Cloud computing is widespread and growing at a rapid pace in corporate information management because it generally is less expensive and more efficient than using internal corporate resources. But cloud services can expose users to unforeseen, complex and ill-defined export requirements and, in the event of non-compliance, to significant potential civil and criminal penalties, including substantial fines and even imprisonment. Businesses that store export-controlled data in the cloud need to be aware that their cloud service providers may store that data not only in the U.S. but also overseas, as part of load balancing and other techniques aimed at maximizing server efficiency and security, and that such practices, as well as the use of export-controlled software on cloud servers, could subject the cloud user (and in some cases the cloud service provider) to export compliance obligations. This Advisory provides an introduction to the export compliance issues raised by cloud computing, the laws that govern such activities, and best practices for cloud computing users and providers.
Cloud computing enables ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. Market analysts project that the global cloud computing market may increase from $40.7 billion in 2011 to $240 billion in 2020. Cloud computing is already widely embraced, with major providers—including Amazon Web Services, Google Apps and Microsoft—offering a complete set of storage, infrastructure, applications and services that enable businesses, government agencies, universities and individuals to fulfill virtually all computing needs in the cloud.
A fundamental aspect of cloud computing is ubiquitous access from anywhere to data and services that may be located anywhere, often in locations invisible and unknown to the user. But that basic characteristic creates an inherent tension between cloud computing and the U.S. export laws, which establish location-based rules governing exports of, and access to, technical data stored and accessed in the cloud.
U.S. exporters typically have procedures and practices in place to comply with the export laws. However, cloud computing raises export issues and challenges that may not be addressed by such existing export compliance programs, and that may not even have been considered by many companies that previously believed that they were not engaged in the export of products, services or technology.
U.S. Export Regulations
The U.S. government enforces multiple regulatory regimes controlling the export to non-U.S. persons, wherever located, of services, technology and products (including software) manufactured or designed in, transshipped through, or augmented in the U.S. These laws are expansively and aggressively applied with sweeping jurisdictional reach, and violations can result in significant fines, imprisonment and even in denial of future export privileges and debarment from certain government procurement opportunities. Of the many sets of applicable government regulations, those most likely to apply to cloud services are the Export Administration Regulations (EAR), which are enforced by the Department of Commerce’s Bureau of Industry and Security (BIS) and regulate generally the export and “deemed export”1 of “dual-use” (i.e., civilian and military) products and technologies, including technical data and other non-physical exports.
Export Agency Guidance on Cloud Computing
Of the principal U.S. agencies with export authority, only BIS has issued any formal guidance on cloud computing. While the EAR do not directly discuss cloud computing, BIS has issued two Advisory Opinions in response to questions submitted concerning the regulatory status of cloud computing.
In its First Advisory Opinion, BIS found that the provision of cloud computing services is not subject to U.S. export controls. BIS stated that providing “computational capacity” (cloud computing services) is not by itself an “export” subject to the EAR. BIS observed that generally the provider of cloud computing services is providing only a service and not exporting data or technology. A cloud provider in the U.S. generally is not the exporter of any data that users place on and retrieve from the cloud because the cloud provider does not receive the “primary benefit … of the transaction.” In BIS’s view, on the facts presented, only the cloud service user could be the exporter, and that user would be responsible for any export violation. BIS did note examples of situations arising in cloud computing arrangements that could constitute an “export” by a cloud provider that would be subject to the EAR, including, for example, (1) shipping or transmitting controlled software or technology subject to the EAR to a foreign destination, or to a foreign person in the U.S., to enable cloud computing (e.g., manuals or instructions) or technical services showing a user how to access and use the computational capacity of a cloud, or (2) transmitting controlled software or technology to and from the cloud.
While limited to the specific facts of the Advisory Opinion request, BIS made clear that, in general, the cloud user is responsible for export compliance. Note, however, that this AO expressed only the opinion of BIS and did not speak for other agencies with export enforcement responsibilities. Indeed, BIS noted that the Department of the Treasury’s Office of Foreign Assets Control (OFAC) might impose restrictions on the provision of cloud computing services to blocked persons or embargoed destinations even if BIS did not.
