U.S. Commerce Department Issues New Encryption Rules That Should Lighten Some Industry Burdens

By: Melissa Proctor (Shareholder, Polsinelli PC)

The U.S. Commerce Department’s Bureau of Industry and Security (BIS) recently published new rules that should make international sales and exports of hardware and software products a bit easier. Today, virtually all commercial hardware, software and network infrastructure products contain cryptographic features for user authentication, the safeguarding of data and the protection of intellectual property rights. Traditionally, it has been the cryptographic functions in these items that have driven their classification and export licensing requirements. Over the past several years, however, the BIS has been slowly easing export controls on encryption items.  On September 20, 2016, the BIS published a final rule that makes additional significant changes to the Export Administration Regulations’ (EAR’s) requirements for these items that should further lighten the burdens on sellers and exporters of commercial items with encryption.

The BIS’ final rule was published to implement changes made by the Wassenaar Arrangement, an international organization that focuses on the harmonization of export controls around the world to which the United States and forty (40) other countries belong. U.S. and foreign companies that develop, sell or distribute items that contain cryptographic features should take immediate steps to assess how the final rule may impact their products and operations. The final rule took immediate effect on September 20, 2016.  The following provides a high-level summary of the key changes that were made—

  • Companies of mass market items and items eligible for License Exception ENC no longer need to obtain encryption registration number (ERNs) from the BIS.
  • The BIS updated its technical questionnaire in Supplement 6 to Part 742 of the EAR, which must be submitted by companies seeking formal commodity classification requests from the BIS for items that have cryptographic features, by inserting additional questions that must be addressed.
  • The final rule created a new classification (Export Control Classification Number or ECCN 5A003) for items such as communications cable systems to detect surreptitious intrusion. Such items are controlled for national security and antiterrorism reasons.
  • The final rule also created a new classification (ECCN 5A004) for items that defeat, weaken or bypass information security. Unless a license exception applies, such items will require a license for export or reexport to all countries (with the exception of Canada).
  • The BIS removed the following classifications from the Commerce Control List: ECCNs 5A992.a, 5A992.b, 5D992.b and 5D992.b. Many of these items are now classified as EAR99 and may be exported or reexported to most countries without an export license (except where embargoed/sanctioned countries, prohibited parties or prohibited end-uses are involved in the proposed transactions). However, companies that previously classified their items in these ECCNs are encouraged to perform an internal review to ensure that proper classifications are being utilized.
  • The final rule transferred the mass market encryption provisions in Part 742.15 to the License Exception ENC provisions in Part 740.17 of the EAR—companies should take note of this so as not to mistakenly assume that the BIS did away with mass market treatment for items .
  • License Exception ENC now authorizes exports, reexports, and in-country transfers among related parties for internal use when the parent company is a License Exception ENC Favorable Treatment Country listed in Supplement Number 3 to Part 740 of the EAR. The final rule also added Croatia to this list of countries.
  • Companies that obtain formal commodity classification determinations from the BIS for items that are eligible for License Exception 740.17(b)(1) are no longer required to submit annual self-classification reports.
  • The final rule also revised the performance parameter thresholds for certain items eligible for License Exception ENC in Section 740.17(b)(2).
  • Certain items may now be exported under License Exception ENC (per Section 740.17(b)(2)) to “less sensitive government end users.” Previously, such items could only be exported to non-government end users.
  • Publicly available encryption source code classified as ECCN 5D002, for which a License Exception TSU notification has been emailed to the BIS and the ENC Encryption Request Coordinator, will no longer be subject to the EAR.
  • Encryption Licensing Arrangements (ELAs), which authorize exports of unlimited quantities of items for four (4) years, are no longer required for certain items that will be exported to “less sensitive government end users.” ELAs will only be required for sales and exports to “more sensitive government end users” in all countries with the exception of Cuba, Iran, North Korea, Sudan and Syria.

Sellers and exporters of items that have cryptographic features are urged to review the final rule carefully and assess its impact on the classifications and licensing requirements applicable to their operations. In many cases, companies should find that the previous administrative requirements and restrictions on certain encryption items have been somewhat lessened, and that their items may now be exported from the United States with fewer restrictions.

 Melissa Proctor is a Shareholder of national law firm Polsinelli, P.C. She has significant experience in customs laws and regulations, export controls, economic sanctions, and international trade. Ms. Proctor is committed to understanding companies’ operations and providing assistance geared toward helping them reach their specific business and operational goals. She may be reached at (602) 650-2002 or via e-mail at mproctor@polsinelli.com.