[co-author: Nicole Hager]
On March 29, 2021, the Department of Commerce’s Bureau of Industry and Security (BIS) issued a final rule implementing certain changes in the Export Administration Regulations (EAR) agreed upon in December 2019 by governments participating in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement), a multilateral export control regime. In addition to these clarifications and modifications, the rule eases BIS’s encryption controls, including eliminating certain reporting requirements for mass market products. These encryption-related changes follow the U.S. government’s trend of slowly and steadily loosening controls on encryption products and reducing the regulatory burden for encryption exporters.
The EAR controls the export, reexport, and in-country transfer of commercial and dual-use commodities, software, and technology. Items with encryption functionality are subject to special rules under the EAR, including export classification and reporting requirements.
Under the existing regime, exporters can self-classify most products that use encryption for data confidentiality as Export Control Classification Number (ECCN) 5A002 (hardware) or 5D002 (software). These products are known as “(b)(1)” products, and they generally can be exported to non-sanctioned destinations without a license under License Exception ENC. To rely on this exception, exporters must submit an annual report to the U.S. government listing all self-classified products exported or reexported during the prior calendar year.
Additionally, most mass market products—i.e., those products that are generally available and of interest to the public—can be self-classified as ECCN 5A992 (hardware) or 5D992 (software) and exported to all destinations other than sanctioned countries without a license. Historically, the annual reporting requirement also applied for these products.
Certain more advanced or sensitive products, such as network infrastructure items, non-public source code, encryption technology, and quantum cryptography, are considered License Exception ENC “(b)(2)” products. Other items, including encryption components such as chips and chipsets, non-standard cryptography, digital forensics products, and cryptographic activation items, are considered ENC “(b)(3)” products. These (b)(2) and (b)(3) products are generally only eligible for export under License Exception ENC after submission of a formal commodity classification request to BIS; semi-annual reporting and additional licensing requirements also apply under certain circumstances.
Changes Under the New Rule
The new rule makes a number of changes to BIS’s encryption rules, including the elimination of the annual self-classification reporting requirement for most mass market products. The changes are summarized below:
BIS has eliminated the email notification requirement for publicly available encryption source code, as well as beta test encryption software, as long as the source code and beta test software do not implement non-standard cryptography. (Note that non-standard cryptography generally involves incorporation or use of proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body, e.g., IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, and GSMA, and that have not otherwise been published.)
The rule also adds gateways to an existing carve-out from the encryption controls for certain items (e.g., routers, switches, relays) that are limited to the tasks of Operations, Administration or Maintenance (OAM).
Apart from these encryption changes, as noted above, BIS clarified and modified several ECCNs in Categories 0, 1, 2, 3, 6, and 9 of the EAR’s Commerce Control List (CCL) to align with decisions made at the Wassenaar plenary meeting in 2019. These changes follow BIS’s October 2020 rule implementing revisions to the EAR related to emerging technologies, which also were agreed upon at the December 2019 plenary meeting. Companies that manufacture or engage in export transactions involving products and technologies classified in the modified CCL Categories should carefully review BIS’s changes and make any necessary updates to their export classifications.