Technical Data and Export Law
Understanding what technical data is and how it pertains to export law is important for companies doing business in the U.S. and Canada. Both countries have different requirements and regulations controlling how technical data is stored and transferred. Additionally, these regulations are subject to change.
What is Technical Data?
Definitions under U.S. Law
Under the International Traffic in Arms Regulations (ITAR), technical data, which is defined in 22CFR 120.10(4), is information which is specifically required for the design and production of defense articles and services such as drawings, instructions, or other documentation. It also includes software that is directly related to defense articles.
The Export Administration Regulations (EAR), which are administrated by the Department of Commerce, define controlled technical data as an export of technology that is required for the “development, production or use” of items on the Commerce Control List (CCL). Under the EAR transfer of technical data is defined as a Deemed Export.
Under both sets of U.S. export control regulations, transfer of technical data to a foreign nation or foreign persons will in most cases require an export license.
Definitions under Canadian Law
The Canadian Controlled Goods Program (CGP) defines technical data as Technical data is any information, such as blueprints, drawings, plans, computer software or technical documentation that could be developed or adapted for use in military or space equipment.
Canadian Export Regulations for Cloud Service Providers
Canada’s Controlled Goods Program, as of April of 2021, has placed requirements on cloud service providers that provide storage for controlled goods data. These cloud service providers must now be registered regardless of encryption protocols utilized.
Registrants that currently store data on unauthorized servers outside of Canada are required to remove all controlled goods data from the foreign service and move that data to local secure servers or cloud service providers registered in the Controlled Goods Program.
Differences in Canadian and U.S. Requirements
These cloud service requirements contrast with the Directorate of Defense Trade Controls (DDTC) interim final ruling, released on December of 2019, concerning transmissions or storage of unclassified technical data which is controlled for export under (ITAR).
The current ITAR requirements (§ 120.54) allow for storage of unclassified ITAR technical data on foreign servers if end to end encryption compliant with the U.S. National Institute of Standards and Technology (NIST) requirements.
This variance in requirements places increased complexity in compliance programs for organizations that conduct business in both Canada and the United States.
Protection of Technical Information
Both the U.S. and Canada are actively engaged in securing access to export controlled information to protect their national security interests.
In the United States protecting Controlled Unclassified Information (CUI) has been a priority for the Department of Defense (DOD) for many years now. DoD contractor CMMC requirements have been in development since 2015 in an on going effort to safeguard Controlled Unclassified Information (CUI).
In 2020 the Defense Acquisition Federal Regulation Supplement (DFARS), mandated that private DoD Contractors adopt cybersecurity standards according to the NIST SP 800-171 cybersecurity framework as an interim measure until the Cybersecurity Maturity Model Certification (CMMC) is finalized.
CVG Strategy is a consultancy dedicated to assisting businesses navigate increasing requirements for export compliance and information security.
Export Compliance Expertise
Navigating international import and export laws can be extremely challenging for organizations. This is especially the case for those whose products are defense related. CVG Strategy export compliance experts have over a decade of experience in assisting businesses establish and maintain export compliance programs.
CVG Strategy has helped companies comply with both U.S. and Canadian regulations. We can answer your export compliance questions to keep your organization in compliance to regulations. We can also provide essential training to ensure that your team is up to date on ever changing export laws.
CVG Strategy is committed to helping businesses protect the United State’s controlled unclassified information by helping them establish effective cybersecurity programs. We know that viable solutions include all stakeholders in an enterprise. They include people, policies, procedures, risk analysis, incident responses, and an internal auditing process that yields constant improvement.