Revisions to Definitions in the Export Administration Regulations

Federal Register, Volume 81 Issue 107 (Friday, June 3, 2016)

Federal Register Volume 81, Number 107 (Friday, June 3, 2016)

Rules and Regulations

Pages 35586-35608

From the Federal Register Online via the Government Publishing Office www.gpo.gov

FR Doc No: 2016-12734

=======================================================================

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR Parts 734, 740, 750, and 772

Docket No. 141016858-6004-02

RIN 0694-AG32

Revisions to Definitions in the Export Administration Regulations

AGENCY: Bureau of Industry and Security, Commerce.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: This final rule is part of the Administration's Export Control Reform (ECR) Initiative. The Initiative will enhance U.S. national and economic security, facilitate compliance with export controls, update the controls, and further the goal of reducing unnecessary regulatory burdens on U.S. exporters. As part of this effort, the Bureau of Industry and Security (BIS), in publishing this rule, makes revisions to the Export Administration Regulations (EAR) to include certain definitions to enhance clarity and consistency with terms also found in the International Traffic in Arms Regulations (ITAR), which is administered by the Department of State, Directorate of Defense Trade Controls (DDTC), or that DDTC expects to publish in proposed rules. This final rule also revises the Scope part of the EAR to update and clarify application of controls to electronically transmitted and stored technology and software, including by way of cloud computing. DDTC is concurrently publishing comparable amendments to certain ITAR definitions for the same reasons. Finally, this rule makes conforming changes to related provisions.

DATES: This rule is effective September 1, 2016.

ADDRESSES: Although there is no formal comment period, public comments on this final rule are welcome on a continuing basis. You may submit comments by either of the following methods:

By email directly to publiccomments@bis.doc.gov. Include RIN 0694-AG32 in the subject line.

By mail or delivery to Regulatory Policy Division, Bureau of Industry and Security, U.S. Department of Commerce, Room 2099B, 14th Street and Pennsylvania Avenue NW., Washington, DC 20230. Refer to RIN 0694-AG32.

Commerce's full plan for retrospective regulatory review can be accessed at: http://open.commerce.gov/news/2011/08/23/commerce-plan-retrospective-analysis-existing-rules.

Page 35587

FOR FURTHER INFORMATION CONTACT: For questions on application of controls to electronically transmitted and stored technology and software, contact Bob Rarog, Senior Advisor to the Assistant Secretary for Export Administration, Bureau of Industry and Security at (202) 482-9089. For other questions, contact Hillary Hess, Director, Regulatory Policy Division, Office of Exporter Services, Bureau of Industry and Security at (202) 482-2440 or rpd2@bis.doc.gov.

SUPPLEMENTARY INFORMATION:

Background

This final rule is part of the Administration's Export Control Reform (ECR) Initiative. The Initiative will enhance U.S. national and economic security, facilitate compliance with export controls, update the controls, and continue the process of reducing unnecessary regulatory burdens on U.S. exporters. As part of this effort, the Bureau of Industry and Security (BIS), in publishing this rule, makes revisions to the Export Administration Regulations (EAR) to include the definitions of ``access information,'' ``technology,'' ``required,'' ``foreign person,'' ``proscribed person,'' ``published,'' results of ``fundamental research,'' ``export,'' ``reexport,'' ``release,'' ``transfer,'' and ``transfer (in-country)'' to enhance clarity and consistency with terms also found in the International Traffic in Arms Regulations (ITAR), which is administered by the Department of State, Directorate of Defense Trade Controls (DDTC). This final rule also revises the Scope part of the EAR to update and clarify application of controls to electronically transmitted and stored technology and software. DDTC is concurrently publishing comparable amendments to the ITAR's definitions of ``export,'' ``reexport,'' ``release,'' and ``retransfer'' for the same reasons. Finally, this rule makes conforming changes to related provisions. DDTC anticipates publishing its comparable provisions pertaining to ``technical data,'' ``directly related,'' ``public domain,'' and the results of ``fundamental research'' in a separate proposed rule.

One aspect of the ECR Initiative includes amending the export control regulations to facilitate enhanced compliance while reducing unnecessary regulatory burdens. For similar national security, foreign policy, including human rights, reasons, the EAR and the ITAR each control, inter alia, the export, reexport, and in-country transfer by U.S. and foreign persons of commodities, products or articles, technology, technical data, software, and services to various destinations, end users, and end uses. The two sets of regulations have been issued pursuant to different statutes, have been administered by different agencies with missions that are distinct from one another in certain respects, and have covered different items (or articles). For those reasons, and because each set of regulations has evolved separately over decades without much coordination between the two agencies regarding their structure and content, they often use different words, or the same words differently, to accomplish similar regulatory objectives.

