Welcome Revisions to the Encryption Export Control Regulations
On June 25, 2010, the Department of Commerce, Bureau of Industry and Security ("BIS"), issued an interim final rule (75 Fed. Reg. 36481), significantly modifying and relaxing certain regulations regarding encryption items under the Export Administration Regulations ("EAR").
Among the most significant reforms, the new rule:
- Replaces the current "product-by-product" authorization scheme for less sensitive and mass market encryption items with a company-based authorization scheme that will operate like a bulk license for such products;
- Removes the 30-day delay and review requirement for exporting less sensitive encryption items and classifying most mass market encryption items;
- Creates an annual self-classification reporting requirement for less sensitive and most mass market items, in place of the prior semi-annual post-export sales and distribution reporting requirement;
- Expands the scope of encryption technology eligible for License Exception ENC to permit broad exportation except to countries of the highest concern; and
- Removes "ancillary cryptography" from control under the "Information Security" ECCNs in Category 5, Part 2 of the EAR.
Company Registration for Less Strictly Controlled and Mass Market Encryption Items: For encryption items of lesser national security concern and for most mass market encryption items, the rule establishes a new, one-time, company "encryption registration" requirement. Once a company has electronically submitted an encryption registration and been issued an Encryption Registration Number ("ERN"), it may immediately self-classify and export eligible products. This modification thus removes the previous requirement of a 30-day technical review by BIS for each individual product. Exporters and reexporters of a product may rely on the manufacturer's self-classification, and need not submit a separate encryption registration or classification request.
Revised Reporting Requirements: BIS has also revised the former requirement to file semi-annual post-export reports for nearly all items exported under License Exception ENC. Parties must now submit an annual self-classification report identifying the less strictly controlled commodities and software exported under ENC. Although semi-annual reports will still be required for more strictly controlled items, BIS expects the total number of semi-annual reports filed to decline from approximately 400 to fewer than 100 per year.
Greatly Expanded Applicability of License Exception ENC for Encryption Technology: Prior to the new rule, all exports of ECCN 5E002 encryption technology to end-users other than U.S. subsidiaries and companies located or headquartered in "favorable treatment" countries (under Supplement 3 to Part 740 of the EAR) required a license. Under the new rule, encryption technology classified as 5E002 -- as long as it is not related to cryptanalytic items, non-standard cryptography, or open cryptographic interfaces -- may be exported under License Exception ENC to any non-government end-user located in a country not listed in country groups D:1 or E:1 of the EAR. This change is expected to decrease encryption licensing arrangements ("ELAs") and other license applications to export encryption technology by approximately 60 percent.
Removal of "Ancillary Cryptography" Items from Control Under Category 5 of the EAR: The rule completely excludes "ancillary cryptography" items -- those where the item's primary function is not information security, computing, communications, storing information, or networking -- from control under Category 5, Part 2 of the EAR. This change brings the EAR in line with agreements made by the Wassenaar Arrangement in December 2009, and focuses "information security" controls on encryption used for computing, communications, networking, and information security. The rule provides an extensive illustrative list of items now excluded from Category 5, Part 2.
Encryption Classification Requests: Beyond greatly limiting the number of products for which encryption classification requests are required, the rule also removes the requirement to file such requests separately with both BIS and the National Security Agency's ("NSA") ENC Encryption Coordinator (although all reports still must be filed with both agencies).
Grandfathering Provision: The new rule includes a grandfathering provision under which most products reviewed and classified by BIS prior to June 25, 2010 may be exported using the CCATS previously obtained from BIS, without requiring registration, new classification by BIS, or reporting.
What Has Not Changed: Items classified under 5x992 (such as items with limited cryptographic functionality) and those eligible for ENC under EAR § 740.17(a) (certain exports for internal development and production or to U.S. subsidiaries) remain eligible for self-classification without registration or reporting. Likewise, more strictly controlled encryption items described in EAR § 740.17(b)(2) continue to require classification by BIS with, in most cases, a 30-day waiting period, as well as semi-annual reporting (in addition to company registration).
This rule is a significant first step in the administration's effort to reform and streamline U.S. encryption export controls. It will reduce the number of items subject to Encryption Items ("EI") controls -- a real advance -- and will eliminate the waiting time associated with reviews for a wide variety of products and technology. Compliance requirements will therefore shift from waiting for BIS to review products' functionality to establishing an effective internal corporate process to register, self-review, and report. This approach will place a premium on quickly analyzing the specific encryption functionality of products, and confirming their treatment under these new rules.
For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.