Posted: 27 Jul. 2017

US defines new “encryption carve-out” for transfers of export-controlled data

For companies handling export-controlled technology, the increasing prevalence of cloud computing and cross-border IT networks raises significant challenges for effective compliance. To accommodate these trends, the US Department of Commerce (“DoC”) has defined what it calls an “encryption carve-out”, under which the transmission of encrypted technology or software is no longer deemed an export, reexport or transfer under the EAR, provided certain criteria are satisfied.

These rules take effect on September 1, alongside a range of notable new definitions of terms used in the Export Administration Regulations (“EAR”) and International Traffic in Arms Regulations (“ITAR”) (see Part I of this two-part post for an overview). However, companies should note that the encryption carve-out applies only to technology controlled under the EAR, and not to technical data controlled under the ITAR.

The encryption carve-out

Key features of the new encryption carve-out include the following:

  • End-to-end encryption between security boundaries

The electronic transmission of technology/software will not be subject to the EAR if the data is protected with “end-to-end encryption”, meaning that the data is encrypted from the sender to the recipient and cannot be accessed by third parties while in transit.

In response to industry comments that in-transit data may be encrypted and decrypted multiple times for technical reasons during transmission from sender to recipient (for example, to establish a connection with a VPN server), the final rule permits decryption and re-encryption within the “security boundary” of either the originator or the recipient, provided that the security boundary does not cross any country border. Additionally, third parties outside those security boundaries must not have the means to decrypt the in-transit data.

  • Encryption standards

The encryption carve-out applies to in-transit data that is encrypted to the standards defined in Federal Information Processing Standards Publication 140-2, supplemented by the cryptographic controls specified in U.S. National Institute of Standards and Technology (NIST) publications. The final rule also allows the use of “equally or more effective cryptographic means” (EAR §734.18); however, the exporter is responsible for ensuring that any alternative encryption used is at least as effective as the reference standard.

  • Data storage in US arms-embargoed countries and Russia

The encryption carve-out does not apply to the storage of data in countries subject to a US arms embargo (defined under Country Group D:5 in the EAR) or in Russia. It is important to note that data in transit via internet traffic routed through a country is not deemed to be stored in that country. The final rule also clarifies that in-transit data stored temporarily on servers in these countries without the knowledge of the sender is not subject to the EAR.

  • Transfer of decryption keys or other means of decryption

The final rule introduces a new authorisation requirement for the transfer of “access information” where it is known that the transfer could result in the unauthorised decryption and release of controlled software or technology. Examples of access information include decryption keys, network access codes and passwords that could be used to convert the data to an unencrypted form.

Impact on companies

Companies using cloud-based solutions will need to review their arrangements and ensure compliance with the specified encryption standards to be eligible for the carve-out from EAR control. Continued safeguards must be in place to prevent unauthorised storage of data in US arms-embargoed countries and in Russia. Cloud service providers should also revisit their current standards to cater for customers requiring solutions that adhere to the new regulatory requirements.

Finally, although the encryption carve-out has been defined in new rules published simultaneously by the DoC and the Department of State (“DoS”), the DoS has not yet addressed the use of encryption for transferring ITAR-controlled technical data. For businesses that handle both EAR-controlled technology and ITAR-controlled technical data and wish to take advantage of the encryption carve-out, this may raise new challenges should different standards and processes need to be applied for different export-controlled data.
