Archive for the ‘Information Technology’ Category

The Export Control Reform Act and Possible New Controls on Emerging and Foundational Technologies

2018/09/27

By: Kevin Wolf, Partner, Akin Gump Strauss Hauer & Feld, kwolf@akingump.com

(Former) Assistant Secretary of Commerce for Export Administration (2010-2017)

Key Points

ECRA became law on August 13, 2018. It is the permanent statutory authority for the EAR, which is administered by the U.S. Department of Commerce’s BIS. The new law codifies long-standing BIS policies and does not require changes to the EAR, such as to its country-specific licensing requirements.

However, as part of the larger effort to reform the authorities governing CFIUS, the law effectively requires BIS to lead an interagency, regular order process to identify and add to the EAR controls on “emerging” and “foundational” technologies that are “essential to the national security of the United States.”

Although the types of emerging and foundational technologies to be identified are not yet publicly known, anyone involved in emerging and foundational technology areas, such as artificial intelligence, driverless vehicle technology, advanced computing, additive manufacturing or microelectronics, should begin preparing comments on possible new controls in line with the standards in the new law. Commerce will likely soon publish a notice seeking such comments, and the formal comment period will likely be short relative to the complexity and the significance of the issue. The submission of thoughtful and well-supported industry comments will be absolutely critical to the creation of properly scoped and clearly described controls that are consistent with the statutory standards.

  1. Introduction

The Export Control Reform Act of 2018 (ECRA) and the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) became law on August 13, 2018, as part of the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA). One of the primary policy motivations behind both acts was the need to enhance U.S. export and investment controls to address concerns regarding the release of critical technologies to end uses, end users and destinations of concern, primarily China. (FIRRMA is described in a prior alert.)

Another motive behind ECRA was the creation of permanent statutory authority for the Export Administration Regulations (EAR). The EAR primarily control the export, reexport, and transfer of commercial, dual-use and less sensitive military items to end users, end uses and destinations of concern. They also include the antiboycott regulations that the Bureau of Industry and Security (BIS) administers. Part I of ECRA is titled “Export Controls Act of 2018” (ECA) and is the authority for the administration of the export controls that BIS administers. Part II of ECRA is titled “Anti-Boycott Act of 2018” and is the authority for the antiboycott regulations that BIS administers.

For most of the last two decades, the statutory authority for the EAR—the Export Administration Act of 1979—has been defunct. The EAR have been kept in effect through Executive Orders and an emergency declaration issued under the authority of the International Emergency Economic Powers Act (IEEPA) that was renewed by annual presidential notices. (A description of this issue, the export control system generally and the issues motivating the introduction of the legislation can be found in the March 2018 testimony of Kevin Wolf before the House Foreign Affairs Committee.)

The new law essentially codifies existing written and unwritten BIS practices, policies and definitions as they have evolved since 1979. It also gives BIS enforcement officials more authority to investigate possible violations of the EAR. Because the new law essentially preserves the status quo from an exporter’s perspective and does not, for example, change any country-specific licensing policies, it is primarily of interest to export control practitioners. It, however, includes one section, Section 1758, that should be of particular interest to those who do not normally consider themselves affected by the EAR (i.e., those involved in the development or export of emerging and foundational technologies that are not now identified in the EAR or other export control regulations).

  1. ECA Section 1758 Requires the Administration to Identify and Control in the Export Control Regulations Emerging and Foundational Technologies of Concern

BIS has always had the authority to impose unilateral controls on items for national security and foreign policy reasons. (Unilateral controls are those that only the United States imposes, as opposed to controls that BIS publishes to implement agreements of the multilateral export control regimes.) In 2012, BIS provided more structure around the process of identifying and imposing unilateral controls when it created the “0Y521” series. As further described in this notice, BIS has the authority to impose controls over the export of any previously uncontrolled commodity, software or technology that provides the United States with at least a significant military or intelligence advantage, or for any foreign policy reason, so long as the government works to make the controls multilateral within three years (i.e., to get our regime allies to control the same item). The 2012 notice stated that such items are “typically emerging technologies.”

Section 1758 of the ECA essentially codifies this regulatory process and gives the administration a statutory mandate to make the effort a priority. This statutory instruction evolved in response to concerns about a key element of the Committee on Foreign Investment in the United States (CFIUS) reform legislation, FIRRMA, which, as introduced, would have given CFIUS jurisdiction over outbound investments, such as overseas joint ventures, by U.S. critical technology companies that would involve the transfer of intellectual property and associated support. The sponsors’ policy objective with this provision was to give the U.S. government the opportunity to determine and, if necessary, alter or block such outbound investments if they could result in the release of critical emerging or foundational technologies not controlled by the export control system. (More detail about this issue can be found here.)

Over the course of many congressional hearings and other discussions, a consensus emerged that addressing the concern through CFIUS would result in both over-controls and under-controls. The approach would have been an over-control because many benign outbound investments would become subject to CFIUS jurisdiction, which would have placed unnecessary burdens on CFIUS and U.S. industry, and would likely have discouraged welcome foreign investments. It would have been an under-control because it would have regulated only the transfer of the newly identified critical technologies in connection with a covered investment, meaning that the identical technologies could have been legally transferred without government oversight to a foreign person as part of any other type of transaction, such as a simple purchase-and-sale arrangement. The solution was to require the already existing dual-use export control system to put more effort into identifying emerging and foundational technologies of concern and to control their export to end uses, end users and destinations of concern regardless of the nature of the underlying investment.

  1. Technologies Likely to Be Considered “Emerging” or “Foundational”

Congress did not define the terms “emerging” or “foundational” technologies “essential to national security,” but the public debate over the legislation provided hints as to the general areas of concern. During the discussions about CFIUS and export control reform bills, and related public discussions about CFIUS cases and China’s plans to acquire technologies pursuant to its “Made in China 2025” plan, emerging and foundational technologies, such as the following, were informally cited as warranting consideration for possible new controls:

  • artificial intelligence and machine learning
  • augmented reality
  • automated machine tools
  • additive manufacturing
  • autonomous vehicles
  • advanced battery technology
  • “big data”
  • biotechnology
  • gene editing
  • high-temperature superconducting technology
  • hydrogen and fuel cells
  • integrated circuits, semiconductors and microelectronics
  • intelligent mobile terminals
  • nanotechnology
  • robotics

Neither Congress nor the administration has published any sort of list of technologies that are under review or that should be studied. BIS, however, is likely to publish a notice soon, seeking information from the public about broad categories of technologies that potentially warrant control and how the controls could be worded to satisfy the requirements of Section 1758. Consistent with past BIS practice, this notice would not be a proposed rule. Rather, it would be a formal tool for the government to solicit industry input as part of its efforts to identify what technologies should and should not be the subject of possible new controls in a proposed rule to be published later. Industry’s role in this process is critical. Thoughtful and well-supported comments will likely have a positive influence on the government’s efforts to identify which emerging and foundational technologies are and are not essential to our national security and otherwise within the scope of Section 1758.

  1. Questions to Answer for Comments to Be Provided to the Administration

Any formal comment period will be, or will seem, short relative to the complexity and the significance of the issues. Because, as discussed below, Section 1758 foreshadows the questions that will likely be asked in such a notice, those potentially affected by new controls do not need to wait for the notice to be published before internally answering the following questions:

  • Which of the company’s technologies that are not now identified on an export control list (a) are essential to national security or (b) might be deemed so by the administration, particularly in light of the debate over FIRRMA?

 

  • Which such technologies are and are not being developed outside the United States?

 

  • Would research on, and development of, such technologies in the United States be affected if the government were to impose unilateral export controls on such technologies, including on their release to foreign persons in the United States?

 

  • Would unilateral controls on the release of such technologies to foreign persons in the United States or to foreign countries be effective at deterring their transfer to countries of concern?

 

  • Would export control regime allies, such as those in Europe, likely eventually agree to impose controls on the release of such technologies from their countries?

Answers to these questions, and supporting documentation and analyses, will be vital to the preparation of quality comments filed in response to a notice.

III. Elements of Section 1758 – the ECA’s Emerging and Foundational Technologies Provision

  1. The process for identifying technologies must be an interagency process.

Some of the ideas floated during the FIRRMA debate would have given CFIUS or individual agencies, such as the Department of Defense, the authority to nominate and have controlled emerging and foundational technologies. The ECA requires the President to establish an interagency process to do so that involves the departments of Commerce, Defense, Energy and State, and any other necessary department or agency. The motive behind this provision was to ensure that the equities and expertise of all relevant agencies would be considered when identifying such technologies. Because BIS’s mission includes coordinating such interagency efforts, and because any new controls would be published in the EAR, which BIS administers, BIS has the lead role in the identification effort.

  1. The interagency emerging and foundational technology identification process must be a “regular, ongoing” effort.

This reference in the provision makes it clear that the identification and addition of new controls over emerging and foundational technologies is not just a one-time event. It is now, as a statutory matter, rather than just a standard interagency practice, a regular part of the U.S. export control system. The technologies at issue are, by definition, emerging. They are not what the export control system has a history of controlling and analyzing. They are not technologies that have been specially designed for military or intelligence applications because such technologies are already controlled by either the EAR or the International Traffic in Arms Regulations (ITAR). Thus, BIS and the other agencies are likely setting up more formal processes to regularly search for and, as needed, amend the export controls over commercial technologies of concern as they emerge.

  1. The emerging and foundational technologies to be identified are limited to those “essential to the national security of the United States.”

During the debates over the CFIUS and export control reform bills, there was some discussion about whether controls should be imposed on such technologies for purely economic reasons, such as for use as part of protectionist or industrial policy efforts. Export control statutes dating back to the Export Control Act of 1949 have expressly limited the reasons for control to national security, foreign policy and short supply. Although an administration has broad authority to define what constitutes a national security concern, the law conspicuously limits the scope of any new controls to not only those that would address “national security” concerns, but also to those that are “essential” to our national security.

  1. The emerging and foundational technologies to be identified must not include technologies that are already subject to export controls or that become subject to controls under other authorities.

This means that any technologies that are already identified in the export control regulations, primarily the EAR and the ITAR, or that would be added to such regulations later under other authorities, must not be part of the process described in Section 1758. The government thus still has extraordinary discretion to identify items for control, and none of that discretion is affected by this provision, which is focused on resolving a specific policy issue raised during the debate over FIRRMA. If Section 1758 were not included in the law, the administration would have the same authority to do what is required under Section 1758. The only difference is that Congress is requiring the administration to conduct the special effort and setting standards for how to do so.

  1. The interagency process must be informed by multiple sources of information, including (i) publicly available information, (ii) classified information, (iii) information developed during the CFIUS process and (iv) information developed by BIS’s technical advisory committees.

The export control system has always drawn upon such information sources when considering which technologies to control, but not always as part of a formal process. The provision is also a subtle congressional reminder to export control officials to ensure that they expand their technology review horizons over what are, by definition, novel, emerging technologies to get the benefit of those who may have contact with such technologies before they do. Thus, for example, it effectively requires export control officials to reach out to industry and academic experts who may not otherwise interact with the government. It also indirectly emphasizes the need for the intelligence community to commit resources to analyzing emerging technology issues and to provide its work product to export control officials for consideration.

The provision requires that technology issues generated during the review of CFIUS fillings be formally fed back into the export control system for broader consideration. The export control agencies are core members of CFIUS, and there is a long history of their considering whether issues developed during CFIUS cases warrant changes to export controls. The only difference now is that this practice is a formal, statutory requirement. Finally, the provision reconfirms the need for industry experts on BIS’s multiple technical advisory committees to provide their input to export control officials about emerging and foundational technologies. Indeed, BIS is in the process of creating an additional technical advisory committee to focus on such issues, as described here. For those with significant expertise in the emerging and foundational technologies at issue, participating in the new, or in any of the existing, technical advisory committees is a significantly important way to contribute to the quality of the controls.

  1. Before imposing new controls on an emerging or foundational technology, the government must consider whether comparable technologies are being developed outside the United States.

This provision does not prohibit the imposition of controls on technologies being developed outside the United States. When read with other parts of Section 1758, however, foreign availability is clearly an important variable the government must consider when deciding whether technologies should become subject to the new controls. Thus, when responding to BIS’s notices asking for comments on new technologies to control, those potentially affected should provide information about which comparable technologies are and are not being developed outside the United States. Such commercial information, which often is not available to the government, should be as specific as possible if it is to be effective. That is, conclusory comments, such as “This technology is widely available in many countries outside the United States” will not be helpful. Comments such as “This technology is available from Company A in Country X (brochures and specifications attached),” on the other hand, are what the government needs to see in order to make a sensible judgment about whether to impose new controls.

  1. Before imposing new controls on an emerging or foundational technology, the government must consider the effect that the imposition of a unilateral export control “may have on the development of such technologies in the United States.”

As a matter of logic, expectations and history, unilateral controls tend to discourage research and investment in the United States in the affected technologies. Indeed, the ECA states that “[e]xport controls applied unilaterally to items widely available from foreign sources generally are less effective in preventing end-users from acquiring those items. Application of unilateral export controls should be limited for purposes of protecting specific United States national security and foreign policy interests.” This does not mean that unilateral controls are per se prohibited or ineffective, only that this standard is a high bar for the government when deciding whether to propose a new unilateral control. Those in potentially affected industries will thus want to provide in their public comments a thoughtful analysis of whether—and how—a unilateral control over a specific emerging or foundational technology is or is not likely to harm the domestic development of such technologies.

  1. Before imposing new controls on an emerging or foundational technology, the government must consider whether they would be effective in “limiting the proliferation of emerging and foundational technologies to foreign countries.”

This standard is basically a corollary to the other provisions above, but it nonetheless emphasizes the point that imposing controls on technologies being developed outside the United States or with the substantial assistance in the U.S. of foreign scientists and engineers will not likely accomplish the objectives of this section. If commenters have any other reasons that a proposed new control would or would not be effective, then this is the statutory provision to cite in support of why it should or should not be imposed.

