What is the issue?
As increasingly more employees telework and work remotely outside the office, it is important for organizations to ensure export compliance remains at the forefront. Sometimes, employees may be unaware that U.S. export controls continue to apply when working outside the office. Teleworking presents potential risks for inadvertent unauthorized transfers of technology and technical data by employees who may not fully understand the export controls under federal law on such transfers and the multiple means by which such transfers may occur.
Issues to Consider
1. Working Remotely and Exchanging Technical Specifications about a Product with a U.S. Person located outside the United States or with a Non-U.S. Person located anywhere:
Questions: If I share from the U.S. technical specifications of a product or operating software for a product with a person outside the United States, who is an employee of my company or an independent contractor hired by my company, might I require prior approval from the U.S. Government? Yes.
Might export restrictions under federal law apply to such a transfer to a non-U.S. Person within the United States? Yes.
U.S. export control regulations govern transfers of controlled technology, technical data, and software, including but not limited to, physical shipments or transfers and electronic transmissions of the controlled technology, technical data, and software.
The principal U.S. export control regulations include (a) the U.S. Export Administration Regulations (the “EAR”) administered and enforced by the U.S. Department of Commerce, Bureau of Industry and Security (“BIS”) and (b) the International Traffic in Arms Regulations (“ITAR”) enforced and administered by the U.S. Department of State, Directorate of Defense Trade Controls (“DDTC”). The EAR generally regulates the export of “dual use” goods, software, and technology, i.e., items which have principally civil application, but which may have military or other application. The ITAR regulates the export of certain defense and military related items and services, i.e., “defense articles” and “defense services.”
In addition, U.S. economic sanctions regulations and executive orders administered and enforced by the U.S. Department of the Treasury, Office of Foreign Assets Control (“OFAC”) may function, in effect, as export controls. The U.S. Government also maintains more specialized export control regulations administered by the Nuclear Regulatory Commission and the U.S. Department of Energy related to exports or imports of nuclear material or equipment and exports of technology and services for the development, production, or use of nuclear reactors, equipment and material.
2. Determining whether an Export of Information—Technical Data or Software—is Controlled or Regulated by Federal Law:
Question: What are the key factors to determine whether a U.S. Government license or authorization is required to transfer technical data, technology, or software to a foreign person either within the U.S. or outside the U.S.?
The first step in determining whether a license or authorization may be required is to determine whether the technical data, technology, or software is subject to the ITAR or EAR. If subject to the ITAR, prior authorization generally must be obtained from DDTC to transfer technical data, technology, or software to a foreign person either within the U.S. or outside the U.S. BIS license requirements are dependent upon an item’s technical characteristics, the destination, end user, and end-use of the item.
In general, the key factors to consider when determining whether a license or authorization is required are:
- • Does your conduct or transfer of an item or information constitute an “export”? • What technical data, technology, or software are you exporting? Is such technical data, technology, or software subject to the ITAR or the EAR? If so, within which category of the ITAR’s U.S. Munitions List or within which Export Control Classification Number of the EAR’s Commerce Control List does the technical data, technology, or software fall? • To what foreign nation is the technical data, technology, or software going? If the technical data, technology or software will remain in the U.S., will a non-U.S. person receive or have access to it? • Who will receive it? • What will the technical data, technology, or software be used for?
3. Maintenance of Controlled Technical Data, Technology, or Software Outside the United States
Question: If my company stores technical data, technology, or software in the “cloud” or a computer server outside the U.S., might transfers to such storage and maintenance of our technical data, technology, or software outside the U.S. be considered an “export” controlled by U.S. law and requiring a U.S. Government license or authorization? Yes.
Uploading data to a cloud storage or computer server outside the United States, except as noted below, is generally considered an export and may require a U.S. Government license or authorization. In addition to possible U.S. government licensing requirement raised by the transfer of data to a non-U.S. computer server, the use of a computer server in certain foreign nations or under the control of certain non-U.S. persons may present compliance risks and may be prohibited by federal statute.
However, under the EAR and ITAR (effective March 25, 2020), the transfer of technology and technical data outside of the United States using end-to-end encryption is not considered an export provided that the technology and technical data is encrypted in accordance with certain specified criteria in the applicable regulation (See, 15 C.F.R. Section 734.18; 22 C.F.R. Section 120.54(a)(5).
4. Medical Research and Testing:
Question: If I am involved in medical research or medical testing, are there export controls under federal law applicable to the transfer or export of medical samples, such as a coronavirus / SARS-CoV-2 sample? Yes.
In a report published on February 7, 2020, the International Committee on Taxonomy of Viruses (ICTV) classified the causative agent of COVID-19 respiratory disease as SARS-CoV-2 virus. BIS currently considers SARS-CoV-2 to be distinct from the SARS-CoV virus and as such will continue to classify the SARS-CoV-2 and its specific genetic elements as EAR99. Assuming that no prohibited use or user is involved, an export license is generally not required for export of this virus or its genetic elements to most destinations outside the United States.
5. Enforcement and Penalties:
Question – Are there civil and criminal penalties applicable to violations of these federal regulations and laws? Yes.
Both violations of the ITAR and EAR may be subject to criminal prosecution and administrative or civil penalties. For each, a criminal violation may be subject to 20 years imprisonment, a $1 million fine, and additional penalties, including debarment and denial of export privileges. Administrative penalties for a violation of the ITAR may include a monetary penalty of up to $1.18 million, debarment, and other penalties. Administrative penalties for a violation of the EAR may reach up to $300,000 per violation or twice the value of the transaction, whichever is greater. Violators may also be subject to the denial of their export privileges.
See the following information provided by the U.S. Government concerning its investigations and enforcement actions relating to export control violations:
6. Status of Operations
Question – Have the DDTC and BIS notified the public of possible delays in processing license applications or other regulatory activity due to the COVID-19 pandemic? Yes.
Due to reduced work forces and employees working from home, DDTC and BIS have informed the public to anticipate delays in licensing processing, commodity jurisdiction and general correspondence requests, and other approval requests.
Information on Status of Operations: