Get Ready – Here They Come: Commerce’s and State’s Final Rules Revising Certain EAR and ITAR Definitions Go into Effect on September 1
Exactly a year after their last round of proposed rules, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) and the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) published their much-anticipated final rules revising certain key terms in the Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR) on June 3, 2016 (the “Final Rules”). The Final Rules’ effective date—September 1, 2016—is quickly approaching, a fact that has no doubt already spurred at least a little extra activity as members of impacted industries gear up to incorporate and address the changes in their compliance programs. Largely echoing the themes contained in the proposed rules, the Final Rules set forth a number of important changes and revisions to the EAR and the ITAR, including the streamlining and alignment of many cross-regulatory definitions for such critical terms as “export,” “reexport,” and “release.” However, even after September 1, 2016, work remains on the path to harmonization.
One of the main goals of the President’s Export Control Reform (ECR) Initiative is the harmonization, where possible and practical, of definitions and terms used across both the EAR and the ITAR. While both BIS’s and DDTC’s proposed definitions rules pursue this goal, BIS covers more ground in its Final Rule than DDTC. BIS’s Final Rule includes the addition of numerous key definitions and the separate enumeration of several exclusions and is supplemented by a set of Frequently Asked Questions (FAQs) that BIS compiled to address the issues covered in its Final Rule. While DDTC has provided some helpful clarifications in its Final Rule, the agency has also left for a later, “separate rulemaking” several terms that it covered in its proposed rule.
“Export,” “Reexport,” and “Retransfer” / “Transfer (in-country)”
Both agencies’ Final Rules attempt to more fully harmonize the EAR and ITAR by revising/adding definitions of “export,” “reexport,” and “transfer”(BIS)/“retransfer” (DDTC). BIS and DDTC specify in their Final Rules that “reexports” occur outside of the United States, describing transfers of items between two foreign countries. Similarly, BIS’s newly carved-out definition of “transfer (in-country)” runs parallel to DDTC’s definition for “retransfer,” both of which describe a change in end-use or end-user within the same foreign country.
In addition to better alignment of their definitions for “export” and its variations, both agencies codified explicit “deemed export” rules. DDTC’s Final Rule clarifies that disclosing “technical data” to a foreign person in the United States is deemed to be an export to all countries in which the foreign person holds or has held citizenship or holds permanent residency. BIS’s Final Rule, in contrast, codifies long-standing BIS policy that a “release” of “technology” or source code to a foreign person is deemed to be an export to that person’s most recent country of citizenship or permanent residency.
Additionally, both BIS’s and DDTC’s Final Rules create new stand-alone definitions for “release.” BIS specifies that a “release” extends beyond mere observation of a controlled item, requiring that, to constitute a “release” pursuant to the EAR, that inspection must actually reveal technology or source code subject to the EAR; mere theoretical or potential access does not constitute a release unless the technology or source code is actually revealed. Similarly, DDTC’s “release” definition includes allowing a foreign person to inspect a defense article in such a way that reveals “technical data” to the foreign person, as well as the oral or written exchange of “technical data” (including software object code) with a foreign person.
And, while both agencies proposed new definitions of activities that do not constitute exports, reexports, or transfers, only BIS addressed this issue in its Final Rule. Consistent with its proposed rule, BIS drew several existing exclusions from elsewhere in the EAR and compiled them into a separate section, 734.18. Further, BIS carved out from the definitions of “export,” “reexport,” and “transfer,” transmissions of technology or software when the transmission meets certain security-related criteria. Among these criteria is the requirement that the data must be secured using “end-to-end encryption,” meaning that the data must be encrypted between the sender’s security boundary and the recipient’s security boundary without being revealed in clear text or unencrypted form. Further, such data must be encrypted to the standard established by FIPS 140-2 or through equally or more effective cryptographic means. Additionally, though BIS’s Final Rule prohibits such excluded data from being intentionally stored in a country listed in Country Group D:5 or Russia, it also clarifies that data in transit via the Internet is not deemed to be stored, assuaging concerns raised by commenters regarding the possibility of such data technically being “stored” temporarily on servers located in these countries without the knowledge of the sender.
