When most people think of exports, they imagine the movement of goods across international borders. However, an export can occur without having to leave the United States, such as in your office break room, storing unencrypted information in the cloud, or even sharing your screen on a video call. A “deemed” export occurs when certain types of information are disclosed to a foreign person. This primer is intended to outline the introductory concepts of United States Deemed Export Enforcement, which contemplates the rules enforced by the Bureau of Industry and Security (“BIS”) under United States regulations. Administration (“EAR”), as well as the rules applied by the Directorate of Defense Trade Controls (“DDTC”) under the International Traffic in Arms Regulations (“ITAR”).
What is a deemed export?
Under the EAR, a “deemed export” occurs with the dissemination or transfer of technology or source code (but not object code) to a foreign person in the United States. Dissemination of technology or source code to a foreign person is a deemed export to the foreign person’s last country of citizenship or permanent residence. See 15 CFR § 734.13. The DDTC has a similar rule for “deemed” exports. However, the DDTC uses the term “technical data” rather than technology or source code and considers a disclosure of technical data to a foreign person to be an export to ALL countries of which the foreign person holds or held citizenship or residence. permed. See 22 CFR § 120.10.
Who is considered a foreigner in a deemed export?
The EAR and ITAR share the definition of “foreign person”, which includes any natural person who is not a lawful permanent resident of the United States, a citizen of the United States, or other protected person as defined by 8 USC 1324b(a)(3) such as asylum seekers. See 15 CFR § 772.1 and 22 CFR § 120.16. This means that if a person is not a US citizen or permanent resident of the United States, they are considered a “foreign person” for deemed export purposes.
What is technology, source code and technical data?
The EAR defines technology as any information necessary for the development, production, use, operation, installation, maintenance, repair, overhaul or refurbishment of ‘an article. The EAR defines source code as a practical expression of one or more processes that can be transformed by a programming system into an executable form of equipment (ie, object code or object language). On the other hand, object code is defined as an executable form by equipment of a practical expression of one or more processes (i.e. source code) which has been compiled by a programming system .
The DDTC definition of “technical data” includes software and other information necessary for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. These include plans, drawings, photographs, blueprints and instructions. Technical Data does not include general scientific, mathematical, or engineering principles commonly taught in schools, colleges, and universities, or information that is in the public domain or used for marketing purposes. See 22 CFR § 120.10. The difference between the EAR and ITAR definitions is attributable to the way each is organized to categorize these types of information.
What is considered a “version” of technology, source code or technical data?
Under the EAR, a “dissemination” of technology or software may occur through visual or other inspection by an outside person of items that reveal the technology or source code. Verbal or written exchanges, including emails and split-screen video calls, are also considered a release. See 15 CFR § 734.15. However, the DDTC does process a visual, oral, or written inspection or exchange of technical data, including the use of access information (for example, decryption keys, network access codes, and passwords). password) to display technical data or cause technical data outside the United States to be unencrypted, such as a version. 22 CFR § 120.17.
Examples of implementing measures
Based on the definitions of deemed export under EAR and ITAR, for example, a Belarusian employee who works for the company in the United States on a work visa (but not as a permanent resident ) who opens a file on a computer and consults the technical drawings of the defense articles of their company will be considered as an export of these technical data to Belarus. Companies that employ foreign employees working on technical data, technology, or source code are more at risk of export violations. These highest-risk companies and institutions are universities, research and development startups, software developers, cloud-based service providers, and defense equipment developers.
For example, in 2007, Intevac, Inc. provided certain technology to a Russian national working at its factory in Santa Clara, California. Intevac has released drawings and plans for the parts, along with part identification numbers, ECCN 3E001 classified development and production technology without license. Upon discovering its violations, Intevac applied for a deemed export license after discovering the violations – however, Intevac failed to prevent additional releases of the technology while the license application was pending. BIS reduced Intevac’s fine to $115,000 in civil penalties, largely due to Intevac’s cooperation with the BIS investigation and the fact that Intevac filed a self-disclosure regarding violations. A copy of the settlement agreement is available on the BIS website here
Another example of alleged export violations can be seen in the acquisition of cloud storage companies overseas without compliance checks to limit information disclosure. SAP SE (Germany) paid more than $8 million in fines resulting from the unauthorized disclosure of software to Iranian nationals through cloud storage providers it acquired between around 2011 and 2017. Iran cloud services. Although SAP was aware prior to the acquisition that these companies did not have adequate export control and sanctions compliance processes in place, SAP did not prevent disclosure of information and did not implement compliance procedures to prevent future violations. Although SAP eventually filed an error disclosure, it was too little too late. Read the copy of the non-prosecution agreement on the Department of Justice website here.
Exports go beyond the physical shipment of goods; the definition extends to the disclosure of information to foreign nationals, even while staying within the borders of the United States. There are severe penalties for violations of alleged export rules under EAR and ITAR. However, the penalties can be mitigated by filing a voluntary self-disclosure and taking proactive compliance measures to avoid disclosure of controlled information to outsiders. Businesses at high risk of suspected export violations should seek expert advice from knowledgeable and experienced export compliance attorneys.