The concept of exporting might conjure up images of large shipping crates hoisted aboard ships or wheeled through the cargo bay doors of humongous transoceanic aircraft. What likely doesn’t come to mind is that invisible place where you back up your computer. But if you are saving data on a cloud server humming away in a building outside the U.S., you may be exporting, several experts say.
“It's important to understand the type of data you are storing and where that information is located,” wrote Ryan M. Murphy in the Syracuse Sciences & Technology Law Reporter 2013published by the Syracuse University School of Law. “Many cloud providers utilize a vast array of servers … located all over the world. These servers are connected and work together to provide a seamless hosting environment for users. A significant export control issue arises when the data stored on a cloud falls within the type regulated by the Export Administration Regulations (EAR), and it's sent to a server in another country. If so, you may have just unknowingly exported your data and become subject to government regulation.”
In a recent article by Jonathan T. Cain of Mintz Levin, the attorney ended any notion that shipping crates and digital data are completely different when it comes to U.S. export regulations. “Setting the ‘cloud’ image and all of its marketing hype aside, the transmission of data to a cloud platform for manipulation or storage is not conceptually different for export control purposes than carrying a hard copy of that data abroad or sending it through the mail. Transmission of data to the cloud for processing or backup involves copying that data to a server or group of servers, located somewhere. If that location is outside the U.S., then sending the data to the cloud server for processing or storage is an export. If the data or software sent to the cloud server is export controlled, then doing so is an export of controlled technical data as surely as if it had been copied on paper and carried abroad.”
“Furthermore,” Cain wrote, “it is not necessary that export controlled technical data actually leave the U.S. to be deemed exported. Under the EAR, the disclosure of technical data to an individual in the U.S. who is not entitled to permanent residence here is deemed to be an export of that technical data to the individual’s home country. If the export of the technical data to the individual’s home country would require a license under the EAR, then disclosing the data to the individual in the U.S. also requires a license. Similarly, under the ITAR, controlled technical data may not be disclosed to a ‘foreign person,’ regardless of where that person is located, without a license.”
It’s important to know that the consequences are serious, warn attorney Burt Braverman and paralegal Brian Wong of Davis Wright Tremaine LLP.
“Cloud services can expose users to unforeseen, complex and ill-defined export requirements and, in the event of non-compliance, to significant potential civil and criminal penalties, including substantial fines and even imprisonment,” wrote Braverman and Wong in a recent client alert. “U.S. exporters typically have procedures and practices in place to comply with the export laws. However, cloud computing raises export issues and challenges that may not be addressed by such existing export compliance programs, and that may not even have been considered by many companies that previously believed that they were not engaged in the export of products, services or technology.”
“Of the many sets of applicable government regulations, those most likely to apply to cloud services are the Export Administration Regulations (EAR), which are enforced by the Department of Commerce’s Bureau of Industry and Security (BIS) and regulate generally the export and ‘deemed export’ of ‘dual-use’ (i.e., civilian and military) products and technologies, including technical data and other non-physical exports.”
You might expect—given all the regulations governing exporting—there must be volumes of agency guidance to keep your company compliant. If so, you would be disappointed. Only the BIS has addressed the issue, and only in the form of advisory opinions issued in 2009 and 2011.
In its 2009 Advisory Opinion, BIS found that “the provision of cloud computing services is not subject to U.S. export controls,” Braverman and Wong wrote. “BIS stated that providing ‘computational capacity’ (cloud computing services) is not by itself an ‘export’ subject to the EAR. BIS observed that generally the provider of cloud computing services is providing only a service and not exporting data or technology. A cloud provider in the U.S. generally is not the exporter of any data that users place on and retrieve from the cloud because the cloud provider does not receive the ‘primary benefit … of the transaction.’ In BIS’s view, on the facts presented, only the cloud service user could be the exporter, and that user would be responsible for any export violation.”
However, Braverman and Wong wrote, the government offered situations in which cloud computing arrangements could be considered regulated exporting by a cloud provider. The first example involved shipping or transmitting controlled software or technology subject to the EAR to a foreign destination, or a foreign person in the U.S., to enable cloud computing (e.g., manuals or instructions) or technical services to show a user how to access and use the computational capacity of a cloud. The second example offered by BIS was transmitting controlled software or technology to and from the cloud.
“While limited to the specific facts of the Advisory Opinion request, BIS made clear that, in general, the cloud user is responsible for export compliance,” Braverman and Wong wrote. They pointed out that the BIS advisory opinions are its own and not those of other agencies. For example, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) might impose restrictions on providing cloud computing services to blocked persons or embargoed destinations even if BIS did not.