Many parties' export, reexport, and transfer transactions are regulated by both the Commerce Department's EAR and the State Department's ITAR, particularly now that regulatory jurisdiction over many types of military items has been transferred from the ITAR to the EAR. Using common terms and common definitions to regulate the same types of items or actions will facilitate enhanced compliance and reduce unnecessary regulatory burdens. Conversely, if different concerns between the two sets of export control regulations warrant different terms or different controls, the differences should be made clear for the same reason. Such clarity will benefit national security because it will be easier for exporters to comply with the regulations and for prosecutors to prosecute violations of the regulations. Such clarity will also enhance our economic security because it will reduce unnecessary regulatory burdens for exporters when attempting to determine the meaning of key words and phrases across similar sets of regulations. Finally, this rule and the rule DDTC is publishing concurrently address only a portion of the terms and phrases that warrant harmonization between the ITAR and the EAR. They are nonetheless a significant step toward accomplishing one of the ultimate objectives of the ECR initiative, which is the creation of a common export control list and common set of export control regulations.

Proposed Rule

On June 3, 2015, BIS published a proposed rule entitled ``Revisions to Definitions in the Export Administration Regulations'' (80 FR 31505) (hereafter ``the June 3 proposed rule'' or ``the June 3 rule''). Simultaneously, the Department of State published a proposed rule entitled ``International Traffic in Arms: Revisions to Definitions of Defense Services, Technical Data, and Public Domain; Definition of Product of Fundamental Research; Electronic Transmission and Storage of Technical Data; and Related Definitions'' (80 FR 31525) (hereafter ``the State June 3 rule'').

BIS welcomed comments on all aspects of the June 3 rule. Additionally, in the preamble to the June 3 rule, BIS specifically solicited public comment with questions on eight issues. Two of those questions pertained to the definition of fundamental research; one pertained to whether the questions and answers in Supplement No. 1 to part 734 had criteria that should be retained in part 734; two pertained to encryption standards in the definition of ``Activities that are Not Exports, Reexports, or Transfers;'' and one pertained to the effectiveness of the proposed definition of ``peculiarly responsible.'' Public comments on these questions are addressed in their corresponding sections below.

The two remaining questions were broadly applicable across the rule: Whether the proposed revisions created gaps, overlaps, or contradictions between the EAR and the ITAR or among various provisions within the EAR; and whether a 30-day delayed effective date was appropriate for the final rule.

Eleven commenters cited the difference between the EAR and ITAR standards for prepublication review of research as a significant gap between the two bodies of regulations that would create compliance difficulties. These commenters recommended that both final rules adopt the EAR standard. Further discussion of this issue may be found in the section of the preamble describing fundamental research, below.

Twenty-two commenters recommended a six-month delayed effective date from date of publication. Most of these commenters explicitly based the recommendation on the anticipated difficulty created by adoption of differing proposed EAR and ITAR standards for prepublication review of research. State is not publishing revisions to fundamental research at this time; therefore, the rationale for requesting a six-month delay is largely eliminated.

One commenter recommended at least a three-month delayed effective date to enable non-U.S. companies to understand and prepare for compliance with the revisions. BIS accepts this recommendation, and this final rule will be effective 90 days from the date of publication.

One commenter recommended issuing an interim final rule with a comment period of at least 60 days due

Page 35588

to the breadth of the proposed changes. BIS does not accept this recommendation, because this final rule has a 90-day delayed effective date, which is a longer delay than generally applies to an interim final rule. The State rule published concurrently with this final rule also has a 90-day delayed effective date. Moreover, the State Department plans to publish a second proposed rule seeking comment on most of the terms at issue.

Frequently Asked Questions

Objectives of this final rule include streamlining, clarifying, and updating regulatory text. BIS has attempted to focus the regulatory text on control criteria, limiting notes and examples to those necessary to adequately convey the criteria. Many public comments raised questions about how criteria would be applied in particular situations or suggested illustrative revisions. BIS considers these comments helpful to compliance with the EAR and is publishing them along with responses on the BIS Web site as Frequently Asked Questions (FAQs).

Items Subject to the EAR

The June 3 rule proposed re-titling the section ``Subject to the EAR'' (from ``Important EAR terms and principles''), retaining the definition and description of that term, and creating separate sections in part 734 to define ``export,'' ``reexport,'' ``release,'' and ``transfer (in-country),'' rather than retaining them in that section. The June 3 rule also proposed removing Sec. 734.2(b)(7) regarding the listing of foreign territories and possessions in the Commerce Country Chart (Supplement No. 1 to part 738) because it duplicated existing Sec. 738.3(b).

BIS received no comments on its proposed revisions to Sec. 734.2. These revisions are adopted in this final rule.

Items Not Subject to the EAR

Section 734.3(a) describes items (i.e., commodities, software, and technology) subject to the EAR. Paragraph (b) describes items that are not subject to the EAR. The June 3 rule proposed minor revisions to paragraph (b)(3), which describes software and technology that are not subject to the EAR, to describe more fully educational and patent information that are not subject to the EAR, and to add a note to make explicit that information that is not ``technology'' as defined in the EAR is per se not subject to the EAR. One commenter specifically offered support for inclusion of the note, and no commenters objected to it; BIS has adopted it in this final rule.

