On September 1, new definitions of terms used in the
International Traffic in Arms Regulations ("ITAR") and
Export Administration Regulations ("EAR") will enter into
effect. This two-part blog post highlights key upcoming
In Part 1 of this two-part post, we focus on new controls on the
"release" of technology and technical data. In Part 2,
we look at new rules related to the use of end-to-end
encryption for transferring EAR-controlled technology.
Overview of changes
Definitions that have been updated include the
New definitions that have been added include the following:
Managing access controls under the new 'release' definitions
Currently, the EAR controls the "release" (e.g.,
visual inspection, oral exchange) of EAR-controlled technology to
non-US (i.e., "foreign") nationals within or outside the
US. Similarly, the ITAR controls the "disclosing" of
technical data to a non-US person within or outside the US. The
broad scope of these controls has required companies handling
US-controlled items to implement effective controls in areas such
Physical access by non-US employees to US-controlled
Visitor access to facilities containing US-controlled
Access by IT administrators and "super users" to
technical data in IT networks; and
Access to technical data by third parties in workspaces.
The new definitions of 'export' and 'release'
under both the EAR and ITAR now specify that access by a non-US
person to US-controlled technical data or technology is considered
a 'release' (i.e., subject to export authorisation
requirements) if it "reveals" technical data or
technology to that person. Although the term "reveals" is
not defined, guidance in the Department of Commerce's
("DoC") Final Rule states that "merely seeing an
item briefly is not necessarily sufficient to constitute a release
of the technology required, for example, to develop or produce
it," and also excludes "theoretical or potential
access" from the definition of 'release'.
Impact on companies
These changes may provide companies with more flexibility to
define access control measures and manage instances where an
unauthorised individual comes into contact with technical data.
This is especially true for companies handling EAR-controlled
technology, as the new DoC rules also clarify the scope of EAR
controls on cloud computing networks and technology secured
using encryption (please see Part 2 of this two-part blog post for
However, companies must exercise caution in relaxing their
controls, as there is still ambiguity under the new definitions.
Companies must update existing policies and procedures
(particularly sections that include definitions of terms), and
define precisely what types of visual access they wish to control,
and determine when exactly technical data or technology may be
"revealed." In some cases, companies may prefer to
maintain current levels of access controls in order to minimise the
risks of inadvertent non-compliance.