DoD’s Proposed Rule Would Create Additional Risk and Burdens for Contractors Handling Export-Controlled Information
- On October 31, 2016, the Department of Defense (DoD) issued a proposed rule titled, “Withholding of Unclassified Technical Data and Technology from Public Disclosure” (“Proposed Rule”).
- The Proposed Rule would establish a new policy and procedure for the dissemination of certain technical data subject to the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) by DoD to qualified U.S. and Canadian defense contractors and by those contractors to their subcontractors and others.
- A contractor’s qualification to access export-controlled data and technology would be temporarily revoked upon DoD’s receipt of “substantial and credible information” of a violation of U.S. export control law by the contractor or any of its employees.
- Public comments are due on December 30, 2016.
The Proposed Rule creates a procedure for DoD to release unclassified technical data subject to EAR and ITAR to “qualified contractors,” which are defined to mean qualified U.S. and Canadian contractors. The Proposed Rule raises critical operational and legal issues for U.S. and Canadian defense contractors seeking to obtain ITAR and EAR technical data from DoD: (1) the certification requirements related to qualification, (2) the use of overlapping and confusing terminology throughout the rule regarding the type of information subject to the rule, (3) the limitations on further dissemination and (4) the possibility of disqualification for export violations. The following provides a brief summary of the process, the contractor certification requirement, the type of information subject to the rule, the disclosure limitations and the issue of disqualification.
The Proposed Rule states that the procedures for release of technical information applies to only information that meets the following three criteria: (1) the information must be on the U.S. Munitions List (USML) or Commerce Control List (CCL); (2) the information would require a license, exception, exemption or other authorization in accordance with U.S. export laws and regulations; and (3) the information is not under the control of the Nuclear Regulatory Commission pursuant to the Atomic Energy Act of 1954, as amended, and the Nuclear Non-Proliferation Act of 1978, as amended. If the information meets these criteria, DoD will authorize release of the criteria to the qualified contractor, except in three circumstances: (1) the qualification of the contractor has been temporarily revoked for one or more of several reasons described in more detail below, (2) the controlling DoD office judges the requested technical data and technology to be unrelated to the purpose for which the qualified contractor is certified, or (3) the technical data and technology is being requested for a purpose other than to permit the requester to bid or perform on a contract with the DoD or other U.S. government entity.
Contractor Certification Requirement
To become a qualified U.S. contractor, the individual or enterprise must certify and acknowledge a variety of terms, including that the person who will act as the recipient of the export-controlled technical data and technology on behalf of the U.S. contractor is a U.S. citizen or lawful permanent resident located in the United States. The certification must specify the contractor’s business activity, which will be used by the DoD controlling office as a basis for approving or disapproving specific requests for technical data and technology. An important condition that may prove troublesome is that the contractor must state that, to the best of its knowledge, no person employed by it, or acting on its behalf, with access to the data or technology has violated U.S. export control laws or a certification previously made to DoD under the provisions of this rule.
Interestingly, this provision could provide a disincentive for U.S. companies to make voluntary disclosures of ITAR and EAR violations to the departments of State and Commerce, respectively. Voluntary disclosures could be used as evidence by DoD to reject an application for qualification. Moreover, it could have a significant impact on internal investigation processes for export control issues: individuals required to make the certifications to DoD under this Proposed Rule may feel compelled to seek confirmation through their internal compliance functions about the validity of the statement that the company has not “violated U.S. export control laws.” Particularly without a time limitation on this certification, it represents an extremely high — perhaps impossible — bar for any major defense contractor.
DoD should reconsider the phrasing of the requirement in Section 250.3 under subsection five of the definition of “Qualified U.S. Contractor” in order to avoid the unintended consequences of the broad language of “violated U.S. export control laws” in its certification requirement.
Relationship to ITAR and EAR and the Ambiguity of Varying Terminology Used in the Proposed Rule
The Proposed Rule states that it does not introduce any additional controls on the dissemination of technical data and technology by private enterprises or individuals beyond those specific by export control laws and regulations or in contracts or other agreements. This is helpful because the Proposed Rule uses a series of overlapping and conflicting terms and descriptions to describe what is subject to the rule, including “technology,” “technical data” and “technical information.” The rule could be much more streamlined by reducing its use of differing terms and descriptions, as well as eliminating some altogether.
Ultimately, the Proposed Rule clarifies that it applies to only certain types of unclassified technical data, as defined in the ITAR, and certain types of technology, as defined in the EAR, that are subject to those regulations. It does this through the “procedures” section of the rule (Section 250.6). Through subsection 250.6(b)(1) in particular, DoD confirms that certain terminology used in the Proposed Rule (e.g., the phrases “technical information” and “unclassified technical data and technology that discloses technology or information with military or space application”) is ultimately irrelevant with respect to the application of the Proposed Rule to contractor requests.
