Proposals Seek to Harmonize Military and "Dual Use" Export Controls; Would Facilitate Cloud Services and the Electronic Transmission and Storage of Data
June.11.2015
As part of the U.S. Export Control Reform initiative, the U.S. State Department and U.S. Commerce Department have published regulatory proposals that would, if implemented, reconcile a variety of inconsistencies between U.S. military and "dual use" export controls and make other important changes to defined terms that are fundamental to U.S. export controls.
Of particular importance, the proposals would exempt from export controls in specified circumstances cloud storage and uploading of most technical information to computers outside the United States. The exemption would be dependent on encrypting the information.
Two U.S. Export Control Regimes
The State Department administers the International Traffic in Arms Regulations ("ITAR"), which govern exports and temporary imports of "defense articles" and "defense services."
The Commerce Department administers the Export Administration Regulations ("EAR"), which govern exports of "dual use" goods, software and technology. Dual use items are commercial items that are considered to have important military or security-related applications.
The EAR's Commerce Control List describes items the export of which, depending on the export destination, requires a license under the EAR. In general, exports of items on the ITAR's U.S. Munitions List to all locations require a license under the ITAR.
Export Controls and Cloud Computing
Suppliers and users of cloud services have been concerned about application of export controls to cloud activity for two main reasons. First, ITAR and EAR definitions of an "export" could be interpreted to encompass movement of technical information across a border to be uploaded into a cloud server located outside the United States. Second, ITAR and EAR so-called "deemed" export provisions could be construed to extend to instances in which non-U.S. persons, such as "IT" technicians, have access to technical information in the cloud, even if the cloud server is in the United States.
The State Department and the Commerce Department have issued guidance about, respectively, the ITAR's and the EAR's application to cloud activity. This guidance has been difficult to reconcile, with State Department advice – unlike Commerce Department advice – seeming to imply broad potential application of export controls to cloud activity.
The new proposals' resolution of export controls and the cloud would be unprecedented and is long overdue given the ubiquity of electronic data transmission and storage. The proposals would establish that the electronic transmission or storage of unclassified technical information abroad generally would not constitute an "export" provided that the information is sufficiently secured to prevent unauthorized access through end-to-end encryption that meets specified standards.
Other Proposed Changes
Under both the EAR and the ITAR, the definitions of terms largely dictate the scope and content of controls. The proposed rules elaborate upon, and thereby make more complex, existing definitions. The accuracy of the Departments' claim that this will increase clarity and simplicity for exporters remains to be seen. What is clear is that exporters cannot generally rely on the natural meaning of defined terms or on an intuitive implementation of them.
The following changes merit close attention and may be worthy of the submission of comments by exporters:
- The ITAR proposal would modify the manner in which software is controlled under the ITAR. Under the proposal, software would be controlled as a separate type of defense article rather than as technical data, and, as a result, it appears that software would no longer be controlled in most U.S. Munitions List categories as technical data directly related to a defense article.
- It appears that the ITAR proposal would in some instances adjust controls on software relating to defense services, the implications of which are uncertain. The ITAR proposal may expand controls on software relating to defense services by specifying that "integration" of a defense article with any other item will generally constitute a defense service. "Integration" is defined to include the "introduction" of software to enable operation of a defense article. What constitutes the "introduction" of software is not defined.
- The ITAR proposal would seem to limit the scope of defense services in certain respects. For example, the proposed regulations would confirm that the furnishing of assistance by foreign persons outside the United States is not an ITAR-controlled defense service. They also indicate that furnishing of assistance to a foreign person in connection with certain processes relating to a defense article would be a defense service only if it is furnished in the United States by someone who has knowledge of U.S.-origin technical data directly related to the defense article.
- The ITAR proposal would amend the ITAR so that unclassified technical information would generally qualify as technical data only if it is "peculiarly responsible" for achieving or exceeding controlled performance levels, characteristics or functions. The new definition of "peculiarly responsible," like the definition of "specially designed," then imposes a complicated catch and release structure.
- The ITAR proposal would amend the ITAR definition of "public domain" so that information and software would be in the public domain if they are made available to the public without restrictions on further dissemination. Information published through the Internet on sites available to the public would be considered to be in the "public domain." The changes would clarify that U.S. government approval is required for the release of technical data or software subject to the ITAR that would make the technical data or software available in the "public domain."