On June 3, 2015, the U.S. Commerce Department’s Bureau of Industry and Security (“BIS”) and the U.S. Department of State’s Directorate of Defense Trade Controls (“DDTC”) published two proposed companion rules to revise and harmonize certain definitions in the Export Administration Regulations (“EAR”) and the International Traffic in Arms Regulations (“ITAR”) as part of the U.S. Government’s ongoing export control reform efforts (the “Proposed Rules”) (see BIS’s proposed rule here and DDTC’s proposed rule here). Most of the changes are largely technical or clarifying in nature, but there are certain key new definitions and concepts particularly relevant to technology transfers, deemed exports, and cloud computing. Both agencies are actively encouraging comments on the Proposed Rules; industry participants have 60 days from June 3, 2015 to submit comments.
The purpose of the Proposed Rules is essentially two-fold: (1) to enhance clarity and consistency of terms found in the EAR and ITAR; and (2) to update and clarify the application of controls over electronically transmitted and stored technology and software. To review a side-by-side chart of the proposed changes to the EAR and ITAR, please see here.
A few of the key proposed substantive amendments are summarized below (for a complete overview of all of the proposed changes, please refer to the Proposed Rules):
The Proposed Rules clarify that when technology/technical data or software is transmitted electronically through, or is stored electronically in, a foreign country, an export, reexport, or (re)transfer has not occurred provided the following four conditions are met:
i. The technology/technical data or software is unclassified.
ii. The technology/technical data or software is encrypted “end-to-end”, i.e., it must be encrypted prior to leaving the sender’s facilities and remain encrypted until received by the intended recipient or retrieved by the sender.
iii. The technology/technical data or software is secured using modules compliant with FIPS 140-2 (a common encryption standard used for Federal Government procurement) and supplemented by other controls consistent with the U.S. National Institute of Standards and Technology guidance. In the case of the EAR only, “similarly effective cryptographic means” are permitted as an alternative to FIPS 140-2.
iv. In the case of technical data under the ITAR, the technical data cannot be stored in a proscribed country listed in Section 126.1 of the ITAR or in Russia. In the case of controlled technology or software under the EAR, it cannot be stored in countries listed in Country Group D:5 or in Russia.
These conditions are largely reflective of the recommendations laid out in a DTAG Cloud Computing Group White Paper published in May 2013.
BIS acknowledges that the requirement for end-to-end encryption may pose compliance challenges for users of third party digital services, such as cloud SaaS (software as a service) and email services. BIS deemed end-to-end encryption necessary because, although these services might encrypt and decrypt information at various points in the process of transmitting or storing it, any instance in which the technology or software is in unencrypted form could still trigger an export or reexport that could potentially require BIS authorization. In particular, BIS identified the potential for unauthorized releases of unencrypted data to non-U.S. national employees of U.S.-based third party digital service providers or to non-U.S. third party digital service providers. While not explicitly stated in the Proposed Rules, the end-to-end encryption requirement (along with a 2009 advisory opinion from BIS) suggests that the owner of the data or software (as the original “sender”) would be responsible for any unauthorized transmission or release of controlled technology or software rather than the third party digital service provider.
The Proposed Rules would include in the definitions of “technology”/“technical data” information, such as decryption keys, network access codes, or passwords, that would allow access to other technology/technical data in clear text or to software. Similarly, the Proposed Rules would amend the definitions of “export” to include also the release or other transfer of such means of access under certain circumstances.
Under the EAR proposed rule, simply releasing or otherwise transferring to a foreign national the means of access to technology in clear text or software (e.g., cryptographic keys, passwords, network access codes, or software) will itself be an “export” when undertaken with “knowledge” that providing such means of access will cause or permit the transfer of other technology in clear text or software.
Under the ITAR proposed rule, merely releasing or otherwise transferring to a foreign national the means of access to technical data in clear text or software will be an “export” if such release or transfer would allow access to other technical data in clear text or software. The ITAR definition does not require “knowledge” that a transfer will result, nor does it require that such transfer actually occurs.
“Clear text” is intended to follow the industry standard definition, e.g., information or software that is readable without any additional processing and is not encrypted. BIS specifically encourages the industry to submit comments on whether a specific definition of “clear text” is warranted.
Under the ITAR, the term “required” in the context of technical data has been undefined to date. DDTC proposes to adopt a new definition of “required” that aligns with the definition found in the EAR and the Wassenaar Arrangement (i.e., “only that portion of technical data that is peculiarly responsible for achieving or exceeding the controlled performance levels, characteristics or functions”) and to add three explanatory notes with illustrative examples. The EAR’s definition of “required” remains unchanged, although BIS proposes to add two consistent clarifying notes and examples.
The proposed new definition of the term “peculiarly responsible” is modeled on the catch-and-release structure, which BIS and DDTC have previously adopted for the definition of “specially designed.” Thus, under the proposed definition, an item is “peculiarly responsible” for achieving or exceeding any referenced controlled performance levels, characteristics, or functions if it is used in development, production, use, operation, installation, maintenance, repair, overhaul, or refurbishing of an item subject to the EAR/ITAR unless the item is released through specific conditions that mirror the “specially designed” releases.
BIS proposes to revise the definition of a “transfer (in-country)” to “a change in end use or end user of an item within the same foreign country” to parallel the term “retransfer” in the ITAR. This is intended to eliminate any ambiguity over whether a change in end use or end user within a foreign country is sufficient to constitute a “transfer.”
DDTC proposes to introduce a more flexible definition of “public domain” to better accommodate the continually evolving array of media through which information is presented and to more closely align with the EAR and Wassenaar Arrangement definitions. Under the proposed ITAR definition, information is in the public domain if it is made available to the public without restrictions on its further dissemination. The proposed amendments represent a significant broadening of the scope of the definition and, as such, of the universe of information that will not be subject to the ITAR because it is in the “public domain.” Notably, the definition provides that information published on the Internet on sites available to the public is in the “public domain.”
The U.S. Government would still have to approve a release of technical data or software subject to the ITAR that would make the technical data or software available in the “public domain.”
DDTC published the first proposed revisions to the definition of “defense service” on April 13, 2011 (see 76 FR 20590) to narrow the existing definition of “defense service,” which DDTC stated was overly broad. Based on industry comments, DDTC published the second proposed revised definition on May 24, 2013 (see 78 FR 31444). The ITAR proposed rule constitutes DDTC’s third round of proposed revisions to the definition of “defense service.”
The latest proposed definition provides that the furnishing of assistance in the production, assembly, testing, intermediate- or depot-level maintenance, modification, demilitarization, destruction, or processing of a defense article is only a “defense service” if it is furnished by a U.S. person or a foreign person in the United States who has knowledge of U.S.-origin technical data directly related to the defense article that is the subject of the assistance. In addition, the furnishing of technical data to a foreign person is no longer within the scope of the definition of “defense service” because it is already covered as an “export” of “technical data.”
As noted above, for a complete overview of all of the proposed changes, please refer to the Proposed Rules.