Primer on Deemed Export Compliance
When most people think of exports, they imagine the movement of merchandise across international borders. However, an export can happen without having to leave the United States, such as in your office breakroom, by storing unencrypted information in the cloud, or even by sharing your screen on a video call. A “deemed” export occurs when certain types of information are released to a foreign person. This primer describes the introductory concepts of deemed export enforcement in the United States, covering the rules enforced by the Bureau of Industry and Security (“BIS”) under the Export Administration Regulations (“EAR”), as well as the rules enforced by the Directorate of Defense Trade Controls (“DDTC”) under the International Traffic in Arms Regulations (“ITAR”).
What is a deemed export?
Under the EAR, a “deemed export” occurs with the release or transfer of technology or source code (but not object code) to a foreign person in the United States. A release of technology or source code to a foreign person is a deemed export to the foreign person’s most recent country of citizenship or permanent residency. See 15 C.F.R. § 734.13. DDTC has a similar rule for “deemed” exports. However, DDTC uses the term “technical data” rather than technology or source code and deems a release of technical data to a foreign person to be an export to ALL countries in which the foreign person holds or has held citizenship or permanent residency. See 22 CFR § 120.10.
Who is considered a foreign person in a deemed export?
The EAR and ITAR share the definition of “foreign person,” which includes any natural person who is not a lawful permanent resident of the United States, citizen of the United States, or any other protected individual as defined by 8 U.S.C. 1324b(a)(3) such as asylees. See 15 C.F.R. § 772.1 and 22 CFR § 120.16. This means that, if a person is not a U.S. citizen or U.S. permanent resident, they are considered a “foreign person” for deemed export purposes.
What are technology, source code, and technical data?
The EAR defines technology to mean any information necessary for the development, production, use, operation, installation, maintenance, repair, overhaul, or refurbishing of an item. The EAR defines source code as a convenient expression of one or more processes that may be turned by a programming system into equipment executable form (i.e., object code or object language). On the other hand, object code is defined as an equipment executable form of a convenient expression of one or more processes (i.e., source code) that has been compiled by a programming system.
The DDTC’s definition of “technical data” includes software and other information required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. These include blueprints, drawings, photographs, plans, and instructions. Technical data does not include general scientific, mathematical, or engineering principles commonly taught in schools, colleges, and universities, or information that is in the public domain or used for marketing. See 22 CFR § 120.10. The differences between the EAR and ITAR definitions are attributable to the way each is organized to categorize these types of information.
What is considered a “release” of technology, source code or technical data?
Under the EAR, a “release” of technology or software can occur through visual or other means of inspection by a foreign person of items that reveals the technology or source code. Verbal or written exchanges, including emails and shared-screen video calls, are also considered a release. See 15 C.F.R. § 734.15. However, DDTC treats a visual, oral, or written inspection or exchange of technical data, including use of access information (e.g., decryption keys, network access codes, and passwords) to view technical data or cause technical data outside the U.S. to be in unencrypted form, as a release. See 22 C.F.R. § 120.17.
Examples of Enforcement Actions
Based on the definitions of deemed export under the EAR and ITAR, for example, when an employee from Belarus who is working for a company in the U.S. on a work visa (but not as a permanent resident) opens a file on a computer and views technical blueprints for the company’s defense articles, that will be considered an export of that technical data to Belarus. Companies who have foreign employees working on technical data, technology, or source code are at a higher risk for export violations. The companies and institutions with the highest risk are universities, research and development startups, software designers, cloud-based service providers, and developers of defense equipment.
For example, in 2007, Intevac, Inc. released certain technology to a Russian national working at its Santa Clara, California facility. Intevac released drawings and blueprints for parts, and identification numbers for parts, development and production technology classified as ECCN 3E001 without a license. After discovering its violations, Intevac applied for a deemed export license; however, Intevac failed to prevent additional releases of technology while the license application was pending. BIS mitigated Intevac’s penalty amount down to $115,000 in civil penalties largely based on Intevac’s cooperation with BIS’s investigation and the fact that Intevac filed a voluntary self-disclosure concerning the violations. A copy of the settlement agreement can be found on BIS’s website.
Another example of deemed export violations can be seen from the acquisition of cloud storage companies abroad without compliance controls to limit release of information. SAP SE (Germany) paid more than $8 million in penalties resulting from the unauthorized disclosure of software to Iranian nationals through cloud storage providers that it acquired from approximately 2011 to 2017. SAP’s Cloud Business Group companies permitted approximately 2,360 Iranian users to access U.S.-based cloud services from Iran. Though SAP was aware prior to acquisition that these companies lacked adequate export control and sanctions compliance processes, SAP did not prevent the release of information and did not implement compliance procedures to prevent future violations. Although SAP ended up filing a disclosure of the errors, it was too little too late. A copy of the Non-Prosecution Agreement can be found on the Department of Justice’s website.
Exports go beyond the physical shipment of goods; the definition extends to the release of information to foreign nationals, even when that information stays within the borders of the U.S. There are severe penalties for violation of deemed export rules under the EAR and ITAR. However, penalties can be mitigated by filing a voluntary self-disclosure and taking proactive compliance measures to avoid release of controlled information to foreign persons. Companies with an elevated risk of deemed export violations should get expert advice from attorneys with skill and experience in export compliance.