The Commerce Department has issued new encryption export regulations to implement policy changes announced last September. The new rules will affect all exporters of commercial encryption products and will generally make it easier to sell encryption products abroad. The new rules are effective immediately.
Although encryption export restrictions have been reduced, significant procedural requirements will remain in place. For example, virtually all new commercial encryption products will still be subject to government review, and most exporters will be required to file post-shipment sales reports with the Commerce Department.
Highlights of the new rules are summarized below.
Non-Governmental End-Users. After a one-time government review, encryption products of any key length will be exportable to non-governmental end-users worldwide, except for the embargoed countries of Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan, Syria, and Taliban-controlled areas of Afghanistan. Thus, it is generally no longer necessary to follow separate rules based on encryption key length, "recoverability," or the type of end user or end use. Products which have been approved in the past may be exported to non-government end users without a new technical review unless exports were previously limited to subsidiaries of U.S. companies. Applications which are now pending do not have to be re-filed.
"Retail" Encryption Items. If the government determines that an encryption product is a "retail" product, then it may be exported to any end user, including foreign government end-users, in non-embargoed countries. "Retail" products are those which (1) are designed for individual consumer use, or sold through independent retailers, or sold to the public in large volume via telephone, mail order, or electronic transactions; (2) do not require substantial technical support for installation and use; (3) do not allow users to easily change the encryption functionality; (4) are not customized to a customer's specifications; and (5) are not "high-volume" network infrastructure products. "Retail" certification requires a new application to the Commerce Department, except that previously reviewed 56-bit products and "finance-specific" products are considered to be "retail" products without additional review.
Telecommunications and Internet Service Providers. Export licenses are still required for exports of non-"retail" encryption products to Internet and telecommunications service providers if the products are used to (1) provide services specifically to a foreign government or (2) provide non-subscriber-based bulk "backbone" encryption.
Public, Non-Proprietary or "Open Source" Encryption Source Code. Encryption source code which is not subject to any proprietary restriction, licensing fee, or royalty may be exported without government technical review, but exporters are required to notify the government of the export and provide the government with a copy of the code "by the time of the export."
Commercial Encryption Source Code and Toolkits. Encryption source code which is proprietary or subject to license fees or royalties may still require government review. Exporters may also be required to inform the government about foreign products derived from U.S.-origin commercial encryption source code or toolkits.
Subsidiaries of U.S. Companies. Encryption items may be exported to foreign subsidiaries of U.S. companies without any prior review or licensing, but new products developed from the exported products are still subject to a one-time Government technical review. In addition, foreign employees (from non-embargoed countries) of U.S. firms no longer need licenses to work on encryption products.
Key Length Upgrades. Any "mass market" encryption product previously authorized for export under License Exception "TSU" may be upgraded to 64-bit encryption without a new technical review, provided the exporter certifies to the Government that the encryption is unchanged except for the increased key length.
Reporting Requirements. Semi-annual post-export reporting is now required for most encryption exports. However, reporting is not required for (1) products with key lengths of 64 bits or less; (2) products limited to encryption of specific financial data; (3) "retail" products exported to individual consumers; (4) products which are exported free or by anonymous download; or (5) products exported to subsidiaries, affiliates, customers or contractors of a U.S. bank or financial institution.
In summary, while the encryption rules have been relaxed, they have not been repealed. Products which have been reviewed in the past may benefit from a new review. Most new products will need to be submitted to the Government before they are exported to any destination. Exporters should become familiar with the new reporting requirements.
The new rules will affect different companies and products in different ways. Please do not hesitate to call or e-mail us to discuss how the new rules will affect your company's export opportunities.