Effective on the 25th of March 2020, the ITAR will be amended based upon an Interim Final Ruling published by the Department of State on 26 December 2019.
In an effort, under Export Control Reform, to further harmonize definitions found in the ITAR and the EAR, the State Department has amended definitions found in the ITAR to align them with those published in the EAR (§734.18 Activities that are not exports, reexports, or transfers) in December of 2017.
Five Activities NOT Considered Exports
This ruling will implement similar definitions for the ITAR as currently found in the EAR. The five activities (to be included in as new definitions in the ITAR [§ 120.54(a)(1) to § 120.54(a)(5)] when the Interim Final Ruling becomes Final) that will not be considered exports or “controlled events” (reexport, retransfer, temporary import) which would presently require a license or other approval are:
- Items launched into space (e.g., spacecraft, launch vehicle, payload, etc.);
- The transmission or transfer of technical data to a U.S. person within the United States from a person in the United States (Note: the transmission or transfer of technical data in the U.S. by a U.S. Person to a Foreign Person is still deemed to be an export for which an export authorization is required);
- Transmissions or other transfers of technical data between and among only U.S. persons in the same foreign country are similarly not reexports or retransfers provided they do not result in a release to a foreign person or transfer to a debarred or otherwise restricted person;
- It is not an export or a “controlled event” to move a defense article between the states, possessions, and territories of the United States (as currently defined in 120.13 of the ITAR);
- It is not an export or a “controlled event” to send, take, or store unclassified technical data when it is effectively encrypted using end-to-end encryption. The “controlled event” (export, reexport, retransfer, temporary import) occurs upon the release of the technical data.
READ #5 again, because it is the Ruling nearly everyone has been waiting for. This last activity, which will become § 120.54(a)(5) in the revised ITAR, is highly significant as it has been long awaited. The ability to “send, take, or store unclassified technical data” aligns closely with the ruling that was published by BIS in 15 CFR section 734.18, but there are additional restrictions to be imposed:
- The encryption must be accomplished in a manner that is certified by the U.S. National Institute for Standards and Technology (NIST) as compliant with the Federal Information Processing Standards Publication 140-2 (FIPS 140-2), or must meet or exceed a 128-bit security strength.
- The technical data may not be intentionally sent to a person in or stored in a proscribed country ( 126.1) or the Russian Federation, even in its encrypted state. (NOTE: 15 CFR section 734.18 of the EAR only lists the Russian Federation, whereas the ITAR Final Rule will include all § 126.1 proscribed countries).
Take a close look again at the last point, this is the one that levies the due diligence requirement on you and your company. You need to be sure (or as sure as you can be) that your technical data is not being sent or stored on a server located in a proscribed country, even if it is encrypted.
Compliance Hints
(1) Document the steps taken to ensure this does not occur;
(2) Check § 126.1 proscribed countries frequently. Countries come and go;
(3) If you use a 3rd party provider, audit them.
New Definition of “Release”
In addition to the above changes to the ITAR, the Interim Final Ruling has amended the definition of “release” (§ 120.50) by adding two new subparagraphs to paragraph (a) and a new paragraph (b) to clarify what constitutes a release of technical data, a controlled event requiring authorization from the Department, and the provision of access information that may result in the release of technical data.
The intended additional § 120.50(a)(3) will make it a release of technical data “to use access information to cause or enable a foreign person to access, view, or possess technical data in unencrypted form.” The intended additional § 120.50(a)(4) will make it a release of technical data “to use access information in a foreign country to cause technical data to be in unencrypted form, including when such actions are taken by U.S. persons abroad.” NOTE: this new addition does not change the existing exemption § 125.4(b)(9) which authorizes in certain circumstances most U.S. persons to release the technical data abroad to themselves or over their employer’s virtual private network.
The new paragraph in § 120.50 (b) was originally proposed as a new subparagraph to § 120.50(a) and it identified the action of providing to a foreign person information that can cause or enable access, viewing, or possession of technical data in unencrypted form; however, it apparently decided to clarify the intended language and make it clearer that the provision of access information to a foreign person is not itself an export or “controlled event”. Stated more clearly, there is no need for an export authorization for the provision of access information. However, paragraph § 120.50 (b) requires an export authorization for a release of technical data to a foreign person before providing the access information to that foreign person.
WARNING: If an authorization for the release of technical data in such circumstances has not been obtained prior to provision of the access information to a foreign person, it will be considered a violation of ITAR § 127.1(b)(1). In addition, causing or enabling a foreign person to access, view, or possess unencrypted technical data may constitute a separate violation if the exporter (or reexporter or retransferrer) has not received prior authorization in the form of a license or other approval.
Final Rule Coming Soon
It has taken two years since BIS provide its ruling § 734.18 on activities that are not exports, reexports, or transfers which opened the door to the sending, taking, or storing unclassified “technology” or “software” . It was hoped, at the time, that State Department would soon publish its ruling and amend the ITAR. Unfortunately, these types of significant changes to the ITAR do take time.
It is still possible that there will be further changes before the Final Rule is published on the 25th of March 2020. Additional comments have been solicited; however, it would seem that the amendments will occur as scheduled.
Between now and then, be sure you understand all the requirements and the nuisances that regulations can contain. Review the Final Ruling and the wording of each of the amendments. If you are unsure or have questions, contact your consultant at Export Solutions Inc. If you have not worked with us before, please contact us for a free consultation.
Jim McShane is a Sr. Consultant, Trade Compliance for Export Solutions -- a full-service consulting firm specializing in ITAR and EAR regulations.