Export Controls and The Cloud: US rules clarified but the EU’s remain obscure

Cloud Encryption

The use of cloud computing services is increasingly becoming a part of everyday business practice, particularly to store, back-up, share and to access data remotely. But those whose data is subject to export controls have to be wary of using such services. They risk breaking the law by inadvertently sending controlled technology out of the country or allowing access to it by anyone outside the country. The US has recently announced some welcome steps to clarify precisely what can be done with US-controlled data without needing authorisation. Richard Tauwhare, a consultant on  export control issues, looks at the US rules and the lack of similar clarity in the UK and the EU.

United States

The US Directorate of Defence Trade Controls has recently issued an interim final rule, due to take effect on 25 March (subject to public comments), listing a number of activities which will no longer be controlled under the International Traffic in Arms Regulations (ITAR). Notably, these include cloud storage and transfer of unclassified ITAR technical data.

This long-awaited step broadly harmonises ITAR with similar provisions in the Export Administration Regulations (EAR 734.18) adopted in 2016. The main requirements and differences from the EAR are:

  • Encryption standards: the technical data must be encrypted with defined minimum security standards (NIST-certified FIPS 140-2 modules or other means with at least 128 bits; EAR does not specify the minimum standards required for “other means”);
  • End-to-end: encryption must be applied prior to data being sent outside of the originator’s security boundary and remain in place until it is within the recipient’s security boundary;
  • Granting Access: providing “access information” (e.g. decryption keys) that enables access to the encrypted data by foreign persons or in a foreign country requires prior authorisation (EAR requires authorisation for access information only if it is transferred with “knowledge” that its transfer would result in the release of technology or software without a required authorisation); and
  • Excluded Countries: even encrypted data must not be sent to or from, or stored in, excluded countries including Russia (EAR refers only to storage).

Europe

In Europe, by contrast, clarity and consistency continues to be lacking on three issues.

  • Do controls depend on the location of the technology or the person accessing it?

The Dual-use Regulation defines an export of technology or software (Article 2(2)(iii)) as either:

  1. making it available to a person located outside the EU; or
  2. transmitting it to a destination outside the EU (i.e. regardless of whether it is then made available to a person outside the EU).

This definition is repeated, for example, by Germany in its guidelines on technology exports.

Back in 2016 the European Commission proposed a change to this definition in its draft updated Dual-Use Regulation 428/2009, confining an export only to the act of making technology available to a person located outside the EU. But the Council (i.e. EU Member States)  has argued for also retaining controls on any transmission to a destination outside the EU. Negotiations over the revision of the Regulation continue to drag on so this issue – among others – has yet to be resolved.

Nonetheless both the UK (Guidance on the export of dual-use technology and Guidance on the transfer of military technology) and the Netherlands (factsheet ) are already working in effect on the basis of the Commission’s draft proposal and the US position i.e. that it is the location of the person accessing the technology or software and not the location of the technology or software itself that determines whether a licence is required. So controlled technology and software can in principle be transferred and stored abroad without a licence as long as it is not made available to any person located outside the EU or, in the case of military technology or software, the country itself. (Japan has also adopted a similar approach.)

  • Security of the data

This leads directly on to the issue of how to ensure that such technology or software is not made available to any unauthorised person. The Netherlands has defined – albeit in less detail than the US – a set of security requirements:

  • a “risk identification and risk management system” must be in place;
  • the transferor “must, at all times, have insight into who has access to what data in the Cloud” and must be able to show this information to the supervisory authority;
  • the transferor must use a private cloud secured by end-to-end encryption;
  • data on servers must “be encrypted in accordance with or exceeding industry standards, providing a level of security geared to the risks associated with the technology in question”; and
  • encryption keys must only be exchanged via a secure route outside the cloud-based environment.

 

The UK guidance, by contrast, refers only to the need for “effective measures” to prevent access but does not specify what these should include, thereby placing the onus on transferors to decide what is required to ensure that they comply with export controls. Informally, expected measures are understood to include industry-standard end-to-end encryption, strict control of the decryption key and, where appropriate, contractual arrangements with third party administrators to ensure the security of the data. But this has not yet been codified in any form, although it is understood that work is in hand to update the existing guidance (which dates from 2010).

  • Excluded server locations

While the US rules explicitly prohibit storage (and, in the case of ITAR, transfer) of controlled software, technology and technical data in certain excluded countries, the UK and the Netherlands have not clarified whether they apply similar restrictions (although the Netherlands reportedly may place restrictions on server location in the case of items on the military list or particularly sensitive dual-use items).

Conclusion

The harmonisation of the ITAR and EAR rules in the US is clearly welcome and should ease the use of cloud services and remote servers for those handling controlled technical data although  considerable care will continue to be needed to ensure compliance. In Europe, unless and until there is greater clarity and consistency, even greater care in managing storage and transfers of controlled technology and software remains advisable.

 

By Richard Tauwhare MVO MA MIExCP [i]

[i] Richard Tauwhare, a former UK Foreign Office official and Head of Export Control Policy, is an independent consultant who specialises in advice and training on US, UK and EU export controls and sanctions. He is a Member of the new Export Control Profession recently established by the Institute of Export. richard@rtclimited.com