New Rules from BIS/DDTC

On June 3, 2016, the Department of Commerce, Bureau of Industry and Security (BIS) issued a final rule (RIN 0694 AG32), and the Department of State, Directorate of Defense Trade Controls (DDTC), issued an interim final rule, making important changes to key definitions in the Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR), respectively. Both of these new rules have an effective date of September 1, 2016.

One of the reasons for these definitional changes is to more closely align the language in the EAR and ITAR in cases where both sets of regulations share the same purpose. In addition, the rules seek to update the EAR’s treatment of electronically transmitted and stored technology and software.  

These rules update the definitions of the terms “export”, “re-export”, “release” and “retransfer” under both the EAR and the ITAR, dealing largely with controls over technology and technical data.

In addition, the BIS final rule adds or revises the following EAR definitions: “access information”, “foreign person”, “fundamental research”, “proscribed person”, “publicly available encryption software”, “published”, “required”, “technology”, “transfer”, and “transfer (in-country)”.

Transmission of encrypted data meeting the criteria of 734.18 of the EAR will not be subject to regulation under the EAR, and the “sending, taking, or storing” of unclassified technology or software that is secured using “end-to-end” encryption will not be treated as an export, re-export, or transfer.

The encryption standard must meet the minimum requirement of FIPS 140-2 (Federal Information Processing Standards Publication), or its successors.

Data must be encrypted before crossing national borders in order to qualify for this treatment. The means of decryption should not be provided to any third party and the data may not be decrypted outside the parties’ security boundaries. 

The data cannot be stored in Russia or China, or a country subject to a US arms embargo.

A license or other authorization will be required to provide decryption keys or other access information. (What is being controlled is not the access information itself but rather its transfer in such a way that would lead to unauthorized access to the encrypted data.)

The BIS stated that providing a decryption key or other “access information” will only require the same type of authorization as applies to the underlying data if done “with knowledge” that it will result in an unauthorized release. (The BIS general policy is that only actual exports trigger controls, and not merely potential access.) This leaves open the question of what level of responsibility a holder of access information has to keep it secure.

For ITAR, sending or taking technical data, including software object code, out of the United States to a foreign person will remain a regulated export under revised 120.17 of the ITAR, regardless of whether the data is encrypted. In addition, transfers to foreign subsidiaries of US companies are not exempt. The agency did, however, amend an exception allowing certain transfers of technical data to US persons abroad, as long as appropriate security measures are in place.

These new rules will provide a great benefit to many companies, but they will also create a compliance risk because of the strict encryption requirements. As an example, the rules would require that only the exporter maintain the encryption keys, while it may be more efficient for the cloud service provider to do so.

If you have any questions about these or other customs matters, please contact Nic Arters at narters@starusa.org or at (419) 281-4100.