June.11.2015
As part of the U.S. Export Control Reform initiative, the U.S. State Department and U.S. Commerce Department have published regulatory proposals that would, if implemented, reconcile a variety of inconsistencies between U.S. military and "dual use" export controls and make other important changes to defined terms that are fundamental to U.S. export controls.
Of particular importance, the proposals would exempt from export controls in specified circumstances cloud storage and uploading of most technical information to computers outside the United States. The exemption would be dependent on encrypting the information.
The State Department administers the International Traffic in Arms Regulations ("ITAR"), which govern exports and temporary imports of "defense articles" and "defense services."
The Commerce Department administers the Export Administration Regulations ("EAR"), which govern exports of "dual use" goods, software and technology. Dual use items are commercial items that are considered to have important military or security-related applications.
The EAR's Commerce Control List describes items the export of which, depending on the export destination, requires a license under the EAR. In general, exports of items on the ITAR's U.S. Munitions List to all locations require a license under the ITAR.
Suppliers and users of cloud services have been concerned about application of export controls to cloud activity for two main reasons. First, ITAR and EAR definitions of an "export" could be interpreted to encompass movement of technical information across a border to be uploaded into a cloud server located outside the United States. Second, ITAR and EAR so-called "deemed" export provisions could be construed to extend to instances in which non-U.S. persons, such as "IT" technicians, have access to technical information in the cloud, even if the cloud server is in the United States.
The State Department and the Commerce Department have issued guidance about, respectively, the ITAR's and the EAR's application to cloud activity. This guidance has been difficult to reconcile, with State Department advice – unlike Commerce Department advice – seeming to imply broad potential application of export controls to cloud activity.
The new proposals' resolution of export controls and the cloud would be unprecedented and is long overdue given the ubiquity of electronic data transmission and storage. The proposals would establish that the electronic transmission or storage of unclassified technical information abroad generally would not constitute an "export" provided that the information is sufficiently secured to prevent unauthorized access through end-to-end encryption that meets specified standards.
Under both the EAR and the ITAR, the definitions of terms largely dictate the scope and content of controls. The proposed rules elaborate upon, and thereby make more complex, existing definitions. The accuracy of the Departments' claim that this will increase clarity and simplicity for exporters remains to be seen. What is clear is that exporters cannot generally rely on the natural meaning of defined terms or on an intuitive implementation of them.
The following changes merit close attention and may be worthy of the submission of comments by exporters: