The three key points in the US proposal to modernise export controls

In June this year, the US government published new Proposed Rules in the Federal Register. The proposal refers to significant changes in existing definitions within ITAR, the International Traffic in Arms Regulations.

If this proposal should pass, its impact would be far-reaching for our customers and business partners, particularly those who are active in the UK economy’s strongest sectors, i.e. the aerospace and defence industry.

In collaboration with involved US agencies, the US Department of State, Directorate of Defense Trade Controls (“DDTC”) aims to harmonise some definitions under the ITAR with definitions under the Export Administration Regulations (EAR). There are many developments in this area since the ongoing US Export Control Reform (ECR) has been initiated by the Obama Administration. In light of the recent proposal in June, the DDTC had given the public a chance to submit comments on the proposed changes, and the online consultation closed in August.

Here is a short outline of the three main areas the proposed revisions involve, and how they may impact businesses:

Cloud storage

The DDTC’s proposed definitions would allow companies to use the Internet – and the cloud – more efficiently when it comes to storing and transmitting ITAR-controlled technical data and software. The requirements for this are: (1) relevant data would have to be comprehensively encrypted; (2) servers could not be located in a Section 126.1 prohibited country or Russia; (3) the encryption would have to meet certain standards.

This change considers export controls from a cloud computing aspect, and I wonder if EU companies consider this an opportunity to more easily transmit and store US-controlled data in the future. Of course, this would require major adaptation of all involved business processes, which in turn could be a very complex project to implement.

Public domain

Another DDTC proposal concerns the definition of “public domain”. That’s quite important as it would mean that information and software in the “public domain” wouldn’t be considered as ITAR-controlled technical data. According to the DDTC, the proposal would generate more versatility to identify public domain sources than the current (list-based) approach.

But in order to be considered “public domain”, the release of such materials would require prior approval by specific US government agencies or officials. Failure to comply would be considered an export violation. This poses questions on whether and how such new qualification requirements would for example impact processing times and business operations. 

Defense service

Under the current ITAR, DDTC authorisation is required for any defence service provided by a US person abroad. Under DDTC’s proposed new definition, a “defence service” would include a US person providing assistance and training related to defence articles to a foreign, non-US individual - if they have “knowledge of U.S.-origin technical data directly related to the defence article that is the subject of the assistance prior to performing the assistance.”

The proposal specifies that US persons abroad who don’t have access to US-origin technical data cannot provide defence services covered by the ITAR. This suggested change seems to bear the potential to simplify compliance requirements for many US individuals working in the defence industry abroad.

Links and references

Export control compliance is a complex task for businesses today, and these latest proposed revisions by the US add to the challenge that companies are already facing to implement compliance programmes involving national, regional, and US regulations. It’s one of those areas in business where the devil is in the detail, and it pays off to stay up to date on latest developments to assess business impacts and improvement potentials.

If you’d like to review the official references, here are some links for you:

- the ITAR notice of proposed rulemaking can be found at 80 Fed. Reg. 31525 ( http://www.gpo.gov/fdsys/pkg/FR-2015-06-03/pdf/2015-12844.pdf );

- the corresponding EAR notice may be found at 80 Fed. Reg. 31505 ( http://www.gpo.gov/fdsys/pkg/FR-2015-06-03/pdf/2015-12843.pdf );

- and a side-by-side comparison of the regulatory texts of the proposed definitions is available at https://www.pmddtc.state.gov/FR/2015/Definitions%20Rule%20Harmonization%20Chart.pdf.