Encryption Controls under the Export Administration Regulations

Encryption is generally defined as the process of converting information or data into a code, especially to prevent unauthorized access. Put simply, encryption makes a wide range of technologies more secure. Since 1996, most encrypted technology has been controlled by the EAR. Some encrypted technology that has military-related functionality is controlled by the International Traffic in Arms Regulations (“ITAR”). This article provides an overview of encryption controls under the EAR, outlines license exceptions for certain encrypted technologies, and provides best practices for export compliance.

Background on Export Administration Regulations

Over 95% of the world’s population is outside of the United States. Opportunities abound for U.S. companies that export. However, exporting is a privilege and not a right. U.S. exporters have an important responsibility to adhere to U.S. export control laws, including the Export Administration Regulations (“EAR”).

Administered by the U.S. Commerce Department, the EAR is a set of regulations which governs whether U.S. persons may export or transfer goods, software, and technology outside of the United States or to non-U.S. citizens. U.S. exporters have an important responsibility to adhere to the EAR. Violations of the EAR carry hefty civil and criminal penalties. Exporters can pay hundreds of thousands of dollars in penalties, lose export privileges, and even be imprisoned.

Encryption Controls

According to 15 CFR 742.15:

“Encryption items can be used to maintain the secrecy of information, and thereby may be used by persons abroad to harm U.S. national security, foreign policy and law enforcement interests. The United States has a critical interest in ensuring that important and sensitive information of the public and private sector is protected.”

Under the EAR, encrypted technology is generally classified under Category 5 Part 2 of the Commerce Control List (CCL). To classify encrypted technology on the CCL, as with classifying most articles, data, and services, it is essential to consult experts. Generally, engineers and subject matter experts on the specifications of the technology can serve as valuable resources to export compliance personnel in the classification process. Furthermore, resources such as encryption registration numbers, sales reports, marketing materials, technical specifications, and user manuals can be used to classify encrypted technologies.

Encrypted technology is everywhere. Daily household, commercial, and industrial goods are encrypted. Common encrypted items on the CCL include the following applications:

  • Entertainment
  • Mass commercial broadcast equipment
  • Medical record management technology
  • Telecommunications equipment
  • Mobile applications
  • Filesharing platforms
  • Financial platforms

Encrypted technology is often controlled for the following reasons:

  • Anti-terrorism (AT)
  • National Security (NS)
  • Encryption Items (EI)

Encryption Licensing Exceptions

However, most encryption items may be exported under the provisions of License Exception ENC set forth in § 740.17 of the EAR. This license exception permits exports of technology controlled for EI under any of the following circumstances:

  • Exports to ‘private sector end-users’ headquartered in a Supp. 3 country (Supplement No. 3 to Part 740) for internal use for the “development” or “production” of new products.
  • Certain additional exports to ‘private sector end-users’ headquartered in a Supp. 3 country for uses other than the “development” or “production” of new products. To meet this requirement:
    • The item must not be U.S. origin and must have become subject to the EAR after production;
    • All parties to the transaction must be subsidiaries of the same Supp. 3 company;
    • The end-user must be a ‘private sector end-user’; and
    • The characteristics of the item must not be enhanced unless otherwise authorized.
  • Exports to “U.S. Subsidiaries”, wherever located, for internal use, including to foreign national employees and individual contractors or interns of the U.S. company.
  • Exports of foreign-made encryption items developed with or incorporating U.S. origin encryption source code, components, or toolkits, provided the U.S. origin encryption item has been classified or reported under License Exception ENC and the encryption functionality has not changed.

What You Can Do

Exporters have significant responsibilities to ensure compliance and to avoid penalties and/or jail time (i.e., your compliance manager deserves a raise!). Proper adherence to EAR requirements ensures that your business contributes to safeguarding U.S. national security and avoids costly penalties. Many U.S. businesses have paid hefty civil penalties for violating U.S. export control laws. L3Harris Technologies, for example, was fined $13 million for illicitly exporting defense technology and software. For more examples of costly civil and criminal penalties, check out BIS’ latest Don’t Let This Happen to You! publication.

If you are exporting goods subject to the EAR, we recommend that you:

  • Develop an effective export compliance plan.

A key foundation of proactive and effective export compliance is the development of an export compliance plan. An export compliance plan establishes a set of procedures for your organization to ensure that everyone is on the same page about how standard processes work, who is responsible for what, how to identify violations, what to do when violations occur, etc. An export compliance plan helps build consciousness in your organization that compliance is critical, both to avoid costly penalties and to protect national security. Diaz Trade Law helps exporters create export compliance manuals that help prove you have a process in place to classify your merchandise correctly and vet your customers, and that ensure you can prove that you take compliance seriously and implement all of the important “great weight” mitigating factors. Diaz Trade Law has significant experience in developing and enhancing export compliance plans for organizations. Additionally, Diaz Trade Law can assist your business in auditing and improving your current plan so that it is in its best shape.

  • Engage in regular export compliance training.

A foundation of a strong export compliance program is export compliance training. Training is important because it (1) ensures that all employees understand the export regulations and reinforces internal policies and procedures, (2) demonstrates to federal government agencies that your business is proactive about export compliance, and (3) keeps your business from being subject to costly penalties and even criminal liability. Fortunately, export compliance training can be highly tailored to meet your company’s needs. All of your training events include assessments for comprehension, certificates for successful participation, and ample opportunities for Q&A. For your next export compliance training event, trust Diaz Trade Law to provide highly effective, engaging training.

  • Thoroughly vet your proposed export transactions.

Unsure whether a proposed export transaction violates the EAR? Diaz Trade Law has significant experience vetting your potential transaction against U.S. export control laws. Through research and due diligence, Diaz Trade Law ensures that your transaction won’t get you in trouble later down the road.

  • Request authorization when necessary.

BIS export authorization is required for many export transactions of controlled goods. Diaz Trade Law has significant experience in vetting proposed transactions to determine whether BIS authorization is required. Furthermore, Diaz Trade Law assists clients by filing BIS export license applications on their behalf on BIS’ SNAP-R portal.

  • Engage in mitigation and corrective actions.

If your business has violated U.S. export control laws, there is a lot you can do to mitigate penalties and prevent future violations. Diaz Trade Law has significant experience representing businesses in dealing with the U.S. Commerce Department’s Bureau of Industry & Security and the Census Bureau. Specifically, Diaz Trade Law has successfully assisted clients in (1) submitting voluntary self-disclosures to mitigate penalties, (2) negotiating agreements with BIS and Census, and (3) building corrective action systems to help ensure that your business does not make the same violation again.

Contact Us

Diaz Trade Law has significant experience in a broad range of export compliance matters. To learn more about the services we offer, contact us at info@diaztradelaw.com or call us at 305-456-3830.