US Export Regulations and Oregon’s High-Tech Exports
By Scott Goddin and Sara Denniston, Portland US Export Assistance Center
As Oregon software and high-technology companies move aggressively into international markets, they need to be aware of US regulations governing the export of sensitive high-tech products, software and technologies. Local companies Flir and Tektronix, among others, have been fined for violation of the regulations, even with skilled compliance staffs tracking the rules. US export control provisions are intended to serve the national security, foreign policy, nonproliferation and short supply interests of the United States. This article will provide a general overview of US software and technology licensing regulations and how to comply. Compliance with export regulations is critical to avoid potential civil and criminal penalties and future loss of export privileges. Given this importance, awareness of the regulations should be mandated throughout your firm from management and engineering to sales and shipping so that issues can be addressed at all levels.
The Bureau of Industry and Security (BIS) of the US Department of Commerce is responsible for implementing and enforcing the Export Administration Regulations (EAR), which regulate the export and reexport of most, but not all, commercial “dual-use” (those having commercial and potentially military applications) items. A list of the other US government agencies involved in regulating more specialized export controls can be found at BIS’s website at www.bis.doc.gov.
What is an export? You may be surprised.
Any item, which includes commodities and software or technology, which is sent from the United States to a foreign destination, is an export. How an item is transported outside the US is insignificant in determining export license requirements; the transaction is considered an export for export control purposes. An item is also considered an export even if it is leaving the United States temporarily, if it is leaving the US but is not for sale, or if it is going to a wholly-owned US subsidiary in a foreign country. Even a foreign-origin item exported from the United States, transmitted or transshipped through the United States, or being returned from the United States to its foreign country of origin is considered an export.
Of special concern for software companies, under the EAR, transferring information ("technical data"), a physical item, or a computer program to a foreign country is an export. This includes making information or computer software available over the Internet. Release of technology or source code subject to the EAR to a foreign national in the United States is “deemed” to be an export to the home country of the foreign national under the EAR. A deemed export is the release, including oral, written or visual disclosure, of technical data or software to a “foreign person” in the United States. A deemed export may also occur by allowing a foreign person access to a physical item, such as equipment or computer software, if a person can obtain the information from the use or inspection of those items. Assuming that a license is required because the technology does not qualify for treatment under EAR99 and no license exception is available, US entities must apply for an export license under the "deemed export" rule when both of the following conditions are met: (1) they intend to transfer controlled technologies to foreign nationals in the United States; and (2) transfer of the same technology to the foreign national's home country would require an export license.
What types of software, products and technologies are regulated?
US export regulations are established to prevent the export of products and technologies that can directly harm US interests or be used in the manufacture/production of such threats (from chemical weapons to computer hacks). The regulations address not only the sensitivity of the technology but also the likely use, end user and destination.
Along with technology and software that can be used in the production of harmful products, any product that includes software with encryption functionality must be reviewed to determine its export status before being exported or re-exported from the United States. The strength of encryption, at least for export control purposes, is measured by the key lengths of the algorithms. An exporter must determine if its product is subject to encryption export control; this determination is based on the export destination or the product itself. In certain cases, the exporter may have to notify the BIS or request a formal classification review before exporting. 1
A number of export destinations require a license regardless of whether the product actually contains encryption. Some products by their very nature are exempt from encryption controls, and therefore do not require licenses for any destination other than embargoed and terrorist countries. These special-purpose encryption products include authentication; access control; digital signature; copy protection; finance- and banking-specific functions; short-range wireless, broadcast or cable receivers; and wireless telephones without end-to-end encryption. 1
Other products may be exported to any destination other than embargoed and terrorist countries and nationals without any prior notification to, or review by, BIS. These include encryption products exported when a business traveler takes his laptop with him overseas but maintains control over it. Still other products may be exported as soon as the proper paperwork is filed with BIS. Encryption products using more than 64-bit encryption generally require review by BIS and other agencies before export or re-export outside the United States and Canada. A license is generally required to export any controlled encryption item outside the United States or Canada, unless a license exception applies. 1
The export regulations also control certain services, even if all of the information used or transferred in association with those services is publicly available and not otherwise controlled under the regulations. For the most part, such controlled services have to do with assistance for military or space projects, assistance with encryption commodities or software, or assistance to embargoed countries.
Re-exporting goods or technical data from foreign countries, which originated in the United States, or goods that incorporate US components or goods manufactured from US technology, technical data, or software, may all be subject to the EAR. The following categories are not subject to the EAR: publicly available technology, except software controlled for encryption, that are already published or will be published, or that arise during or result from fundamental research, are educational, or that are included in certain patent applications. There are also certain categories that are not defined as export controlled “technical data” or “software,” such as publicly available technical data and software published for sale and in public libraries.
