On October 3, 2008, the U.S. Department of Commerce, Bureau of Industry and Security ("BIS") published new interim rules, effective immediately, rewriting and altering the export regulations on encryption items (specifically, the encryption restrictions at EAR 742.15 and the ENC license exception at EAR 740.17). 73 Federal Register 54795. BIS hopes that the new rules will streamline the existing encryption review process, expand the availability of the ENC license exception, and more fully harmonize the encryption restrictions with the rest of the Export Administration Regulations ("EAR").
Under the EAR, encryption items, which includes software, technology, and hardware incorporating encryption technology, generally fall into two categories:
Ø Export Commodity Classification Number ("ECCN") 5A002/5D002, for certain enumerated, high-functioning encryption products and software; and
Ø ECCN 5A992/5D992, for all other encryption items.
Generally speaking, 5A992/5D992 products can be shipped without delay anywhere in the world (except for Cuba, Iran, North Korea, Sudan, and Syria) as No License Required ("NLR"). 5A002/5D002 products also generally may be shipped around the world under license exception ENC, provided certain restrictions are met (including, for example, restrictions on certain high-end products and end-users in certain restricted countries). Further, there are generally three requirements for most such exports, including restrictions that:
Ø The ENC Encryption Request Coordinator at BIS pre-reviews the encryption item in question;
Ø A company waits at least 30 days for BIS to process the pre-review; and
Ø A company submits semi-annual sales reports to BIS for those sales.
While the new encryption rules do not disturb the existing broad formulation between 5A992/5D992 and 5A002/5D002 products, the new rules try to further delineate the requirements between the two ECCN categories. In particular, the new rules update technology levels to further clarify the differences. Additionally, the new rules help to streamline the processes by which 5A002/5D002 products shipped under license exception ENC are reviewed, exported, and subsequently reported to BIS. Following are three key highlights of the new rules.
1. The New Rules Reduce The BIS Pre-Review Requirements
Ø Under the old rules, companies were required to submit the vast majority of their encryption items to the ENC Encryption Request Coordinator at BIS for pre-review and approval before being able to take advantage of the ENC license exception or export their product broadly. In practice, this meant that nearly all encryption items were submitted for pre-review. Companies could then begin shipping encryption items NLR or under the ENC license exception almost immediately to a host of friendly countries, and to most other countries with limited restriction after 30 days.
Ø Under the new rules, the types of encryption items subject to the mandatory review process have been substantially limited.
o With regard to 5A992/5D992 products, the pre-review requirement has been completely eliminated.
o With regard to 5A002/5D002 products, the pre-review requirement has been limited. In particular, the license exception at EAR 740.17 has been restructured and reorganized, focusing on whether pre-review is required or exempted. The following types of 5A002/5D002 encryption items are exempt from the pre-review requirement:
a. Foreign Subsidiaries of U.S. Companies. Certain listed encryption items are exempt from the pre-review requirement when they are transferred to foreign subsidiaries of U.S. companies, provided the encryption items are used exclusively for internal company use (EAR 740.17(a)(2)). In addition to foreign subsidiaries, this exemption also applies to foreign national employees of the foreign subsidiary. While these types of products were previously exempt from the semi-annual reporting requirement, the pre-review exemption has also been added under these new rules.
b. Internal Development or Production of New Products. Certain listed encryption items are exempt from the pre-review requirement when they are exported to certain eligible private sector end-users for internal development or production of new products by those same end-users (EAR 740.17(a)(1)). Note that this new exception does not remove the pre-review requirement for products that will be used by foreign governments to develop new products; in such a situation, the exemption would not apply.
c. Short-Range Wireless Encryption Functions. Products that include encryption technology providing short-range wireless encryption functions are exempted from the pre-review requirement (EAR 740.17(b)(4)(i)).
d. Foreign-Manufactured Products. Products that are foreign-manufactured products developed with or incorporating U.S.-origin encryption source code, components, or tool kits are exempted from the pre-review requirements (EAR 740.17(b)(4)(ii)). While a newly manufactured foreign product is exempt from the pre-review requirement, it does not exempt the U.S.-origin encryption items that are incorporated in the foreign-manufactured product. The U.S.-origin encryption item must have been pre-reviewed by BIS, and the encryption functionality cannot have changed. Essentially, this new exception allows foreign manufacturers to avoid the mandatory pre-review requirement, but the obligation on U.S. companies in the first place remains.
e. Wireless Personal Area Network Items. A new exception under the new rules relates to wireless personal area network items (with a very limited range of 30 meters) that implement only published or commercial cryptographic standards (EAR 740.17(b)(4)(iii)). It applies to products such as hands-free headsets, wireless networks between personal computers, wireless mice, wireless keyboards, wireless printers, GPS receivers, and game controllers.
f. Ancillary Cryptography. Another new exception under the rules relates to commodities and software that perform ancillary cryptography (EAR 740.17(b)(4)(iv)). This exception covers products that incorporate cryptography technology, even though the products are not particularly useful for computing, communications, networking, or information security. This includes products incidentally incorporating cryptography, such as music or entertainment products, household utilities, video recording or playback, business process modeling (supply chain management, inventory control), industrial and manufacturing systems, and transportation systems.
o Functionally, in all relevant respects, this means that 5A002/5D002 products that meet any of the foregoing criteria are essentially treated as 5A992/5D992 products. The only major difference is the licensing authority listed on the export documentation – 5A992 products would be listed as "NLR," while these specific 5A002 products would be listed as "ENC." All other licensing restrictions would be essentially identical.
Ø For those remaining 5A002/5D002 products that are submitted for ENC pre-review, BIS will continue to process those reviews as they have done in the past. The new rules attempt to simplify the pre-review application process, specifying additional information for electronic submissions, and modifying the types of information required in the application packets (EAR Part 742, Supplement 6). Most notably, the new rules note that submissions via fax will no longer be accepted – only electronic or hard-copy submissions.
Ø Additionally, in issuing an ENC approval, BIS will state whether the encryption item qualifies as "ENC Restricted" or "ENC Unrestricted" under EAR 740.17(b)(2) or (b)(3), which identify restrictions on the sale of the product to certain government end-users.
2. The New Rules Reduce A Company’s Ongoing Reporting Requirements
Ø Under the old rules, companies were required to submit semi-annual reports to BIS for virtually all products shipped under license exception ENC.
Ø Under the new rules, the ongoing reporting requirement is reduced.
o The new rules clarify that no reporting is required for sales of 5A992/5D992 products.
o Additionally, the new rules continue the old policy of exempting certain types of 5A002/5D002 transactions from the reporting requirement (EAR 740.17(e)(1)(iii)), as well as exempting the types of products described above where pre-review by ENC is not required. Finally, BIS has included a new generic "other" category exempting encryption items that BIS feels are unnecessary to include in the semi-annual reports.
Ø Reports should identify, in addition to a product’s ECCN, the corresponding CCATS number assigning that ECCN.
3. The New Rules Elaborate On And Clarify The "Mass Market" Classification
Ø Another highlight of the new rules is that they clarify the relationship between 5A002/5D002 and 5A992/5D992 products when the product qualifies for "mass market" treatment. Regardless of a product’s technical capability, it qualifies for "mass market" treatment and reduced export restrictions if:
o it is generally available to the public without restriction;
o its cryptographic functionality cannot be easily changed by the user; and
o it is designed for installation by the user without further substantial support from the supplier.
Ø While implicit in the prior rules, the new rules expressly clarify that "mass market" products are classified as ECCN 5A992/5D992. Additionally, the new rules provide additional descriptions of the "mass market" classification, including examples of "mass market" encryption products.
Ø Different from prior policy, the new rules clarify that all products that are submitted for pre-review to BIS for "mass market" treatment should be treated as 5A002/5D002 products, until formally approved as "mass market" and classified as 5A992/5D992. The new rules clarify that once an ENC pre-review application has been submitted to BIS, the product can be shipped under the ENC license exception, including immediate shipment to a long list of "friendly" countries (which has been expanded to include Bulgaria, Canada, Iceland, Romania, and Turkey under the new rules), and a number of other countries after 30 days, provided the ENC license exception requirements are satisfied. While BIS claims in the new rules that this is a major change from its prior policy, careful companies have long been treating their products as 5A002/5D002 until the formal "mass market" CCATS approval was issued by BIS.
Ø Another welcome feature of the new "mass market" classification is that company’s can self-classify as "mass market" products short-range wireless encryption items, wireless personal area network items, and items incorporating ancillary cryptography (EAR 742.15(b)(3)). Companies were not permitted to self-classify any product as "mass market" under the old rules, but the language in the new rules appears to permit self-classification.
We encourage everyone to examine the new rules in their entirety to consider specifically how the new rules will effect your business and your product lines.
The new rules are a welcome change to the encryption controls, reducing the pre-review and subsequent reporting requirements with BIS, and expanding the scope of the ENC license exception. Christopher Wall, Assistant Secretary of Commerce for Export Administration, stated that these new rule changes were "not fundamental, but they are a start." He further stated that these new rules were the beginning of a more comprehensive approach to simplifying encryption controls and that BIS was "already beginning that process." We welcome such simplification, especially considering that the encryption restrictions have long been among the most confusing sections of the EAR.