Exporting into the Cloud: Export Compliance Issues Associated with Cloud Computing
Legal Technology
February 2, 2010
What if your company's sensitive intellectual property or export-controlled military or "dual use" commercial/military data wound up exported to a computer in China or India when using "cloud computing" services? Could your company or company officials be subject to civil or even criminal penalties?

The answer might be "Yes."

The volume of electronic data that requires storage and processing is growing rapidly each day.

Because traditional methods of storing and processing data have become costly, cumbersome, and, in some cases, scarce, the search for viable alternative storage methods has intensified. This search poses a challenge to companies that must rapidly increase data storage and processing capacity, while still providing networks that are both secure and legally compliant - in other words, most companies.

Increasingly, computing service providers and their customers are turning to "cloud computing" as a way to meet these challenges. Most providers and potential customers, however, have yet to recognize all of the challenges involved in making "cloud computing" both secure and legally compliant The risks of putting your company's data into "the cloud" are real and they could prove costly. Putting data on the cloud that is controlled for export (e.g. data showing how to make a military item, or data showing how to develop, produce or use certain sensitive commercial - dual - use) items) can lead to civil penalties up to $1,000,000 per violation for military technology or $250,000 per violation for dual use items - or even to criminal charges, if controlled data is exported without a required government license.

"Cloud computing" (also known as "utility computing") takes place when data, software applications, and computer processing are accessed from "clouds" of online resources (including servers) with indeterminate or shifting locations - including potential locations outside the United States. In simple terms, these "clouds" consist of many computers spread out in a multitude of locations, most of which are unknown to the customer using the service.

Whereas in traditional computing, a user typically accesses software that has been downloaded to a specific device and then saves the data on that individual device's hard drive, users of "cloud computing" merely pay a fee to "rent" data storage services, processing power, or applications that are stored in "the cloud." After processing on a local computer, data are returned to the cloud, but they could be stored in a new location (perhaps overseas).

"Cloud computing" has advantages for both individual users and organizations. For individuals, cloud computing allows a user to access data that he or she has stored in the "cloud" from any individual "client" device. This frees the user from the tether of a client device that must be carried from place to place. For organizations, "cloud computing" is an attractive option because it can reduce capital costs. It does so by allowing the organization to "rent" an application server space, or data access for only as long as the organization needs it and only pay for the time the application or storage space is actually used (similar to a utility arrangement). The concept is that computing costs are lowered as the costs of computing services are shared among users (with the service provider naturally taking a fee). In contrast, traditional computing requires organizations to buy servers or software applications outright at full price. Those resources could be idle at times while servers in the cloud could be used around the clock by users in every time zone.

At least one cloud computing service provider found the export compliance issues associated with cloud computing to be important enough to seek an advisory opinion from the Department of Commerce's Bureau of Industry and Security (BIS), which is responsible for administering U.S. export controls on non-military items.

This opinion, released on Jan. 13, 2009, addressed issues related to cloud computing service providers, but did not address any export compliance issues related to individual users. The opinion addressed: (1) whether cloud computing services, in the absence of any transfer of software or technology subject to the Export Administration Regulations (EAR - 15 C.F.R. 730 et seq.), are subject to the regulation; (2) whether cloud computing services constitute an "activity unrelated to exports"; (3) whether cloud computing service providers are "exporters" of any derivative data resulting from the use of the computational capacity and liable for export screening on that basis alone; (4) whether computation access restrictions apply to cloud computing service providers; and (5) whether the grid or cloud computing service provider must inquire about the nationality of the customer (or user). While these issues are relatively well-resolved for service providers, those who use the services have not had their questions addressed. Moreover, Commerce (BIS) makes it clear that the transfer of software or technology that is subject to the regulations remains controlled for export. Thus, any company that uses controlled software or technology, and that is a high percentage of companies in the United States, must be careful about using cloud computing services.

Unwittingly, users of "cloud computing" could "export" controlled technical data without proper government authorization every time they save a document to the cloud if the server being used to store or process the data is outside the U.S. in a country where an export license would be required to export the technology. For example, a company that makes chemical handling pumps that are controlled for export might have controlled production technology for those pumps that could require an export license approximately 150 countries. That company would need an export license to use cloud computing services if a server was located in one of those 150 countries. There are thousands of similar examples for controlled commercial technology that require export licenses.

The key is that because a user has relatively little control over where data is stored, the data could cross international boundaries to reach the server whenever a document is sent "into the cloud" to be stored. According to the Export Administrative Regulations ("EAR"), 15 C.F.R. § 734.2(b)(1), and the International Trafficking in Arms Regulations ("ITAR"), 22 C.F.R. § 120.17(a)(1), any time controlled technical data is exported from the U.S., even in electronic format (fax, international phone calls, emails, and export to a non-U.S. server) regardless of whether that data is accessed abroad, an export has occurred that might require a license. No intention to export technology is required to violate the regulations - they are strict liability controls. In short, any time a document containing U.S.-origin technical data that is controlled for export is saved on an international server, it has been exported. Any time an export of controlled technical data occurs, the exporter must follow the export regulations set forth in either the EAR, for dual use technology, or the ITAR, for munitions list technical data.