Educational Information

The June 3 rule proposed to move the statement in Sec. 734.9 that educational information released by instruction in a catalog course or associated teaching laboratory of an academic institution is not subject to the EAR to Sec. 734.3(b) and remove Sec. 734.9. The June 3 rule also proposed to revise the description of such educational information as information and software that ``concern general scientific, mathematical, or engineering principles commonly taught in schools, and released by instruction in a catalog course or associated teaching laboratory of an academic institution'' to better match the existing ITAR description. The proposed revisions were not intended to change the scope of educational information that is not subject to the EAR.

Twenty-seven commenters stated that, in spite of BIS's declared intent to leave the scope of this provision unchanged, the proposed revision in fact narrowed the scope of educational information that is not subject to the EAR. With the adoption of the terms in the comparable ITAR provision, such as ``general'' and ``commonly,'' commenters said that the revision could be read to make courses with advanced or novel content subject to the EAR and suggested either changing ``and released by instruction'' to ``or released by instruction'' or reverting to the existing wording. BIS agrees that the revision could be read to narrow the scope of the exclusion, and because this narrowing was not intended, reverts to the existing wording in this final rule.

BIS received no comments on the placement of the educational information provision in the list of information that is per se not subject to the EAR rather than in a separate section. BIS adopts the proposed placement in this final rule.

Additional Exclusions

This final rule adopts two additional revisions that were not in Sec. 734.3(b)(3) in the June 3 proposed rule. This final rule adds paragraphs (b)(3)(v) and (vi), two additional exclusions from the EAR: Items that are non-proprietary system descriptions or are telemetry data. These two exclusions appeared in the June 3 proposed rule as exclusions from the definition of technology. For discussion of public comments on these exclusions and BIS's response to those comments, see the section on ``Technology'' below.

Exports of Encryption Source Code Notes

The June 3 rule proposed no changes to the notes to paragraphs (b)(2) and (b)(3) of Sec. 734.3 that a printed book or other printed material setting forth encryption source code is not itself subject to the EAR, but that encryption source code in electronic form or media remains subject to the EAR. It also proposed no changes to the note that publicly available encryption object code software classified under Export Control Classification Number (ECCN) 5D002 is not subject to the EAR when the corresponding source code meets the criteria specified in Sec. 740.13(e) of the EAR.

BIS received no comments on these notes, and this final rule makes no changes to them.

Published Technology and Software

Section 734.7 sets forth that technology and software is ``published'' and thus not subject to the EAR when it becomes generally accessible to the interested public in any form, including through publication, availability at libraries, patents, distribution or presentation at open gatherings, and public dissemination (i.e., unlimited distribution) in any form (e.g., not necessarily in published form), including posting on the Internet on sites available to the public.

The June 3 rule proposed a definition of ``published'' that retained the same scope, but with a simpler structure. The proposed Sec. 734.7(a) read: ``Except as set forth in paragraph (b), ``technology'' or ``software'' is ``published'' and is thus not ``technology'' or ``software'' subject to the EAR when it is not classified national security information and has been made available to the public without restrictions upon its further dissemination,'' followed by a list of examples of published information. The proposed definition was substantially the same as the wording of definitions adopted by the multilateral export control regimes of which the United States is a member: The Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (herein ``Wassenaar Arrangement'' or ``Wassenaar''), the Nuclear Suppliers Group, the Missile Technology Control Regime, and the Australia Group. The phrase ``classified national security information'' refers to information that has been classified in accordance with Executive Order 13526, 75 FR 707; 3 CFR 2010 Comp., p. 298. The relevant restrictions do not include copyright protections or generic property rights in the underlying physical medium.

This final rule adopts the definition of ``published'' from the June 3 proposed rule, with the exception of adding certain information, intended to be

Page 35589

published, released to ``researchers conducting fundamental research'' (see discussion below of ``Fundamental Research''). BIS received a number of comments on the definition of ``published.'' Two commenters found helpful the addressing of Internet posting and the clarification that submission of manuscripts to journal editors constitutes ``published.'' Commenters requested that BIS define ``unclassified'' and clarify whether university libraries are ``open to the public.'' ``Unclassified information'' refers to information that has not been classified in accordance with Executive Order 13526, 75 FR 707; 3 CFR 2010 Comp., p. 298. University libraries are open to the public. BIS does not implement these requests in this final rule because answering them does not require a change to the regulations. BIS is, however, addressing the questions in FAQs posted on BIS's Web site. One commenter stated that, as proposed, the definition of ``published'' ``suggests that releasing (publishing) technology that is unclassified but subject to the EAR makes that technology no longer subject to the EAR.'' One commenter described allowing publication by Internet posting as a ``loophole'' because the site may be obscure and the duration of posting is not specified. Another commenter warned of ``the risk of intentional abuse.'' Nonetheless, BIS confirms that technology or software that is ``published'' as provided in Sec. 734.7 is not subject to the EAR.

A commenter noted that the definition ``does not appear to address the case of information posted by someone other than the rightful owner.'' BIS agrees with this statement, but notes that such cases are addressed by other laws and regulations.

BIS received thirty comments opposing a provision in the definition of ``public domain'' in the State June 3 rule to which there is no corresponding provision in the definition of ``published.'' BIS is making no changes to the EAR in response to these comments because they are outside the scope of this rule. They address concerns with the ITAR, not the EAR.