  1. Before any new controls may be imposed, the government must provide the public with a notice and an opportunity to comment.

This is the most critical step for industry to comment formally on actual regulatory text and whether the proposed controls do or do not meet the standards in Section 1758. Based on the experience of the Obama administration’s export control reform effort, which involved the publication of dozens of proposed rules for public comment, career staff at the agencies are likely to take well-supported, thoughtful comments seriously.

  1. The new controls will be published as amendments to the EAR.

Earlier versions of the CFIUS and the export control reform bills were unclear about whether or, if so, where new investment or export controls on emerging and foundational technologies would be published. Section 1758 effectively requires that they will be identified in the EAR’s Commerce Control List (CCL).

  1. BIS has broad authority to decide when, and under what circumstances, licenses or other types of authorizations will be required to export identified emerging and foundational technology.

Criteria that BIS, in coordination with the other agencies, must consider when imposing controls include whether the destination is subject to U.S. arms and other embargoes, as well as the potential end uses and end users of such technology. The group of countries subject to such embargoes includes China, Russia and Iran.

  1. Commerce is not required to impose licensing requirements on finished items that are destined to regular customers or on technology when the acquisition would not give the foreign recipient the ability to produce critical technologies.

This exception reflects the provision’s emphasis on emerging and foundational technologies, rather than finished products, that can be used to enhance the indigenous manufacturing capability outside the United States of items essential to U.S. national security.

  1. The Secretary of State, in coordination with the other export control agencies, is required to propose each year for three years any new controls to the relevant multilateral export control regimes for control.

This element of the control reflects Congress’ view that multilateral controls are more effective than unilateral controls. If the regimes do not accept a new control, then Commerce must decide whether national security concerns warrant the continuation of unilateral controls with respect to the technology at issue. Another part of ECA commits the U.S. government to “carry out obligations and commitments under international agreements and arrangements, including multilateral export control regimes.” The most relevant such regime to this issue is the Wassenaar Arrangement, which was “established in order to contribute to regional and international security and stability, by promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilizing accumulations. The aim is also to prevent the acquisition of these items by terrorists. Participating States seek, through their national policies, to ensure that transfers of these items do not contribute to the development or enhancement of military capabilities which undermine these goals, and are not diverted to support such capabilities.” Thus, to remain consistent with its obligations under ECA, the administration should propose only new controls on emerging or foundational technologies that meet this standard or one of the corresponding standards in the other multilateral regimes (i.e., those pertaining to controlling the proliferation of missiles, nuclear items, and chemical or biological weapons, and related items).

  1. Commerce must report to CFIUS and Congress every 180 days of the actions that it and the other agencies have taken to implement this section.

Normally, congressional reporting requirements do not get much public attention, but this regular obligation to show progress likely will keep the process for identifying and controlling emerging and foundational technologies high on the list of priorities for this and subsequent administrations. This fact further reinforces the need for industry to stay engaged with the government with respect to identifying emerging and foundational technologies that are and are not essential to the national security of the United States.

  1. BIS has broad authority to impose “interim controls” on exports and reexports of emerging or foundational technologies by specific persons.

The EAR contain multiple “is informed” provisions allowing BIS to inform parties that, to address a specific national security or foreign policy concern, a license is required to export an item that would not normally require a license. Section 1758 explicitly gives BIS the authority to create any form of interim controls, such as through the use of similar “is informed” actions imposing licensing requirements on the export by specific persons of specific technologies in a particular transaction, before regulations controlling such technologies are promulgated and made generally effective.

Used properly, this new authority could be a way for BIS to surgically address policy concerns about the transfer of specific kinds of technology in unique circumstances without imposing controls on entire types of technologies or destinations. Thus, for example, if BIS has information that a specific foreign entity plans to use a specific type of EAR99 technology deemed to be “emerging” or “foundational” that would be released during a joint venture for an activity contrary to U.S. national security interests, BIS could prohibit the technology transfer without having to sanction the foreign entity (such as by using the entity list process) or imposing an across-the-board control on the same technology for all exports. In a way, this new omnibus “is informed” authority, which is tucked into a parenthetical in Section 1758, is the broad authority that the proponents of the original FIRRMA bill contemplated when they sought to give CFIUS jurisdiction over outbound investments by critical technology companies. They wanted the U.S. government to have the authority to block otherwise uncontrolled technology transfers in specific circumstances on case-by-cases bases. Such authority now exists, but within BIS (rather than CFIUS) pursuant to Section 1758.

  1. The Statement of Policy Codifies Long-Standing BIS Policies—and Provides the Administration with Considerable Discretion in Administering the System

Section 1752 contains a lengthy statement of policy that may seem new to some, but fairly accurately reflects the written and unwritten licensing and other export control policies that have evolved within BIS since the Export Administration Act was passed in 1979. Some provisions may seem contradictory, but they are examples of the difficult choices that BIS and its interagency colleagues make daily when deciding which dual-use and other items to control, how to control them and when to approve, condition or deny their export.

For example, the section states that export controls should be used only after consideration of their impact on the U.S. economy and only to the extent necessary to advance the national security and foreign policy interests of the United States. These interests require regulations to control the proliferation of items for use in weapons of mass destruction; acts of terrorism; or military programs that could threaten the United States or its allies, or that could disrupt critical infrastructure. They must also, for example, simultaneously (i) preserve the military superiority of the United States; (ii) promote human rights; (iii) carry out our commitments to the multilateral regimes; (iv) facilitate interoperability with our NATO and other close allies; (v) be focused on core technologies of concern; (vi) maintain U.S. leadership in science, engineering, manufacturing and technology, including foundational technologies; (vii) be enforced aggressively and consistently; (viii) be administered in a way that is able to be easily understood; and (ix) be transparent, predictable, timely and flexible.

  1. The Authority to Control Activities by U.S. Persons Is Codified and Slightly Expanded

Unlike the ITAR, the EAR does not have general controls over services provided by U.S. persons, except in connection with violations of the EAR—“General Prohibition 10.” Most of the EAR are focused on regulating the export, reexport and transfer by U.S. and foreign persons of commodities, software and technology subject to the EAR. EAR Part 744 has long regulated the activities of U.S. persons, regardless of whether any technology is transferred, if they relate to weapons of mass destruction or foreign maritime nuclear projects. Section 1753 adds specific authority for the EAR to regulate services by U.S. persons, wherever located, if they are related to “specific foreign military intelligence services.” It remains to be seen how, or whether, BIS will implement this new authority in the EAR.

  1. Licensing Considerations Regarding the Defense Industrial Base

Section 1756(d) requires BIS to deny an application if the proposed export would have a “significant negative impact” on the defense industrial base, which is defined as including (i) a reduction in the availability of an item produced in the United States that is likely to be acquired by the U.S. government for the advancement of U.S. national security, (ii) a reduction in the production in the United States of an item that is the result of federally funded research and development, or (iii) a reduction in the employment of U.S. persons whose knowledge and skills are necessary for the continued production in the United States of an item that is likely to be acquired by the U.S. government for the advancement of U.S. national security. To help make this determination, BIS may seek information from the applicant regarding, for example, why the proposed export would be in the national interest and what the impact would be on the relative capabilities of U.S. and foreign militaries. Although previous administrations took such considerations into account when making licensing decisions, this section describes the standard in a novel, formal way consistent with the underlying policy motivations behind FIRRMA.

VII. Required Review of Licensing Policies Regarding Exports to Countries Subject to Arms Embargoes, Such as China

Although the ECA does not change any country-specific licensing policies, it does require BIS, in coordination with the other export control agencies, to “review license requirements relating to countries subject to a comprehensive arms embargo.” The section does not refer expressly to China or any other country, but it is clearly focused on requiring an evaluation of whether (i) the EAR’s China “Military End Use” rule should be expanded to also apply to “military end users” in China or additional items on the control list not now captured by the rule, and (ii) additional low-end items controlled for “anti-terrorism” reasons to only Iran and other comprehensively embargoed destinations should also be controlled for export to China. BIS must implement any recommended changes before early May 2019. Such changes are likely to occur.

VIII. Penalties and Enforcement

Section 1760 of the ECA codifies civil and criminal penalties that were established under the International Emergency Economic Powers Act (IEEPA). The maximum criminal penalties for willful violations will continue to be $1 million and, for individuals, imprisonment of up to 20 years. Maximum civil penalties will be slightly higher than the current inflation-adjusted penalties under IEEPA—$300,000 or twice the value of the applicable transaction, whichever is greater. Other penalties, such as denying a party the ability to export, remain the same.

Section 1761 of the ECA enhances BIS’s enforcement authorities, which are now on par with other enforcement agencies, such as the Department of Homeland Security and the Federal Bureau of Investigation. For example, a violation of ECRA, which includes both the export control and antiboycott provisions, is now a predicate offense that can be cited to justify a wiretap. ECA also gives BIS enforcement officials the authority to conduct investigations “outside the United States consistent with applicable law.” There are broader issues about the authority of the U.S. government to conduct investigations abroad that are beyond the scope of this alert, but ECA, unlike previous authorities, does not limit BIS to conducting investigations in only the United States. In addition, ECA gives BIS the authority to spend funds or engage in other financial transactions (such as leasing space) to conduct undercover investigations. Finally, ECA expands the bases upon which BIS enforcement can impose denial orders. Previously, BIS’s authority to impose denial orders was limited to situations where the person was convicted of a criminal violation of export control and other national security statutes. ECA expands the authority for BIS to issue denial orders when someone is convicted of criminal violations of conspiracy, smuggling or false-statements laws.

  1. Industry-Friendly Provisions

Consistent with long-standing BIS policies and practices, ECA requires that “licensing decisions are to be made in an expeditious manner [ideally, within 30 days of a request], with transparency to applicants on the status of license and other authorization processing and the reason for denying any license or request for authorization.” As under the Export Administration Act of 1979, no fees may be charged in connection with any license or other request made in connection with the EAR. In addition, BIS is required to continue helping U.S. persons, particularly including small- and medium-sized companies, comply with the EAR through training and other outreach.

  1. Coordination of Export Control and Sanctions Authorities

One of the key unrealized aspirations of the Obama administration’s export control officials was the creation of a single export control licensing agency that administered a single set of export control regulations in order to accomplish the national security and foreign policy objectives of the controls with significantly fewer regulatory burdens. Although the ECA does not suggest or require any organizational changes within the export control system, it does require the President to coordinate the export controls and sanctions administered by the departments of Commerce, State, Treasury and Energy. The ECA goes on to state that, in order to achieve such effective coordination, Congress believes that these agencies:

“should regularly work to reduce complexity in the system, including complexity caused merely by the existence of structural, definitional, and other non-policy based differences between and among different export control and sanctions systems” and

“should coordinate controls on items exported, reexported, or in-country transferred in connection with a foreign military sale [administered by the Department of State’s Office of Regional Stability and Arms Transfers (RSAT)]. . . or a commercial sale [of defense articles administered by the Department of State’s Directorate of Defense Trade Controls (DDTC)] to reduce as much unnecessary administrative burden as possible that is a result of differences between the exercise of those two authorities.”

Examples of how such coordination could be enhanced (but that are not described in ECA) include (i) continued efforts to harmonize definitions of terms in, and organizational structures of, the EAR, the ITAR and the sanctions regulations; (ii) the creation of a single online portal with a single common license application for submissions to BIS, DDTC, and the Office of Foreign Assets Control (OFAC), (iii) combined BIS, DDTC and OFAC training, outreach and enforcement efforts; (iv) regularly scheduled rotations of licensing officers among the agencies for cross training; and (v) delegations of authority making it so that the reexport of military items subject to the EAR have the same requirements and prohibitions, regardless of whether the item was originally exported under a foreign military sale or a direct commercial sale.

  1. Definitions in the EAR Are Unchanged

The definitions of key terms in ECRA, such as “export” and “technology,” are consistent with the definitions revised during the Obama administration’s Export Control Reform initiative. (The definition of “U.S. Person” as proposed would have inadvertently dramatically increased the extraterritorial scope of the regulations. That issue was fixed in the final version of ECRA.) Also, ECRA does not require BIS to change EAR definitions or core concepts, such as the de minimis carveout, or the meaning of “published” information or “fundamental research.” BIS continues to have discretion to amend most of the EAR’s definitions as necessary and to create new definitions.

During the early public discussion about ECRA and the “emerging” and “foundational” technology topic, some in industry expressed concerns that the statutory definition of “technology” would sweep more information within the scope of the EAR than the EAR did. Part of the discussion revolved around the words “required” and “necessary.” Another part revolved the words “development” and “know-how.” ECRA uses the same essential elements of the definition as does the EAR. That is, it defines the term as including information “necessary” for the “development,” “production” or “use” of an “item,” which is defined the same way as the EAR in that it means “commodities,” “software” and “technology.” The main difference is that ECRA uses the word “includes” rather than “means.” This gives BIS authority to expand the scope of covered “technology.” Given this discretion, that “necessary” information is vastly broader in scope than “required” technology, and that the concepts of “emerging” and “foundational” technologies are inherently broad, industry should follow closely the evolution of the proposed new controls. Subtle differences in terminology—such as between the use of “necessary” or “required” as control parameters—can have extraordinarily large impacts on the scope of information subject to licensing or other obligations.


DDTC Posts IT Modernization Webinar: Commodity Jurisdiction

2016/11/15

(Source: State/DDTC)

The webinar presented October 14, 2016 regarding the upcoming deployment of Defense Export Control and Compliance System (DECCS) Release 1 is available for review. The webinar provided a brief overview of the status of the IT Modernization effort and a demonstration of the new Commodity Jurisdiction (CJ) (DS-4076) interface.

Click here to read
Recorded webinar
Presentation slides


Electronics Retailer Pays $275,000 for Illegal Exports of Optical Sighting Devices

2015/02/04

By: John Black

Well-known electronics retailer, B&H Electronics Corp. of New York, most likely lost money on 50 exports of 0A987 optical sighting devices after it agreed to pay $275,000 for 50 illegal export between 2009 and 2012.  In fact, if B&H paid the standard hefty legal fees normally involved in reaching settlement agreements and paid to implement corrective, remedial actions to prevent future illegal exports, its losses could easily exceed double the $275k settlement payment.

Ever the auditor, I couldn’t stop myself from making a quick check-up on the B&H website to see what happens if I pretended to be outside the United States and order some optical sites.  When I indicated I was in Australia, the B&H website would not accept my order and cited US export controls as the reason.  I tried again using the UK, Pitcairn Island, and Canada and B&H refused each one, even for Canada.  I then ordered an Audio Technica turntable pretending to be in the same countries and the system did not refuse my order.

I pulled my audit’s cap tighter onto my head and I entered a fake order from Canada using the name of a person on an export prohibited parties list.  Unfortunately, in order to see if it would accept my order, I would have had to enter a credit card number, and, well I stopped my spot check at that point.  Not only did I not want my credit card charged, I did not want to participate in an export involving a prohibited party.


BIS Adds New Controls in the CCL on Integrated Circuits, Helicopter Landing Systems Radars, Seismic Detection Systems and Technology for IR Up-Conversion Devices

2014/11/24

By: Brooke Driver

Source: Federal Register

The Bureau of Industry and Security (BIS) amended the Export Administration Regulations (EAR) to impose foreign policy controls on read-out integrated circuits and related “software” and “technology,” radar for helicopter autonomous landing systems, seismic intrusion detection systems and related “software” and “technology”, and “technology” “required” for the “development” or “production” of specified infrared up-conversion devices.

The read-out integrated circuits and related “technology” are controlled under new Export Control Classification Numbers (ECCNs) on the Commerce Control List. An existing ECCN has been amended to control the related “software” for those items.

New paragraphs have been added to certain existing ECCNs to control radar for helicopter autonomous landing systems, seismic intrusion detection systems, and the “technology,” as mentioned, for specified infrared up-conversion devices. Specified existing “software” and “technology” ECCNs have been amended to apply to helicopter autonomous landing systems and seismic intrusion detection systems.

The items are controlled for regional stability reasons Column 1 (RS Column 1) and Column 2 (RS Column 2), and antiterrorism reasons Column 1 (AT Column 1).  For more information, go to http://www.bis.doc.gov/index.php/regulations/federal-register-notices#79fr66288.

 


BIS Imposes $750,000 Fine on Intel Sub Wind River Inc. for Violations of Encryption Export Rules—Really?

2014/11/24

By: Felice Laird

I must admit to a shudder of excitement and disbelief when I visited the BIS homepage recently and noticed a banner ad announcing a fine against an “Intel subsidiary for violations of encryption export regulations.”  I am one of the original crypto export geeks, having followed the tortured evolution of the controls from the late 1990’s through the creation and mutations of License Exception ENC, to today’s largely self-policing paradigm.  And I had never heard of a company being investigated or fined for violations in connection with an encryption export–until now.  And so, I wonder, why this, why now?

First, let me give the standard disclaimer;  I have no knowledge of this case other than what I have read in the documents released by BIS, namely, the Press Release, the Proposed Charging Letter, the Settlement Agreement and the Order.  These documents were prepared and issued by BIS, and they reflect only Commerce’s side of the story.  In fact, BIS has ordered the companies involved not to say anything publicly about the case, especially not to deny any of the charges, so we will never get the other side of the story.  The documents give clues as to what the violations were, when they occurred, how the Department found out about them and what the specific punishment is.  What is not clear is why, for the first time in 15 years, BIS came out with a public and painful punishment of a large U.S. company for encryption software exports.

For the export compliance professional, there are several really important things to note when reading the documents.  Here are some of them:

  • Wind River Systems is a subsidiary of Intel that was formed after Intel bought Wind River’s assets (and liabilities!) in 2009.  So, the important take away is that there is “successor liability,” and the government will go after a company for an acquisition’s export violations.  So, ask to be at the table in M&A talks.
  • The statute of limitations for the early violations had run out, but BIS made the company waive the statute somewhere along the line, so that the violations count.
  • The company submitted a Voluntary Self Disclosure that up until now (when done in connection with an encryption violation) usually leads to a nasty gram from BIS but no fines.
  • BIS issued a gag order in the Settlement Agreement prohibiting Wind River from saying anything about the case.
  • The Settlement agreement states that Wind River has to pay up in 30 days, or else they won’t be allowed to use any licenses or exceptions.

From my perspective, enforcement actions are useful training tools.  It is always a “better sell” when I am talking to companies about the risks involved in non-compliance when I have a good enforcement case to present as an example.  And indeed, I have had more than one awkward moment when talking with tech executives and developers who ask me to come up with evidence that the encryption controls are worth compliance measures.  Sometimes, I have to appeal to their patriotism as a last resort.  It is good to know that BIS cares enough about encryption export controls to go after non-compliant companies.

Lately though, I have been seriously questioning the rationale for maintaining export controls on commercial products that use encryption, since the disclosures made regarding NSA surveillance by Edward Snowden last year.  If NSA can intercept and decipher 99 percent of data transmissions, how can the USG continue to maintain that the encryption regs are necessary to support the intelligence community?

The better answer is that Category 5 Part II is synced in most respects to the Wassenaar list and the U.S. is obligated to maintain controls to honor commitments made to the Wassenaar member states.  And it is clear that efforts have been made by at least three of the most powerful delegations (U.S., France and the UK) to shore up controls on “cyber security” products, as they actively considered this at the December 2013 Plenary. (BIS deferred publication of CCL changes, affecting “cyber security” products, agreed to at the December 2013 plenary – indicating that these would be published in September, which has come and gone with no reg in sight.)

So, Wassenaar member states have had controls on encryption too.  But no country has a byzantine regulatory scheme comparable to that maintained by the U.S.  Over the years, License Exception ENC has morphed into a virtually inexplicable licensing loophole.  And so we wonder–should companies really have to continue funneling information to BIS and NSA by way of Classification Requests and Classification reports?  Does NSA really use any of the information?  Does anyone actually read the self-classification reports? ENC shipping reports?

In the few cases over the years that someone from NSA has shown up in daylight to an industry meeting, I always ask the question and get the answer that, yes, the information it gleans from the classification requests and reporting process is still necessary.  I must admit, I have never really bought that story, but that remains part of the answer to the why question.

That brings us back to the timing issue.  The press has widely reported the steps that the information technology industry has been taking to harden products and networks using cryptography and other security technologies to protect customer information from access by government agents.  Perhaps the Wind River case was meant to be a reminder to the industry that the U.S. Government still has the power to regulate which technologies are deployed internationally.


BIS Imposes $750,000 Fine on Intel Sub Wind River Inc. for Violations of Encryption Export Rules–Really?

