Changes to the Department of Commerce’s definition of an “export” were finalized this past fall and published in the Bureau of Industry and Security’s Export Administration Regulations (EAR). The revisions were completed in order to further harmonize the EAR with the Department of State’s International Traffic in Arms Regulations (ITAR). The EAR and ITAR are the two main export control laws for technology. The EAR covers “dual use” items – commercial products that could have military applications. ITAR covers defense articles that are on the United States Munitions List (USML). There were several takeaways from these revisions that may apply to North Dakota companies and institutions, and are overviewed as follows.
The most significant revision is what constitutes an export when transferring or storing technology on cloud servers. Transmissions through the cloud will no longer be considered an export when the transmissions are encrypted all the way from the originator to the intended receiver, using encryption services “at least as effective” as FIPS 140-2, and not intentionally stored on a server in a country listed in Country Group D:5 (U.S. arms embargoed countries) or Russia. The information must also be “unclassified” to not be an export in this case.
It is now also considered an export, subject to export control requirements, if “access information” is not encrypted from originator to the intended recipient. Access information includes decryption keys, passwords, or other information that allows access to encrypted data.
In this way, U.S. companies can use cloud technology and other electronic transmission means, such as email, to store and transfer unclassified technology subject to EAR without it being considered an export as long as they meet the encryption requirements. Furthermore, the BIS FAQ’s clarify that a U.S. national may remotely access secure data on a U.S. server while outside the U.S. and not have to declare it as an export. These cloud computing provisions are not yet included in ITAR, but are to be included in the future.
A second important change to the EAR is that technology or technical data must be “released” to a foreign person to be considered an export. As such, a foreign person having theoretical or potential access to technology or software is not considered to be a release because such speculative access does not by definition reveal information. Also a foreign person merely observing an item does not constitute an export. Visual, aural or tactile inspection must actually reveal technology or source code to be considered a “release” of technology by the EAR, and thus an export.
ITAR’s rules have separately been revised to specify a “release” only if technical data is revealed and not simply attributes such as size and weight.
For additional assistance on defining an export, please contact NDTO’s Sharon May at (701) 231-1158 or at sharon@ndto.com.