As adopted in this final rule, section 734.7(b) keeps certain published encryption software subject to the EAR, a restriction that the June 3 rule proposed moving from Sec. 734.7(c) without revision.

Fundamental Research

The June 3 rule proposed revising Sec. 734.8, which excludes most information resulting from fundamental research from the scope of the EAR, but it was not intended to change the scope of the current Sec. 734.8.

Alternative Definitions

In the June 3 proposed rule, BIS specifically solicited comments on whether the alternative definition of fundamental research suggested in the preamble should be adopted. BIS also specifically solicited comments on whether the alternative definition of applied research suggested in the preamble should be adopted, or whether basic and applied research definitions are needed given that they are subsumed by fundamental research.

Issued in 1985, National Security Decision Directive (NSDD)-189 established a definition of ``fundamental research'' that has been incorporated into numerous regulations, internal compliance regimes, and guidance documents. The June 3 proposed rule contained a definition of ``fundamental research'' that was identical to that in NSDD-189. However, in the preamble to that rule, BIS provided a simpler definition that was consistent with NSDD-189, but not identical. Specifically, the alternative definition read: `` `Fundamental research' means non-proprietary research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community.'' BIS believed that the scope of this wording was the same as that of the wording in NSDD-189 and sought comment on whether the final rule should adopt the simpler wording. Unlike the simpler alternative definition, the proposed definition of ``fundamental research'' included references to ``basic'' and ``applied'' research and proposed definitions of those terms, as well as a possible alternative definition of applied research.

Comments on alternative definitions of fundamental research were mixed. Thirteen commenters generally favored a simpler definition, in some cases offering their own revised versions of the alternative from the preamble to the June 3 proposed rule. Seven commenters recommended retaining the NSDD-189 wording. Many commenters favored one definition but expressed willingness to accept another. Comments on alternative definitions of basic and applied research were similarly mixed, including instances of the same commenter offering support for more than one option. There was greater unanimity on the term ``non-

proprietary:'' twenty commenters objected to it, most finding it vague. Commenters suggested the variation, research ``for which the researchers have not accepted restrictions for proprietary or national security reasons.''

BIS agrees with the majority of commenters that the shorter definition of fundamental research is clearer and covers the same scope. Given the wide spectrum of definitions and applications of basic and applied research in different bodies of regulations, BIS determined that the definition should address the core concept, i.e., that the research is to be published and shared broadly without restriction. Having sub-definitions of basic and applied research in the definition of fundamental research does not change this core concept and would, moreover, merely add more words and layers of interpretation that would not change the outcome of an analysis. Adopting the shorter definition drops references to basic and applied research. BIS accepted the comments regarding the term ``non-proprietary'' and adopted a clearer variation that has the same scope as that intended by the June 3 proposed rule.

In addition to research in science and engineering, BIS included the term ``mathematics'' to broaden the definition in response to a comment by a BIS technical advisory committee. In this final rule, BIS adopts the following definition of fundamental research: `` ``Fundamental research'' means research in science, engineering, or mathematics, the results of which ordinarily are published and shared broadly within the research community, and for which the researchers have not accepted restrictions for proprietary or national security reasons.''

Software

The June 3 proposed rule revised Sec. 734.8 to use the term ``technology'' in place of the term ``information.'' Thirty-two commenters objected that ``technology'' was too limiting and recommended including either ``software'' or ``source code'' in addition to ``technology'' to describe information arising during or resulting from fundamental research. Many commenters pointed to the text of Sec. 734.3(b)(3) (not subject to the EAR), which referred to certain ``technology and software'' not subject to the EAR, proposed to be revised to ``information and software'' in the June 3 rule, as support for this recommendation. The commenters further argued that ``findings resulting from fundamental research may be written in natural-language or computer language.'' BIS accepts these comments and has adopted ``technology'' and ``software'' throughout Sec. 734.8 in this final rule.

Page 35590

Two commenters recommended that BIS make commodities that result from fundamental research not subject to the EAR. BIS does not accept this recommendation because the policy foundations for the exclusion from the EAR of fundamental research apply only to technology and software, not commodities.

Note on Inputs

The June 3 proposed rule contained the following note: ``Note 1 to paragraph (a): The inputs used to conduct fundamental research, such as information, equipment, or software, are not `technology that arises during or results from fundamental research' except to the extent that such inputs are technology that arose during or resulted from earlier fundamental research.'' Six commenters stated that the proposed note arbitrarily narrows the conduct of fundamental research under NSDD-189. Two additional commenters seemed to find the text unclear regarding the nature of the inputs.

The note regarding inputs was intended to distill varying provisions found in the EAR but proposed to be revised by the June 3 rule that ultimately made the same point: Information that is not intended to be published is not fundamental research. For example, existing Sec. 734.8(b)(2) states, ``Prepublication review by a sponsor of university research solely to insure that the publication would not inadvertently divulge proprietary information that the sponsor has furnished to the researchers does not change the status of the research as fundamental research. However, release of information from a corporate sponsor to university researchers where the research results are subject to prepublication review, is subject to the EAR.'' Existing section 734.8(b)(4) states, ``The initial transfer of information from an industry sponsor to university researchers is subject to the EAR where the parties have agreed that the sponsor may withhold from publication some or all of the information so provided.''

