Uploading software or technology to the ‘cloud’ can risk breaching export controls or sanctions and incurring heavy civil and criminal penalties. This article looks at the law, how it applies to cloud computing and how organisations can comply.
The Legal Framework
Restrictions may apply as part of the general controls on what may be exported or as part of a package of trade sanctions adopted in relation to a particular country.
General Export Controls
Export controls aim to prevent items which can have military or security applications from being acquired by those who might misuse them. The three main legal instruments applicable in the UK are as follows:
- The Export Control Act 2002, which empowers the Government to make Orders to control the export of strategic goods, the transfer of technology, the provision of technical assistance overseas and trade in military-rated equipment between overseas countries.
- The Export Control Order 2008, which provides for the control of exports from the UK of listed military, paramilitary and certain other goods, technology and software. Most require a licence for export outside the UK, including to other countries within the EU. The licensing process is administered by the Export Control Organisation, a unit within the Department for Business, Innovation and Skills.
- The EU Dual Use Regulation (Council Regulation (EC) No 428/2009) establishes similar controls on exports of listed goods, software and technology considered to be ‘dual-use’.[1] Most require licences only if exported outside the EU but particularly sensitive items need a licence for transfers within the EU.
Taken together, these instruments impose licence requirements which are broader than is often appreciated. The controls apply:
- not only to exports of physical goods but also to exports of software or technology[2] by any means including, in some cases, by face-to-face meeting, by paper, by email, fax or phone (if information is communicated so as to achieve substantially the same result as if the recipient had read it), carrying overseas on a laptop or storage device and – the key point relevant to cloud computing – giving access to software or technology in electronic form to someone overseas;
- not only to military items but also to ‘dual-use’ civilian items in a wide range of fields including: nuclear engineering; biological sciences and pharmaceuticals; chemicals with toxic properties; high strength materials; high specification electronics, computers, and telecommunications; automation and control systems; lasers, optics and sonar; navigation and avionics; submersible equipment; aerospace; and – the main basis for the controls on software – encryption;
- potentially to the export or transfer of any goods, software or technology, even if they are not listed. In most cases, the controls are defined by the lists of military and dual-use items which are annexed to the Order and the EU Dual Use Regulation and which reflect regular discussion in international groups[3]. But the regulations also provide for ‘end-use’ controls which are defined not on the basis of the exported item itself but on how it will ultimately be used. In the EU, there are two main categories of end-use which require a non-listed item to be licensed: if the exporter has been informed, is aware or has reason to suspect that it will be used for WMD purposes[4] outside the EU; or if it may be intended for military use in a country subject to an arms embargo;
- not only to exports outside the EU but also in some cases to transfers within it and even within the UK if the transferor knows or has been informed that the item will be used for WMD purposes outside the EU.
But the controls are not intended to interfere unduly with normal commercial or academic practices, and there are exemptions for information already in the public domain,[5] basic scientific research[6] and the technology required for the installation, operation, maintenance and repair of controlled items whose export has been previously authorised.
Other major exporting countries impose similar controls, notably the US. But a significant difference in the US regulations, both for sensitive military items (ITAR)[7] and for less sensitive military and all dual use items (EAR),[8] is that the controls apply not only to the original export from the US but also to any subsequent transfer within the UK or re-export from the UK, notwithstanding that this entails a significant stretching of the traditional notion of extraterritorial jurisdiction.
The US definition of re-export includes the release within the UK of controlled software and technology to a dual or foreign national from a country to which restrictions apply for the item (termed a ‘deemed re-export’). US-controlled items therefore require particularly careful handling to avoid unintended, unauthorised re-exports.
Export controls in sanctions programmes
Sanctions put pressure on target governments, entities and individuals to change their behaviour and, by restricting their access to certain goods and services, help to contain the threats which they may pose to international peace and security. Sanctions take a variety of forms but often involve some kind of export control, including:
- embargoes on exporting weapons, equipment that might be used for internal repression, and associated technical assistance, training and financing;
- restrictions on making goods or services available to named individuals or entities; and
- bans on trade in specified categories of goods (eg dual use goods, oil and gas equipment) or services (eg financial transfers, insurance, investment), either to designated individuals and entities or to a whole country.
All countries are obliged to give effect to UN Security Council sanctions resolutions. But some, particularly the EU and US, commonly adopt further measures. Firms and individuals need to be aware not only of the EU measures (which apply to all EU persons and entities incorporated under the law of a Member State wherever they are located, as well as to anyone located in the EU) but also of which other countries’ sanctions may apply. In particular, the US asserts a very broad jurisdiction for its sanctions.