2014/10/24

By: Felice Laird

I must admit to a shudder of excitement and disbelief when I visited the BIS homepage recently and noticed a banner ad announcing a fine against an “Intel subsidiary for violations of encryption export regulations.”  I am one of the original crypto export geeks, having followed the tortured evolution of the controls from the late 1990’s through the creation and mutations of License Exception ENC, to today’s largely self-policing paradigm.  And I had never heard of a company being investigated or fined for violations in connection with an encryption export–until now.  And so, I wonder, why this, why now?

First, let me give the standard disclaimer;  I have no knowledge of this case other than what I have read in the documents released by BIS last week, namely, the Press Release, the Proposed Charging Letter, the Settlement Agreement and the Order.  These documents were prepared and issued by BIS, and they reflect only Commerce’s side of the story.  In fact, BIS has ordered the companies involved not to say anything publicly about the case, especially not to deny any of the charges, so we will never get the other side of the story.  The documents give clues as to what the violations were, when they occurred, how the Department found out about them and what the specific punishment is.  What is not clear is why, for the first time in 15 years, BIS came out with a public and painful punishment of a large US company for encryption software exports.

For the export compliance professional, there are several really important things to note when reading the documents.  Here are some of them:

*    Wind River Systems is a subsidiary of Intel that was formed after Intel bought Wind River’s assets (and liabilities!) in 2009.  So, the important take away is that there is “successor liability,” and the government will go after a company for an acquisition’s export violations.  So, ask to be at the table in M&A talks.

*    The statute of limitations for the early violations had run out, but BIS made the company waive the statute somewhere along the line, so that the violations count.

*    The company submitted a Voluntary Self Disclosure that up until now (when done in connection with an encryption violation) usually leads to a nasty gram from BIS but no fines.

*    BIS issued a gag order in the Settlement Agreement prohibiting Wind River from saying anything about the case.

*    The Settlement agreement states that Wind River has to pay up in 30 days, or else they won’t be allowed to use any licenses or exceptions.

From my perspective, enforcement actions are useful training tools.  It is always a “better sell” when I am talking to companies about the risks involved in non-compliance when I have a good enforcement case to present as an example.  And indeed, I have had more than one awkward moment when talking with tech executives and developers who ask me to come up with evidence that the encryption controls are worth compliance measures.  Sometimes, I have to appeal to their patriotism as a last resort.  It is good to know that BIS cares enough about encryption export controls to go after non-compliant companies.

Lately though, I have been seriously questioning the rationale for maintaining export controls on commercial products that use encryption, since the disclosures made regarding NSA surveillance by Edward Snowden last year.  If NSA can intercept and decipher 99 percent of data transmissions, how can the USG continue to maintain that the encryption regs are necessary to support the intelligence community?

The better answer is that Category 5 Part II is synced in most respects to the Wassenaar list and the US is obligated to maintain controls to honor commitments made to the Wassenaar member states.  And it is clear that efforts have been made by at least three of the most powerful delegations (US, France and the UK) to shore up controls on “cyber security” products, as they actively considered this at the December 2013 Plenary. (BIS deferred publication of CCL changes agreed to at the December 2013 plenary affecting “cyber security” products – indicating that these would be published in September, which has come and gone with no reg in sight.)

So, Wassenaar member states have had controls on encryption too.  But no country has a byzantine regulatory scheme comparable to that maintained by the US.  Over the years, License Exception ENC has morphed into a virtually inexplicable licensing loophole.  And so we wonder–should companies really have to continue funneling information to BIS and NSA by way of Classification Requests and Classification reports?  Does NSA really use any of the information?  Does anyone actually read the self-classification reports? ENC shipping reports?

In the few cases over the years that someone from NSA has shown up in daylight to an industry meeting, I always ask the question and I get the answer that, yes, the information it gleans from the classification requests and reporting process is still necessary.  I must admit I have never really bought that story, but that remains part of the answer to the why question.

That brings us back to the timing issue.  The press has widely reported the steps that the information technology industry has been taking to harden products and networks using cryptography and other security technologies to protect customer information from access by government agents.  Perhaps the Wind River case was meant to be a reminder to the industry that the US Government still has the power to regulate which technologies are deployed internationally.


Satellites and Spacecraft Shift from USML to CCL: The Circle is Now Complete

2014/07/16

By: John Black

“I’ve been waiting for you, Obi-Wan. We meet again, at last. The circle is now complete.” –Darth Vader, Star Wars

Darth Vader’s reign ended; so too has the ITAR controls on many commercial communication satellites.

Some of us remember when commercial satellite export controls moved from the ITAR to the EAR in 1996. Soon after that came the Loral and Hughes case, which resulted in millions in penalties for transferring technology to the Chinese to help them figure out why a Chinese Long March rocket carrying a US satellite crashed. (The primary violations in that case were related to the transfer of rocket technology, not the transfer of satellite technology.) Then, in 1998, Congress passed the FY 1999 National Defense Authorization Act that transferred export control jurisdiction of commercial satellites from the flexible, exporter-friendly EAR to the rigid, exporter-unfriendly ITAR.

Now, the US Government has decided to change satellite spacecraft controls so that the USML controls only the most sensitive satellites/spacecraft and related items, while shifting the less sensitive items to the CCL. Importantly, the revised USML Category XV uses performance capabilities and functions as the basis for defining which items warrant ITAR export controls-Category XV does not focus on whether the item is designed for military or commercial applications. So, in some cases, the new Category XV will not control certain satellites designed for the military, and it will control satellites designed for commercial applications. It is not important who you designed it for or who is going to use it. The important decisive factors are capabilities and functions.

(Please do not use the words “military” or “commercial” for describing what is and is not in Category XV. That type of loose and inaccurate description of the post-Export Control Reform (ECR) USML is rapidly becoming one of my biggest pet peeves.)

In the May 13, 2014 Federal Register, the departments of Commerce and State published notices shifting a wide range of satellites/spacecraft and related items off the US Munitions List (USML) and on to the Commerce Control List. And, as we have seen in past ECR list shifts, when things shift off the USML, the Commerce Department creates new ECCNs in the Commerce Control List to impose CCL-controls on the shifted items. Past reform list shifted items have gone into 600 series military ECCNs. Most list-shifting satellites, spacecraft and related items go into four new 9X515 space ECCNs. Commerce has also adjusted other ECCNs for various reasons.

The majority of the new changes do not enter into force until November 10, 2014, although I will mention below some instances when certain aspects of the changes have a different effective.

The Waning Influence of Darth Vader: How Does the New Category XV Work?

To understand what happened, we need to look at the new Category XV to identify what has shifted and then at the EAR to see how it controls the shifted items.

“I’m Luke Skywalker. I’m here to rescue you.” Woops! I mean, “I’m John Reg-Whisperer. I am here to rescue (some of) you.”

The new Category XV uses many more detailed descriptions than its predecessor and generally controls fewer items. Most of the items that shift off of Category XV go to 9×515 ECCNs in the CCL. Importantly, some of the USML changes enter into force prior to the regular November 10, 2014 effective date. Integrated circuits formerly controlled by XV(d) and (e) shift to 9A515.d and 9A515.e effective June 27, 2014. The same June 27 effective date applies to 9D515 software and 9E515 technology related to those 9A515.d and .e integrated circuits.

