The Bureau of Industry and Security (BIS) has issued a new advisory opinion (its third) on whether and when cloud-based service providers must be concerned with U.S. export compliance. While such providers are in the clear with respect to many activities, there are still a number of ways cloud-based service providers can unwittingly trigger export compliance concerns.
General Rule. Generally, cloud service providers who provide only “computational capacity … for storing data or running pre-determined programs using” customer data (what I’ll call a “pure cloud service”) are not subject to the Export Administration Regulations (EAR). However, if the cloud provider ships or transmits any “commodity, software or technology” to the user, then the service provider becomes subject to EAR. See 2009 BIS Advisory Opinion and 2014 BIS Advisory Opinion. This creates a potential minefield for unwary cloud-based service providers. A few of those “mines” are described below.
Mine #1 – Software Uploaded in Background. Where cloud providers can get tripped up here is when they transmit software or technology in connection with providing the otherwise pure cloud service. In order to provide a smoother and faster user experience, some cloud-based platforms are configured to (perhaps unbeknownst to the user) upload software to the user’s computer (typically to RAM) to perform certain functions locally. This type of configuration would, of course, constitute a transmission of software which would be subject to the EAR even though the other aspects of the service may not be.
Mine #2 – Export of Technology. The new advisory opinion drives home the point that even where no software is transmitted to the user, EAR compliance requirements may also be triggered by an export of “technology.” The 2009 BIS Advisory Opinion provided that such technology may come in the form of technical data (e.g., manuals, instructions, plans) or technical assistance (e.g., instructions, consulting services). EAR §772.1 goes even further by defining “technology” to include such things as diagrams, tables, specifications, manuals and instructions, instruction, skills training, working knowledge, and consulting services necessary for operation, installation, maintenance, repair, overhaul, refurbishing, development, production or use. So where the cloud service is provided with user instructions or other consulting services, for example, the provision of those items may trigger EAR compliance requirements even though the underlying service itself does not.
Mine #3 – Deemed Export. The 2011 BIS Advisory Opinion clarified that for a pure cloud service, the provider does not constitute an “exporter” since the provider does not ship or transmit any “commodity, software or technology” to the user. In such a case, since the provider is not an exporter, there can be no “deemed export” even if a foreign national monitored user generated technology which was otherwise subject to EAR export restrictions. However, the provider may nonetheless trigger EAR compliance issues where the user is a foreign national and the service is not a pure cloud service. In other words, even where the user is physically located in the United States, if the user is a foreign national and the cloud-based service includes any transmitted software or the provision of technical data or technical assistance (as described above), then a deemed export may occur.
Finally, the 2009 BIS Advisory Opinion suggest that even for a pure cloud service, the provider should “take into account” the location (presumably physical) of the user where the user is located in a country within Country Group D and will be involved in certain activities. The 2009 BIS Advisory Opinion limited its scope to certain “missile” activities, but presumably the provision of even a pure cloud service to a person located in a country on the Country Group D list engaging in activities within the restricted subject matter of the Group D list (e.g., national security, nuclear, chemical & biological, missile technology and U.S. arms embargoed countries) would be problematic or at least warrant close scrutiny.