By: Bruce H. Leeds, Senior Counsel
It is common these days for individuals and companies to store data in the “cloud”, which means that a server, or sets of servers located here, there, and everywhere are connected via the Internet. Is there a problem if that data is export controlled?
Example 1 – A company has technical data controlled under the International Traffic in Arms Regulations (ITAR). It wants to store that data on a server located outside the U.S. Is that OK?
Example 2 – A company has technology controlled under the Export Administration Regulations. It is currently stored on a server in the U.S., however the cloud storage service wants to move it to a foreign server. Is that permissible?
Will any of these transactions require an export license or U.S. Government approval? Will the companies get in trouble if they try? Let’s take a look.
First: Can storing data on a server outside the U.S. be considered an “export?” Under the recently revised definition in the EAR, “export” means, among other things, “An actual shipment or transmission out of the United States, including the sending or taking of an item out of the United States, in any manner.” “Item” in this case can include controlled information and data. The regulatory agencies have consistently interpreted “export” very broadly. Pretty much any way that a controlled article or data can wind up in the hands of a foreign person is considered an export. In fact, a foreign person having access to data and information stored on a server in the U.S. would also be an export.
So, if placing controlled data on a server in a foreign country, or allowing a foreign person in the U.S. to have access to that data it is deemed an export. What do the regulations and interpretations say the data owner has to do to make it legal? Or should they just forget about cloud storage altogether?
On June 2, 2016 the Bureau of Industry & Security published a Final Rule in the Federal Register that contained several new definitions and interpretations. This rule, which becomes effective on Sept. 1, 2016, establishes a “carve out” for transmissions of controlled data within a cloud service infrastructure requiring what is defined as “end-to-end” encryption of the data. This means that “data eligible for the carve-out must by definition be encrypted before crossing any national boundary, and must remain encrypted at all times while being transmitted from one security boundary to another.” Any data sent to a cloud server outside the U.S., or moved from a U.S. server to a foreign server, or potentially accessed by a foreign person inside or outside the U.S. must be appropriately encrypted before crossing an international border (or before any potential access by a foreign person). The means of decrypting the data cannot be provided to any third party before reaching the recipient.
The change to the EAR added some further requirements for cloud storage of controlled technology:
- The technology must be unclassified
- It must be secured using cryptographic modules compliant with FIPS 140-2*, supplemented by software implementation, key management and other procedures and controls
- The technology cannot be stored in a country subject to a U.S. arms embargo (EAR Country Group D:5 or ITAR §126.1) or in Russia.
*Federal Information Processing Standard Publication 140-2, a U.S. Government security standard used to accredit cryptographic modules.
What about ITAR rules for cloud storage of technical data? On the same day that BIS published the Final Rule in the Federal Register, DDTC published a corresponding Interim Final Rule with revisions to definitions in the ITAR. This rule also becomes effective on Sept. 1, 2016. It was an interim rule because DDTC would accept further comments until July 5, 2016.
The DDTC rule did not specifically cover cloud storage of technical data; however its revised definitions of “export”. “re-export” and “release” certainly encompass transfers of technical data to, or within, foreign cloud servers.
Although the Interim Final Rule did not address cloud storage, Advisory Opinion letter GC 0317-14 of May 27, 2014 set forth a standard very similar to that published by BIS. The letter stated that tokenization (the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value) could be used to process controlled technical data even to servers located outside the U.S., provided that certain requirements were met. They included:
- The data must be received and used only by U.S. persons who are U.S. Government employees or employees of a U.S. corporation through all phases of the transfer including transmission, storage and receipt;
- The sender must also be a U.S. person who is an employee of the U.S. Government or a U.S. corporation;
- Movement of classified data must be in accordance with the Department of Defense National Industrial Security Program Operating Manual.
The General Correspondence letter actually said the data fell under the ITAR exemption in 125.4(b)(9) and that the limitations in §125.1 will apply to such storage and transfers. This means that any export or re-export from the country of ultimate end use or authorized foreign end user (as specified on a license, exemption or agreement), or transfer to a foreign person, will require prior DDTC approval.
Thus it appears that controlled technical data and technology can potentially be stored or moved to a cloud server outside the U.S., but all requirements in the ITAR and EAR must first be satisfied.
It is 2016. Do you know where your data is?