By Odyssey E. Gray, III, Associate, FD Associates, Inc.
Today’s world is a “smart” world, a world of various electronic devices that provide ever expanding connectivity and access. As a result of this age of “connectivity,” employers may require their employees to travel internationally, conducting business on their behalf while carrying electronic devices with them. What if your business involves ITAR controlled products? Will you receive or hand-carry ITAR regulated technical data on laptops, smart phones or other electronic devices? Are you remotely logging in to your company server while abroad to access ITAR regulated technical data? Are there controls in place to protect this data from being accessed by foreign persons while you are abroad? Is the ITAR technical data being accessed for individual use without further export, or, will you share the ITAR regulated technical data with foreign persons? Most importantly, does your company understand the authorizations required to allow the export of ITAR technical data on devices being carried internationally? Any export of ITAR controlled technical data requires ITAR authorization for the export.
What if the data being carried internationally is not ITAR regulated? Would this would mean no controls and thus, no USG authorization required? This is a common mistake by many who believe that if the data is not ITAR regulated, it is not export controlled. In fact, if the data is not ITAR controlled, then it is, or may be, subject to the Export Administration Regulations (“EAR”) and, if subject, the applicable ECCN for the information (technology) will determine whether Department of Commerce approval or EAR license exception is required for its export.
The good news for international travelers is that both the ITAR and the EAR have clear provisions for the license-free export of technical data and technology for employee use abroad under applicable ITAR license exemption and EAR license exception. The ITAR license exemption is available at ITAR 125.4(b)(9). The EAR has two applicable license exceptions at EAR Part 740.9 (TMP license exception) and EAR Part 740.14 (BAG license exception). These authorizations are commonly referred to as “personal use.”
The “personal use exemption” at ITAR Section 125.4(b)(9) authorizes the export, reexport or retransfer of ITAR controlled technical data, including classified information, without a license, by or to a U.S. person, or a foreign person employee of a U.S. person (who has been authorized to receive ITAR regulated technical data under an ITAR DSP-5 employment license) travelling or on temporary assignment abroad for their personal use.
The EAR “personal use exception” at EAR Part 740.9 – TMP (Temporary Imports, Exports, Reexports, And Transfers (In-Country), authorizes the export, reexport or transfer of EAR controlled technology, without a license, by or to a U.S. person, or a foreign person employee of a U.S. person travelling or on temporary assignment abroad for their personal use.
The EAR “personal use exception” at EAR Part 740.14 – BAG (Baggage), authorizes individuals leaving the United States either temporarily (i.e., traveling) or longer-term (i.e., moving) to take to any destination, as personal baggage, the classes of commodities, software and EAR controlled technology described pursuant to this license exception. License exception BAG authorizes the export of technology as “Tools of Trade” for use in the trade, occupation, employment, vocation, or hobby of the traveler. License exception BAG also authorizes the export of encryption commodities and software subject to EI controls, if for personal use.
Once you know where your data falls jurisdictionally, you can cite the proper export authority, contingent upon meeting all of the stated requirements of using either ITAR 125.4(b)(9) license exemption or the EAR license exceptions TMP or BAG.
Both the ITAR and EAR require that security precautions (e.g., encryption of the data; firewalls; use of secure network connections or other access restrictions on the electronic device on which the data is stored, e.g., passwords, etc.) are in place on the electronic device to prevent unauthorized access to the controlled information by foreign persons.
The most secure method for access abroad by an employee is the use of a secure encrypted tunnel into the company server (e.g., secure VPN), whereupon data may be viewed and accessed by the employee who is using either a company laptop / electronic device or a personal electronic device. All technical data remains on the company server and is not downloaded to the local device, except for viewing in an encrypted window.
If the company provides or allows its employee to use a company laptop or electronic device for hand-carry and use abroad while on travel, the device may already be loaded with ITAR controlled information/files (the hard drive should be encrypted and/or password protected). The company device should contain software that allows the device to be remotely wiped in case of theft or loss. The employee must maintain positive control and access of the company device with stored information so as not to allow unauthorized access. If the employee will not keep the laptop with them, at all times, they should plan to store the laptop in a secure place such as a hotel safe.
The company should have a written travel policy, including written processes and procedures, to provide guidance and instruction to all employees traveling to ensure that all regulatory requirements are met to remain compliant with the export of controlled information to the company employee.
Procedures should exist not only for the use of the applicable ITAR exemption or EAR license exception, but as a means to document the information released, to whom it was released, the manner in which the transfer occurred, as well as information concerning the device used to access/carry the data, whether it be a personal device or company device.
It is recommended that the traveler have a proforma invoice describing the device, the data or software installed, to include, any hard copies of data previously exported, and, the applicable ITAR license, license exemption / EAR license, license exception with them at the time of travel.
In addition to the actual export, the regulations require that records for each export be maintained by the exporter (e.g., description of the technical data that was exported; name of the recipient(s); date and time of export; method of transmission, i.e. facsimile, courier, email, meeting). The same record-keeping requirements that exist for any license approval for exports to foreign parties are the same as those for the use of any ITAR exemption or EAR license exception for exports to employees traveling internationally.
Any exports made beyond the scope of ITAR 125.4(b)(9) or EAR license exceptions TMP or BAG, i.e., not for “personal use,” are subject to the usual export licensing rules under the ITAR or EAR. In other words, if one seeks to provide controlled data to foreign persons, that export/transfer requires separate authorization, e.g., license approval, ITAR license exemption or EAR license exception.
Fines and penalties for any violation of the ITAR or EAR are applicable, thus, use of these “personal use” authorizations must be within the scope as cited in the ITAR or EAR, respectively.
While these steps might seem burdensome to a small company, did you know that the U.S. Customs and Border Protection (“CBP”) issued a new directive in January of this year (2018) which authorizes and provides guidance to CBP in its procedures for “…searching, reviewing, retaining, and sharing information contained in computers, tablets, removable media, disks, drives, tapes, mobile phones, cameras, music and other media players, and any other communication, electronic, or digital devices…” CBP has authority to search the contents of any electronic device leaving or entering the United States at their discretion. In 2017 alone, CBP conducted 30,000 searched of electronic devices.
CBP searches are authorized to facilitate border security. In practice, this means CBP may review and/or copy any information on any electronic device, even those items that are encrypted or password protected. CBP may make copies of any of the information on the device. If the information is not accessible, CBP may detain or seize the device to ship it off-site for further analysis and to facilitate CBP review of all information therein.
Even information marked as “Attorney-Client privileged” is subject to review and/or copy. Individuals, however, should alert and advise CBP if such information exists on the device and its status as “Attorney-Client privileged,” so that CBP is aware that this is protected information. A best practice would be to utilize the same procedures for confidential business information. Note, however, CBP may not use the electronic device to access information stored remotely. This directive is applicable only to the information stored on the actual electronic device.
Consistent with CBP policy, no specific cause is needed for CBP to conduct the search of the device. The directive does instruct that “CBP will protect the rights of individuals against unreasonable search and seizure and ensure privacy protections while accomplishing its enforcement mission.” Should CBP wish to review your device, you want to be able to provide CBP with evidence you have complied with applicable U.S. export laws. A copy of a completed traveler form that identifies the device, the applicable ITAR license exemption / EAR license exception, the reason for travel and the information being carried abroad is a good tool to demonstrate to CBP that you have not violated U.S. export laws.
The primary mission of both the ITAR and the EAR is national security and safeguarding U.S.-origin technology. The regulations recognize that company employees may require the use of export-controlled data to perform work assignments while abroad, thus, the ITAR 125.4(b)(9) license exemption and EAR license exceptions TMP and BAG for “personal use” permit this type of export.
There is one notable exclusion to the use of the ITAR 125.4(b)(9) exemption. It cannot be used for the carrying of ITAR controlled data to proscribed countries per ITAR 126.1 (e.g., China, Venezuela, etc.). Therefore, if a person is travelling to China or Venezuela, for example, on business, or even on personal travel, with their company issued device or a personal device that can access company information, they must know that they cannot lawfully carry or access ITAR technical data or EAR 600-series technical data while they are in ITAR 126.1 countries. Not only is there no applicable exemption under the ITAR or EAR, but there is a policy of denial for exports to these countries.
In today’s “smart” world, businesses should have travel policies and procedures that comply with the exemptions/exceptions available and protect the export of ITAR technical data or EAR controlled technology. If you need help with developing a travel policy, FD Associates stands by to assist you.