Paragraph XV(a) controls “spacecraft, including satellites and vehicles,” regardless of whether they were designed or developed for research, military or commercial applications. Paragraphs (a)(1) – (a)(13) identify the functions and performance that Category XV uses to control spacecraft.

Paragraph XV(b) now is limited to ground controls systems and simulators specially designed for telemetry, tracking, and control of XV(a) items.

Paragraph XV(c) controls certain GPS-receiving equipment, which will move to Category XII when Category XII is revised.

Paragraph XV(d) no longer controls anything. It formerly controlled radiation-hardened integrated circuits. This change is effective on June 27, 2014. The earlier effective date means that these components will shift to 9A515.d before most of the other Category XV changes.

Paragraphs XV(e)(1) – (21) control specified parts, components, accessories, attachments, equipment or systems. Items not controlled here (or anywhere else in the USML) shift to the 9×515 ECCNs. An interesting aspect of XV(e) is that, in a few places, it says that EAR-controlled spacecraft with certain Category XV content remains EAR controlled-explicitly cancelling out the unwritten, arbitrary so-called ITAR see-through rule. More specifically, XV(e)(17) controls payloads that perform any of the functions in XV(a). Note 2 for XV(e)(17) explains that a spacecraft classified as ECCNs 9A004 of 9A515 keeps that classification even when incorporating a “hosted” payload performing a function in XV(a). (Note 1 to (e)(17) defines “hosted” and other types of payloads.) The, Note 2 to paragraph (e) says paragraph (e) items are subject to EAR controls when they are integrated into an EAR item.

An important aspect of the new XV(e) is that integrated circuits that otherwise would have been controlled by (e) are now 9A515.e, effective June 27, 2104.

Paragraph XV(f) controls technical data and defense services. Paragraph (f) has some non-standard controls on tech data that are worth noting. It clarifies that the scope of defense services may apply, for example, to activities related to EAR controlled spacecraft:

“Defense services include the furnishing of assistance (including training) in the integration of a satellite or spacecraft to a launch vehicle, including both planning and onsite support, regardless of the jurisdiction, ownership, or origin of the satellite or spacecraft, or whether technical data is used. It also includes the furnishing of assistance (including training) in the launch failure analysis of a satellite or spacecraft, regardless of the jurisdiction, ownership, or origin of the satellite of spacecraft, or whether technical data is used.”

Paragraph (f) also has a Note 1 that says that XV(f) does not control technical data related to XV(c) or XV(e) items when such items are integrated into an EAR-controlled satellite. Such data is 9E515. Note 2 says that certain activities and technical data are not subject to the ITAR or EAR: “Activities and technology/technical data directly related to or required for the spaceflight… passenger or participant experience, regardless of whether the passenger or participant experience is for space tourism, scientific or commercial research, commercial manufacturing/production activities, educational, media, or commercial transportation purposes…” This Note 2 appears to exclude from control information related to getting into the spacecraft, lifting weights in the spacecraft gym, using the bathroom and even cooking a steak while onboard, among other things.

Note 3 to paragraph (f) says that EAR99 is the classification for “housekeeping data,” which is “data transmitted to or from a satellite or spacecraft, whether real or simulated, when limited to information about the health, operational status, or function of, or measurements or raw sensor output from, the spacecraft, spacecraft payload(s), or their associated subsystems or components.”

Other ITAR Changes

To make clear that USML Category IV controls may apply when a non-ITAR satellite spacecraft is to be used with a Category IV launch vehicle, Category IV(i) now states:

“Defense services include the furnishing of assistance (including training) in the integration of a satellite or spacecraft to a launch vehicle, including both planning and onsite support, regardless of the jurisdiction, ownership, or origin of the satellite or spacecraft, or whether technical data is used. It also includes the furnishing of assistance (including training) in the launch failure analysis of a launch vehicle, regardless of the jurisdiction, ownership, or origin of the launch vehicle, or whether technical data is used.”

Finally, DDTC revised the ITAR 120.10 definition of technical data to clarify that telemetry data as defined in XV(f) is not technical data.

EAR Controls: “Help me EAR-Bi-Wan Kenobi. You’re my only hope.”

To some extent, many exporters got what they wanted; while DDTC did not shift all commercial satellites off the USML, less-sensitive satellites, spacecraft and related items are not controlled by the EAR and the EAR has 4 new space ECCNs (9A515, 9B515, 9D515 and 9E515) that join other existing ECCNs, such as 9A004, that control space-related items. At the end of the day, most items shifted continue to be fairly highly controlled.

Prior to this list shift, various ECCNs, such as 9A004 controlled items, were used in space. 9A004 is revised so that its paragraph .a controls the International Space Station (ISS) and its paragraph x. controls parts, components, accessories and attachments specially designed for the ISS.

The new 9×515 ECCNs, however, are the highlight of the EAR revisions. The 9×515 ECCNs generally are eligible for No License Required to Canada, have some License Exception STA availability for Country Group A:5 and require a license for everywhere else. The EAR does offer some flexibility to exporters and reexporters, as certain license exceptions, such as RPL, TMP, GOV, LVS, and AVS, are available in certain cases subject to limitation and restrictions similar to those that apply to 600 series items.

The EAR includes the various ITAR clarifications discussed above, such as the explicit limitations on the see-through rule for EAR items containing ITAR content, no controls on housekeeping data, passenger space flight information being classified as EAR99 and telemetry data not being controlled. The EAR also reflects the June 27, 2014 effective date for the shift of integrated circuits from Category XV(d) and (e) to 9A515.d and .e, respectively, so exporters may take advantage of these changes sooner than the other changes.

The new 9A515 is structured similarly to 600 series ECCNs and contains enumerated controls in paragraphs .a – .e and .y, and a catch all control in paragraph .x, catching specially designed items. 9A515.x, however, unlike most 600 series ECCNs, says that 9A515.x does not apply to specially designed items that are

–Microelectronic circuits: This means 9A515.x does not want to control integrated circuits that are not controlled by 9A515.d or .e. Look elsewhere in the CCL for those items.
–Described in certain named ECCNs and paragraphs: This means that if an item is described in one of the specified ECCNs and paragraphs, that ECCN controls the item, not 9A515.x.

9A515.y, which requires a license only for China, Cuba, Iran, North Korea, Sudan and Syria, only applies to items for which there is an interagency approved commodity classification (CCATS) that assigns 9A515.y as the classification.

[Confusion Warning: Because the 9A515.d and .e changes enter into force before the other 9A515 changes, the Federal Register notice actually changes 9A515 twice. The first change is to create 9A515.d and .e effective in June and the second change is to create the rest of 9A515 effective in November.]

Good News for Universities: Universities are eligible to take advantage of a new authorization in License Exception AVS 740.15(e) that authorizes the export of spacecraft and components for fundamental research purposes. AVS authorizes an accredited institution of higher learning to export items to another accredited institute of higher learning, a government research center or to a government funded research center in any country outside of Country Group D:5 and involving only non-D:5 nationals. This must occur in a fundamental research environment where all resulting technical data and information will be shared broadly and will be restricted for proprietary reasons.

