offerings for sensitive applications or data that have been specifically developed to be compliant with export controls and so are designed to avoid the need for export licenses, albeit possibly carrying a premium in price
- Press BIS to reconsider its positions, whether by reconsidering the 2009 AO and 2011 AO, amendment of the EAR or creation of one or more license exceptions.
Export control compliance is strict liability: inadvertence or lack of knowledge will not absolve the responsible party. Civil and criminal penalties attach for breaches. We stress that even negotiating protective restrictions into contracts or choosing "ITAR-compliant" services is not sufficient. So long as the customers are responsible, they must verify compliance.