Proposed Export Control Reform impacts cloud storage, email, and U.S. workers abroad
The Obama administration continues its attempt to implement Export Control Reform (ECR) with proposed changes to regulations governing a number of matters, including:
- Cloud computing
- Email transfer of export controlled technical data and technology
- The international defense industry
The proposed rule changes would remove existing licensing and approval requirements from the transfer and storage of technology or software in encrypted form, subject to certain conditions. In addition, the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) has proposed revising the International Traffic in Arms Regulations (ITAR) to require all U.S. persons—U.S. citizens, permanent residents (“green card” holders), refugees, asylees, or temporary residents protected under the Immigration Reform and Control Act of 1986, and any entity, organization, or group that is incorporated in the United States—who provide defense services abroad to be registered and licensed, absent an applicable exception.
Because the changes are meant to harmonize regulations administered by the DDTC and the U.S. Department of Commerce’s Bureau of Industry and Security (BIS), both agencies have solicited public comment. Given their potential breadth and effect, if your business would be affected by these changes we strongly encourage you to carefully review the proposed regulations and provide suggestions that would positively impact your business going forward.
Below is a summary of a few of the proposed amendments.
Export controlled cloud computing and email
It may come as a surprise to you that the export control regulations administered by BIS and DDTC currently do not make any distinction between encrypted and unencrypted transfers of technology or software.
In other words, as it stands, if you send an encrypted email with export controlled technical data, technology, or software to a U.S. person in the U.S., and unbeknownst to you the email ends up being routed through a foreign server, you have arguably made an unauthorized export in violation of U.S. export control laws. Similarly, under existing regulations if you were to store encrypted export controlled technology, software, or technical data on the cloud, and the material was actually physically stored on a server in another country, you would arguably have made an unauthorized export—even if you never intended for the data to leave the country.
The regulatory revisions proposed June 3, 2015 (80 Fed. Reg. 31505, 31525), attempt to remove this risk, under the logical rationale that if the technology, software, or technical data is encrypted it is not readable, and is therefore useless to unauthorized parties unless and until it is decrypted.
However, as you might expect from the government, certain conditions are imposed on this proposed exclusion from Export Administration Regulation (EAR) and ITAR licensing requirements:
- The information cannot be classified.
- The information must be encrypted end-to-end—meaning it must be encrypted prior to leaving the sender’s facilities and remain encrypted until received by the intended recipient or retrieved by the sender.
- ITAR technical data and software must be encrypted using cryptographic hardware or software compliant with the Federal Information Processing Standards Publication 140-2 (FIPS 140-2), supplemented by procedures and controls that are in accordance with current U.S. National Institute for Standards and Technology (NIST) standards. EAR technology and software must be encrypted to the same standards, or other similarly effective cryptographic means.
- For foreign policy reasons, ITAR encrypted technical data or software cannot be stored in any country proscribed under 22 C.F.R. 126.1 (Belarus, Cuba, Eritrea, Iran, North Korea, Syria, Venezuela, Burma, China, and Sudan, among others) or Russia. EAR encrypted technical data or software cannot be stored in the Commerce Control List’s Country Group D:5 (which is similar, but not identical to ITAR’s Part 126.1 list), or Russia.
Although many might be heartened by this proposal, the strict standards that must be satisfied in order to fall under the exclusion may force many businesses to continue applying for export licenses simply to send an email or save a document. Here’s why:
- Third party providers—Many companies today rely on encryption provided by third party digital service providers, such as cloud software as a service provider and some email services. BIS and DDTC consider this sort of encryption to present a risk of unauthorized release, because the information transmitted may be encrypted and decrypted many times before it reaches its intended recipient. Therefore, the government insists that in order to qualify for the exclusion from licensing requirements, end-to-end encryption be adopted in order to ensure that no non-U.S. national employee of a domestic cloud service provider or foreign digital third party or cloud service provider can get access to controlled technology or software in unencrypted form.
- Certification and guidelines—Companies that use hardware and software not certified by NIST or not conforming to NIST guidelines and FIPS 140-2 standards would be unable to take advantage of the exclusion. While BIS attempts to accommodate this by permitting the use of encryption by similarly effective cryptographic means (provided the exporter takes responsibility for ensuring that such means are effective), DDTC does not permit the use of alternative encryption approaches. Therefore, under the proposed rule, in order for ITAR encrypted data to be excluded from export licensing requirements, a company’s encryption hardware and software modules must be certified by NIST, and NIST key management and other implementation standards must be used.
Revised registration and licensing requirements for U.S. persons abroad
The ITAR currently requires that any person in the U.S. who engages in manufacturing, exporting, or temporarily importing defense articles must register with DDTC. Pursuant to the proposed May 26, 2015 (80 Fed. Reg. 30001) amendments, some significant changes to the ITAR would be made, including:
- U.S. persons performing defense services abroad would be required to register with DDTC, as is currently required for U.S. persons who engage in the brokering of defense articles and defense services anywhere in the world.
- U.S. persons would be obligated to obtain an export license to provide defense services to a foreign person, unless an exemption applies or the U.S. person is a regular employee of a DDTC registered U.S. entity, or a foreign subsidiary or affiliate listed on the registration application of a registered U.S. entity, and:
- The natural U.S. person is authorized to provide defense services via a licensing agreement between the foreign subsidiary or affiliate and the U.S. registered entity; and
- The registered U.S. entity has demonstrated its capacity to ensure the U.S. persons’ compliance with the ITAR.
- Exemptions from the licensing (but not the registration) requirement would apply under certain limited circumstances where the U.S. person is an individual either:
- Employed by foreign persons who are providing defense services exclusively in North Atlantic Treaty Organization and European Union member countries as well as Australia, New Zealand, Japan, and/or Switzerland.
- Working in support of an active Foreign Military Sales contract and pursuant to an executed letter of offer and acceptance.
Note that in both cases the exemption would be subject to a number of conditions, such as the requirement that no ITAR controlled technical data may be shared in the process of providing the defense service.
The proposed rule would require a wide range of U.S. persons working abroad for foreign companies to not only register under the ITAR, but also to obtain licenses to furnish defense services. This could include U.S. persons working at the foreign branch of a U.S. company, whether as a contractor or regular employee, as well as regular U.S. person employees of foreign businesses with no U.S. affiliations, among others. If implemented as proposed, the rule would impose significant individual compliance obligations on individual U.S. persons working abroad, as well as their employers. The agency has specifically encouraged commentary from foreign persons who employ U.S. persons, as well as the U.S. persons who will be affected by the rule.
The proposed rules have many nuanced implications for U.S. and foreign businesses and their employees and contractors. McDonald Hopkins is happy to assist you and your company in analyzing the potential effects of these rules and in drafting commentary and suggested revisions for consideration by U.S. export control agencies. DDTC and BIS are accepting comments on the June 3, 2015, proposed rule changes through Aug. 3, 2015, while DDTC will accept comments on the May 26, 2015, proposed amendments until July 27, 2015.
For more information, please contact one of the professionals listed below.