On June 3, 2015, the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) and the Department of Commerce’s Bureau of Industry and Security (BIS) published proposed rules amending the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) in an attempt to further implement the president’s Export Control Reform (ECR) initiative and refine these regulations. Under the proposed rules, certain electronic transmissions of encrypted controlled technical data across borders would no longer be considered “exports.” DDTC also proposes amending the definition of “defense services” and providing definitions for other terms that had been previously undefined. BIS also intends to codify its deemed reexport guidance. Finally, the proposed rules also align certain definitions of common terms between the ITAR and the EAR. The agencies have published a chart comparing these terms.
These proposed changes are summarized below. DDTC and BIS are soliciting comments from industry and will consider all comments submitted by August 3, 2015. Please note that none of the proposed revisions below are effective until DDTC and BIS publish a final rule implementing changes.
Highlights of the Proposed Rules
ITAR and EAR: Electronic Transmissions
The proposed rules would revise the scope of the ITAR and EAR to provide that the electronic transmission and storage of certain encrypted data and technology would not qualify as an export, reexport, transfer or retransfer subject to the ITAR or EAR. At the same time, DDTC and BIS propose to broaden the definitions of export, reexport, transfer and retransfer to include the sending or releasing of decryption keys, network access codes, passwords or similar items that would decrypt stored or transferred controlled data and technology.
The proposed Sections 734.18 of the EAR and 120.52 of the ITAR include lists of activities that are not deemed by BIS and DDTC to qualify as exports, reexports, transfers or retransfers. The proposed rules for the ITAR and EAR include almost-identical circumstances under which “sending, taking or storing” technical data or software is not considered an export. Under both the ITAR and EAR, the technical data (under the ITAR), technology (under the EAR) or software must be:
- secured using end-to-end encryption
- secured using cryptographic modules (hardware or software) compliant with the Federal Information Processing Standards Publication 140–2 (FIPS 140–2) or its successors, supplemented by software implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications (Note: The proposal for the EAR also allows for “other similarly effective cryptographic means,” but the proposal for the ITAR requires compliance with the listed standards)
- not stored in a country proscribed in § 126.1 of this subchapter or the Russian Federation.
Proposed changes to Sections 120.17(6) of the ITAR and 734.13(6) of the EAR include clarification regarding when transferring information, such as decryption keys, network access codes, passwords or software, satisfies the definition of “export.” Under the ITAR, any release or transfer of such information, or “provision of physical access that would allow access to other technical data in clear text or software to a foreign person regardless of whether such data has been or will be transferred” as an “export.” Under the EAR’s proposed rule, for the release of such information to constitute an “export”, that release or transfer must be made with the ‘knowledge’ that it will cause or permit the transfer of other ‘technology’ in clear text or ‘software’ to a foreign national.
This distinction is particularly meaningful in the context of unauthorized exports of such information. Under the ITAR’s proposed rule, any unauthorized export, regardless of knowledge, would be a violation of the ITAR. Under the EAR’s proposed rule, an unauthorized export of this type of information would be a violation of the EAR, only if the person had knowledge that the export would result in the unauthorized ability to decrypt controlled information.
ITAR: Defense Services
The DDTC’s proposed rule marks the third attempt to refine the scope of the currently overbroad definition of “defense services.” In April 2011, DDTC published the first proposed revisions to the definition of “defense service” to narrow the existing definition of “defense service.” DDTC published a second proposed revised definition in May 2013, which incorporated certain comments received in response to the April 2011 proposed rule. The proposed rule further revises the current definition of “defense services” to include limiting the scope of activities that are “defense services” as follows:
- Providing technical data without providing other assistance would no longer be considered a defense service under the proposed definition. However, ITAR authorization would still be required for such activities.
- For an activity to qualify as a defense service, the person (i.e., a U.S. person located anywhere or a foreign person located in the United States) must have knowledge of U.S.-origin “technical data” directly related to the “defense article” at issue or another “defense article” described in the same United States Munitions List paragraph prior to performing the service.
- U.S. persons abroad who receive U.S.-origin technical data as a result of their activities on behalf of a foreign person are not included within the scope of the new definition and therefore cannot provide a defense service.
- Foreign-person employees located in the United States who provide defense services on behalf of their U.S. employer are covered by the U.S. employer’s authorization and need not be listed on the U.S. employer’s technical assistance agreements or receive a separate authorization to provide defense services.
- Furnishing of assistance, including training, in organizational-level (i.e., basic-level) maintenance of a defense article would not be considered to be a defense service.
ITAR: Proposed Definition of “Required”
EAR: Proposed Definition of “Peculiarly Responsible”
While the term “required” is defined in the EAR and in the Wassenaar Arrangement, it is not defined in the ITAR as it relates to technical data. The proposed rule adds the following definition of “required” in the ITAR, which aligns with the defined term in the EAR and Wassenaar Arrangement: “As applied to technical data, the term required refers to only that portion of [technical data] that is peculiarly responsible for achieving or exceeding the controlled performance levels, characteristics, or functions. Such required [technical data] may be shared by different products.”
