

2017 California Export Guide



It is common these days for companies to store data in the “cloud,” meaning it is on a server located somewhere in the world. What if that data is export controlled?

For example, a company has defense-related technical data controlled under the International Traffic in Arms Regulations (ITAR). Can it be stored on a server located outside the U.S.?

In another example, a company has dual-use technology controlled under the Export Administration Regulations (EAR). Can the company move it from a U.S. server to a foreign server?

Data as an Export

Is storing data on a server outside the U.S. considered an “export?” Under the recently revised definition in the EAR, “export” means: “An actual shipment or transmission out of the United States, including the sending or taking of an item out of the United States, in any manner.”

“Item” includes controlled information and data. The regulatory agencies have consistently interpreted “export” very broadly. Any way a controlled article or data can wind up in the hands of a foreign person is considered an export. In fact, a foreign person having access to data and information stored on a server in the U.S. is also an “export.”

Thus placing controlled data on a server in another country is an “export.” What do the regulations and interpretations say the data owner has to do to make it exportable? Or should they just forget about cloud storage altogether?

A recent Bureau of Industry & Security (BIS – the agency within the Department of Commerce responsible for enforcing the EAR) rule establishes a “carve out” for transmissions of controlled technology within a cloud service infrastructure if there is “end-to-end” encryption of the data. This means that “data eligible for the carve-out must by definition be encrypted before crossing any national boundary, and must remain encrypted at all times while being transmitted from one security boundary to another.”

Any data sent to a cloud server outside the U.S., or moved from a U.S. server to a foreign server, or potentially accessed by a foreign person inside or outside the U.S. must be appropriately encrypted before crossing an international border (or before any potential access by a foreign person). The means of decrypting the data cannot be provided to any third party before reaching the recipient.

Cloud Storage Data Requirements

The change to the EAR added some further requirements for cloud storage of controlled technology:

• The technology must be unclassified.

• The technology cannot be stored in a country subject to a U.S. arms embargo or in Russia.

• It must be secured using cryptographic modules compliant with Federal Information Processing (FIPS) 140-2 standards, supplemented by software implementation, key management and other procedures and controls.

What about ITAR rules for cloud storage? An interim Final Rule, dated Sept. 1, 2016, contained revised definitions to the ITAR. The rule did not specifically cover cloud storage; however, its revised definitions of “export,” “re-export” and “release” encompass transfers of technical data to foreign cloud servers. Although a cloud storage rule under the ITAR has not been finalized, controls similar to those under the EAR, ensuring sufficient means to prevent foreign persons from having access to the data, are recommended.

So, do you know where your data is?

Bruce H. Leeds is Of Counsel for Braumiller Law Group PLLC, which has offices in Los Angeles, Dallas, Toledo, Chicago and Mexico, and is online at

Storing Export Controlled Data in the Cloud: Consider ITAR and EAR Regulations

By Bruce H. Leeds
