Hot Topics

M E M O R A N D U M

TO: Distribution
FROM: John A. Detzner
DATE: January 14, 1999 RE: New Encryption Export Control Regulations
---------------------------------------------------------------------------------

        This memorandum explains the new regulations controlling the export of encryption commodities and software to foreign subsidiaries of U.S. companies, foreign strategic partners, and foreign commercial entities. These regulations became effective on December 31, 1998. The attached BXA summaries provide useful overviews of these and many other changes made by the new encryption export regulations.

I. INTRODUCTION

        On December 31, 1998, the Commerce Department's Bureau of Export Administration ("BXA") published the long-awaited encryption amendments to the Export Administration Regulations ("EAR"), implementing Vice President Gore's related policy announcement on September 16, 1998. Prior announcements and policy summaries posted on the BXA web-site in October and November 1998 outlined anticipated changes, but the regulatory amendments were delayed by inter-agency discussions until the end of the year.

        Attached to this memorandum are the following documents: (1) BXA's "Summary of Encryption Policy Update," first posted on the BXA web-site on October 5, 1998; and (2) BXA's "Encryption Export Controls Update Licensing Policy Matrix," first posted on BXA's web-site on October 5, 1998 but subsequently revised slightly and re-posted on November 16, 1998. These documents, together with the 12-page December 31, 1998 Federal Register notice with the new regulatory amendments, can be found at BXA's web-site: www.bxa.doc.gov.

II.     NEW ENCRYPTION REGULATIONS FOR "U.S. SUBSIDIARIES," "STRATEGIC PARTNERS," AND "COMMERCIAL ENTITIES"

        A.      Encryption Exports to "U.S. Subsidiaries"

        Pursuant to a new "License Exception ENC," 15 C.F.R. § 740.17(a)(2), U.S. companies may export encryption commodities, software and technology to their foreign subsidiaries without prior license approval, after a one-time review procedure. In particular, License Exception ENC permits exports to "U.S subsidiaries" of:

        1.     encryption commodities, software, and technology, including "encryption chips, integrated circuits, toolkits, executable or linkable modules, source code and technology";

        2.     of any key length;

        3.     for "internal company proprietary use, including the development of new products";

        4.     after a one-time technical review by BXA (through a classification request as explained at 15 C.F.R. § 740.17(c), but with no subsequent reporting requirements and no required key recovery);

        5.     to U.S. subsidiaries located in any country with the exception of Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.

       The applicable definition of "U.S. subsidiaries" is provided at 15 C.F.R. Part 772, as follows:

U.S. subsidiary . . . means:

(a) A foreign branch of a U.S. company; or

(b) A foreign subsidiary or entity of a U.S. entity in which:

        (1) The U.S. entity beneficially owns or controls (whether directly or indirectly) 25 percent or more of the voting securities of the foreign subsidiary or entity, if no other person owns or controls (whether directly or indirectly) an equal or larger percentage; or

        (2) The foreign entity is operated by the U.S. entity pursuant to the provisions of an exclusive management contract; or

        (3) A majority of the members of the board of directors of the foreign subsidiary or entity also are members of the comparable body of the U.S. entity; or

        (4) The U.S. entity has the authority to appoint the majority of the members of the board of directors of the foreign subsidiary or entity; or

        (5) The U.S. entity has the authority to appoint the chief operating officer of the foreign subsidiary or entity.

        Retransfers to other end-users or end-uses are prohibited without prior authorization.

        B.     Encryption Exports to "Strategic Partners"

        Pursuant to a new provision at 15 C.F.R. § 742.15(b)(8)(iii), exports to "strategic partners" of U.S. companies, such as subcontractors and joint ventures, will be considered favorably for license approval when the end-use is for the protection of U.S. company proprietary information. In particular, such export license applications will receive favorable consideration for exports to "strategic partners" of:

        1.     encryption commodities, software, and technology not otherwise eligible for a license exception (due to greater key length, unavailability of mass market status, etc.);

        2.     of any key length;

        3.     when the end-use is for "the protection of U.S. company proprietary information";

        4.     to "strategic partners" located in any country with the exception of Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria.

