JLF Navigation

July 21, 2016

Multiple Definitions Updated in Export Control Regulations

On June 3rd, as part of the Export Control Reform Initiative (ECR), the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) amended the Export Administration Regulations (EAR) by revising and adding multiple definitions in the EAR, in addition to making a number of other revisions. The new EAR definitions will become effective on September 1st.  The State Department’s Directorate of Defense Trade Controls (DDTC) published a companion interim final rule making similar revisions and changes to the International Traffic in Arms Regulations (ITAR) and announced that it would accept comments on its interim final rule through July 5th. Based on the comments received, DDTC may amend its definitions again before the effective date of their rule, which is also September 1st. Both BIS and DDTC published proposed rules exactly one year prior, on June 3, 2015.

Below we provide an overview of some of the changes in the respective amendments.

BIS Amendments

BIS added and revised a number of definitions in the EAR to enhance clarity and consistency with terms found in the ITAR and also made other changes, including changes to part 734 of the EAR (which discusses the items and activities that are subject to the EAR) to update and clarify the application of controls to electronically transmitted and stored technology and software.

Activities that are Not Exports, Reexports, or Transfers under the EAR
BIS consolidated several pre-existing exclusions into new section 734.18 of the EAR. New section 734.18 also includes two additional activities that are declared not to be exports, reexports, or transfers: (i) space launches (consistent with prior BIS practice); and (ii) sending, taking, or storing certain encrypted technology or software abroad. The provision regarding the electronic transmission and storage of technology, including by way of cloud computing, is an important addition.[1] This provision states that the sending, taking, or storing of unclassified technology or software is not an export, reexport, or transfer if the technology or software is:

The section also defines ‘end-to-end encryption’ as: (i) the provision of cryptographic protection of data such that the data is not in unencrypted form between an originator (or the originator’s in-country security boundary) and an intended recipient (or the recipient’s in-country security boundary); and (ii) the means of decryption are not provided to any third party. The originator and the recipient may be the same person. Due to concerns that data transmitted over the Internet may be temporarily stored on servers located in D:5 countries or Russia, unbeknownst to the sender, BIS also added a note stating that data in-transit via the Internet is not deemed to be “stored.”

Transfer of Access Information
BIS also added section 734.19 which states that to the extent an authorization would be required to transfer “technology” or “software,” a comparable authorization would also be required to transfer “access information” if done with “knowledge” that the transfer will result in the “release” of “technology” or “software” without the required authorization. “Access information” is a newly defined term in section 772.1 of the EAR, and is defined as information that allows access to encrypted technology or encrypted software in an unencrypted form. Decryption keys, network access codes, and passwords are all examples of “access information.” Because BIS excludes from EAR control certain transfers of information that have been encrypted to specified standards, it follows that providing the means to decrypt such information should be subject to control under the EAR when done with “knowledge” that the access will result in an unauthorized “release” of “technology” or “software.” All terms that are in quotations have a specific definition under the EAR and those definitions should be reviewed carefully.

BIS moved the definition of “release” from section 734.2(b)(3) of the EAR to section 734.15, revising the language for clarification purposes and to present the definition in a more organized manner. The new definition makes clear that while “technology” and “software” may be “released” through visual or other inspection by a “foreign person,” a “release” only occurs if the inspection reveals “technology” or “software” source code to the “foreign person.” In other words, BIS confirmed that a “release” does not necessarily occur because a “foreign person” merely sees a tangible controlled item such as controlled production equipment. A “release” occurs when a foreign person’s visual inspection of a controlled item reveals “technology” or “software” source code about the controlled item.

The last part of the definition states that the act of causing the “release” of “technology” or “software,” including through the use of “access information” (e.g., decryption keys, passwords, and network access codes), to a “foreign person” requires authorization to the same extent as would be required to “export” or “reexport” that “technology” or “software” to the “foreign person.” Thus, if a third party hacks into a database resulting in the “release” of technology (including to themselves), that third party is the person responsible for the unauthorized “release” rather than the person to whom the technology rightly belongs. The definition is structured so that the “unwitting victim” (the person who originally uploaded information into a database) will not be held responsible for the theft of technology, unless he or she had knowledge that an unauthorized “release” of technology would occur.

BIS also included text in the definition of “release” to clarify that “technology” or “software” can be released through written as well as oral exchanges.

Fundamental research
BIS revised section 734.8 regarding “technology” or “software” that arises during, or results from, fundamental research. The revised definition provides that information that arises during or results from fundamental research, and which is intended to be published, is not subject to the EAR. BIS also included a note to confirm that the intention to publish the information (i.e., the “technology” or “software”) is the critical aspect of whether the information resulting from fundamental research is subject to the EAR. Additionally, the revised definition includes three notes that describes three types of prepublication review that would not render the research subject to the EAR.

Transfer (in-country)
BIS revised the definition of “transfer (in-country)” and moved it from section 772.1 to new section 734.16. “Transfer (in-country)” is now defined as a change in end-use or end-user of an item within the same foreign country. BIS changed the definition to clarify that whenever there is a change in the end-use or end-user of an item within the same foreign country, an in-country transfer occurs. The new definition codifies BIS’s prior interpretation of what constitutes an in-country transfer, and parallels the definition of “retransfer” in DDTC’s interim final rule.

Activities that are Not Deemed Reexports
The new section 734.20 codifies BIS’s Deemed Reexport Guidance dated October 31, 2013 on BIS’s website.

BIS modified the definition of “technology” to pattern the Wassenaar Arrangement definition. “Technology” is now defined as information necessary for the “development,” “production,” “use,” operation, installation, maintenance, repair, overhaul, or refurbishing (or other terms specified in ECCNs on the CCL that control “technology”) of an item. The most significant change with respect to this definition is the inclusion of a new note, which provides that when an existing item is modified to create a new item, the “technology” attributable to the modified design constitutes “technology” for the “development” or “production” of the new item. According to BIS, this provision addresses a common industry question regarding how companies should classify multiple variations of a product.

In the final rule, BIS gave the example of a company that makes a 9A991.d civil aircraft switch and later modifies the switch to work in a military aircraft. The modified switch is specially designed for a military aircraft and thus controlled under ECCN 9A610.x. The technology that is common to both switches is 9E991, but the additional or different technology that is required to transform the 9A991.d switch into a 9A610.x switch will be controlled under 9E610.

License Exception TMP
The final rule revised the technology provisions of section 740.9 regarding temporary imports, exports, reexports, and transfers (in-country). Specifically, BIS clarified that the “U.S. employer” and “U.S. persons or their employees” using License Exception TMP are not foreign subsidiaries. BIS stated that because of the risks associated with securing temporary technology exports, the only foreign persons allowed to use this license exception are those employed by U.S. companies.

BIS also added the comments submitted on its proposed rule, along with its responses, to its website in the form of Frequently Asked Questions (FAQs). The FAQs provide additional interpretive guidance on the updated definitions in BIS’ final rule.

To view BIS’ final rule, please click here.

DDTC Amendments

In its interim final rule, DDTC revised the definitions of “export” and “reexport or retransfer;” created definitions for the terms “release” and “retransfer;” created new sections regarding the scope of a license and unauthorized releases of controlled information; revised the section on exports of “technical data” to U.S. persons abroad; and consolidated provisions regarding the treatment of foreign dual and third country national employees. DDTC will address the remaining definitions in its proposed rule in separate rulemakings.

DDTC revised its definition of “export” in section 120.17 of the ITAR to better align with the EAR’s revised definition and to remove certain activities that now fall within the updated definition of “reexport” or the newly defined term “retransfer.” One important change is the inclusion of a provision clarifying that disclosing technical data to a foreign person in the U.S. is deemed to be an “export” to all countries in which the foreign person holds or has held citizenship or holds permanent residency. This is a major difference between the ITAR and the EAR; under the EAR, such a release or disclosure is only deemed to be an export to the foreign person’s most recent country of citizenship or permanent residency. DDTC stated that its choice of language here furthers the purposes of the ECR by providing more stringent controls on the more sensitive, ITAR-controlled items.

Additionally, in response to concerns that the definition of “export” is too broad with respect to technical data, DDTC emphasized in the proposed rule that information is only ITAR-controlled if it is “directly related”[3] to a defense article or specifically enumerated on the USML and is not excluded from the definition of “technical data.”

The revised definition of “reexport” in section 120.19 is very similar to the revised definition of “export” except that the shipment, “release,” or transfer is between foreign countries or is to a third country national foreign person abroad. The definition also omits certain activities that are inapplicable to “reexports.”

To further harmonize with the EAR, DDTC added a definition of “release” in section 120.50 of the ITAR that is similar to BIS’s revised definition. However, DDTC’s definition omits the provision declaring that an authorization is needed for the act causing the “release” of “technology” or “software” to the same extent one would be required to “export” or “reexport” “technology” or “software” to that person. DDTC did not provide an explanation for the omission.

DDTC moved the term “retransfer” from the definition of “reexport or retransfer” in section 120.19 and added a separate definition in section 120.51. The new definition parallels the EAR’s revised definition of “transfer (in-country).” Under the ITAR, a “retransfer” occurs when there is a change of end-use or end-user within the same foreign territory.

Exemption for Exports of Technical Data to or for U.S. Persons Abroad
DDTC revised section 125.4(b)(9) to further harmonize controls on the “release” of controlled information to U.S. persons abroad. DDTC made a number of important changes to this section that:

The revised section 125.4(b)(9) clarifies that the technical data must be secured appropriately to prevent the unauthorized “release” of the information.

To view DDTC’s final rule, please click here.

The use of common terms and common definitions in the EAR and the ITAR, where appropriate, satisfies the objections of the ECR by facilitating enhanced compliance and reducing the unnecessary regulatory burden on exporters. Moreover, the harmonization of the definitions is a significant step toward the creation of a single control list and single set of export control regulations, an ultimate goal of ECR.

If you have specific questions regarding the definitions, please contact us.

[1] The Google Dictionary defines cloud computing as “the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.”
[2] The countries listed in Country Group D:5 are those that are subject to U.S. arms embargoes. See Supplement No. 1 to part 740 of the EAR.
[3] BIS stated that DDTC will eventually issue a proposed rule defining “directly related.”