Three steps

On September 1, new definitions of terms used in the International Traffic in Arms Regulations (“ITAR”) and Export Administration Regulations (“EAR”) will enter into effect. This two-part blog post highlights key upcoming changes.

In Part 1 of this two-part post, we focus on new controls on the “release” of technology and technical data. In Part 2 (available here), we look at new rules related to the use of end-to-end encryption for transferring EAR-controlled technology.  

Overview of changes

Definitions that have been updated include the following: 

| Updated Definitions | Updated in EAR? | Updated in ITAR? |
|---|---|---|
| Technology/Technical Data | Yes | No |
| Required | Yes | No |
| Export | Yes | Yes |
| Reexport | Yes | Yes |
| Transfer | Yes | No |
| Transfer (in-country) | Yes | No |

New definitions that have been added include the following:

| Newly Added Definitions | Added to EAR? | Added to ITAR? |
|---|---|---|
| Retransfer | No | Yes |
| Release | Yes | Yes |
| Access Information | Yes | No |
| Foreign Person | Yes | Already defined |
| Proscribed Person | Yes | No |
| Published/Public Domain | Yes | No |
| Fundamental Research | Yes | No |

Managing access controls under the new ‘release’ definitions

Currently, the EAR controls the “release” (e.g., visual inspection, oral exchange) of EAR-controlled technology to non-US (i.e., “foreign”) nationals within or outside the US. Similarly, the ITAR controls the “disclosing” of technical data to a non-US person within or outside the US. The broad scope of these controls has required companies handling US-controlled items to implement effective controls in areas such as:

  • Physical access by non-US employees to US-controlled items;
  • Visitor access to facilities containing US-controlled items;
  • Access by IT administrators and “super users” to technical data in IT networks; and
  • Access to technical data by third parties in workspaces.

The new definitions of ‘export’ and ‘release’ under both the EAR and ITAR now specify that access by a non-US person to US-controlled technical data or technology is considered a ‘release’ (i.e., subject to export authorisation requirements) if it “reveals” technical data or technology to that person. Although the term “reveals” is not defined, guidance in the Department of Commerce’s (“DoC”) Final Rule states that “merely seeing an item briefly is not necessarily sufficient to constitute a release of the technology required, for example, to develop or produce it,” and also excludes “theoretical or potential access” from the definition of ‘release’.

Impact on companies

These changes may provide companies with more flexibility to define access control measures and manage instances where an unauthorised individual comes into contact with technical data. This is especially true for companies handling EAR-controlled technology, as the new DoC rules also clarify the scope of EAR controls on cloud computing networks and technology secured using encryption (please see Part 2 of this two-part blog post for further detail).

However, companies must exercise caution in relaxing their controls, as there is still ambiguity under the new definitions. Companies must update existing policies and procedures (particularly sections that include definitions of terms), define precisely what types of visual access they wish to control, and determine exactly when technical data or technology may be “revealed.” In some cases, companies may prefer to maintain current levels of access controls in order to minimise the risks of inadvertent non-compliance.

Tina Carlile is a Senior Manager in Deloitte's Global Export Controls & Sanctions team
Holly Mortimer is an Associate in Deloitte's Global Export Controls & Sanctions team