US proposes upgrades to export controls
government digitization

US proposes upgrades to export controls

The US submitted proposals to modernize export controls. Some seem to bear business improvement potentials and others new regulatory burden. Let’s take a closer look.

Taking initiative: US proposes changes

The US Department of State, Directorate of Defense Trade Controls (“DDTC”) aims to harmonize certain definitions under the ITAR with definitions under the Export Administration Regulations (EAR). In line with this goal, proposed revisions were published by the involved US agencies in June. The most significant proposed revision involves the new definition of the term “export” in each US agencies’ regulations, which would allow the use of the cloud for encrypted data if certain provisions are met.

But while this part of the proposal may have the biggest impact (if it should pass) for businesses involved in trading US-origin goods and data, it is not the only part of interest. I have summarized the three key changes proposed by the DDTC below:

Proposed key change 1: cloud storage

The DDTC has proposed definitions that would allow companies to make more efficient use of the Internet – and the cloud – in transmitting and storing ITAR-controlled technical data and software. This would require the respective data to be comprehensively encrypted, the servers not to be located in a Section 126.1 prohibited country or Russia, and the encryption to meet certain standards. The proposed revisions also may enable companies to increase use of Software as a Service (SaaS) solutions, as long as the application service provider cannot access ITAR-controlled data.

  • This is a significant change as it considers export controls from a cloud computing point of view. I would be interested to discuss this topic in more detail with our customers and partners to get their take on it. Would this change present opportunities for easier transmission and storage of US-controlled data?

Proposed key change 2: public domain

The DDTC also proposed to change the definition of “public domain”. This is very relevant, because the proposed revision would not consider information and software in the “public domain” as ITAR-controlled technical data. The DDTC argues that the proposal would create more versatility than the current list-based approach to identify public domain sources. However, to be considered “public domain”, release of the materials would need to be approved in advance by assigned US government agencies or officials, and failure to comply would be considered an export violation.

  • Is this a ‘warning flag’? Would compliance with this public domain qualification have an impact on operations? Again, I would be interested to hear your views.

Proposed key change 3: defense service

Under the current ITAR, any defense service provided by a US person abroad requires DDTC authorization. Under the proposed new definition, a “defense service” would include a US person providing certain assistance and training related to defense articles to a foreign person, if this US person “has knowledge of U.S.-origin technical data directly related to the defense article that is the subject of the assistance prior to performing the assistance.” The proposal makes clear that US persons abroad who do not have access to US-origin technical data are not in a position to provide defense services covered by the ITAR.

  • This proposal bears the potential to simplify compliance requirements for many US persons working abroad in the defense industry.

How are you coping? And things to keep in mind.

When considering the impact of these proposed changes, thoughts turn to companies that are already tackling the various challenges as part of the ongoing US Export Control Reform (ECR). These latest change proposals – while presenting opportunities – could certainly add to the challenges already faced by EU businesses implementing and maintaining national, regional, and US compliance programs. If you have any questions about how AEB software can help you with managing US export controls, please contact us

PS: In case you would like to review the official references: the ITAR notice of proposed rulemaking can be found at 80 Fed. Reg. 31525, and the corresponding EAR notice may be found at 80 Fed. Reg. 31505. A side-by-side comparison of the regulatory texts of the proposed definitions is available here.