Other Changes: In many respects, the new 9×515 space ECCNs are subject to many of the ITAR-lite or ITAR-like policies in the EAR that already apply to the 600 series military ECCNs. For example, the special rules applicable to 600 series ECCNs apply to 9×515 in these cases:

• 734.4 De minimis rule Limitations for Country Group D:5
• 740.2 Prohibitions on the use of license exceptions
• 744.21 Prohibition on export/reexport to China
• 758.1 and 758.2 AES filing requirements
• 758.6 Identify ECCN on the same documents requiring a Destination Control Statement

Action Items for the New ITAR and EAR Rules

Stormtrooper: Let me see your identification.
Obi-Wan Kenobi: [waves his hand] You don’t need to see his identification.
Stormtrooper: We don’t need to see his identification.
Obi-Wan Kenobi: These aren’t the droids you’re looking for.
Stormtrooper: These aren’t the droids we’re looking for.
Export Compliance Expert: These rules are complex.
EAR-Bi-Wan: [waves his hand]. These rules are easy to understand.
Export Compliance Expert: These rules are easy to understand.
EAR Bi-Wan: These changes and classifications will be easy to implement.
Export Compliance Expert: These changes and classifications will be easy to implement.

Feel better?

Unfortunately, while the force was helpful in the movie, I would not be looking for a miraculous force to come to your rescue, unless you consider the force to include the fact that you may continue to use ITAR licenses and approvals for these shifted items as you could for items in earlier ECR list shifts. Some spacecraft, satellites and related items have been freed from the ITAR dark side, but you still have to figure out exactly which of your items and technologies shifted off the USML to the CCL and how you will have to control the shifted items.

Instead of slaying storm troopers with your light saber, you need to get the Federal Register notices and read through them and study them. Those notices are at:

http://www.bis.doc.gov/index.php/regulations/federal-register-notices#79fr27417

http://www.gpo.gov/fdsys/pkg/FR-2014-05-13/pdf/2014-10806.pdf

It might help to play the theme music from Star Wars as you grind through the new regs–it certainly will cause your co-workers to wonder about you (again). Or more appropriately, as you grind through the regs, you might want to hear that famous quote from Chewbacca:

http://soundbible.com/484-Chewbacca-Wookie-Noise.html

“May the Force be with you.”


IT Problems Slow DDTC Commodity Jurisdiction Responses

2014/07/16

By: Brooke Driver

Even the government has to deal with IT problems, people. The State Department recently announced that those submitting Commodity Jurisdictions should be advised that, while the DDTC has not stopped accepting CJs for processing, there may be a delay in response due to “ongoing information technology assessments.” Here’s to hoping that “ongoing” doesn’t “go on” for long.


State Department Clarifies Recent Press Release Regarding Tokenization and Cloud Computing

2014/07/16

By: Brooke Driver

The Department of State’s Directorate of Defense Trade Controls recently issued minor clarifications to the postings on the Perspecsys, Inc. website relating to an advisory opinion on the secure transfer of technical data via the internet. The advisory opinion is stated below:

“In accordance with [ITAR] § 125.4(b)(9), tokenization may be used to process controlled technical data using cloud computing applications without a license even if the cloud computing provider moved tokenized data to servers located outside the U.S., provided sufficient means are taken to ensure the technical data may only be received and used by U.S. persons who are employees of the U.S. government or are directly employed by a U.S. corporation and not by a foreign subsidiary throughout all phases of the transfer, including but not limited to transmission, storage, and receipt. Inclusions of transfers to foreign persons would require the appropriate authorization from the Directorate of Defense Trade Controls.”

“Additionally, in all cases the technical data must be sent by a U.S. person who is an employee of a U.S. corporation or a U.S. government agency. Transmission of classified information through this means if sent or taken outside of the United States must be accomplished in accordance with the requirements of the Department of Defense National Industrial Security Program Operating Manual.”

The DDTC claims that the advisory opinion is not intended to imply that “sufficient means” to accomplish the requisite assurance levels exist today technologically, nor that tokenization by itself could achieve that end. In addition, the DDTC insists that the advisory opinion states that the use of cloud computing applications (even through tokenization) is limited to receipt and use of unclassified technical data by U.S. entities; transfer to a foreign entity would require separate authorization.
Finally, the DDTC asks readers to remember that advisory opinions are released in response to individual submissions and particular to individual situations, and therefore should not be considered reliable guidance or precedence for the general audience.


BIS Issues Advisory Opinion Confirming that the EAR’s General Technology Note Applies to All ECCNs Controlling ‘Technology’

2014/05/23

By: D. Jacobson and M. Burton (Source: International Trade Law News, http://www.tradelawnews.com/)

On March 25, 2014 the U.S. Commerce Department’s Bureau of Industry and Security (BIS) issued an Advisory Opinion (reprinted below) clarifying that the General Technology Note (GTN) in Supplement No. 2 to Part 774, http://www.bis.doc.gov/index.php/forms-documents/doc_download/750-774, of the U.S. Export Administration Regulations (EAR) applies to all Export Control Classification Numbers (ECCNs) on the Commerce on Commerce Control List “regardless of whether the ECCN specifically refers to the GTN or uses the term ‘required.’”

The reason for this inquiry is that there has been some uncertainty regarding the scope of the GTN in the EAR. This is because the GTN is based on the Wassenaar Arrangement’s (WA) GTN, which applies to the WA’s Dual-Use List. The U.S. Commerce Control List (CCL), however, includes many more items than covered by the WA Dual-Use List, such as items controlled for missile technology reasons, chemical and biological reasons, as well as many U.S. unilateral controls. As a result of Export Control Reform the CCL also contains certain military-related parts and components under the new “600 series” and will soon control commercial space and satellite-related items under the “500 series”.

The related “technology” for an item included on the CCL is controlled under the corresponding “E” Group of the ECCN. In many cases involving items controlled by the WA, the corresponding “E” Group specifically mentions the GTN, such as ECCN 3E001 which covers “‘Technology’ according to the General Technology Note for the ‘development’ or ‘production’ of equipment or materials controlled by 3A . . . 3B . . . or 3C.” Many other “E” Group ECCNs do not refer to the GTN.

The BIS Advisory Opinion makes clear that, while the GTN is based on the WA List, the “EAR does not limit its definition of technology or the GTN to only those technologies controlled in the EAR pursuant to the WA” and “[t]herefore, the GTN and the EAR’s definition of “required” apply to all references to ”technology” in all the ECCNs on the CCL.”

This confirms BIS’s longstanding but heretofore unwritten policy that, regardless of CCL category, the term “required” “refers to only that portion of ‘technology’ or ‘software’ which is peculiarly responsible for achieving or exceeding the controlled performance levels, characteristics or functions.” What this means from a practical perspective is that while the GTN applies to all ECCNs, not all technology related to a controlled item is necessarily “required” for its development, production, or use. Thus, careful analysis must be performed when classifying technology under the EAR.