To clarify this distinction, BIS has adopted a simpler note in this final rule. Paragraph (a) establishes that the intention to publish is what makes research not subject to the EAR; the following Note 1 to paragraph (a) states: ``This paragraph does not apply to technology or software subject to the EAR that is released to conduct fundamental research.'' To support this concept, this final rule adds the following phrase to Sec. 734.7(a)(5) (emphasis added): ``Submission of a written composition, manuscript, presentation, computer-readable dataset, imagery, algorithm, formula, or some other representation of knowledge with the intention that such information will be made publicly available if accepted for publication or presentation: (i) To domestic or foreign co-authors, editors, or reviewers of journals, magazines, newspapers, or trade publications; (ii) To researchers conducting fundamental research, or (iii) To organizers of open conferences or other open gatherings.''

Prepublication Review

The June 3 proposed rule listed three types of prepublication review in Sec. 734.8 that could be performed on the results of fundamental research. Three commenters supported the clear statement that certain prepublication review does not render research subject to the EAR. One commenter recommended removing the criterion that the research be published without delay, pointing out that ``publication can be (and very often is) delayed for any number of reasons having nothing to do with the content or sensitivity of research results'' and that this provision would have the unintended effect of limiting or even eliminating the researchers' ability to use the fundamental research provisions. BIS accepts this latter comment and does not adopt the phrase ``or delay.'' The key point is that the researcher is able to publish without restriction.

One commenter suggested that Note 2 to paragraph (b) proposed in the June 3 rule be replaced with a similar note from the State June 3 rule (Sec. 120.49(b) of the ITAR) regarding research voluntarily subjected to U.S. government review. BIS agrees with commenters that the ITAR text is clearer. So, this final rule adopts that ITAR text in Note 2 to paragraph (b). Seven commenters recommended that BIS also adopt the text of Note 3 from the State June 3 rule's text of Sec. 120.49(b) of the ITAR regarding U.S. government-imposed access and dissemination controls. BIS agrees. With adoption of Note 3 to paragraph (b), paragraph (a) of Sec. 734.11, Specific National Security Controls, is no longer necessary. BIS includes the examples from paragraph (b) of Sec. 734.11, which commenters deemed helpful, in new Note 3 to paragraph (b) of Sec. 734.8 in this final rule. Thus, this rule removes Sec. 734.11 in its entirety.

One commenter stated that the only permissible method of restricting government-funded research was to classify it. BIS does not accept this comment because it is incorrect. Indeed, BIS has the authority under the EAR to control unclassified technology that warrants control for national security, foreign policy, or other reasons. For example, government-funded research that does not meet the criteria of Sec. 734.8, such as prepublication review, remains subject to the EAR regardless of whether it is classified information.

Locus of Research

The June 3 rule proposed streamlining the fundamental research provisions, in Sec. 734.8. Instead of organizing the provisions primarily by locus (specifically by the type of organization in which the research takes place: Universities; federal agencies or Federally Funded Research and Development Centers; or business entities), the June 3 rule proposed consolidating different provisions that involved the same criteria with respect to prepublication review and removing any reference to locus unless it made a difference to the jurisdictional status of the research.

Five commenters expressed support for the applicability of the concept of fundamental research regardless of locus, and this final rule retains the consolidated structure originally proposed.

Although not objecting to the consolidation, eleven commenters requested that BIS retain the Sec. 734.8(b) statement that there is a presumption that university-based research is fundamental research. Although this presumption continues to exist, BIS does not adopt the specific statement in this final rule. Such a presumption has no effect on the jurisdictional status of technology. If it meets the criteria for fundamental research, it is not subject to the EAR; if it does not meet the criteria, it is subject. However, BIS is noting in its FAQs on its Web site that, although university-based research is presumed to be fundamental research, as with all rebuttable presumptions, it is rebutted if the research is not within the scope of technology and software that arises during, or results from fundamental research as described in Sec. 734.8.

Eleven commenters requested that BIS retain the Sec. 734.8(b)(2) through (6) criteria for universities. BIS is not doing so because these criteria have been incorporated into this final rule more concisely. To address the comment, BIS has revised its FAQs to describe how these criteria are within the scope of the revised definition.

Patents

The June 3 rule proposed revising Sec. 734.10, ``Patent applications,'' only for clarity and did not change the scope of control. For the sake of structural consistency with the ITAR's treatment of information in patents, paragraph (a)

Page 35591

was added to state that a patent or an open (published) patent application available from or at any patent office is per se not subject to EAR. The former footnote to the Sec. 734.10 was removed because it would be redundant of the proposed text.

BIS received one comment on the proposed revisions to Sec. 734.10. Introductory text to the section reads: `` ``Technology'' is not ``subject to the EAR'' if it is contained in:''. The commenter suggested adding the phrase ``any of the following'' to this text. BIS agrees and is making the addition to this final rule.