In its 2011 Advisory Opinion, BIS found that cloud computing providers do not require “deemed export” licenses for foreign national IT administrators who service and maintain the providers’ cloud computing systems. Relying on its 2009 Advisory Opinion BIS wrote that the service provider is not an exporter. “BIS specifically did not address the release of EAR-controlled technology by the cloud service provider to any other foreign national employees under different factual circumstances,” Braverman and Wong noted.
“Although BIS determined that release of EAR-controlled technology by the cloud provider to its foreign national IT administrators is not a deemed export, it did not take the next step and determine who would be responsible for the export, i.e., the disclosure of the U.S. technology to the foreign national IT administrator. However,” Braverman and Wong warned, “since BIS relieved the provider of such responsibility, and the foreign national IT administrator could not have exported the technology to himself, that left the cloud user as the only possible exporting party!”
“But—and this is a principal risk in using cloud computing services—the user typically does not have knowledge of the location of the cloud service’s servers or the nationalities of all the IT personnel and other employees of the cloud service provider who may have access to the user’s data. Consequently, as explained below, cloud service users—particularly those who store certain technology-related data—may need to obtain commitments from cloud service providers that export-controlled user data will not be stored on servers located outside of the U.S. or be accessible by any foreign national employed by the provider.”
What if the data is encrypted? “Encryption of controlled data transferred to the cloud does not address the export violation risk,” wrote Mintz Levin’s Jonathan Cain. “Exporting encrypted technical data is still an export of technical data. Neither ITAR nor EAR makes exceptions for export of controlled technical data or software in encrypted format. There are strong privacy and security reasons for encryption, but it is not a substitute for other measures.”
Braverman and Wong wrote, “We can only hope that additional agency guidance on the export implications of cloud computing will be forthcoming sooner rather than later, and before unwary companies become ensnared in government enforcement actions due to their migration to the cloud.”
Cloud service user best practices
The following list of cloud service user best practices was provided by Braverman and Wong of Davis Wright Tremaine LLP:
- Classify data in order to know whether any or all of it is subject to
export controls and, if stored or routed outside of the U.S., or
exposed to foreign nationals, would constitute an export for which
a license is required.
- Determine the actual routing and physical destination of any
export-controlled technical data uploaded to the cloud in order
to know whether export restrictions or licensing requirements
may apply.
- Seek assurances from providers that any export-controlled
data will be located entirely on U.S. servers, and that it will
not be accessible by foreign nationals employed by the
providers, including specific contractual provisions in service
level agreements.
- Even with assurances or contractual commitments, exercise
continuing diligence regarding any indication that export-controlled
data is being maintained, or routed, outside the U.S. or made
accessible by foreign nationals.
- Be aware that cloud deployment of software utilizing or enabling
certain types of encryption, or some types of networking technologies,
can trigger export restrictions and licensing requirements not
present when running that same software on a local network or
U.S.–located private cloud.
- When unsure of the export implications of a cloud service
arrangement, consider seeking a license under the EAR (or
determining if a license exception applies) for single or multiple
transactions involving potential exports of such data from the cloud.
- Impose restrictions on creation of copies of data by cloud
service providers, and require that providers delete all copies
(including backup copies) of such data once cloud services
are terminated.
- Review and modify, as necessary, export compliance policies
and practices, and technology control plans, and inform and update
employees on export issues arising from use of cloud services.
- Ensure that cloud service agreements address the respective
responsibilities of the parties for export compliance, and the penalties
and other consequences of failure to comply with applicable export laws.
Cloud service provider best practices
Braverman and Wong also suggest some best practices for the cloud providers.
- Consider offering users control over the physical location of the
cloud services, e.g., by offering different service tiers (presumably
with different pricing) accommodating user needs for U.S. servers
administered by U.S. persons.
- If they provide technical data (such as manuals or instructions),
or technical services showing users how to access and use the
computational capacity of a cloud, consider whether such data
and services constitute exports subject to the EAR.
- Guard against providing service to users in countries subject to
sanctions under the export regulations (e.g., Cuba, Iran, North
Korea, Sudan and Syria), consult with counsel or export regulatory
personnel before providing service to other countries subject to
export restrictions, and include prohibitions on use in those
countries in their terms of service.
Disclaimer: The views and opinions expressed in this article are those of the individual sources referenced and do not reflect the views, opinions or policies of the organizations the sources represent.