Cloud Computing
(i) Users
For the purposes of this article, cloud computing is broadly defined as using shared rather than private local computing resources to store software or technology and handle applications. This includes:
- public clouds (networks open for public use);
- private clouds (which restrict access to those authorised by the subscriber);
- community clouds (a specific group of users with common requirements);
- hybrid clouds (a mix of public, community and private systems); and
- Software-as-a-Service, Infrastructure-as-a-Service and Platform-as-a-Service, in which subscribers access a range of computing resources.
By using these services, a user’s software or technology may be routed through and stored in multiple physical locations and countries, often without the knowledge or intent of the user (except in the case of private clouds). How do export controls apply?
General export controls
The key is what is meant by ‘export’ and ‘exporter’. The definition of ‘export’ in the EU Dual Use Regulation includes ‘transmission of software or technology by electronic media … to a destination outside the EU; it includes making available in an electronic form such software and technology to natural and legal persons and partnerships outside the EU.’
The definition of ‘exporter’ includes ‘any natural or legal person or partnership which decides to transmit or make software or technology by electronic media … to a destination outside the EU.’
Based on these definitions, the act of making controlled technology or software available to anyone outside the UK or EU (as appropriate), whether through a cloud service or indeed by any other means, requires a licence. The controls apply:
- irrespective of who owns the server on which the software or technology is made available, eg whether it is on an organisation’s own servers or on those of any type of cloud service;
- irrespective of the nationality of the person in the UK who makes the software or technology available – the regulations apply not only to all EU persons but also to all non-EU persons conducting business in the EU;
- irrespective of the nationality or employment status of the person able to access the software or technology overseas, eg they could be a UK member of staff travelling overseas, a member of staff of a subsidiary overseas, an established customer with access rights, or anyone else;
- whether or not a UK employee abroad with access to the software or technology has any intention of passing it on to another person abroad – this corresponds to the rules for physical exports, where taking controlled technology abroad, even if only for personal use and not for onward transmission while abroad, still requires a licence;
- whether the transfer is between two parts of the same company or to a different entity;
- for the purposes of UK controls, it is also irrelevant where the software or technology is stored or routed, provided that adequate measures are in place to prevent unauthorised foreign nationals (eg system administrators) from having access to it. But note that the act of routing controlled software or technology through a non-EU country or storing it on a server on that country’s territory, for however short a time, may render it subject to the export control laws of that country.
When a licence is required depends on the arrangements made for granting access. If software or technology is to be fully accessible to members of a company, group, or dedicated collaborative user-group situated abroad from the time when it is saved to a site, a licence is needed before it is saved to the site. But if individual permissions are required for employees or other approved users overseas before they can access the site, it is only necessary to obtain a licence before that permission is given.
Export controls in sanctions programmes
Export controls may also apply if the software or technology is made available to a person or entity overseas who is either:
- located in a country subject to sanctions and the export of the software or technology contravenes the terms of the embargo established by the sanctions (eg if military technology is made available to a person located in a country under an arms embargo); or
- themselves included on a list of sanctioned persons or entities, and the provision of the software or technology to them contravenes the sanctions.
(ii) Service Providers
The key is again in the definition of ‘exporter.’ The EU Dual Use Regulation states that this includes any natural or legal person or partnership ‘which decides to transmit or make software or technology by electronic media … to a destination outside the Union.’
Unlike the US authorities,[9] the European Commission has not provided specific guidance on this. But on the basis of this definition, the exporter is generally understood to be the user of a cloud service and not the provider. This again reflects the rules applicable to physical exports, for which it is the exporter – not the freight forwarder or shipper – who is responsible for securing a licence before any licensable activity may take place.
Sanctions, on the other hand, may apply to providers (as well as users) if they give a service to individuals, entities or countries in contravention of sanctions. Neither the US nor the EU authorities have published formal guidance on this so service providers must interpret and apply each set of sanctions measures as they are drafted.
Compliance
The European Commission has recognised[10] the challenges which the development of cloud services poses to regulators and to companies working to implement export controls. It may examine options to address such challenges, potentially including a review of legal provisions, providing guidance and/or introducing specific tools such as new types of licence. But that process is likely to take several years. In the meantime, the following offers nine basic pointers for users and providers of cloud services:
- Be clear which if any of your software and technology is subject to export controls (under UK, EU and any applicable third country laws).
- Consider limiting controlled software or technology to only private servers, or to a private cloud, or to cloud services specifically developed to be compliant with export controls.
