On Friday June 3, 2016 the U.S. Departments of Commerce and State released their latest rulemakings in the Export Control Reform Initiative - this time, revising the definitions of "export" and several other terms relating to technology transfers.[1] These rules are the long-awaited follow-on to proposed rules issued by each agency exactly one year ago on June 3, 2015. The Commerce Department's Bureau of Industry and Security ("BIS") published a final rule to complete the process, and the State Department's Directorate of Defense Trade Controls ("DDTC") published an interim final rule with another request for comments due July 5, 2016. (BIS still welcomes public comments on its final rule on a continuing basis.) Both rules will become effective on September 1, 2016.

The stated purpose of this rulemaking was to enhance clarity and consistency in how technology transfers and other export activities are treated between the Export Administration Regulations ("EAR") administered by BIS and the International Traffic in Arms Regulations ("ITAR") administered by DDTC. Many concepts are now harmonized. For example, the ITAR now incorporates the EAR "deemed export" rule regarding technology transfers to foreign nationals in the United States, and the EAR now includes a similar authorization framework as the ITAR for technology transfers by foreign entities to their dual and third country national employees. However, significant differences remain between the EAR and the ITAR, with the ITAR remaining the more restrictive regulatory regime.

Below is a brief summary of key features in these rulemakings. Both agencies' rules encompass several detailed changes across many definitions; these are a few highlights that may be of interest to companies whose business involves technology transfers.

Cloud Computing

  • In the context of cloud computing, the proposed 2015 rules for both agencies would have excluded the transfer of technical data through foreign servers from regulation as an export, if the data is encrypted end-to-end.
  • Only BIS adopted a final rule with respect to end-to-end encryption and cloud services. DDTC stated that it will address this topic in a separate rulemaking.
  • The new BIS rule exempting transfers of technical data through end-to end encryption does not apply if the data are intentionally stored in so-called "D:5 countries" (countries that are subject to a U.S. arms embargo) or the Russian Federation.
  • While the new BIS rule exempts routing of technical data through foreign servers from the definition of "export," the ultimate transfer to a foreign location at the end of the transmission would still be an export of the transmitted data to that location.
  • While the EAR now provides more certainty to cloud service providers and their customers, parties dealing in ITAR controlled technical data may not assume that encryption will prevent their data from being exported if it is hosted on a foreign server or accessed by a foreign national network administrator.

In-Country Transfers

  • Both the EAR and the ITAR have been amended to clarify that an in-country transfer, which could require additional authorization, occurs when there is a change in end use or end user within the same foreign country.
  • This means that, even if a licensed article never changes possession to another party, further U.S. government authorization could be required if the same authorized end user decides to apply the article towards a different end use than that originally stated in the license application.
  • This requires heightened vigilance by exporters to know their customers, understand their intended end uses, properly structure licenses, and obtain the necessary end use assurances.

Deemed Exports and Reexport

  • The ITAR now formally incorporates the deemed export/reexport concept that was already explicitly set forth in the EAR (relating to technical data transfers to a foreign persons within the United States or transfers to dual/third country nationals outside the United States).
  • The ITAR continues to take a more restrictive approach; DDTC will consider all citizenships held by, and any permanent residency status of, a foreign national.
  •  By contrast, BIS has now codified its long-standing policy that in evaluating deemed exports, it will only consider the foreign national's most recent country of citizenship or permanent residency.

Release of Technical Data

  • With regard to technology transfers, the EAR now clarifies that, in order for technology or software source code to be released to a foreign person such that it is exported, controlled information has to be actually revealed. In other words, merely seeing an item briefly, or providing a foreign person with theoretical or potential access alone, is not necessarily sufficient to constitute an export.
  • DDTC adopted a similar approach, thereby changing its prior policy that theoretical access to technical data was alone sufficient to constitute an export. DDTC has added a new definition for the term "release," which includes inspection of a defense article in a way that reveals technical data. DDTC also clarified in its rulemaking comments that information that is simply an attribute of a defense article (such as size or weight) is not technical data.

Dual and Third Country National Employed by Foreign Entities

  • BIS codified its previous interagency-cleared "Deemed Reexport Guidance" previously posted on the BIS website on October 31, 2013. The purpose of that guidance, and now this rule, is to harmonize the way dual and third country nationals are treated between the EAR and the ITAR, for deemed reexport purposes, where an individual is employed by a foreign entity that is authorized to have the technical data.
  • DDTC also made changes to consolidate into a single exemption its existing regulations authorizing certain dual or third country national employees to receive technical data already licensed to their foreign employers.
  • The net effect of these changes is to establish consistency of treatment between the EAR and the ITAR, and to make these provisions easier to use.

Temporary Exports for Individual Use

  • Both the EAR and the ITAR have been amended to clarify the circumstances under which U.S. persons, and foreign employees of U.S. companies travelling abroad on a temporary assignment, are permitted to receive technical data without a license.
  • BIS revised its TMP license for temporary exports, and DDTC has revised its technical data license exemption, to take a harmonized approach. To qualify under these regulations, the foreign person must be abroad on a temporary assignment (this caveat does not apply to U.S. persons abroad, who may be on a permanent assignment). Also, sufficient security precautions must be taken (which can include encryption, use of virtual private networks, passwords, and firewalls) to prevent unauthorized release.

The takeaway from this rulemaking is that, while companies dealing in both EAR and ITAR controlled technical data now will be able to take a more straightforward and consistent approach in implementing compliance measures to address both regulatory regimes, there are still some differences in how technology is treated, with DDTC continuing to take a more restrictive approach. Companies dealing with export controlled data should take this opportunity to update their technology control plans, review their foreign national vetting and access procedures, and revisit the terms and conditions of their technology licenses. Additionally, companies that have an interest in offering or using ITAR compliant cloud services might consider providing comments to DDTC and should stay alert to future developments in this area, given DDTC's plans to revisit that aspect of the rulemaking.

_____________________________

[1] See Department of Commerce, "Revisions to Definitions in the Export Administration Regulations," 81 Fed. Reg. 35586 (June 3, 2016); see also Department of State, "International Traffic in Arms: Revisions to Definition of Export and Related Definitions," 81 Fed. Reg. 35611 (June 3, 2016).