Today, information is exchanged with greater efficiency than could have been imagined at the birth of the US arms export control regime. Increasing globalization coupled with the proliferation of email, the Internet and data servers that can be accessed from anywhere in the world raises new issues for regulating exports of technical data and information about controlled items. For the unwary, opportunities for unintentional export control violations abound.
A few examples demonstrate why those dealing in controlled technical data must exercise caution in this area. Consider that an email sent from one user in the United States to another user in the United States does not simply travel directly from the sender to the recipient. Rather, email traffic is commonly routed among servers – even servers located outside the United States – before it arrives at its destination. Usually the sender does not know the exact path that an email takes to its recipient, or what other countries it passes through. If an email containing protected technical data passes through a server in Canada, is there an export control violation? What about the US employee traveling in China who receives and opens an email containing technical data on a BlackBerry device or laptop computer? Are these export control violations? It is common in today’s marketplace for companies to share information with offices and subsidiaries outside the United States. If a company maintains a data server in the United States that is accessible to non-US personnel, does it violate the International Traffic in Arms Regulations (ITAR) if the server contains technical data about a defense article?
The foregoing examples demonstrate how those not familiar with the rules or without a plan for dealing with technical data in today's cyber environment might violate export controls. In any case, those subject to the arms control regulations must have at least a basic understanding of what technical data is and how export violations relating to technical data can occur.
What Is Technical Data?
Technical data is defined broadly under the ITAR as “information . . . which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles.” It is defined by nearly identical terms in the Export Administration Regulations (EAR). Technical data includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation, or models or mock-ups of defense articles or dualuse items.2
Given the broad scope of technical data covered by the ITAR and EAR, companies and individuals that deal in defenserelated and high-tech articles are likely to have significant contact with electronically stored information subject to export controls.
Rules Governing Export and Re-Export of Technical Data
The ITAR and the EAR describe several ways in which the handling of technical data can constitute an “export” and thus a violation if performed without a license or other authorization. They include disclosing (either orally or visually) technical data to a non-US person whether inside or outside the United States, and sending or taking technical data outside the United States.3 Note, it is not an export when a person whose personal knowledge includes technical data merely travels outside the United States. Thus, sending an email containing controlled technical data – even to an overseas employee with US citizenship – constitutes an export that requires a license under either the ITAR or the EAR, unless covered by a specific license exemption or exception. Were a US employee to then disclose the contents of such email to a non-US citizen, that act may constitute a separate export transaction – a re-export.
An export of technical data also occurs where a non-US citizen accesses controlled information stored on US-based servers of companies operating in the United States. General Motors and General Dynamics learned this lesson painfully in 2004 when it entered into a consent decree with the US Department of State in which the companies agreed to pay US$20 million in civil penalties to settle charges for ITAR violations. Such violations resulted from the companies’ failure to control access to technical data on their servers that related to ITAR-controlled light armored vehicles. The companies were charged with providing unauthorized access to technical data and disclosing such data without DDTC authorization. The resounding question, even after the action against General Motors and General Dynamics, is whether DDTC interprets the definition of “export” to include mere ability to access US technical data or whether an actual transfer must occur. In either case, USbased companies are advised to adopt data storage solutions that include measures to tightly control access to technical data by non-US employees and associates.
A murkier issue raised by the ITAR and EAR definitions of “export” is whether the act of sending an email that contains controlled technical data constitutes an export if the email travels to an overseas router before reaching its US recipient. Given the absence of guidance by either BIS or DDTC on this issue, one might assume that email traffic patterns are outside the scope of the regulations. Nevertheless, US companies should at least understand how their email traffic travels and, in particular, where electronic copies are stored. Failure to do so could lead to inadvertent exports.
License Requirements and Exceptions for Technical Data Relating to Defense Articles and Dual Use Items
Not all transmissions of technical data abroad require a license. In fact, license exceptions in the ITAR and EAR cover many common exchanges of technical data.
The ITAR and EAR license exemptions and exceptions that cover exports of technical data are narrow and should be considered carefully when applied to email and other electronic communications with US employees overseas. US employees should travel with laptop devices and mobile email devices that are at all times free of technical data unless exported under a license or specific license exemption or exception. In addition, an email system that allows the US-based employee to review email without creating an electronic copy on the host computer is advisable to avoid unintentional exports or disclosures to unauthorized individuals. Email messages that contain controlled technical data should be marked as such in the subject heading so that recipients can identify them without reading them, and move them to a segregated folder to minimize unnecessary or unintentional exports. This latter measure is important because to use an ITAR license exemption the exporter must certify in writing that the export is covered by an exception, mark the exported data as such and retain the certification document in its files for a period of five years – all of which would be avoided if there were no inadvertent export.4