Specific National Security Controls

The June 3 rule proposed minor conforming edits to Sec. 734.11, describing specific national security controls. The proposed revisions were not intended to change the scope of the section. As discussed above with respect to fundamental research, BIS has adopted the substance of former Sec. 734.11, Specific National Security Controls, in new Note 3 to paragraph (b) of Sec. 734.8 in this final rule. This final rule removes and reserves Sec. 734.11.

Export

The June 3 proposed rule included a new Sec. 734.13 to define ``Export.'' Section 734.13(a) had six paragraphs, with paragraphs (a)(4) and (5) reserved, because the corresponding paragraphs in the ITAR contained provisions that were not relevant to the EAR. One commenter noted that paragraph (a) had a typo and should refer to Sec. 734.18, not Sec. 734.17. BIS does not agree--the reference is to the subset of exports of encryption source code and object code software--

but does accept the recommendation to add a reference to Sec. 734.18 (Activities that are not exports, reexports, or transfers) in this final rule.

Proposed paragraph (a)(1) of the definition of ``export'' used the EAR terms ``actual shipment or transmission out of the United States,'' combined with the existing ITAR ``sending or taking an item outside the United States in any manner.''

One commenter recommended that BIS add ``release'' after ``actual shipment.'' BIS does not adopt this recommendation, because release is a separate concept and thus a separately defined term. BIS makes no revisions to this paragraph (a)(1) in this final rule.

Proposed paragraph (a)(2), specifying the concept of transfer or release of technology to a foreign national in the United States, or ``deemed export,'' retains the treatment of software source code as technology for deemed export purposes from Sec. 734.2(b)(2)(ii). In this final rule, including in this paragraph (a)(2), BIS has substituted the term ``foreign person'' for ``foreign national.'' ``Foreign person'' has the same scope as ``foreign national;'' it mirrors the ITAR term. One commenter found the term ``otherwise transferring'' confusing, but this final rule retains it to distinguish releases as a subset of transfers.

Proposed paragraph (a)(3) included in the definition of ``export'' the transfer by a person in the United States of registration, control, or ownership (i) of a spacecraft subject to the EAR that is not eligible for export under License Exception STA (i.e., spacecraft that provide space-based logistics, assembly or servicing of any spacecraft) to a person in or a national of any other country, or (ii) of any other spacecraft subject to the EAR to a person in or a national of a Country Group D:5 country.

One commenter requested BIS to confirm whether the definition would carve out from the definitions of ``export'' and ``reexport'' the mere transfer of ownership to an entity outside of a Country Group D:5 country (e.g., as part of an on orbit transfer of ownership to an entity outside a D:5 country) of satellites subject to the EAR that are eligible for License Exception STA. BIS confirms this understanding of the definition and is adding an FAQ regarding the point to the BIS Web site.

Proposed paragraph (a)(6) defined as an export the release or other transfer of the means of access to encrypted data. This paragraph was not adopted in this final rule (see the section discussing transfer of access information in Sec. 734.19 below). Without a paragraph (a)(6), reserved paragraphs (a)(4) and (a)(5) that appeared in the June 3 rule are unnecessary and, therefore, do not appear in this final rule.

As adopted in this final rule, proposed paragraph (b) of Sec. 734.13 is unchanged from the June 3 rule, except for the substitution of the term ``foreign person'' for ``foreign national.'' This paragraph retains BIS's deemed export rule as set forth in Sec. 734.2(b). It also codifies a long-standing BIS policy that when technology or source code is released to a foreign national, the export is ``deemed'' to occur to that person's most recent country of citizenship or permanent residency. See, e.g., 71 FR 30840 (May 31, 2006).

Four commenters raised deemed export issues, particularly with respect to the difficulty of determining the ``permanent residency'' status of a person in a foreign country. Two of these commenters recommended changing ``permanent residency'' to ``legal residency'' or establishing criteria in the EAR. One of these commenters suggested making deemed exports a separate definition. BIS finds that these comments have merit; however, the issues they raise are too wide-

ranging and complex to be resolved in this final rule. Addressing these issues would constitute a novel proposal that is outside the scope of the proposed rule, requiring an opportunity for comment before BIS makes a decision as to whether to adopt it. Where practical, BIS will state existing policy in FAQs. For those issues not addressed by existing policy, BIS will develop proposed revisions and seek public comment.

Proposed paragraph (c) stated that items that will transit through a country or countries or will be transshipped in a country or countries to a new country, or are intended for reexport to the new country are deemed to be destined to the new country. (Proposed paragraph (c) text was taken without change from Sec. 734.2(b)(6).)

One commenter requested that BIS clarify ``new country.'' BIS accepts this comment, and adopts the term ``destination'' in this final rule. BIS also drops the term ``transshipped,'' because the intended meaning of this paragraph is captured by ``transit.'' One commenter recommended that BIS specify that paragraph (c) applies to items ``subject to the EAR.'' BIS does not believe the phrase is necessary.

