Cloud Computing: U.S. Export Controls Reach for the Sky

by Davis Wright Tremaine LLP

Cloud computing is widespread and growing at a rapid pace in corporate information management because it generally is less expensive and more efficient than using internal corporate resources. But cloud services can expose users to unforeseen, complex and ill-defined export requirements and, in the event of non-compliance, to significant potential civil and criminal penalties, including substantial fines and even imprisonment. Businesses that store export-controlled data in the cloud need to be aware that their cloud service providers may store that data not only in the U.S. but also overseas, as part of load balancing and other techniques aimed at maximizing server efficiency and security, and that such practices, as well as the use of export-controlled software on cloud servers, could subject the cloud user (and in some cases the cloud service provider) to export compliance obligations. This Advisory provides an introduction to the export compliance issues raised by cloud computing, the laws that govern such activities, and best practices for cloud computing users and providers.

Cloud Computing
Cloud computing enables ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Market analysts project that the global cloud computing market may increase from $40.7 billion in 2011 to $240 billion in 2020. Cloud computing is already widely embraced, with major providers—including Amazon Web Services, Google Apps and Microsoft—offering a complete set of storage, infrastructure, applications and services that enable businesses, government agencies, universities and individuals to fulfill virtually all computing needs in the cloud.

A fundamental aspect of cloud computing is ubiquitous access from anywhere to data and services that may be located anywhere, often in locations invisible and unknown to the user. But that basic characteristic creates an inherent tension between cloud computing and the U.S. export laws, which establish location-based rules governing exports of, and access to, technical data stored and accessed in the cloud.

U.S. exporters typically have procedures and practices in place to comply with the export laws. However, cloud computing raises export issues and challenges that may not be addressed by such existing export compliance programs, and that may not even have been considered by many companies that previously believed that they were not engaged in the export of products, services or technology.

U.S. Export Regulations
The U.S. government enforces multiple regulatory regimes controlling the export to non-U.S. persons, wherever located, of services, technology and products (including software) manufactured or designed in, transshipped through, or augmented in the U.S. These laws are expansively and aggressively applied with sweeping jurisdictional reach, and violations can result in significant fines, imprisonment and even in denial of future export privileges and debarment from certain government procurement opportunities. Of the many sets of applicable government regulations, those most likely to apply to cloud services are the Export Administration Regulations (EAR), which are enforced by the Department of Commerce’s Bureau of Industry and Security (BIS) and regulate generally the export and “deemed export” of “dual-use” (i.e., civilian and military) products and technologies, including technical data and other non-physical exports.

Export Agency Guidance on Cloud Computing
Of the principal U.S. agencies with export authority, only BIS has issued any formal guidance on cloud computing. While the EAR do not directly discuss cloud computing, BIS has issued two Advisory Opinions in response to questions submitted concerning the regulatory status of cloud computing.

In its First Advisory Opinion, BIS found that the provision of cloud computing services is not subject to U.S. export controls. BIS stated that providing “computational capacity” (cloud computing services) is not by itself an “export” subject to the EAR. BIS observed that generally the provider of cloud computing services is providing only a service and not exporting data or technology. A cloud provider in the U.S. generally is not the exporter of any data that users place on and retrieve from the cloud because the cloud provider does not receive the “primary benefit … of the transaction.” In BIS’s view, on the facts presented, only the cloud service user could be the exporter, and that user would be responsible for any export violation. BIS did note examples of situations arising in cloud computing arrangements that could constitute an “export” by a cloud provider that would be subject to the EAR, including, for example, (1) shipping or transmitting controlled software or technology subject to the EAR to a foreign destination, or a foreign person in the U.S., to enable cloud computing (e.g., manuals or instructions) or technical services to show a user how to access and use the computational capacity of a cloud, or (2) transmitting controlled software or technology to and from the cloud.

While limited to the specific facts of the Advisory Opinion request, BIS made clear that, in general, the cloud user is responsible for export compliance. Note, however, that this AO expressed only the opinion of BIS and did not speak for other agencies with export enforcement responsibilities. Indeed, BIS noted that the Department of the Treasury’s Office of Foreign Assets Control (OFAC) might impose restrictions on the provision of cloud computing services to blocked persons or embargoed destinations even if BIS did not.

