October 21, 2021
Export Controls in the Digital Space – Overview
What do Honeywell, Princeton University, and Keysight Technologies have in common?
In the past year, all three entities have been found in violation of the US Export Administration Regulations (EAR). They could make it into the next edition of Don’t Let This Happen to You by the Bureau of Industry and Security (BIS).
Export controls comprise a system that the US and other countries maintain to control the trade in arms and dual-use items (goods, materials, and technologies that may be used for both civilian and military purposes). One of the most complex challenges to the effective implementation of export controls is detecting, investigating, and prosecuting violations.
Keysight Technologies reached a $6.6 million settlement with the US Department of State for the alleged unauthorized exports of software used for testing radar equipment on fixed or mobile platforms. Honeywell International Inc. settled for $13 million for alleged unauthorized exports and retransfers of ITAR-controlled technical data for manufacturing castings and finished parts for aircraft, gas turbine engines, and military electronics. Princeton University was fined $54,000 for the improper export of various strains and recombinants of an animal pathogen over a five-year period. These are just a few of the many examples of export control violations in which companies may not even be aware that their products are subject to the EAR.
Export controls in the digital space
Before the Internet (and the rapid commercial rise in technology that ensued), it was easy to focus exclusively on physical goods – who was selling or exporting them and who was the buying party. These days, however, products and services can be simply software, or even portions of source code, uploaded to the cloud and ready to be shared with the buyer at the click of a button.
But sometimes, employees – and even employers – are unsure who (or what) will use "that software" or "those lines of code." That's where knowledge of your customer and the regulations governing your area of business come into play.
Simply "being aware" of existing regulations will not save even multi-billion dollar businesses with full-fledged compliance units from knowingly or inadvertently violating export controls, or from the repercussions that follow: investigations and possible prosecution by the Bureau of Industry and Security.
Employers can be held accountable for export violations, but uninformed employees might find themselves caught in the middle as well. As per the Bureau of Industry and Security (BIS), export violations will result in the following:
Violations of the Export Administration Regulations, 15 C.F.R. Parts 730-774 (EAR) may be subject to both criminal and administrative penalties. Under the Export Control Reform Act of 2018 (50 USC §§ 4801-4852) (ECRA), criminal penalties can include up to 20 years of imprisonment and up to $1 million in fines per violation, or both. Administrative monetary corrections can reach up to $300,000 per violation or twice the value of the transaction, whichever is greater. In general, the administrative financial penalty max is adjusted for inflation annually.
How does that translate in the digital era and the age of cloud computing? Cloud services can expose users to unforeseen and complex export requirements. There is an inherent tension between cloud computing and export control. While the central premise of "the cloud" is to remove the need to track the details of data movement among various destinations, export control regulations are built mainly around restrictions tied to those very movements, according to a legal analysis by Davis Wright Tremaine LLP.
Businesses that store export-controlled data in the cloud need to be mindful that their cloud service providers may store that data not only in the US but also overseas, as part of load balancing and other techniques aimed at maximizing server efficiency and security. Such practices, and the use of export-controlled software on cloud servers, could subject cloud users (and in some cases, cloud service providers) to export compliance obligations.
Of the many sets of applicable government regulations, those most likely to apply to cloud services are the Export Administration Regulations (EAR), enforced by the BIS. These primarily regulate the export and "deemed export" of dual-use products and technologies, including technical data and other non-physical exports. In an advisory opinion, the BIS stated that only the cloud service user could be the exporter and that the user would be responsible for any export violation.
However, tech companies should keep in mind that other agencies might have export enforcement responsibilities, such as the Office of Foreign Assets Control.
It's critical, then, that providers, employers, employees, and users of cloud services are aware of the potential pitfalls of export regulations. Putting safeguards in place on all levels and educating staff is strongly advised.
So what should you do to stay compliant with export controls?
To start, you should have a lean and strict system in place to address possible export violations. Identify how and to whom violations will be reported. Put a clear process in place so that any employee who finds a violation, or a suspected violation, can report it.
Educate and inform all staff. For your system to work properly, this process should be known throughout your organization. Share an Export Compliance Program (ECP) with everyone at your company, and don't shy away from contracting a due diligence firm to run checks on your potential customers or partners.
Report violations. You have a legal obligation to report them. Self-reporting is a mitigating factor; in some cases, self-reporting may eliminate or significantly reduce the fines and penalties you face.
Investing in the education of your employees and keeping your company informed on the complex topic of export controls ultimately means you will not lose money, and you will not lose your reputation.