The US Department of Commerce's Bureau of Industry and Security (BIS) has introduced substantial changes to the rules governing the export of encryption products from the United States. Effective since June 25, 2010, these revisions are among the first components of the Obama administration's promised reform of US export control laws. The modifications should substantially reduce the regulatory burden on exporters of encryption commodities, software, and technology, although restrictions and complications remain.
Under BIS’s Export Administration Regulations (EAR), certain encryption items were subject to unique pre-export review requirements and semi-annual, post-shipment reporting under License Exception ENC. BIS's changes streamline these procedures for readily available encryption products, such as mass market items. The rules eliminate the requirement to wait 30 days for a technical review before exporting certain low-sensitivity encryption items and, in many cases, eliminate the requirement to file semi-annual post-export sales reports.
Instead, companies may self-classify certain encryption products and, after filing with BIS an on-line "encryption registration" (essentially a company profile), may immediately export such items without a review or license, provided they submit an annual report of the encryption items that they have self-classified and exported. Notably, however, the new BIS rules do not require exporters to submit separate encryption registrations, classification requests, or self-classification reports if the exporters rely upon a manufacturer's self-classification or formal BIS classification. Furthermore, the new rules extend License Exception ENC to certain encryption technology, potentially facilitating the transfer of technology to foreign firms that help develop the encryption software used by US businesses. The new rules also exempt from encryption controls those items for which cryptography is only ancillary to the primary functions of the software, which is often the case for such items as business management software and household appliances.
While the new rules relax a number of important export restrictions, review and reporting requirements have not changed for many sensitive encryption items, including encryption components (e.g., chips within a de-controlled DVR), “non-standard cryptography,” network forensics items, cryptographic enabling items, and high-performance network infrastructure items, such as routers and 3G wireless base stations.
Companies involved in the manufacture, development, or exportation of encryption items must evaluate the impact of these new BIS rules on their operations. Virtually all business software contains encryption and is subject to the EAR. Importantly, the export of encryption items may occur in a variety of commercial activities. For example:
- Outsourcing software development or back office support offshore;
- Re-exporting US-origin encryption products from outside the United States to a third country;
- Transferring technologies subject to encryption export controls to non-US companies for research and development projects; and
- Providing users abroad with access to US-origin encrypted software located on a US server.
The new encryption rules have been issued on an interim basis with a request for comments, so there remains ample opportunity for affected businesses to engage with BIS and shape subsequent revisions to export regulations that may restrict their operations.