The ITAR, which is administered by the U.S. Department of State's Directorate of Defense Trade Controls (DDTC), requires action by a company before it can export either "unclassified technical data" or "classified technical data" to any country (with very limited exemptions).

See 22 C.F.R. §§ 125.2, 125.3. "Technical data" includes "information, other than software . . . which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles," and "classified information relating to defense articles and defense services."

See 22 C.F.R. § 120.10. The ITAR lists blueprints, drawings, photographs, plans, instructions and documentation as technical data.

A defense article is defined as an item that is either "specifically designed, developed, configured, adapted, or modified for a military application . . .[d]oes not have predominant civil applications, and [d]oes not have performance equivalent (defined by form, fit and function) to those of an article or service used for civil applications;" or "[i]s specifically designed, developed, configured, adapted, or modified for a military application, and has significant military or intelligence applicability such that control . . . is necessary." 22 C.F.R. § 120.3. The intended use of the article or service after its export is not relevant in this determination.

The EAR puts similar restrictions on the export of technology - technical data and technical services related to dual-use items. The EAR defines "technology" as "technical data" which contains "specific information necessary for the ‘development', ‘production', or ‘use' of a product." See 15 C.F.R. § 772.1. Similar to the ITAR, "technical data," according to the EAR, includes "blueprints, plans, diagrams, models, formulae, tables, engineering designs and specifications, manuals and instructions written or recorded on other media or devices such as disk, tape, read-only memories."

See 15 C.F.R. § 772.1. Unlike the ITAR, which applies to all countries, the EAR controls the export of technology associated with certain products to certain locations. Moreover, controlled technical data under the EAR is limited to data "required" for the development, production or use of a controlled item under the regulations. It is surprising how many controlled items (and controlled technology) there are. Among hundreds of controlled items, even "low tech" items such as certain diesel engines, pumps, valves, pipes, chemicals, and metals are controlled, in addition to more sophisticated items like electronics, computers, aerospace items, and the technology to develop, produce and sometimes even to use them are controlled for export (among hundreds of other items).

Again, exports of controlled technical data are concerning because exports under both the EAR and the ITAR involve strict liability for non-compliance. Ignorance of the destination of the technology or the applicable product or technology control is no excuse for a violation and penalties can still be assessed. The obligation is on companies to understand the rules and prevent unintentional and intentional violations. In fact, "knowing" that a violation has occurred or will occur and continuing with the export will lead to even higher potential penalties. In short, any time that controlled technical data is sent into "a cloud" and crosses an international boundary where either the EAR or the ITAR restricts exports, regardless of the sender's knowledge of its destination, an unauthorized export has occurred, and the sender can be subject to penalties.

As indicated, recognizing these export controls on technical data and following the corresponding legal requirements are both extremely important. Recent legislation significantly increased the penalties for exporting dual use items without a license. Under the EAR, unauthorized exports of controlled items can carry civil penalties of up to $250,000 per transaction or twice the value of the violating transaction, whichever is greater. Penalties for "knowing" or "willful" exports are significantly higher and can involve jail time.

Moreover, every export of technology that requires an export license is a separate violation. Under the ITAR, civil penalties can reach $500,000, and criminal penalties that involve a knowing component can carry fines of up to $1,000,000 and/or imprisonment for up to 20 years. Additionally, companies that violate either the ITAR or the EAR can have their goods seized and/or their export privileges revoked (i.e. no more exporting from the U.S. for a period of years).

They may even be prohibited from doing business with the U.S. government.

A company that uses "cloud computing" can mitigate its risks by being sensitive to the data that it sends into "the cloud." If a company knows that it works with products or data that are controlled under either the EAR or ITAR, the first critical step is to classify products and associated technology properly under the regulations, label it, and ensure that it is not exported without an export license to an unauthorized destination.

Companies that utilize "cloud computing" services without segregating technology should thoroughly analyze technology to ensure that none of it is controlled for export under either the EAR or ITAR. After determining if their products and technology are controlled, companies should formulate and implement an export compliance management system that includes a technology control plan.

That plan should include language and procedures addressing cloud computing. Moreover, training on an export management system and TCP is an essential element of an export management system.

A possible alternative for a company that works extensively with controlled items might include attempting to require its "cloud computing" provider to ensure that its "cloud" only consists of domestic computers. While this approach may not completely eliminate risk, it is a good start for a company that wants to be conservative.

Companies are strongly encouraged to seek assistance from experienced export compliance counsel to deal with these issues given the surprisingly broad scope of the EAR and ITAR controls. This breadth, coupled with the strict liability standard for penalties means that costly mistakes can and do occur. Companies that may have already committed violations due to the unwitting use of cloud computing are strongly encouraged to seek the advice of export compliance attorneys immediately to evaluate options going forward.

This article was originally published in February 2010 on http://legal.tmcnet.com/.