For companies handling export-controlled technology, the increasing prevalence of cloud computing and cross-border IT networks raises significant challenges for effective compliance. In a move to accommodate these trends, the US Department of Commerce ("DoC") has newly defined what they are calling an "encryption carve-out", which states that the transmission of encrypted technology or software is no longer deemed to be an export/reexport/transfer activity under the EAR, provided certain criteria are satisfied.
These rules will enter effect on September 1, alongside a range of notable new definitions of terms used in the Export Administration Regulations ("EAR") and International Traffic in Arms Regulations ("ITAR") (see Part I of this two-part post for an overview). However, companies should note that the encryption carve-out applies only to technology controlled under the EAR, and not to technical data controlled under the ITAR.
The encryption carve-out
Key features of the new encryption carve-out include the following:
End-to-end encryption between security boundaries The electronic transmission of technology/software will not be subject to the EAR if the data is protected with "end-to-end encryption", meaning that the data is encrypted from the sender to the recipient, and cannot be accessed by other third parties while in transit.
In response to industry comments that in-transit data could potentially be encrypted and decrypted multiple times for technical reasons during transmission from the sender to the recipient (such as to establish communications with a VPN server), the final rule permits decryption and re-encryption within the "security boundary" of either the originator or recipient, provided that the security boundary does not cross any country borders. Additionally, third parties outside of the security boundaries should not have the means to decrypt in-transit data.
Encryption standards The encryption carve-out applies to in-transit data that is encrypted to standards defined in the Federal Information Processing Standards Publication 140-2, supplemented by cryptographic controls specified under U.S. National Institute for Standards and Technology (NIST) publications. The final rule also allows the use of "equally or more effective cryptographic means" (EAR §734.18); however, the exporter would be responsible for ensuring that any alternate encryption used works as well or better than the reference standard.