- Conduct due diligence of cloud service providers and consider negotiating terms into contracts providing for: restrictions on the locations through which controlled software or technology may be routed; where it may be stored; how access by any unauthorised person (including system administrators) will be prevented; the right to audit the provider’s compliance; and obligations for providers to notify promptly any known or suspected breaches. UK and EU regulators have not defined what they consider to be ‘adequate’ measures to prevent unauthorised access; this remains the exporter’s responsibility.[11]
- If export licences are necessary, consider what type(s) would be most appropriate and register or apply for them at an early stage. Note that all licences require records of transfers to be maintained, which is clearly more challenging in cases where software or technology is being accessed remotely rather than actively transmitted from the UK, and some require formal undertakings to be signed by the end-user or consignee.
- Note that, if there are any substantive modifications to licensed software or technology, a new licence may be needed.
- Transfers of controlled dual use technology and software within the EU should be marked as ‘subject to controls if exported from the EU’.
- If acquiring software or technology which is subject or may be subject to US export controls, ensure that the supplier provides detailed information on what controls apply to it and includes, in their US export licence, authorisation for any proposed re-exports. Put in place all measures necessary to ensure that the US control requirements are fully met.
- Screen all those to be given access to controlled software or technology and their locations, for possible sanctions. Cloud providers should similarly screen all users of their services, their partners and the locations of their servers and other facilities. Screening should be repeated regularly to take account of the frequent changes in the sanctions rules and lists.
- Review internal compliance policies, procedures and training on export controls and sanctions to ensure cloud computing issues are fully incorporated.
Conclusion
Using cloud computing services can create risks for those handling software or technology that is subject to export controls or whose transfer could breach sanctions. The key is to recognise that making controlled software or technology available to anyone located outside the UK or EU, however this is done, requires a licence and could breach sanctions, so appropriate procedures need to be put in place to manage the risks.
Richard Tauwhare is a Senior Director in the London office of Dechert LLP. He specialises in advice on ensuring compliance with export controls and sanctions. He was formerly head of export controls policy in the Foreign and Commonwealth Office.
[1] ‘Dual use items’ are defined by the EU Dual Use Regulation as ‘items, including software and technology, which can be used for both civil and military purposes, and shall include all goods which can be used for both non-explosive uses and assisting in any way in the manufacture of nuclear weapons or other nuclear explosive devices.’
[2] ‘Technology’ is defined by the UK Export Control Order 2008 as ‘information (including but not limited to information comprised in software and documents such as blueprints, manuals, diagrams and designs) that is capable of use in connection with the development, production or use of any goods.’
[3] The ‘Export Control Regimes’: the Wassenaar Arrangement addresses conventional military and dual use items; the Australia Group covers items which could be used in programmes for chemical or biological weapons; the Nuclear Suppliers Group does the same for nuclear weapons; and the Missile Technology Control Regime covers ballistic and cruise missiles, as well as Unmanned Aerial Vehicles potentially capable of delivering WMD.
[4] ‘WMD purposes’ are defined by the Export Control Order 2008 as ‘use in connection with the development, production, handling, operation, maintenance, storage, detection, identification or dissemination of chemical, biological or nuclear weapons or other nuclear explosive devices, or the development, production, maintenance or storage of missiles capable of delivering such weapons.’
[5] ‘in the public domain’ is defined by the Export Control Order 2008 as ‘technology or software which has been made available without restriction upon its further dissemination (copyright restrictions do not remove technology or software from being in the public domain).’
[6] ‘basic scientific research’ is defined by the Export Control Order 2008 as ‘experimental or theoretical work undertaken principally to acquire new knowledge of the fundamental principles of phenomena or observable facts, not primarily directed towards a specific practical aim or objective.’
[7] The International Traffic in Arms Regulations, administered by the US Department of State.
[8] The Export Administration Regulations, administered by the US Department of Commerce.
[9] The US Department of Commerce has made clear that it is the user, not the provider, who has responsibility for export controls, unless the provider is aware of nefarious activities by the user. Permitting a foreign national to maintain a provider’s servers and software does not constitute a ‘deemed export’ unless the foreign national has access to the controlled technology itself. Operating software as a service does not constitute an export of the software to the user so no licence is required.
[10] Sections 2.2 and 3.1 of the Communication from the Commission to the Council and the European Parliament on ‘The Review of export control policy: ensuring security and competitiveness in a changing world’, published on 24 April 2014.
[11] One option is to encrypt the technology. There is no EU guidance on this but the US authorities have not accepted that encrypting technology to established US government standards gives adequate protection to controlled technology, except if access is limited to US persons abroad who are directly employed by the same US corporation that sent the technology and the technology can only be used by US persons.