Two commenters requested that BIS clarify the status of services under the EAR. Unlike the ITAR, the EAR do not control services as such except as described in Sec. 744.6(a)(2) (``Restrictions on certain activities of U.S. persons'') and Sec. 736.2(b)(10) (``General Prohibition 10''). Section 744.6(a)(2) imposes licensing requirements on the performance by U.S. persons of any contract, service, or employment regarding various activities pertaining to missiles, biological weapons, and chemical weapons in various countries. General Prohibition 10 prohibits, inter alia, servicing an item subject to the EAR if a violation has occurred, is about to occur, or is intended to occur in connection with the item. Except for these provisions, the EAR regulates the export, reexport, and transfer (in-country) of commodities, technology, and software, regardless of whether such activities are in connection with a service. This means that, except with respect to activities described in these two provisions, services do not need to be analyzed separately for purposes of determining requirements under the EAR. Moreover, the ITAR does not impose controls on services unless they are ``directly related'' to a ``defense

Page 35592

article,'' i.e., an article, software, or technical data described on the ITAR's U.S. Munitions List at 22 CFR 121.1. In response to the commenters, BIS has added this explanation to its FAQs. A core goal of the ECR initiative was to make the distinctions in the ITAR and the EAR regarding the scope of controls over services as such clear. Thus, after the publication of the FAQs, if commenters believe that provisions of the ITAR or the EAR, statements by government officials, or any other government actions contradict this point regarding the narrow scope of controls over services pertaining to items subject to the EAR, they are encouraged to contact BIS to begin the process of resolving the issue.

Reexport

The June 3 rule proposed moving the definition of ``reexport'' to new Sec. 734.14. In general, the provisions of the proposed definition of ``reexport'' paralleled those of the proposed definition of export discussed above, except that reexports occur outside of the United States. Public comments on the definition of ``reexport'' and BIS responses also mirror those discussed above for ``export.''

One commenter recommended that BIS specify ``subject to the EAR'' in paragraphs (a)(1), (a)(2), and (a)(4) of ``reexport.'' BIS accepts this recommendation, except for paragraph (a)(4). Paragraph (a)(4) in the June 3 rule proposed to define as a reexport the release or other transfer of the means of access to encrypted data outside of the United States to a foreign national. This paragraph was not adopted in this final rule (see the section discussing transfer of access information in Sec. 734.19 below).

One commenter requested that BIS confirm that sending an item back to the United States is not a reexport. BIS confirms that sending items to the United States is not a ``reexport.'' Moreover, unlike the ITAR, the EAR have no provisions controlling or otherwise pertaining to the act of importing items into the United States. BIS will confirm these points in an FAQ.

Release

The June 3 proposed rule included a definition of ``release'' in a new Sec. 734.15. The proposed text provided that inspection (including other types of inspection in addition to visual, such as aural or tactile) must actually reveal technology or source code subject to the EAR to constitute a ``release.'' Thus, for example, merely seeing an item briefly is not necessarily sufficient to constitute a release of the technology required, for example, to develop or produce it. A foreign person's having theoretical or potential access to technology or software is similarly not a ``release'' because such access, by definition, does not reveal technology or software. A release would occur when the technology or software is revealed to the foreign person. The June 3 rule also proposed adding ``written'' to ``oral exchanges'' in paragraph (a)(2) as a means of release. No commenters objected to the clarification, and it remains unchanged. This final rule adds ``source code'' as well as ``technology'' to paragraph (a)(2) for consistency with paragraph (a)(1) and the definitions of deemed export and reexport; its omission from the June 3 rule was inadvertent.

The proposed text also clarified, in paragraph (a)(3), that the application of ``technology'' and ``software'' is a ``release'' in situations where U.S. persons abroad use personal knowledge or technical experience acquired in the United States in a manner that reveals technology or software to foreign nationals. As indicated by various BIS training materials and statements of BIS officials publicly and in response to specific questions, this clarification makes explicit a long-standing BIS interpretation of the EAR. The June 3 rule's proposed definition did not use the existing phrase ``visual inspection by foreign nationals of U.S.-origin equipment and facilities'' because such inspections do not per se release ``technology.'' For example, merely seeing equipment does not necessarily mean that the seer is able to glean any technology from it and, in any event, not all visible information pertaining to equipment is necessarily ``technology'' subject to the EAR.

Four commenters stated that this redefinition of ``release'' was helpful.

Three comments expressed concern that paragraph (a)(1) is not sufficiently explicit in clarifying that visual inspection must ``actually'' or ``substantively'' reveal technology in order to be defined as a ``release,'' or that ``actual access'' rather than ``theoretical access'' is caught. BIS believes that the intent is clear and that the text only would be complicated by additional modifications. One commenter requested that BIS simplify the provision in which application of personal knowledge constitutes a release. Upon further consideration, BIS determined that the control criteria in that provision are already covered by the provisions governing inspection and oral or written exchanges. Therefore, BIS does not adopt this paragraph (a)(3) in this final rule. BIS has, however, created FAQs that include the points and examples contained in the foregoing description of the changes to the definition of ``release.''

