July 21, 2016
On June 3rd, as part of the Export Control Reform Initiative (ECR), the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) amended the Export Administration Regulations (EAR) by revising and adding multiple definitions in the EAR, in addition to making a number of other revisions. The new EAR definitions will become effective on September 1st. The State Department’s Directorate of Defense Trade Controls (DDTC) published a companion interim final rule making similar revisions and changes to the International Traffic in Arms Regulations (ITAR) and announced that it would accept comments on its interim final rule through July 5th. Based on the comments received, DDTC may amend its definitions again before the effective date of their rule, which is also September 1st. Both BIS and DDTC published proposed rules exactly one year prior, on June 3, 2015.
Below we provide an overview of some of the changes in the respective amendments.
The section also defines ‘end-to-end encryption’ as: (i) the provision of cryptographic protection of data such that the data is not in unencrypted form between an originator (or the originator’s in-country security boundary) and an intended recipient (or the recipient’s in-country security boundary); and (ii) the means of decryption are not provided to any third party. The originator and the recipient may be the same person. Due to concerns that data transmitted over the Internet may be temporarily stored on servers located in D:5 countries or Russia, unbeknownst to the sender, BIS also added a note stating that data in-transit via the Internet is not deemed to be “stored.”
Transfer of Access Information
BIS also added section 734.19 which states that to the extent an authorization would be required to transfer “technology” or “software,” a comparable authorization would also be required to transfer “access information” if done with “knowledge” that the transfer will result in the “release” of “technology” or “software” without the required authorization. “Access information” is a newly defined term in section 772.1 of the EAR, and is defined as information that allows access to encrypted technology or encrypted software in an unencrypted form. Decryption keys, network access codes, and passwords are all examples of “access information.” Because BIS excludes from EAR control certain transfers of information that have been encrypted to specified standards, it follows that providing the means to decrypt such information should be subject to control under the EAR when done with “knowledge” that the access will result in an unauthorized “release” of “technology” or “software.” All terms that are in quotations have a specific definition under the EAR and those definitions should be reviewed carefully.
BIS moved the definition of “release” from section 734.2(b)(3) of the EAR to section 734.15, revising the language for clarification purposes and to present the definition in a more organized manner. The new definition makes clear that while “technology” and “software” may be “released” through visual or other inspection by a “foreign person,” a “release” only occurs if the inspection reveals “technology” or “software” source code to the “foreign person.” In other words, BIS confirmed that a “release” does not necessarily occur because a “foreign person” merely sees a tangible controlled item such as controlled production equipment. A “release” occurs when a foreign person’s visual inspection of a controlled item reveals “technology” or “software” source code about the controlled item.
The last part of the definition states that the act of causing the “release” of “technology” or “software,” including through the use of “access information” (e.g., decryption keys, passwords, and network access codes), to a “foreign person” requires authorization to the same extent as would be required to “export” or “reexport” that “technology” or “software” to the “foreign person.” Thus, if a third party hacks into a database resulting in the “release” of technology (including to themselves), that third party is the person responsible for the unauthorized “release” rather than the person to whom the technology rightly belongs. The definition is structured so that the “unwitting victim” (the person who originally uploaded information into a database) will not be held responsible for the theft of technology, unless he or she had knowledge that an unauthorized “release” of technology would occur.
BIS also included text in the definition of “release” to clarify that “technology” or “software” can be released through written as well as oral exchanges.
BIS revised section 734.8 regarding “technology” or “software” that arises during, or results from, fundamental research. The revised definition provides that information that arises during or results from fundamental research, and which is intended to be published, is not subject to the EAR. BIS also included a note to confirm that the intention to publish the information (i.e., the “technology” or “software”) is the critical aspect of whether the information resulting from fundamental research is subject to the EAR. Additionally, the revised definition includes three notes that describes three types of prepublication review that would not render the research subject to the EAR.
BIS revised the definition of “transfer (in-country)” and moved it from section 772.1 to new section 734.16. “Transfer (in-country)” is now defined as a change in end-use or end-user of an item within the same foreign country. BIS changed the definition to clarify that whenever there is a change in the end-use or end-user of an item within the same foreign country, an in-country transfer occurs. The new definition codifies BIS’s prior interpretation of what constitutes an in-country transfer, and parallels the definition of “retransfer” in DDTC’s interim final rule.
Activities that are Not Deemed Reexports
The new section 734.20 codifies BIS’s Deemed Reexport Guidance dated October 31, 2013 on BIS’s website.
BIS modified the definition of “technology” to pattern the Wassenaar Arrangement definition. “Technology” is now defined as information necessary for the “development,” “production,” “use,” operation, installation, maintenance, repair, overhaul, or refurbishing (or other terms specified in ECCNs on the CCL that control “technology”) of an item. The most significant change with respect to this definition is the inclusion of a new note, which provides that when an existing item is modified to create a new item, the “technology” attributable to the modified design constitutes “technology” for the “development” or “production” of the new item. According to BIS, this provision addresses a common industry question regarding how companies should classify multiple variations of a product.
In the final rule, BIS gave the example of a company that makes a 9A991.d civil aircraft switch and later modifies the switch to work in a military aircraft. The modified switch is specially designed for a military aircraft and thus controlled under ECCN 9A610.x. The technology that is common to both switches is 9E991, but the additional or different technology that is required to transform the 9A991.d switch into a 9A610.x switch will be controlled under 9E610.
License Exception TMP
The final rule revised the technology provisions of section 740.9 regarding temporary imports, exports, reexports, and transfers (in-country). Specifically, BIS clarified that the “U.S. employer” and “U.S. persons or their employees” using License Exception TMP are not foreign subsidiaries. BIS stated that because of the risks associated with securing temporary technology exports, the only foreign persons allowed to use this license exception are those employed by U.S. companies.
BIS also added the comments submitted on its proposed rule, along with its responses, to its website in the form of Frequently Asked Questions (FAQs). The FAQs provide additional interpretive guidance on the updated definitions in BIS’ final rule.
To view BIS’ final rule, please click here.
The revised section 125.4(b)(9) clarifies that the technical data must be secured appropriately to prevent the unauthorized “release” of the information.
To view DDTC’s final rule, please click here.
The use of common terms and common definitions in the EAR and the ITAR, where appropriate, satisfies the objections of the ECR by facilitating enhanced compliance and reducing the unnecessary regulatory burden on exporters. Moreover, the harmonization of the definitions is a significant step toward the creation of a single control list and single set of export control regulations, an ultimate goal of ECR.
If you have specific questions regarding the definitions, please contact us.