Shiva Aminian Discusses Export Controls and Cloud Computing with MCC

Akin Gump international trade partner Shiva Aminian spoke with Metropolitan Corporate Counsel for the article “Decoding the Export Controls of Cloud Computing: Identify “necessary” versus “required” data?”

Among the topics covered by Aminian:

• Challenges re: export controls in the cloud: “[One] challenge is the location of the users accessing the information on the cloud…Technology that is subject to U.S. export control regulations is uploaded in the cloud. In this example, the cloud provider has ensured that all servers are located in the U.S., and so on its face, an export is not occurring because the data is not leaving the U.S. If a user in China accesses the data on the cloud, however, an export has just occurred, even though the data and servers are all located in the U.S. Depending on the J/C [jurisdiction and classification] of the data and the location of the user (in this example, China), an export control license may be required.”
• Export Administration Regulations and the cloud: “The current definition of ‘export’ is the actual shipment or transmission of items out of the U.S. This means that the transmission of technology subject to EAR to a non-U.S. server is an export. The proposed rule includes an important carve-out from this definition. Specifically, it establishes a specific carve-out from the definition of ‘export’ for the transfer of technology and software that is encrypted in a specific manner. This means that cloud users may be able to upload encrypted technical data to the cloud and fall outside the scope of an export and the resulting licensing requirements for server locations, user locations and non-U.S. administrators.”
• Risk mitigation for companies: “Companies can mitigate risks by ensuring that they know the J/C of the data they are uploading to the cloud, and ensuring that they are only using the cloud for nontechnical information or ‘low-level’ technology. If low-level technology is involved, companies must take steps to ensure against unauthorized exports to the handful of prohibited countries. Companies can also safeguard against risks by requiring contract provisions that limit the authorized locations for servers and nationalities of IT administrators. Apart from that, companies should be active in the rulemaking process…Companies should carefully consider and weigh in on the proposed rules, and ensure that their concerns are addressed through the rulemaking process.”

To read the full interview, please click here.