How do I find out if I need a license?
It is the responsibility of the exporter to determine whether your export requires a license. Using guidance provided on the BIS website (http://www.bis.doc.gov/), this determination can be made by considering: what the export is; where the exported item is going and who will receive it; and what the item will be used for. Both this determination and export license applications can be done through an on-line Simplified Network Application Process (SNAP) by visiting the BIS web site at http://www.bis.doc.gov/SNAP/index.htm.
A key in determining whether an export license is needed from the Department of Commerce is figuring out whether the item you are intending to export has a specific Export Control Classification Number (ECCN). The ECCN is an alpha-numeric code that describes a particular item or type of item, and shows the controls placed on that item. All ECCNs are listed in the Commerce Control List (CCL) (Supplement No. 1 to Part 774 of the EAR) available at http://www.access.gpo.gov/bis/ear/ear_data.html. The CCL is divided into ten broad industrial categories, and each category is further subdivided into five product groups depending on whether it’s a final product, component or used in the production process. The five groups are: Systems, Equipment and Components; Test, Inspection and Production Equipment; Material; Software; and Technology. The proper classification of your item is essential to determining any licensing requirements under the Export Administration Regulations (EAR).
Once you have classified the item, the next step is to determine whether you need an export license based on the “reasons for control” of the item and the country of ultimate destination. This process is started by comparing the ECCN with the Commerce Country Chart (Supplement No. 1 to Part 738). The ECCNs and the Commerce Country Chart, taken together, define the items subject to export controls based solely on the technical aspects of the item and the country of ultimate destination. If there is an “X” in the box based on the reason(s) for control of your item and the country of destination, a license is required, unless a license exception is available. Part 742 of the EAR sets forth the license requirements and licensing policy for most reasons for control.
If your item falls under US Department of Commerce jurisdiction and is not listed on the CCL, it is designated as EAR99. It indicates that a particular item is subject to the EAR, but not listed with a specific Export Control Classification Number (ECCN) on the Commerce Control List (CCL). While the classification describes the item, the authorization for shipment of that item may change, depending on the specific transaction. EAR99 items generally consist of low-technology consumer goods and do not require a license in many situations. If your proposed export of an EAR99 item is to an embargoed country, to an end-user of concern or in support of a prohibited end-use, you may be required to obtain a license. Restrictions vary from country to country, however, there are some restrictions that are worldwide. The most restricted destinations are the embargoed countries and those countries designated as supporting terrorist activities, including Cuba, Iran, Libya, North Korea, Sudan, and Syria.
Where can I get more information?
The Bureau of Industry and Security website will have information on the Commerce licensing process as well as regulations administered by the Departments of Treasury, Defense and State which operate independent/parallel systems of export controls and various denied parties lists to which certain exports may not be sent. On the other hand, several export destinations, such as Canada, are exempt from many export controls. BIS offers regular training on licensing compliance procedures and the training is a useful foundation for establishing a company export management system. A BIS seminar will be offered in Portland on April 25-26 with more information and registration details available at http://www.buyusa.gov/oregon/bisseminar.html.
This process can seem confusing and it is imperative to keep up with the regulations that can change as both technology and foreign policy shifts. It is important, however, that companies make the effort to comply with the regulations, not only for our national security and competitiveness, but also for continued company success.
This article was co-authored by Sara Denniston, a student intern at the Portland USEAC and future Oregon Attorney General in her second year of law school at Willamette University.
About the author
Scott Goddin is director of the Portland US Export Assistance Center (www.buyusa.gov/oregon) and has been working in international trade with the US Department of Commerce for more than 20 years. He works with Oregon and Southwest Washington high-technology companies to develop international markets, specifically helping them to design market-entry strategies; find and evaluate distributors, VARs or agents; evaluate product or service delivery methods; and “internationalize” their companies.
Goddin has served as a US trade negotiator working on Asian market access and standards issues for US high-tech and communications companies and intellectual property rights issues in Korea, Taiwan and China. Goddin also has served in temporary assignments as a commercial attaché at American Embassies in Seoul, Taipei and Nairobi and has managed the office in Portland supporting local Oregon firms since 1997. You can learn more about export assistance at www.export.gov or contact Goddin directly at scott.goddin@mail.doc.gov.
[1] S. Snyder and S. Nair, ‘Coping with the Cryptic, Software Export Controls,’ The Journal of New England
Technology 2004 (Volume 22, Issue 51).
<http://www.goulstonstorrs.com/uploadedFiles/Newsstand/Media_Articles/gands122004.pdf> accessed 2 March, 2007
|
