On 3 June 2016, the U.S. Commerce Department’s Bureau of Industry and Security (“BIS”) published a Final Rule (the “BIS Final Rule”) revising a number of definitions in the Export Administration Regulations (“EAR”). BIS also posted new Frequently Asked Questions related to this rule. Concurrently, the U.S. Department of State published an Interim Final Rule (the “State Interim Rule” and, collectively with the BIS Final Rule, the “June 2016 Rules”) revising several definitions in the International Traffic in Arms Regulations (“ITAR”). The June 2016 Rules will go into effect on 1 September 2016. The State Department will accept comments on the State Interim Rule until 5 July 2016.
Most of the changes in the June 2016 Rules are technical or clarifying in nature. Many of these changes were first presented in two proposed rules issued by BIS and the State Department in June 2015 (collectively, the “June 2015 Proposed Rules”). More information about the June 2015 Proposed Rules is available in our 6 June 2015 blog post. It is important to note, however, that the State Interim Rule includes only a fraction of the changes proposed in the State Department’s June 2015 Proposed Rule. Comments in the State Interim Rule suggest that the proposed regulatory changes that were not included in this rule will be addressed by the State Department in a subsequent rulemaking.
The most significant example of this divergence between the changes made to the EAR and ITAR in the June 2016 Rules relates to provisions in the June 2015 Proposed Rules that would “carve-out” the storage of encrypted technology and software in locations outside the United States—provisions with direct implications for the use of cloud computing services to store controlled information and software. This carve-out for encrypted data (the “Encrypted Data Carve-Out”) is included (with slight modifications) in the BIS Final Rule, but the State Interim Rule does not include equivalent revisions to the ITAR. Again, we understand that the State Department will ultimately issue a separate rule to implement this carve-out in the ITAR as well.
Below, we provide additional information about the Encrypted Data Carve-Out as presented in the BIS Final Rule as well as other notable regulatory revisions that will go into effect on 1 September 2016 pursuant to the June 2016 Rules.
1. The EAR’s Encrypted Data Carve-Out
The BIS Final Rule includes the provisions in BIS’s June 2015 Proposed Rule providing that technology or software that is encrypted in accordance with certain specified criteria is not considered to be exported, reexported, or transferred even when the technology or software leaves one country for another. As published in the BIS Final Rule, this Encrypted Data Carve-Out will apply to the sending, taking, or storing of technology or software outside of the United States that is:
- unclassified;
- secured using “end-to-end encryption”;
- secured using modules compliant with (or equally or more effective than) FIPS 140-2 (a common encryption standard used for Federal Government procurement) and supplemented by other controls consistent with the U.S. National Institute for Standards and Technology guidance; and
- not intentionally stored in a country listed in Country Group D:5 or in the Russian Federation.
BIS made a number of revisions to the Encrypted Data Carve-Out to address public comments on BIS’s June 2015 Proposed Rule, the most substantial of which were to the definition of “end-to-end encryption.” The definition of this term that was proposed in 2015 specified that data could not be decrypted at any point between the initiation of the transmission and its receipt. BIS relaxed that requirement in the BIS Final Rule because commenters noted that, in many circumstances, companies encrypt and decrypt data multiple times in the course of transmission between originator and recipient without release to any third party. The BIS Final Rule’s definition of “end-to-end encryption” instead requires that:
- the technology or software will not be in unencrypted form while between the originator and recipient or these parties’ respective “in-country security boundaries”; and
- the means of decryption will not be provided to a third party.
BIS explains in the BIS Final Rule that the term “in-country security boundaries” reflects a requirement that these boundaries cannot be defined to include infrastructure resources encompassing multiple countries. Put another way, the originator and recipient may decrypt and re-encrypt technology or software within their security boundaries without exceeding the scope of the Encrypted Data Carve-Out, provided that: (a) the controlled technology or software is encrypted while outside the originator’s and recipient’s security boundaries and while crossing borders and (b) no third parties have the ability to access the data in clear text.
As noted above, the State Interim Rule does not revise the ITAR to include an equivalent carve-out for encrypted technical data. The State Department noted in the State Interim Rule that this issue will be addressed in a separate rulemaking. As it stands now, companies will need to differentiate between their treatment of ITAR- and EAR-controlled technical data/technology and software for purposes of cloud storage after the June 2016 Rules go into effect until the State Department issues a new rule implementing this carve-out.
2. EAR Controls on Transfers of Access Information
As a corollary to the addition of the Encrypted Data Carve-Out to the EAR, the BIS Final Rule revises the EAR to create a new positive authorization requirement that applies to so-called “access information”—e.g., decryption keys, network access codes, passwords, and other information allowing access to encrypted technology or software. Specifically, the BIS Final Rule amends the EAR to state that, if authorization would be required to transfer technology or software, a comparable authorization is required to transfer access information with knowledge that such a transfer would result in the release of technology or software without authorization. This new authorization requirement replaces provisions in BIS’s June 2015 Proposed Rule that some commenters viewed as imposing controls on access information that were distinct from the underlying data—i.e., as treating access information as a separate form of controlled technology under the EAR.
3. Revised EAR Definition of “Transfer (In-Country)”
The BIS Final Rule revises the EAR’s definition of “transfer (in-country)” to include any instance where there is a change of end-use or end-user within the same foreign territory. As a result of this revision, the definition of “transfer (in-country)” is consistent with the ITAR definition of “retransfer”—a term that was previously incorporated in the ITAR definition of “reexport” but is now set out as a standalone term in the ITAR pursuant to the State Interim Rule. This change to the EAR also eliminates any ambiguity over whether a change in end-use within a foreign country is sufficient to constitute a “transfer” under the EAR.
4. Revised ITAR Exemption for Exports of Technical Data to U.S. and Foreign Persons Abroad
The State Interim Rule expands on ITAR § 125.4(b)(9), which authorizes U.S. person employees of U.S. companies to send or take data outside of the United States in certain circumstances. Pursuant to these changes, which were modified based on comments on the State Department’s June 2015 Proposed Rule, foreign persons employed by a U.S. person that are authorized under an ITAR license or other approval to receive technical data in the United States may receive this same data abroad while on temporary assignment on behalf of their employer. The State Interim Rule also clarifies that U.S. persons or authorized foreign persons located outside of the United States may rely on this exemption when accessing technical data stored on U.S. servers. In order to be eligible for this exemption, the technical data must be secured while abroad to prevent an unauthorized release.
