Changes in ITAR Definitions
The U.S. State Department has made changes in important definitions of what constitutes an export under the International Traffic in Arms Regulations (ITAR). These changes are due to take effect on March 25, 2020 and will effect the manner in which companies with ITAR classification must conduct business. These definitions concern what activities are deemed exports, reexports, retransfers, or temporary imports. Additionally a new definition has been created concerning “Access Information”.
Five Key Changes
Under § 120.54, five new provisions have been made for activities that do not require authorization from the Department of State. These provisions are as follows:
- Items launched into space are now not deemed a controlled event. A controlled event is defined as an export, reexport, retransfer, or temporary import.
- It is not deemed a controlled event to transfer technical data to a U.S. Person within the United States from a person in the United States.
- The third provision was added as a result of public comments to proposed rule changes in 2015. It states that transmissions or other transfers of technical data between and among only U.S. Persons in the same foreign country will not be deemed a reexport provided they do not provide that information to a Foreign Person or a person otherwise prohibited from receipt of such information.
- It is now not a controlled event to move a defense article between states, possessions, or territories of the United States.
- It is now not deemed a controlled event to send, take, or store technical data when it is appropriately end to end encrypted. Encryption must be executed in a manner that is certified by The U.S. National Institute for Standards and Technology (NIST), or must exceed a 128-bit security strength.
Definition of Access Information
The Department of Stated has added § 120.55 to define “access information.” Access Information is defined as methods of unlocking data security parameters. These would include decryption keys, network access codes, and passwords. It is important to note that an authorization for release of technical data is required through access information to the same extent as other provisions of data transfer under ITAR,
Definition of Release
Clarifications as to what constitutes a release of technical data have been provided as well. These controlled events which require authorization include the aforementioned access information. The definition of release include:
- The release of access information to cause or enable a foreign person to have access to controlled data.
- To use access information in a foreign country in a manner that would cause technical data to be in an unencrypted form, including when these actions are performed by a U.S Person abroad. There is an exemption however, in ITAR § 125.4(b)(9) that allows most U.S. Persons abroad to release technical data to themselves or over their employer’s virtual private network.
Our ITAR experts can guide you through the changing requirements of ITAR to keep your company compliant. We offer a wide array of services to help you keep on track with this important legislation.