“Technology” and “Required”
While DDTC has reserved its revision of the definition of “technical data” for a separate rulemaking action, BIS moved forward with its revised “technology” definition. While most of BIS’s revisions to its “technology” definition are cosmetic, there are several notable changes that have been approved for the Final Rule. As it initially proposed, BIS has adopted a definition of “technology” that is consistent with the Wassenaar Arrangement’s definition, including the incorporation of Wassenaar-defined terms “development,” “production,” and “use,” which were already referenced in previous versions of the regulatory text. Further, BIS’s Final Rule codifies the agency’s “long-standing policy” that all six activities in the definition of “use” must be present to qualify as “use” technology.
Additionally, BIS provided a definition for “required,” retaining the existing EAR definition of the term but also adding notes to clarify its application. In its proposed rule, BIS had also offered a definition of the term “peculiarly responsible,” which was drafted to model the structure of the definition of “specially designed.” However, BIS declined to adopt the proposed “peculiarly responsible” definition for its Final Rule, citing a dozen comments from the public objecting to the definition’s expansion of the scope of control, and explaining that the term is already defined within the scope of the existing definition of “required.” Though DDTC had also proposed a definition of “required” last year, it did not include a revised version of the term in its Final Rule.
BIS made a number of other definitional changes and provided several points of guidance for industry. For example, BIS codified its interagency-cleared Deemed Reexport Guidance that was posted on its website, which ensures that deemed reexport authorizations for dual and third-country nationals available under the ITAR are also available under the EAR. BIS also codified the concept that an unwitting victim of a hacking incident is not the one responsible for the theft of EAR-controlled technology. Instead, the hacker is the one responsible because he/she caused the “release” of controlled technology through the use of a password or other access information.
Although it made limited definitional revisions, DDTC made some noteworthy changes to certain ITAR exemptions. In particular, DDTC revised the exemption in Section 125.4(b)(9) of the ITAR to also allow foreign persons (as opposed to only U.S. persons) authorized to receive technical data in the United States to receive that same technical data abroad, as long as such foreign persons are on travel or temporary assignment of behalf of their employer. In response to a comment from industry, DDTC also confirmed that the act of a U.S. person or authorized foreign person accessing technical data in the United States from abroad using a secure connection constitutes an “export,” but may be authorized under the Section 125.4(b)(9) exemption.
Further, DDTC converted Section 124.16 of the ITAR into an exemption and moved it to new Section 126.18(d) of the ITAR. This language generally is used to allow dual and third-country nationals of a foreign signatory or sub-licensee to a DDTC Agreement to access approved technical data and defense services as long as they are nationals exclusively of countries that are members of NATO, countries that are members of the European Union, Australia, Japan, New Zealand, and Switzerland, and certain other conditions are satisfied. Given that this language has been converted into an ITAR exemption, companies no longer need to request this special access in their DDTC Agreements. DDTC has updated its Agreements Guidelines to reflect this and other changes made in its Final Rule.
* * *
As noted above, DDTC’s Final Rule covers significantly less ground than BIS’s Final Rule. There are many key terms missing from DDTC’s Final Rule that were addressed in its proposed rule, including “defense article,” “defense service,” “technical data,” “public domain,” “development,” “production,” “technical data that arises during, or results from, fundamental research,” and “activities that are not exports, reexports, or retransfers.” DDTC also specifically shied away from any major definition revision related to transfers of encrypted technical data abroad. Whether and when DDTC will address the remaining definitions included in its proposed rule but missing from its Final Rule remains to be seen; the likelihood that the agency will be able to complete the revision of these and other key terms by the close of the current Administration’s term—at which point the tides pushing ECR forward may very well change—is open to question. In the meantime, however, companies must charge ahead to address those changes made in these Final Rules. And, while DDTC closed its open comment period on its Final Rule just a little over one month after publication, BIS remains open to public comments on its Final Rule “on a continuing basis,” offering industry the opportunity to raise concerns and highlight issues with the new definitions even as they begin to be implemented and applied.
For the full text of the Final Rules, including a complete list of the regulatory changes, please refer to BIS’s Final Rule here and DDTC’s Final Rule here. The text of BIS’s Final Rule-related FAQs can be found here.
 The six activities are operation, installation (including on-site installation), maintenance (checking), repair, overhaul, and refurbishing.