Both the ITAR’s and EAR’s proposed rules would also implement a catch-and-release test for determining whether information is “peculiarly responsible” for meeting or achieving the controlled performance levels, characteristics or functions of an item, and therefore controlled, because it is “required” information. The catch-and-release test is analogous to the specially designed test. It has a broad catch function, catching technology if it is used in or for use in the development, production, use, operation, installation, maintenance, repair, overhaul, or refurbishing of an item subject to the EAR or ITAR and then offers four options for release: (a) the technology is the subject of an agency determination, (b) the identical technology is used in or with a non defense article (ITAR) or an EAR99 or AT-controlled only item (EAR) that is in production, (c) the technology was developed for a general purpose, or (d) the technology was developed for dual use (ITAR) or was developed with the knowledge that it would be used in EAR99 and/or AT-controlled only item (EAR).
ITAR: Revised Exemption for the Export of Technical Data for U.S. Persons Abroad
ITAR 125.4(b)(9) currently authorizes U.S. person employees of a U.S. corporation or U.S. government agency to export or receive technical data from the U.S. company or U.S. government agency overseas without an export license as long as the data is for use only by a U.S. person overseas. The proposed rule expands this exemption to allow foreign-person permanent employees of a U.S. corporation or U.S. government agency who are authorized to receive “technical data” in the United States to also be eligible to export or receive that same “technical data” abroad, when on temporary assignment on behalf of the foreign person’s U.S. corporation or U.S. government employer.
EAR: Codification of Deemed Reexport Guidance
The proposed BIS rule would codify the current version of the BIS-deemed reexport guidance published by BIS in October 2013 (see link). That guidance set forth BIS’s legacy position with respect to deemed reexports and also described exceptions to the deemed reexport rule that aligned with ITAR provisions 124.16 and 126.18. The current guidance would be codified in two sections: 750.7 and 734.20.
Section 750.7 would be amended to, among other things, state that a BIS license authorizing the release of technology to an entity also authorizes the release of that same technology to its dual and third-country nationals (DTCN) who are bona fide regular employees of the entity, unless specifically limited by a license condition. That is, the proposed rule would confirm that additional authorization is not required for transfers of EAR-controlled technology to DTCN bona fide regular employees where a BIS technology license is in place.
Section 734.20 would be amended to, among other things, codify (1) BIS’s longstanding position that an individual’s DTCN status is determined based on his/her most recent country of citizenship or permanent residency, (2) an exemption equivalent to ITAR 124.16 and (3) an exemption equivalent to ITAR 126.18. A noteworthy difference between the BIS exception in proposed Section 734.20(b), which aligns with the authorization in ITAR 124.16, is that the country group of eligible citizenships in proposed Section 734.20(b) is BIS Country Group A:5, whereas the ITAR allows exports to member states of NATO and the European Union, Australia, Japan, New Zealand and Switzerland. The country lists are very similar, with a few notable differences. For example, South Korea and Argentina are included in Country Group A:5, but do not appear under ITAR 124.16. Also, Malta, Albania, and Cyprus are included under ITAR 124.16 but do not appear in Country Group A:5.
Additional New and Revised Definitions
In addition to the above changes, the proposed rules also seek to align various terms between the ITAR and EAR, including definitions of “technical data,” “technology,” “published,” results of “fundamental research,” “export,” “release” and “transfer (in-country).” For example, the ITAR’s proposed rule includes a revised definition of “technical data” under the ITAR that includes information that is required for the development, production, operation, installation, maintenance, repair, overhaul or refurbishing of a defense article, as well as classified information for the development, production, operation, installation, maintenance, repair, overhaul or refurbishing of a defense article or a 600 series item subject to the EAR. The ITAR proposed rule defines “required,” a previously undefined term, to align more closely with the EAR definition and clarifies that “required” technical data is only the portion of technical data that is peculiarly responsible for achieving or exceeding the controlled performance levels, characteristics or functions.
Additionally, the rules include revised definitions of “public domain” and “published.” The proposed ITAR definition of “public domain” provides that further dissemination of ITAR-controlled technical data or software that was made available to the public without authorization is a violation of the ITAR if, and only if, it is done with knowledge that the ITAR-controlled technical data or software was made publicly available without appropriate authorization. The EAR’s revised definition of “published” clarifies that, in cases not involving an exception, ‘‘technology’’ or ‘‘software’’ is ‘‘published’’ and is thus not ‘‘technology’’ or ‘‘software’’ subject to the EAR when it is not classified national security information and has been made available to the public without restrictions upon its further dissemination.
The proposed changes should result in greater clarity for parties operating under these regulations. However, affected parties, including both U.S. and non-U.S. entities that operate under the ITAR or EAR, should carefully review and consider the proposed changes in light of their current business practices. Many parties have implemented running rules, policies and practices that are reasonable based on the current regulations and interpretations but that may not align completely with the proposed revisions. Companies should carefully review and consider the proposed revisions and provide comments to the agencies where the proposed changes would be problematic.
Additionally, parties may wish to consult with internal and external information technology service providers regarding the practicability of the provisions related to electronic transfers, balancing the need to protect against unauthorized access with the need to utilize off shore IT service providers. Similarly, parties should consider the workability of the proposed revisions to the definition of defense services and whether the proposed rule sufficiently narrows and defines the activities qualifying as defense services.
With that in mind, the agencies will accept comments on the proposed rules until August 3, 2015, although comments received after the deadline may also be considered.