Unfortunately, subsection 250.6(b)(1) leaves a significant gap that must be addressed before the final rule or else it will result in ambiguity in the application of the Proposed Rule by DoD. Specifically, subsection 250.6(b)(1)(ii) states that only information requiring a license, exception, exemption, or other export authorization under export control laws and regulations will be subject to the Proposed Rule. The problem is that a determination as to whether a license, exception, exemption or other export authorization is required depends on information about the country of destination, end use and end user with respect to information subject to EAR, but there is no requirement in this subsection that links the analysis to any particular end user, end use, or country (e.g., countries identified in the contractor’s release request).
For example, certain space technology may require a license for certain countries and not for others. Similarly, there are highly restrictive licensing requirements for low-level technology for countries subject to antiterrorism controls and sanctions laws (e.g., North Korea, Iran). DoD must modify subsection 250.6(b)(1)(ii) to provide better guidance on how to apply the test in that provision, or it will result in inconsistent approaches by DoD entities.
The Proposed Rule authorizes DoD to provide technical data and technology to “qualified U.S. contractors” for only “legitimate business purposes,” which are limited to support of U.S. government approved sales to foreign governments, purchases of surplus property, sales or production for domestic and foreign commercial marketplaces (with appropriate export authorization), engaging in scientific research in a professional capacity and acting as a subcontractor to a qualified contractor. In turn, a qualified U.S. contractor may further disseminate technical data and technology, without additional DoD approval, to only:
- employees and persons working on its behalf who meet citizenship and residency requirements
- foreign recipients with an export license
- other qualified U.S. contractors within the scope of the legitimate business purpose
- the Department of State or Department of Commerce to apply for export licenses, which must be accompanied by a statement that the technical data and technology is controlled by DoD or
- Congress or any federal, state or local government agency as required by law.
In contrast, DoD may provide technical data and technology to only a “certified Canadian contractor” where a “legitimate business relationship” exists between the contractor and the government. The existence of a “legitimate business relationship” is solely within the discretion of DoD and requires that a need exist to acquire, share, exchange or disseminate DoD technical information to anyone other than a DoD employee for the support of a DoD mission. Such a relationship may be established by a memorandum of understanding, agreement, contract or grant. Importantly, the Proposed Rule provides no parallel provision allowing certified Canadian contractors to further disseminate export-controlled information without DoD approval. Thus, it appears that, in addition to any authorizations required under U.S. export controls, certified Canadian contractors must also seek DoD approval to share technical information subject to the Proposed Rule with any party, including other qualified contractors.
The likely most controversial aspect of this regulation is that, “[u]pon receipt of substantial and credible information” under the following circumstances, a DoD Component will temporarily revoke the U.S. or Canadian contractor’s qualification if the contractor or its employees:
- violated U.S. export control law
- violated its certification
- made a certification in bad faith or
- omitted or misstated a material fact.
As written, this revocation is mandatory, but the Proposed Rule does include a caveat that, if the temporary revocation would compromise a U.S. government investigation, the revocation may be delayed. In addition to the revocation, the DoD Component “must notify the appropriate law enforcement agency.” In the context of export-controlled information, those agencies could include DOJ, the FBI, the State Department and Department of Commerce.
Upon a temporary revocation, the DoD Component is to notify the contractor and the Undersecretary of Defense for Acquisition, Technology and Logistics (USD (AT&L)), and the contractor will have an opportunity to respond in writing before being disqualified. If the basis for the temporary revocation cannot be removed within 20 working days, the DoD Component will recommend to the USD (AT&L) that the contractor be disqualified from receiving export-controlled information. The rule allows a U.S. contractor whose qualifications have been temporarily revoked to present information “showing that the basis for revocation was in error or has been remedied” and be reinstated.
The Proposed Rule could clearly benefit from clarification about the “substantial and credible information” standard. As noted above, to the extent that DoD uses voluntary disclosures as a basis for this determination, it would create a mandatory trigger based on a contractor’s decision to follow long-standing policy that has been encouraged and fostered by the departments of State and Commerce to come forward to report violations of the ITAR and EAR. This is not the calculation that DoD should be injecting into the export compliance process within the contracting community.
Companies that are involved in DoD procurement are encouraged to closely read the Proposed Rule and critically examine the practical effects it may pose on their business activities and export control compliance programs. The public-comment period ends on December 30, 2016.
If you have any questions concerning this alert, please contact:
|Rebekah M. Jones