Both rule changes are effective September 1, 2016. BIS published its changes as a final rule, but is accepting comments on a continuing basis. DDTC published its changes as an interim rule, is accepting comments until July 5, 2016, and anticipates issuing additional rule changes.
This alert is the first in a series that will analyze the changes under these new regulations. It focuses on key changes to the ITAR and, in particular, the impact of those changes on the crucial area of technical data exports which can happen in the course of travel, global IT networks, emails, teleconferences and videoconferences, site visits, conversations and a variety of other commonplace activities for companies working with international partners, customers, supply chains and employees. Subsequent alerts will describe additional ITAR changes not covered in detail here, compare the ITAR and EAR changes, and provide more information on EAR-specific modifications.
Separately, on June 8, 2016, DDTC increased its penalty authority under the ITAR from $500,000 to $1,094,010 per violation to conform to the requirements of the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. This is the first time since 1985 that civil penalty authority, which is set out in the Arms Export Control Act at $500,000 per violation, has been increased. The increase in penalties adds urgency to the need for companies engaged in trade in items that are subject to the ITAR to examine and update their compliance programs in view of the changes taking place under ECR.” The new penalty authority is effective August 1, 2016.
ITAR Technical Data Exports to Foreign Persons
Both DDTC and BIS published changes to definitions of terms common to the ITAR and EAR as part of the continuing effort to harmonize controls. In part, DDTC revised the definitions for “export” and “reexport or retransfer,” and created new definitions for “release” and “retransfer.” Elements of the revised definitions largely align with corollary definitions in the EAR, but they are not structured the same way in the two sets of regulations. They also retain critical differences and trigger questions as to their alignment with current ITAR standards, some of which are highlighted below.
Revised Definition of “Export” and the New Term “Release”
DDTC revised the definition of “export” to more closely align with the EAR’s definition of “export” and to remove activities that are now captured as “reexports” or “retransfers” (i.e., activities associated with the further movement of a defense article or its “release” outside of the United States). For purposes of technical data exports, the relevant text previously stated that an export included the following:
Disclosing (including oral or visual disclosure) or transferring technical data to a foreign person, whether in the United States or abroad.
That language has been deleted, and the new relevant text reads:
Releasing or otherwise transferring technical data to a foreign person in the United States (a “deemed export”).
DDTC added a definition of “release” in order to harmonize with the EAR. The definition states:
a. Technical data is released through:
(1) Visual or other inspection by foreign persons of a defense article that reveals technical data to a foreign person; or
(2) Oral or written exchanges with foreign persons of technical data in the United States or abroad.
On their face, these changes may seem relatively minor. However, the new language—particularly the word “reveals”—raises a fundamental question with respect to a potential shift in licensing and enforcement policy at DDTC.
DDTC’s long-standing view has been that mere access to technical data, whether in physical or electronic form, is sufficient to constitute an export. In other words, if a company does not prevent unauthorized access by a foreign national to technical data, it has committed a violation of the ITAR—irrespective of whether the foreign national actually accessed that data. See General Motors Corporation/General Dynamics Corporation 2004 Consent Agreement Draft Charging Letter. This approach has driven licensing structures, compliance resourcing, and investigation and voluntary disclosure decisions for more than a decade among ITAR-regulated parties.
DDTC’s comment on the definition of export does not reinforce this position, but it does not clearly back away from it, either:
If a foreign person views or accesses technical data as a result of being provided physical access, then an “export” requiring authorization will have occurred and the person who provided the foreign person with physical access to the technical data is an exporter responsible for ITAR compliance.
BIS, though, goes much further in describing the exact same definition of “release” in its new rule:
A foreign person’s having theoretical or potential access to technology or software is similarly not a “release” because such access, by definition, does not reveal technology or software.
This highlights a tension in the new rules. DDTC states that a “major purpose of this rule is to harmonize the ITAR with the EAR.” BIS’s interpretation of the definition of the term “release”—which is the same language as is used in the ITAR for that term—seems to conflict with the historic DDTC approach on the issue of access. The final DDTC rule would benefit from clarification on whether DDTC agrees with BIS’s statement above or whether it is taking a different view.
Country of Birth as a Factor in Licensing
In December 2007, DDTC published a Federal Register notice that stated the following:
For export control purposes, DDTC has considered a third country national to be an individual from a country other than the country which is the foreign signatory to the agreement. A third country national may also be a dual national if he holds citizenship from more than one country. In addition to citizenship, DDTC considers country of birth a factor in determining nationality.
Consistent with DDTC policy, exporters have been compelled to consider country of birth in export licensing and compliance activities—creating a significant source of conflict with foreign governments, companies and individuals.
The new DDTC definition of “export” explicitly limits deemed exports—releases in the United States—to countries of past or present citizenship or permanent residency:
Any release in the United States of technical data to a foreign person is deemed to be an export to all countries in which the foreign person has held or holds citizenship or holds permanent residency.
This appears to indicate that DDTC will not consider country of birth as a factor in license applications—at least those involving deemed exports in the United States—suggesting to the regulated community that it does not need to factor that information into compliance programs, licensing strategies and internal investigations. In the final rule, it would be helpful if DDTC could confirm that country of birth information is no longer a factor in determining nationality as a general proposition—if it agrees that past and present citizenship, along with permanent residency, represents the current standard—thus eliminating any remaining ambiguity on this point and removing a chronic source of strain in relationships among parties to ITAR licenses.
Exemption for the Export of Technical Data to U.S. Persons and Their Foreign Person Employees
DDTC revised and expanded an exemption to normal licensing requirements that formerly covered only U.S. persons. The exemption allowed U.S. persons to export technical data to other U.S. persons or to U.S. government agencies while traveling abroad, as long as certain criteria were met. DDTC expanded the exemption to allow, subject to certain conditions, the export, reexport or retransfer of technical data by or to a foreign person employee of a U.S. person traveling or on temporary assignment abroad.
The conditions include:
Foreign persons may export, reexport, retransfer or receive only technical data that they are already authorized to receive.
The technical data may be “possessed or used” by only a U.S. person or authorized foreign person, and sufficient security precautions must be taken to prevent unauthorized release of the technical data (e.g., virtual private networks, passwords).
The individual must be employed by the U.S. government or a U.S. person and not by a foreign subsidiary.
The technical data may not be used for foreign production purposes or defense services, unless otherwise authorized.
Exports of classified data must conform with the NISP Operating Manual.
BIS and DDTC should be commended for their ongoing attempts to rationalize the rules through ECR, including these new definitions. In an attempt to harmonize, the agencies should continue to strive for opportunities to explain how long-standing interpretations and past guidance should be applied to the definitions in order to provide clarity to the regulated community, which invests significant resources to address these regulations. The above examples of export, release, reveal and country of birth represent instances in which past practices of DDTC do not clearly align with the new definitions as interpreted in comments to these new rules.
Akin Gump Strauss Hauer & Feld LLP will publish additional analyses of these changes. To the extent that you would like assistance preparing comments and/or analyzing any of the changes for your company, please do not hesitate to contact us.