BIS Final Rule On Cloud Computing
Cloud Computing Export Controls Relaxed
On September 1, 2016, new rules adopted by the Department of Commerce’s Bureau of Industry and Security (BIS) that amend the Export Administration Regulations (EAR) will go into effect. Among other things, the new rules are an attempt to update the EAR’s treatment of electronically transmitted and stored technology and software. The most significant change under the new rules is the decontrol of sending, taking, and storing of certain encrypted technology or software. Under the new rule, sending, taking, or storing this type of technology or software will not constitute an export if the technology or software is:
2. Uses end-to-end encryption;
3. The encryption technology meets or exceeds Federal Information Processing Standards (FIPS) Publication 140-2 and is supplemented by software implementation, cryptographic key management, and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute of Standards and Technology publications, or other equally or more effective cryptographic means; and
4. Not intentionally stored in a military embargoed country (Country Group D:5) or in Russia.
Under the new rules, companies based in the U.S., whose technology and software meet the criteria set forth above, will be able to use cloud technology and other means of electronic transmission (email, IM, etc.) to transfer and store technology and software otherwise controlled by EAR without facing export control requirements. Additionally, under the new rules U.S. nationals located outside of the United States will be able to use secured remote access technology to access data on a U.S. server without it being considered an export.
Concerning the encryption requirements mentioned above, the EAR now allows for decryption and re-encryption during the course of data transmission to address technical concerns, for example to allow transmission of data between servers and the establishment of a VPN connection, provided that any decryption and re-encryption are within the in-country security boundaries of either the originator or recipient and no third party has access to the unencrypted data. The new rules also provide that “access information,” such as network access codes, passwords, and decryption keys, that provides access to encrypted technology and software is subject to the same level of export controls that would apply to the data if the data were not encrypted.
The new rules also provide that victims of data or security breaches concerning encrypted data will not be considered responsible for the export, re-export, or transfer of such data if the originator of the technology did not provide access information or otherwise allow access to the encrypted data.
In sum, this change to the EAR will allow companies to use cloud technology to transfer and store unclassified “dual use” technology and software without the burden of export control compliance so long as the data meets the encryption requirements discussed above.
It is critically important to note that these changes apply only to EAR-controlled technology and software and not to ITAR-controlled technology and software. For this reason, companies that deal in technical data subject to ITAR controls must continue to distinguish between ITAR- and EAR-controlled technology and software when considering the use of cloud services.
Given this change, companies should determine whether their technology and software meet the criteria set forth above such that they could avail themselves of the new rules. Additionally, companies should review and revise their export control compliance programs accordingly.
Disclosure: Please note that the information provided in this article does not constitute legal advice and is not intended to be and should not be construed as legal advice. Readers with questions specific to the issues raised in this article should consult with qualified legal counsel. In the meantime, if you have any questions about the BIS Final Rule, please feel free to reach out to E. Martín Enriquez.