Friday June 3, 2016 the U.S. Departments of Commerce and State released their
latest rulemakings in the Export Control Reform Initiative - this time,
revising the definitions of "export" and several other terms relating
to technology transfers. These rules are the long-awaited follow-on to proposed
rules issued by each agency exactly one year ago on June 3, 2015. The Commerce Department's
Bureau of Industry and Security ("BIS") published a final rule to
complete the process, and the State Department's Directorate of Defense Trade
Controls ("DDTC") published an interim final rule with another
request for comments due July 5, 2016. (BIS still welcomes public comments on
its final rule on a continuing basis.) Both rules will become effective on
September 1, 2016.
stated purpose of this rulemaking was to enhance clarity and consistency in how
technology transfers and other export activities are treated between the Export
Administration Regulations ("EAR") administered by BIS and the
International Traffic in Arms Regulations ("ITAR") administered by
DDTC. Many concepts are now harmonized. For example, the ITAR now incorporates
the EAR "deemed export" rule regarding technology transfers to
foreign nationals in the United States, and the EAR now includes a similar
authorization framework as the ITAR for technology transfers by foreign entities
to their dual and third country national employees. However, significant
differences remain between the EAR and the ITAR, with the ITAR remaining the
more restrictive regulatory regime.
is a brief summary of key features in these rulemakings. Both agencies' rules
encompass several detailed changes across many definitions; these are a few
highlights that may be of interest to companies whose business involves
the context of cloud computing, the proposed 2015 rules for both agencies would
have excluded the transfer of technical data through foreign servers from
regulation as an export, if the data is encrypted end-to-end.
BIS adopted a final rule with respect to end-to-end encryption and cloud services.
DDTC stated that it will address this topic in a separate rulemaking.
new BIS rule exempting transfers of technical data through end-to end encryption
does not apply if the data are intentionally stored in so-called "D:5 countries"
(countries that are subject to a U.S. arms embargo) or the Russian Federation.
the new BIS rule exempts routing of technical data through foreign servers from
the definition of "export," the ultimate transfer to a foreign
location at the end of the transmission would still be an export of the
transmitted data to that location.
the EAR now provides more certainty to cloud service providers and their customers,
parties dealing in ITAR controlled technical data may not assume that encryption
will prevent their data from being exported if it is hosted on a foreign server
or accessed by a foreign national network administrator.
the EAR and the ITAR have been amended to clarify that an in-country transfer, which
could require additional authorization, occurs when there is a change in end use or end user within the same foreign country.
This means that, even if a licensed article never changes possession to another party, further U.S. government authorization could be required if the same authorized end user decides to apply the article towards a different end use than that originally stated in the license application.
This requires heightened vigilance by exporters to know their customers, understand their intended end uses, properly structure licenses, and obtain the necessary end use assurances.
Deemed Exports and Reexport
The ITAR now formally incorporates the deemed export/reexport concept that was already explicitly set forth in the EAR (relating to technical data transfers to a foreign persons within the United States or transfers to dual/third country nationals outside the United States).
The ITAR continues to take a more restrictive approach; DDTC will consider all citizenships held by, and any permanent residency status of, a foreign national.
By contrast, BIS has now codified its long-standing policy that in evaluating deemed exports, it will only consider the foreign national's most recent country of
citizenship or permanent residency.
of Technical Data
regard to technology transfers, the EAR now clarifies that, in order for technology
or software source code to be released to a foreign person such that it is exported,
controlled information has to be actually revealed. In other words, merely seeing
an item briefly, or providing a foreign person with theoretical or potential access
alone, is not necessarily sufficient to constitute an export.
adopted a similar approach, thereby changing its prior policy that theoretical access
to technical data was alone sufficient to constitute an export. DDTC has added
a new definition for the term "release," which includes inspection of
a defense article in a way that reveals technical data. DDTC also clarified in
its rulemaking comments that information that is simply an attribute of a
defense article (such as size or weight) is not technical data.
and Third Country National Employed by Foreign Entities
codified its previous interagency-cleared "Deemed Reexport Guidance" previously
posted on the BIS website on October 31, 2013. The purpose of that guidance,
and now this rule, is to harmonize the way dual and third country nationals are
treated between the EAR and the ITAR, for deemed reexport purposes, where an
individual is employed by a foreign entity that is authorized to have the
also made changes to consolidate into a single exemption its existing regulations
authorizing certain dual or third country national employees to receive technical
data already licensed to their foreign employers.
net effect of these changes is to establish consistency of treatment between
the EAR and the ITAR, and to make these provisions easier to use.
Exports for Individual Use
the EAR and the ITAR have been amended to clarify the circumstances under which U.S. persons, and foreign employees of U.S. companies travelling abroad on a temporary assignment, are permitted to receive technical data without a license.
BIS revised its TMP license for temporary exports, and DDTC has revised its technical data license exemption, to take a harmonized approach. To qualify under these regulations, the foreign person must be abroad on a temporary assignment (this caveat does not apply to U.S. persons abroad, who may be on a permanent assignment). Also, sufficient security precautions must be taken (which can include encryption,
use of virtual private networks, passwords, and firewalls) to prevent unauthorized
takeaway from this rulemaking is that, while companies dealing in both EAR and
ITAR controlled technical data now will be able to take a more straightforward
and consistent approach in implementing compliance measures to address both
regulatory regimes, there are still some differences in how technology is
treated, with DDTC continuing to take a more restrictive approach. Companies
dealing with export controlled data should take this opportunity to update
their technology control plans, review their foreign national vetting and
access procedures, and revisit the terms and conditions of their technology
licenses. Additionally, companies that have an interest in offering or using
ITAR compliant cloud services might consider providing comments to DDTC and
should stay alert to future developments in this area, given DDTC's plans to
revisit that aspect of the rulemaking.
See Department of Commerce, "Revisions to Definitions in the Export
Administration Regulations," 81 Fed. Reg. 35586 (June 3, 2016); see also
Department of State, "International Traffic in Arms: Revisions to
Definition of Export and Related Definitions," 81 Fed. Reg. 35611 (June 3,