Consumer Electronics Daily was a Warren News publication.

State Department Issues Interim Final Rule for Definitions of Activities That Are Not Exports, Re-exports, Retransfers

The State Department published an interim final rule that will revise the International Traffic in Arms Regulations to provide definitions for activities that are not exports, re-exports, retransfers or temporary imports, the agency said in a notice in the Federal Register. The activities include launching items into space, providing technical data to U.S. people within the U.S. or “within a single country abroad,” and moving defense items within the U.S.

The changes also clarify that electronic transmissions and storage of “properly secured unclassified technical data via foreign communications infrastructure” do not constitute an export. The agency is also amending the ITAR to create a definition for “access information” and revise the definition of “release” to “address the provision of access information to an unauthorized foreign person.” The State Department has been preparing the rule since at least May (see 1905240025).

The State Department is giving industry an opportunity to provide input before issuing the final rule due to the “potential impact” the rule may have on the “regulated community’s process,” along with the rule’s “updated security strength standards,” the notice said. The State Department said the changes are “structured similarly” to a companion rule issued by the Commerce Department Bureau of Industry and Security in part 734.18 of the Export Administration Regulations, which also addresses certain activities that are not exports, re-exports or transfers. Comments are due Jan. 27, and the rule will take effect March 25.

The State Department said launching items into space is not an export, partly because the activity is “already excluded” from the definition of an export in part 120.17 of the ITAR. The agency made this change to “consolidate the different activities” within the ITAR that do not qualify as exports and to simplify language. In its second provision, the agency deemed that transfers of technical data to a U.S. person within the U.S. is “unequivocally” not a controlled event (an export, re-export, retransfer or temporary import), but said any “release” to a foreign person remains a controlled event.

The rule’s third provision, which states that transfers of technical data between U.S. people in the same foreign country are not exports, was not originally included in the proposed rule but added only after the agency received public comments, the notice said. The activity only qualifies as an export if the data at the center of the transfer is released to a foreign person or a person debarred from participating in U.S. exports. In the rule’s fourth revision, which states that moving a defense article within the U.S. is not an export, a commenter asked the agency to “explicitly’ include the U.S. Virgin Islands, Guam, American Samoa and other U.S. “outlying islands” in the definition. The State Department said it will not make this change because the ITAR already defines the term “'United States' ... and that definition is applicable.”

In the rule’s fifth provision, the State Department said an activity does not qualify as a controlled event if it involves sending, taking or storing unclassified technical data when it is “effectively encrypted using end-to-end encryption.” The agency also said a controlled event does not occur when technical data is encrypted “prior to leaving the sender’s facilities and remains encrypted until” it is received by the “intended authorized recipient or retrieved by the sender, as in the case of remote storage.” But if the data is decrypted by someone other than the sender, a U.S. person in the U.S. or a person authorized to receive the data, then the activity becomes a controlled event.

Encryptions must be “accomplished” in a manner certified by the National Institute of Standards and Technology, the State Department said, or must exceed a 128-bit security strength. In addition, the data may not be “intentionally” sent to certain prohibited countries, including Russia, “even in its encrypted state.” The agency included the word “intentionally” to “differentiate” between electronic transmissions that were intentionally sent to Russia and those that “simply transited them in route to another country.” The State Department said this rule will “allow for transmissions and storage of encrypted data in most foreign countries.”

In response to public comments, the State Department also clarified the definition of “end-to-end encryption,” which specifies that “cryptographic protection must be applied prior to the data being sent outside of the originator’s security boundary and remain undisturbed until it arrives within the security boundary of the intended recipient.” In all instances, means of decryption must not be provided to any third party “and the data must not have the cryptographic protection removed at any point in transit.”

The State Department said it disagreed with a commenter who suggested that the agency allow a transition period for exporters to implement information technology systems that are “compliant with paragraph (5),” which creates a “mechanism” for companies to send and store technical data outside the U.S. without it qualifying as a controlled event. The agency stressed that companies may not take advantage of this paragraph until it implements a compliant IT system. “Nothing in paragraph (5) places any new requirements on exporters, therefore there is no need for a transition period,” the agency said.

The interim final rule also includes a series of suggestions proposed by public commenters that the State Department disagreed with or noted but which did not lead to regulatory changes, including a request that certain emails be included in the rule’s definition for activities that do not qualify as exports and a suggestion to revise the local definition of end-to-end encryption. Other suggestions include a request to expand the definitions of activities that do not qualify as exports to include “tokenization,” the electronic storage and transfer of non-U.S. origin data that is not encrypted, and shipments to and within the territory of an approved end-user. The State Department did, however, say that it has “already engaged” U.S. allies about adopting the rule’s fifth provision on end-to-end encryption in their respective export control systems.

The State Department also added new language to define “access information,” which “allows access to encrypted technical data in an unencrypted form, such as decryption keys, network access codes, and passwords.” The agency said an authorization is required to “release technical data through access information to the same extent that an authorization is required to export the technical data when it is unsecured by encryption.”

The agency also added two subparagraphs to clarify the definition of “release.” The State Department said data qualifies as a “release” when it is used to “access information to cause or enable a foreign person to access, view, or possess technical data in unencrypted form,” and when it is used to “access information in a foreign country to cause technical data to be in unencrypted form, including when such actions are taken by U.S. persons abroad.”