In its Second Advisory Opinion, BIS found that cloud computing providers do not require “deemed export” licenses for foreign national IT administrators who service and maintain the providers' cloud computing systems. Relying on its First Advisory Opinion, BIS noted that the service provider is not an exporter—it does not ship or transmit any EAR-controlled commodity, software or technology—and thus would not make a deemed export if its foreign national IT administrators monitored or screened the cloud user-generated technology subject to the EAR. BIS specifically did not address the release of EAR-controlled technology by the cloud service provider to any other foreign national employees under different factual circumstances.

Although BIS determined that release of EAR-controlled technology by the cloud provider to its foreign national IT administrators is not a deemed export, it did not take the next step and determine who would be responsible for the export, i.e., the disclosure of the U.S. technology to the foreign national IT administrator. However, since BIS relieved the provider of such responsibility, and the foreign national IT administrator could not have exported the technology to himself, that left the cloud user as the only possible exporting party!

But—and this is a principal risk in using cloud computing services—the user typically does not have knowledge of the location of the cloud service’s servers or the nationalities of all the IT personnel and other employees of the cloud service provider who may have access to the user’s data. Consequently, as explained below, cloud service users—particularly those who store certain technology-related data—may need to obtain commitments from cloud service providers that export-controlled user data will not be stored on servers located outside of the U.S. or be accessible by any foreign national employed by the provider.

Best Practices
While both BIS Advisory Opinions focus on the regulatory treatment of cloud service providers, they make clear that cloud service users remain responsible for exports that occur through their use of cloud services, even where such violations are unintentional and perhaps not even within their control. Export violations, both in cloud service and other contexts, are prosecuted by the enforcement agencies essentially on a strict liability basis, where lack of intent or knowledge generally will not serve as a defense but, rather, only may factor into mitigation of penalties. Cloud service users therefore must be aware of the potential export implications of using public, hybrid or private cloud services, and should implement best practices, including the following, to avoid, or minimize the consequences of, export violations that may arise from their reliance on the cloud.

Cloud Service User Best Practices

  • Classify data in order to know whether any or all of it is subject to export controls and, if stored or routed outside of the U.S., or exposed to foreign nationals, would constitute an export for which a license is required.
  • Determine the actual routing and physical destination of any export-controlled technical data uploaded to the cloud in order to know whether export restrictions or licensing requirements may apply. 
  • Seek assurances from providers that any export-controlled data will be located entirely on U.S. servers, and that it will not be accessible by foreign nationals employed by the providers, including specific contractual provisions in service level agreements. 
  • Even with assurances or contractual commitments, exercise continuing diligence regarding any indication that export-controlled data is being maintained, or routed, outside the U.S. or made accessible by foreign nationals.
  • Be aware that cloud deployment of software utilizing or enabling certain types of encryption, or some types of networking technologies, can trigger export restrictions and licensing requirements not present when running that same software on a local network or U.S.-located private cloud.
  • When unsure of the export implications of a cloud service arrangement, consider seeking a license under the EAR (or determining if a license exception applies) for single or multiple transactions involving potential exports of such data from the cloud.
  • Impose restrictions on creation of copies of data by cloud service providers, and require that providers delete all copies (including backup copies) of such data once cloud services are terminated.
  • Review and modify, as necessary, export compliance policies and practices, and technology control plans, and inform and update employees on export issues arising from use of cloud services. 
  • Ensure that cloud service agreements address the respective responsibilities of the parties for export compliance, and the penalties and other consequences of failure to comply with applicable export laws.

Cloud Service Provider Best Practices
Likewise, cloud service providers should implement best practices not only to lessen the possibility of their own liability under export agencies’ evolving interpretation and application of the export laws to cloud computing, but also to be responsive to the export compliance needs of their customers.

  • Consider offering users control over the physical location of the cloud services, e.g., by offering different service tiers (presumably with different pricing) accommodating user needs for U.S. servers administered by U.S. persons.  
  • If they provide technical data (such as manuals or instructions), or technical services showing users how to access and use the computational capacity of a cloud, consider whether such data and services constitute exports subject to the EAR. 
  • Guard against providing service to users in countries subject to sanctions under the export regulations (e.g., Cuba, Iran, North Korea, Sudan and Syria), consult with counsel or export regulatory personnel before providing service to other countries subject to export restrictions, and include prohibitions on use in those countries in their terms of service. 

Conclusion
We can only hope that additional agency guidance on the export implications of cloud computing will be forthcoming sooner rather than later, and before unwary companies become ensnared in government enforcement actions due to their migration to the cloud. Until such advice is issued, companies need to be proactive in adopting policies and practices, and exercising diligence, that will reduce the risk of export violations arising from increased reliance on cloud services.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising
