Five things we learnt from the ‘Cloud computing and export controls’ webinar yesterday (9 September)

cloud computing

As with moving goods overseas, transferring information or technology to an international buyer can be counted as an export. 

If the information or software being exported is controlled, the sender should be aware of their regulatory requirements and may need an export licence. 

In a webinar held this week for the IOE&IT Export Control Profession, expert consultant Richard Tauwhare explained what this means for companies using cloud computing. 

Here are the five main takeaways from the webinar [see below to watch]:

1. Controls can apply in the cloud

Controls can be applied to certain types of information being sent internationally online 

As with goods exports, information that may have a military or dual-use – i.e. it could be used for either military or non-military purposes – could be affected. 

“The problem we face when using a cloud service is that a software or technology could be either routed through or stored in a foreign country, often without your knowledge,” said Richard. “Because it’s going to a foreign country, it could be subject to export controls.” 

Controls are not applied to technology that is already in the public domain or which is being used in basic scientific research.  

Any research that has a “practical aim” or “commercial purpose” will not count as scientific research in this context, Richard said. 

2. International regulations could apply

Companies exporting information or software between the UK, EU and US will need to be aware of the control regulations in these countries. 

These are: 

  • UK: Export Control Order 2008 
  • EU: EU Dual-Use Regulation, 428/2009 
  • US: International Traffic in Arms Regulations and the Export Administration Regulations 

Controls apply to technologies being exported from a country irrespective of its origin – for example, UK regulation applies to technology made in France but exported from the UK. 

3. Licence required if controlled tech is ‘made available’

New advice is currently being drafted as to what will count and not count as a controlled export in the UK. 

Currently, Richard explains that a “licence will be required if you make controlled technology or software available to anyone who is physically located outside of the UK”.  

For the length of the transition period an export of dual-use items counts as anyone outside of the EU, he added. 

4. Technology can be stored on the cloud 

Whether a licence is required is determined by the location of the recipient, not the item – under current UK guidance. 

This means software can be uploaded to the cloud without requiring a licence. 

However, “users do need to take appropriate action to ensure controlled technology which is uploaded to a server overseas is suitably protected, for example, by using industry-standard encryption,” he said. 

5. Post-transition 

The outcome of the negotiations for a post-transition UK-EU trade deal is unlikely to have an impact on export controls.  

Military items are already controlled under UK law and the EU dual-use rules will be retained in UK law. 

Here are the main points to consider: 

  • If you move dual-use items from the UK to the EU, you need to apply for an Open General Export Licence (OGEL) 
  • For EU-to-UK dual-use transfers, you will need to register for a General Export Authorisation 001. 
  • When moving controlled items from an EU state to a third-party country, a UK licence will no longer be valid, and you will need to apply for an EU licence.  
  • Similarly, an EU licence will not be valid for transferring software from the UK to a third-party country and you would need to apply for a UK licence.