BIS Encryption Reporting Changes to Substantially Reduce Exporter Reporting Requirements, Law Firms Say
The Bureau of Industry and Security's decision to eliminate reporting requirements for encryption items (see 2103260019) should substantially ease reporting burdens for certain companies, law firms said. Although the changes will affect a narrow set of exports, they’re expected to provide significant relief for companies that ship mass market encryption items or publish source code software online, the firms said.
The changes “reflect an awareness of the proliferation of encryption in the global market and the perceived overbreadth” of the agency's reporting requirements, Arnold & Porter said in an April 5 advisory. The firm expects the rule to “considerably reduce regulatory burden for companies” that use “commercial-standard” encryption in their exported products.
The final rule, which took effect March 29, eliminates the annual self-classification reporting requirement for most mass-market encryption products, which represents a “fairly significant change,” Wiley Rein said in a March 29 client alert. Exporters will now be able to self-classify a range of goods, including mass market chips, chipsets, electronic assemblies and “field programmable logic devices,” Fried Frank said March 29, meaning companies won't have to obtain a commodity classification from BIS and will no longer have to file semi-annual sales reports.
In its rule, BIS said the elimination of this requirement should reduce overall encryption self-classification reports by about 60%. While the changes are “technical” and “modest,” Fried Frank said they may “significantly reduce the reporting obligations” for software companies that make mass market encryption items and beta test encryption software. Wilson Sonsini on March 30 said the changes are “significant liberalizations” that “should save considerable effort on the part of exporters.”
BIS also eliminated an email notification requirement for certain publicly available encryption source code. Previously, exporters were required to provide the government with information on the “internet location” of that source code before it could be released from the Export Administration Regulations’ controls, Wiley said. Exporters will no longer have to provide notifications to BIS for source code that uses “standard cryptography,” and source code will be released from EAR licensing requirements once the code is published online, Kelley Drye said March 29. “The change should substantially reduce the reporting burden for companies that frequently publish open source software online.”
Wiley said the changes follow a government trend of “slowly and steadily loosening controls on encryption products and reducing the regulatory burden for encryption exporters.” Companies associated with export transactions involving any of these products should “carefully review BIS’s changes and make any necessary updates to their export classifications,” the firm said.