DDTC Interim Final Rule Makes Significant Changes to Encrypted Data Controls
The Directorate of Defense Trade Controls’ interim final rule (see 1912230052) to define activities that are not exports, re-exports or retransfers will significantly reduce regulatory and compliance burdens surrounding encrypted data, a law firm and export consulting firm said. In a long-awaited move, the rule will better facilitate international data storage subject to both the International Traffic in Arms Regulations and the Export Administration Regulations.
The rule mainly harmonizes the “basic elements” of the U.S.’s primary export control regulations -- the State Department's ITAR and the Commerce Department’s EAR -- to “reduce unnecessary regulatory burden,” according to a Dec. 30 alert from Akin Gump. The rule, which will also permit technical data to be exported from the U.S. without a DDTC authorization when it is appropriately end-to-end encrypted, will allow for “common, and commercially viable, international cloud-based storage and handling of properly encrypted technology/technical data and software,” Akin Gump said. This regulation change will incentivize companies to securely encrypt their controlled technology and data exports, the law firm said, benefiting both the U.S. industry and the U.S. government’s national security objectives relating to technology theft.
The change is “highly significant” but comes with important caveats that must be met, according to a Dec. 30 post from Export Solutions. One notable provision will require encryptions to be conducted in a manner certified by the National Institute of Standards and Technology, while another provision requires that the encrypted data not be sent to certain blocked countries. In the second provision, the EAR only mentions Russia, Export Solutions said, but the ITAR rule includes other “proscribed countries.”
This adds an extra “due diligence requirement” on companies, the post said. “You need to be sure (or as sure as you can be) that your technical data is not being sent or stored on a server located in a proscribed country, even if it is encrypted,” the post said. To comply with this rule, companies should document steps taken to make sure the data is not sent to blocked countries, “frequently” check which countries are blocked and audit third-party providers, Export Solutions said.
Another important rule change involves the exchange of data between two U.S. persons abroad, which would not be classified as an export once the rule is published, Akin Gump said. This change addresses “many incidents” wherein U.S. people visiting another country have discussed technical data that is not covered by a Technical Assistance Agreement. Previously, companies had to file voluntary disclosures with DDTC when this occurred, the law firm said, but will no longer be required to “so long as the conversation is limited to U.S. persons.”
There may be more changes to the rule before it is published as the State Department receives public comments, Export Solutions said. Companies may want to provide feedback on the “subtle differences and nuances” between the EAR regulations and the proposed ITAR changes “in order to accomplish the harmonization and security objectives more clearly and effectively,” Akin Gump said.