On December 30, 2019, the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) issued an interim final rule seeking to amend the International Traffic in Arms Regulations (ITAR) with definitions more clearly explaining activities that are not considered to be exports, reexports, retransfers or temporary imports of secured and unclassified technical data. This interim final rule is part of DDTC’s ongoing effort to update the ITAR and will become effective on March 25, 2020. DDTC is accepting public comments on the rule until January 27, 2020.
While the interim final rule addresses a number of definitions, a new definition has been proposed under a new section of the ITAR, 22 C.F.R. §120.54, covering activities that are not exports and thus not controlled and subject to the ITAR, including:
- Launching a spacecraft, launch vehicle, payload or other item into space; DDTC states that such an activity “is already excluded from the definition of an export” in other sections of the ITAR and by statute but that it has been consolidated and simplified under this section.
- Transmitting or otherwise transferring technical data to a U.S. person in the United States from a person in the United States; DDTC states that such an activity is “unequivocally not a controlled event.”
- Transmitting or otherwise transferring within the same foreign country technical data between or among only U.S. persons, as long as the transmission or transfer does not result in a release to a foreign person or transfer to a person prohibited from receiving the technical data.
- Shipping, moving or transferring defense articles between or among the United States, which includes all states, possessions and territories of the United States.
- Sending, storing or taking unclassified technical data when it is effectively encrypted using end-to-end encryption.
The proposal regarding the sending, storing or taking of unclassified technical data is intended to help address questions and concerns as to email transmissions as well as cloud computing and storage. DDTC makes clear that electronic transmissions and storage of secured unclassified technical data are not exports as long as the “technical data is encrypted prior to leaving the sender’s facilities and remains encrypted until decrypted by the intended authorized recipient or retrieved by the sender, as in the case of remote storage.” This provision contains important requirements that must be met in order to remain compliant with U.S. export control laws and to prevent an unauthorized or inadvertent export violation.
The transmission must employ end-to-end encryption, which is defined as: (i) the provision of cryptographic protection of data, such that the data is not in an unencrypted form, between an originator (or the originator’s in-country security boundary) and an intended recipient (or the recipient’s in-country security boundary); and (ii) the means of decryption are not provided to any third party. Further, the transmission and/or storage must be secured using “cryptographic modules (hardware or software) compliant with the Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by software implementation, cryptographic key management, and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology (NIST) publications, or by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES-128).” Also, the sending, storing or taking of secured unclassified technical data may not involve, be stored in or be sent from the Russian Federation or a DDTC-restricted country, including Belarus, Burma, China, Cuba, Iran, North Korea, Syria, Venezuela, Afghanistan, Central African Republic, Cyprus, Democratic Republic of Congo, Eritrea, Haiti, Iraq, Lebanon, Libya, Somalia, South Sudan, Sudan and Zimbabwe.
Those interested in addressing the interim final rule before the January 27, 2020 deadline may submit comments by (i) email to [email protected] with the subject line, “Revisions to Definitions; Data Transmission and Storage” or (ii) using the federal rulemaking portal at www.regulations.gov and filing comments under Docket DOS–2019–0040.