        The term "strategic partners" is defined at 15 C.F.R. Part 772 as follows:
Strategic partner (of a U.S. company) . . . means a foreign-based entity that

(a) Has a business need to share the proprietary information with one or more U.S. companies; and

(b) Is contractually bound to the U.S. company (e.g., has an established pattern of continuing or recurring contractual relations).

        Retransfers to other end-users or end-uses are prohibited without prior authorization.

        C.     Encryption Exports to "Foreign Commercial Entities"

        Pursuant to a new provision at 15 C.F.R. § 742.15(b)(7), exports of "recoverable" encryption commodities and software to "foreign commercial entities" generally will be approved under an "Encryption Licensing Arrangement" ( a more expansive and flexible version of a simple encryption export license) when the end-use is for the protection of internal company proprietary information. In particular, an "Encryption Licensing Arrangement" for "foreign commercial entities" will receive favorable consideration for exports of:

        1.     encryption commodities and software, not otherwise eligible for a license exception (due to greater key length, unavailability of mass market status, etc.);

        2.     of any key length;

        3.     that are "recoverable" (as defined below);

        4.     for "internal company proprietary use";

        5.     to "foreign commercial entities" and their branches located in any of the 45 foreign countries identified at Supplement No. 3 to 15 C.F.R. Part 740 (certain additional reexports to branches are available if the headquarters is located in one of 20 countries).

        The new regulations do not define the term "foreign commercial entities." BXA's related summary description, however, explains the relaxation does not extend to such encryption products "sold for individual use." The new regulation also excludes foreign commercial entities engaged in manufacturing or distributing ITAR-controlled (military) items or providing related services.

        The term "recoverable commodities and software" is defined at 15 C.F.R. Part 772 as follows:
Recoverable commodities and software . . . means any of the following:

(a) A stored data product containing a recovery feature that, when activated, allows recovery of the plain text of encrypted data without the assistance of the end-user; or

(b) A product or system designed such that a network administrator or other authorized persons who are removed from the end-user can provide law enforcement access to plain text without the knowledge or assistance of the end-user. This includes, for example, products or systems where plain text exists and is accessible at intermediate points in a network or infrastructure system, enterprise controlled recovery systems, and products which permit recovery of plain text at the server where a system administrator controls or can provide recovery of plain text across an enterprise.
        In the event the proposed exporter is not the manufacturer of the encryption commodity or software, the exporter may use an existing Encryption Licensing Arrangement of the manufacturer if the proposed export or reexport of the product meets the terms and conditions of 15 C.F.R. § 742.15(b)(7). The exporter also must submit to BXA the name and address of the end-user.

        Retransfers to other end-users or end-uses are prohibited without prior authorization.

        D.     Other Encryption Decontrols for Foreign Entities

        Please note these provisions are separate from the specific exceptions provided for certain foreign health and medical institutions, insurance companies, banks and financial institutions, and on-line merchants, as explained at 15 C.F.R. §§ 740.17 and 742.15.

        These provisions also are in addition to changes to streamline the key escrow and key recovery provisions of 15 C.F.R. § 742.15(b)(2), the related provisions for License Exception KMI found at 15 C.F.R. § 740.8, and the more general decontrol of encryption commodities and software with key lengths up to and including 56 bits, following a one-time BXA review.

        Finally, BXA will continue to consider other proposed encryption exports through a review of export license applications on a case-by-case basis.

III.     CONCLUSION

        The encryption decontrols published on December 31, 1998 should provide relief for U.S. parent companies and their foreign subsidiaries, for certain industry sectors, and for certain foreign entities. As always, these new regulations must be applied to specific proposed exports in order to confirm the available exceptions and the specific procedures to be followed.

        Please call or send an e-mail message if you have any questions concerning this memorandum, or if you would like additional information concerning BXA's encryption export control policies and regulations. My direct telephone number is (202) 776-1155, and my e-mail address is: jdetzner@npwdc.com.
Back To Hot Topics Page

Home I Overview I Areas of Practice
Our Attorneys I Firm Highlights I NP Trade Resource Library
Hot Topics I Reading Room I Links I Contact Us
The material on this site is protected under the copyright laws of the United States of America and international conventions, and is the exclusive property of Neville Peterson LLP or any licensee. All rights reserved. © Neville Peterson LLP 2002.

 Webline Designs Logo
Site by Webline Designs.