In its Second Advisory Opinion, BIS found that cloud computing providers do not require “deemed export” licenses for foreign national IT administrators who service and maintain the providers' cloud computing systems. Relying on its First Advisory Opinion, BIS noted that the service provider is not an exporter—it does not ship or transmit any EAR-controlled commodity, software or technology—and thus would not make a deemed export if its foreign national IT administrators monitored or screened the cloud user-generated technology subject to the EAR. BIS specifically did not address the release of EAR-controlled technology by the cloud service provider to any other foreign national employees under different factual circumstances.
Although BIS determined that release of EAR-controlled technology by the cloud provider to its foreign national IT administrators is not a deemed export, it did not take the next step and determine who would be responsible for the export, i.e., the disclosure of the U.S. technology to the foreign national IT administrator. However, since BIS relieved the provider of such responsibility, and the foreign national IT administrator could not have exported the technology to himself, that left the cloud user as the only possible exporting party!
But—and this is a principal risk in using cloud computing services—the user typically does not have knowledge of the location of the cloud service’s servers or the nationalities of all the IT personnel and other employees of the cloud service provider who may have access to the user’s data. Consequently, as explained below, cloud service users—particularly those who store certain technology-related data—may need to obtain commitments from cloud service providers that export-controlled user data will not be stored on servers located outside of the U.S. or be accessible by any foreign national employed by the provider.
While both BIS Advisory Opinions focus on the regulatory treatment of cloud service providers, they make clear that cloud service users remain responsible for exports that occur through their use of cloud services, even where such violations are unintentional and perhaps not even within their control. Export violations, both in cloud service and other contexts, are prosecuted by the enforcement agencies essentially on a strict liability basis: lack of intent or knowledge generally will not serve as a defense but may only factor into mitigation of penalties. Cloud service users therefore must be aware of the potential export implications of using public, hybrid or private cloud services, and should implement best practices, including the following, to avoid, or minimize the consequences of, export violations that may arise from their reliance on the cloud.
Cloud Service User Best Practices
Classify data in order to know whether any or all of it is subject to export controls and, if stored or routed outside of the U.S., or exposed to foreign nationals, would constitute an export for which a license is required.
Determine the actual routing and physical destination of any export-controlled technical data uploaded to the cloud in order to know whether export restrictions or licensing requirements may apply.
Seek assurances from providers that any export-controlled data will be located entirely on U.S. servers and will not be accessible by foreign nationals employed by the providers, and include specific contractual provisions to that effect in service level agreements.
Even with assurances or contractual commitments, exercise continuing diligence regarding any indication that export-controlled data is being maintained, or routed, outside the U.S. or made accessible by foreign nationals.
Be aware that cloud deployment of software utilizing or enabling certain types of encryption, or some types of networking technologies, can trigger export restrictions and licensing requirements not present when running that same software on a local network or U.S.-located private cloud.
When unsure of the export implications of a cloud service arrangement, consider seeking a license under the EAR (or determining if a license exception applies) for single or multiple transactions involving potential exports of such data from the cloud.
Impose restrictions on creation of copies of data by cloud service providers, and require that providers delete all copies (including backup copies) of such data once cloud services are terminated.
Review and modify, as necessary, export compliance policies and practices, and technology control plans, and inform and update employees on export issues arising from use of cloud services.
Ensure that cloud service agreements address the respective responsibilities of the parties for export compliance, and the penalties and other consequences of failure to comply with applicable export laws.
Cloud Service Provider Best Practices
Likewise, cloud service providers should implement best practices not only to lessen the possibility of their own liability under export agencies’ evolving interpretation and application of the export laws to cloud computing, but also to be responsive to the export compliance needs of their customers.
Consider offering users control over the physical location of the cloud services, e.g., by offering different service tiers (presumably with different pricing) accommodating user needs for U.S. servers administered by U.S. persons.
If they provide technical data (such as manuals or instructions), or technical services showing users how to access and use the computational capacity of a cloud, consider whether such data and services constitute exports subject to the EAR.
Guard against providing service to users in countries subject to sanctions under the export regulations (e.g., Cuba, Iran, North Korea, Sudan and Syria), consult with counsel or export regulatory personnel before providing service to other countries subject to export restrictions, and include prohibitions on use in those countries in their terms of service.
We can only hope that additional agency guidance on the export implications of cloud computing will be forthcoming sooner rather than later, and before unwary companies become ensnared in government enforcement actions due to their migration to the cloud. Until such advice is issued, companies need to be proactive in adopting policies and practices, and exercising diligence, that will reduce the risk of export violations arising from increased reliance on cloud services.