If you are a U.S.-based company that is either a vendor of technology or simply a user of technology, there are several ways that you can violate U.S. export laws and breach your software licenses, without ever leaving the U.S. or directly shipping any technology outside the U.S. borders.
The Commerce Department’s Bureau of Industry and Security (BIS) established the Export Administration Regulations (EAR), which deal with the export of “dual use” items, including technology and software that have both military and nonmilitary uses. The International Traffic in Arms Regulations (ITAR), established by the State Department, similarly governs “defense articles” and “defense services.” The EAR includes the Commerce Control List (CCL), which assigns an Export Classification Category Number (ECCN) to specific types of items that are subject to export regulation.
Both the EAR and the ITAR include “deemed export” provisions, which cover the disclosure of protected technology to foreign nationals. Under the deemed export rules of the EAR, technology or software is deemed to be “released” for export through: visual inspection by a foreign national of equipment or facilities in the U.S.; oral exchanges of information in the U.S. or abroad; or, application abroad of personal knowledge or technical experience acquired in the U.S. The deemed export rules cover basically any means of communication to a foreign national, including emails, conference calls and information made available on an intranet.
Under the EAR, a “foreign national” is generally anyone who is not a U.S. citizen, is not a permanent resident visa (green card) holder or does not have protected status, i.e., a refugee or an asylumee.
Accordingly, you can violate the deemed export rules in various unintended ways. For example, giving a tour of your company’s facilities to a potential customer or business partner who is a foreign national could be a deemed export Allowing a U.S.-based employee of your company who is a foreign national to have access to protected software or technology could be a deemed export—even if the employee does not leave the U.S. Unless you have a proper deemed export license, such acts could violate the EAR and result in serious criminal, civil and administrative penalties, not only for your company but also for the involved individuals.
Further, these deemed export rules are being enforced. For example, when Suntek Microwave, among other export violations, failed to get a deemed export license for Chinese nationals who worked at Suntek and were trained in technology controlled by the EAR, the BIS imposed a $275,000 civil penalty and a 20-year denial of export privileges for the company, and the president of the company agreed to a $187,000 civil penalty and a 20-year denial of export privileges. In related criminal cases, Suntek was fined more than $339,000 and its president was sentenced to 12 months imprisonment and two years’ supervised release.
Therefore, you need to put a program in place to prevent unintended violations of the deemed export rules.
You should first determine whether the technology your company uses or offers is subject to the EAR by checking the Commerce Control List. Information that is publicly available, i.e., has been released through print publications, presentations at public conferences or the web, is not subject to the EAR.
You should check the CCL to determine the ECCN for the technology or software your company offers. You also need to check on the software used by or licensed to your company. You should inquire of licensors providing your company with software how their software is classified under the CCL, particularly if their license agreement includes an export control clause.
Many software licenses contain export control clauses restricting export of the licensed software. The deemed export rules would apply here, too. So, in addition to being concerned with export laws, you need to comply with the deemed export rules to avoid being in breach of any export control restrictions in your software licenses.
Once you have determined the classification of the technology or software that your company offers, uses or is licensed to, you need to determine the status of the persons who will have access to the technology or software, i.e., their citizenship, residency and/or nationality. Note that this applies not only to the employees of your company but also to subcontractors your organization engages, such as consultants employed to work on the company’s systems. Therefore, if any subcontractors or consultants will have access to your protected technology or software, you should inquire as to the citizenship, etc. of the people assigned to your project and/or obtain contractual representations that such people are not foreign nationals.
After you have collected information on the status of your employees and subcontractors, you need to establish a clearance program to control and prevent access of your protected technology to foreign national from countries of concern, such as China, Russia, Iran, India, Syria, Iraq and Pakistan. There are currently commercial software solutions available that provide deemed export compliance programs. If your technology or software requires an export license by the EAR and if you intend to give a foreign national access to the technology or software, you need to apply for a deemed export license.
Establishing a program to determine the export status of the technology or software offered and/or used by or licensed to your company and to control the access of such technology or software by your employees or subcontractors who may be foreign nationals will help your company avoid liabilities for violating U.S. export laws and for being in breach of your software licenses.