- On December 26, 2019, DDTC published an interim final rule that would allow, under certain conditions, encrypted technical data and software that is subject to the ITAR to be sent, shipped or stored outside the United States without the need for a DDTC license or other authorization.
- Although DDTC’s planned amendments to the ITAR contain subtle differences to the corresponding provisions in the EAR that BIS published in 2016, DDTC’s rule would nonetheless allow for the common international cloud-based storage and handling of properly encrypted technology/technical data and software subject to either the ITAR or the EAR.
- The rule is a continuation of efforts begun in 2015 to harmonize the definition of core terms in the EAR and the ITAR to reduce unnecessary regulatory burdens. Although it does not complete the effort, it nonetheless harmonizes additional provisions pertaining to the sharing of technology/technical data and software between U.S. persons, shipments within the United States and space launches.
- Comments must be submitted by January 27, 2020. The rule will become effective on March 25, 2020, unless DDTC decides to publish a new rule.
On December 26, 2019, the U.S. Department of State, Directorate of Defense Trade Controls (DDTC) published an interim final rule that would amend the International Traffic in Arms Regulations (ITAR) to largely harmonize with the Export Administration Regulations (EAR) the core regulatory definitions of what is and is not an export, a reexport and a retransfer. DDTC is accepting public comment on rule until January 27, 2020. The rule will become effective on March 25, 2020, unless DDTC decides to publish a new rule.
The rule is a continuation of an effort DDTC and the Commerce Department’s Bureau of Industry and Security (BIS) began in 2015 to harmonize, to the extent possible, the definitions of common terms in the regulations to reduce regulatory burden. BIS published in 2016 amendments to the EAR to implement its half of the harmonization effort. DDTC at the same time harmonized some of the definitions at issue, but needed more time to get input on some issues unique to the ITAR. The December 26 rule will complete much of the earlier efforts, particularly with respect to issues pertaining to when technical data and software subject to the ITAR could be legally stored on international cloud systems without the need for specific authorizations for each encrypted transmission to cloud servers outside the United States.
Specifically, DDTC’s published rule would create ITAR section 120.54 to largely mirror EAR section 734.18, which defines activities that are not an export, reexport or retransfer. The corresponding provisions are thus not exemptions or exceptions to the ITAR’s or EAR’s licensing obligations. Rather, they are carve-outs from the definitions of what constitute controlled events under the regulations, and can thus be applied with fewer variations and case-specific limitations.
The primary benefit of ITAR section 120.54 is that it would allow technical data to be taken or sent outside the United States without authorization from DDTC when it is end-to-end encrypted to an appropriate level.
- The technical data can be in any form, including in cloud storage, an email attachment, on your phone or computer, or in a hard or flash drive.
- The technical data must be encrypted in one of two ways, either (1) compliant with the U.S. National Institute for Standards and Technology (NIST) Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or (2) by other cryptographic means that provide security strength that is at least comparable to the minimum 128 bits of security strength achieved by the Advanced Encryption Standard (AES-128).
- The technical data must remain encrypted at all times between the sender and intended recipient. The intended recipient must be the sender, a U.S. person in the United States or a person otherwise authorized to receive the technical data, such as by a Technical Assistance Agreement (TAA), DSP-5, foreign person employment license or ITAR exemption such as that in ITAR section 125.4(b)(9).
- Access to the encrypted technical data by foreign persons does not require authorization from DDTC. This means that ITAR-compliant cloud storage no longer needs to be done only on servers located in the United States or administered only by U.S. persons.
- The technical data may not be intentionally sent to, stored in or sent from an ITAR section 126.1 country or the Russian Federation. However, the encrypted technical data may incidentally transit these locations en route.
- The means of decrypting the technical data is defined as “access information” under new ITAR section 120.55. New provisions are also added to ITAR sections 120.17 and 120.50 to make it a controlled release to use access information to decrypt the technical data outside the United States or by or for a foreign person. These releases are authorized by obtaining authorization for the underlying technical data, such as through a TAA, DSP-5, foreign person employment license or the use of an ITAR exemption.
New ITAR section 120.54 also explicitly provides that sending technical data from within the United States to a U.S. person in the United States is not an export, reexport or retransfer. This means, for example, that if an email between two U.S. persons in the United States incidentally transits Canada or another foreign country, it will not be an “export” and, therefore, not a potential violation of the ITAR.
New ITAR section 120.54 also provides that a transfer of technical data between U.S. persons abroad, but within the same foreign country, is not an export, reexport or retransfer, so long as it does not result in a release to a foreign person or a U.S. person who is debarred from receiving technical data. There have been many incidents over the years where U.S. persons visiting a foreign site have discussed technical data between themselves that is not covered by the relevant TAA. Companies have filed voluntary disclosures with DDTC when this occurred. This will no longer be necessary so long as the conversation is limited to U.S. persons.
New ITAR section 120.54 further provides that shipping, moving or transferring defense articles between or among the United States is not an export, reexport or retransfer. This is also addressed in ITAR section 123.12, but now it is clear that this activity is not conducted under an exemption and is, in fact, not controlled. It also incorporates the current provisions of ITAR section 120.17 that it is not a controlled event to launch items into space.
The changes, once they become effective, will advance the long-term effort to harmonize the basic elements of the two primary sets of export control regulations in order to reduce unnecessary regulatory burden. DDTC’s rule, combined with the existing EAR provisions, will also have significant practical benefits because they will allow for the common, and commercially viable, international cloud-based storage and handling of properly encrypted technology/technical data and software subject to either the ITAR or the EAR. The combination will thus create incentives for companies to encrypt securely their controlled technology/technical data and software, which benefits both industry and national security objectives.
There are, however, subtle differences and nuances to the regulations that may warrant comments to DDTC and BIS in order to accomplish the harmonization and security objectives more clearly and effectively. The administration is actively seeking input from industry on this issue. If you would like to discuss what comments may be of benefit to these efforts, and to your company or industry, do not hesitate to contact us. The contacts below were, during their government service, the primary drafters of the published definitions rules and would likely be able to provide unique and precise insights on your specific issues.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.