For companies handling export-controlled technology, the
increasing prevalence of cloud computing and cross-border IT
networks raises significant challenges for effective compliance. In
a move to accommodate these trends, the US Department of Commerce
("DoC") has defined what it calls an
"encryption carve-out", which states that the
transmission of encrypted technology or software is no longer
deemed to be an export/reexport/transfer activity under the EAR,
provided certain criteria are satisfied.
These rules will enter into effect on September 1, alongside a range
of notable new definitions of terms used in the Export
Administration Regulations ("EAR") and International
Traffic in Arms Regulations ("ITAR") (see
Part I of this two-part post for an overview). However,
companies should note that the encryption carve-out applies only to
technology controlled under the EAR, and not to technical data
controlled under the ITAR.
The encryption carve-out
Key features of the new encryption carve-out include the following.
End-to-end encryption between security boundaries
The electronic transmission of technology/software will not be
subject to the EAR if the data is protected with "end-to-end
encryption", meaning that the data is encrypted from the
sender to the recipient, and cannot be accessed by other third
parties while in transit.
In response to industry comments that in-transit data could
potentially be encrypted and decrypted multiple times for technical
reasons during transmission from the sender to the recipient (such
as to establish communications with a VPN server), the final rule
permits decryption and re-encryption within the "security
boundary" of either the originator or recipient, provided that
the security boundary does not cross any country borders.
Additionally, third parties outside of the security boundaries
must not have the means to decrypt the in-transit data.
The encryption carve-out applies to in-transit data that is
encrypted to standards defined in the Federal Information
Processing Standards Publication 140-2 (FIPS 140-2), supplemented by
cryptographic controls specified in US National Institute of
Standards and Technology (NIST) publications. The final rule also
allows the use of "equally or more effective cryptographic
means" (EAR §734.18); however, the exporter would be
responsible for ensuring that any alternate encryption used works
as well or better than the reference standard.
Data storage in US arms-embargoed countries and Russia
The encryption carve-out does not apply to the storage of data
in countries subject to a US arms embargo (defined under Country
Group D:5 in the EAR) and Russia. It is important to note that data
in-transit via internet traffic through a country is not deemed to
be stored in that country. The final rule also clarifies that
in-transit data stored temporarily on servers in these countries
without the knowledge of the sender is not subject to the EAR.
Transfer of decryption keys or other means of decryption
The final rule introduces a new authorisation requirement for
the transfer of "access information" if it is known that
this could result in the unauthorised decryption and release of
controlled software or technology. Examples of access information
include decryption keys, network access codes and passwords that
could be used to convert data to an unencrypted form.
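The three technical conditions above (end-to-end encryption with a FIPS 140-2 approved algorithm, decryption and re-encryption only inside a party's own security boundary, and no release of access information to third parties) can be modelled in a few lines of code. The following Go program is an added example written for this post; it is not part of the DoC rule or of any cloud provider's product. It uses AES-256-GCM from the Go standard library (AES and GCM are FIPS 140-2 approved algorithms, but whether a given implementation is a validated module is a separate question this code does not answer). The keys are derived from fixed strings purely so the example runs offline; in practice they would come from a key-management system that never ships the key alongside the data. The "relay" represents a cloud server outside both parties' boundaries: it stores and forwards the blob but is never given the key, so the transmission stays encrypted end to end.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// DemoKey derives a 32-byte AES-256 key from a label. Demo only: a real
// deployment would obtain keys from a KMS/HSM, never from a string.
func DemoKey(label string) []byte {
	sum := sha256.Sum256([]byte("demo-key:" + label))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM. The result is nonce || ciphertext || tag.
// aad (for example the intended recipient's identity) is authenticated but not
// hidden, so a relay can route on it without being able to read the payload.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It fails if the key, the aad or any ciphertext byte differs,
// which is exactly what an untrusted relay without the key will hit.
func Open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// ForwardWithinBoundary models the VPN-gateway case the final rule allows: a hop
// inside the originator's security boundary decrypts under the internal hop key
// and re-encrypts under the end-to-end transfer key before the data leaves the
// boundary. The hop key never leaves the boundary; the relay only ever sees the
// re-encrypted blob.
func ForwardWithinBoundary(hopKey, transferKey, blob, aad []byte) ([]byte, error) {
	plaintext, err := Open(hopKey, blob, aad)
	if err != nil {
		return nil, fmt.Errorf("hop decrypt: %w", err)
	}
	return Seal(transferKey, plaintext, aad)
}

func main() {
	hopKey := DemoKey("originator-vpn-hop")       // stays inside originator boundary
	transferKey := DemoKey("originator-to-recipient") // shared only with recipient
	aad := []byte("recipient=engineering@example.test") // constructed sample AAD

	// Constructed sample payload standing in for EAR-controlled technology.
	internal, _ := Seal(hopKey, []byte("controlled drawing rev 3"), aad)
	onTheWire, _ := ForwardWithinBoundary(hopKey, transferKey, internal, aad)

	// The relay in a third country holds onTheWire but no key.
	if _, err := Open(DemoKey("relay-guess"), onTheWire, aad); err != nil {
		fmt.Println("relay cannot decrypt:", err)
	}
	got, err := Open(transferKey, onTheWire, aad)
	fmt.Printf("recipient reads %q (err=%v)\n", got, err)
}
```

The point of the `aad` argument is that the routing metadata a relay needs is bound to the ciphertext without being readable as payload; handing the relay the transfer key instead would be a transfer of "access information" in the sense of the new rule, and the carve-out would no longer apply.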
Impact on companies
Companies using cloud-based solutions will need to review and
ensure compliance with the specified encryption standards to be
eligible for the carve-out from EAR control. Continued safeguards
must be in place to prevent unauthorised storage of data in US
arms-embargoed countries as well as in Russia. Cloud service
providers should also revisit their current standards to cater to
customers requiring solutions that adhere to the new regulatory
Finally, although the encryption carve-out has been defined in
new rules published simultaneously by the DoC and the Department of
State ("DoS"), the DoS has not yet addressed the use of
encryption for transferring ITAR-controlled technical data. For
businesses that handle both EAR-controlled technology and
ITAR-controlled technical data and wish to take advantage of the
encryption carve-out, this may raise new challenges should
different standards and processes need to be applied for different