One commenter recommended that paragraph (a)(6) in the June 3 rule's proposed definition of ``export,'' which addressed transfer of decryption keys or other such information, be moved to the definition of ``release.'' Related to the revisions regarding transfer of access information, and consistent with this commenter's recommendation, this final rule adopts in Sec. 734.15(b) a provision stating that the act of causing the ``release'' of ``technology'' or ``software,'' through use of ``access information'' or otherwise, to onesself or another person requires an authorization to the same extent an authorization would be required to export or reexport such ``technology'' or ``software'' to that person.

The purpose of this provision is to make it clear that the person who uses, for example, a password to access a technology database, or who hacks into the database, to transfer technology to himself or someone else is the one who caused the release of technology rather than the person who first placed the technology in the database through a technology export or an act described in new Sec. 734.18(a)(5). This provision codifies that basic concept that the unwitting victim of, for example, a database hack is not the one responsible for the theft of technology--the hacker is the one responsible because it is that person who caused the release through the use of a password or other access information. This provision is merely an application with respect to intangibles of a concept that is basic to tangible items--the export of an item is not the cause of a third person's later reexport of the same item. Placing technology into a database is not the cause of a third person's later transfer of the technology through the use of access information. The third person's use of the access information is the cause of the release to himself or others.

Although the person who originally placed the technology into the database did not cause its release to the third person who used access information to later cause the technology to be released, the person who originally placed the technology into the database nonetheless would have liability in connection with the third party technology exfiltration if, for example, it conspired with the exfiltrator (see Sec. 764.2(d)) or placed the technology into the database with ``knowledge'' that the exfiltrator would later violate the EAR by causing its release without a required

Page 35593

license (see Sec. 764.2(e)). Similarly, liability would arise from a violation of new section 734.19, which, as discussed below, states that providing a password or other access information to someone with ``knowledge'' that the provision would result in the release of technology or software to the third person is tantamount to releasing the technology or software itself to the third person. BIS has created FAQs describing all the points in the foregoing examples.

Finally, and in contrast to section 734.19, new section 734.15(b) does not contain a ``knowledge'' element. Thus, a ``release'' of ``technology'' or ``software'' occurs when access information is used to transfer the ``technology'' or ``software''--resulting in liability if the release was not undertaken pursuant to a required authorization and regardless of whether the one using the access information knew it would be transferring controlled ``technology'' or ``software'' when it did so.

Transfer (In-Country)

The June 3 rule proposed removing the definition of ``transfer (in-

country)'' from Sec. 772.1 and adding the following revised definition to new Sec. 734.16: ``a transfer (in-country) is a change in end use or end user of an item within the same foreign country.'' This revision was intended to eliminate any potential ambiguity regarding whether a change in end use or end user within a foreign country is a ``transfer (in-country).'' ``Transfer (in-country)'' parallels the term ``retransfer'' in the ITAR.

Four commenters said that this revision expands controls, and that such changes were beyond exporters' knowledge or control. While BIS acknowledges that ``end use'' was not explicitly included in the former definition of ``transfer (in-country),'' a change in end use is nonetheless a material change. When BIS and the other agencies review an application's description of a proposed end use and approve the license based on that end use, BIS is approving the transaction for the end use described, not all other end uses in the same country. Other end uses may or may not be acceptable, but a change in end use from that which the U.S. Government reviewed would be material in that there is the possibility that another end use may not have been approved. BIS further notes that, depending on the facts of the transaction, the foreign party may be responsible for obtaining authorization for the subsequent disposition of the item subject to the EAR. If a violation occurs, BIS will assess responsibility based on whether the parties involved violated any of the provisions of section 764.2 (``violations'').

To assist the commenters and others who have questions about BIS's policy regarding when a license or other authorization is required for in-country transfers, BIS has made the following the standard first condition on its licenses: ``Items subject to the EAR and within the scope of this license may not be reexported or transferred (in-country) unless such reexport or in-country transfer is (i) authorized by this license, or another license or other approval issued by the U.S. Government; (ii) authorized by a license exception or other authorization under the Export Administration Regulations (EAR); or (iii) to a destination, end user, and end use that would be ``NLR'' (No License Required) under the EAR.''

Export of Encryption Source Code and Object Code Software

The June 3 proposed rule included a new Sec. 734.17, export of encryption source code and object code software, that retained the text of Sec. 734.2(b)(9) with only minor conforming and clarifying edits. Its relocation to a new, separate section, following similar definitions improves its accessibility to exporters.

BIS received no comments on its proposed minor revisions to Sec. 734.2(b)(9) or its creation of Sec. 734.17. These revisions are adopted in this final rule.

Activities That Are Not Exports, Reexports, or Transfers

The June 3 proposed rule solicited public comment on two questions regarding the proposed definition of ``Activities that are not exports, reexports, or transfers.'' First, with respect to end-to-end encryption, BIS asked whether the illustrative standard proposed in the EAR rulemaking also should be adopted in the ITAR rulemaking; whether the safe harbor standard proposed in the ITAR rulemaking also should be adopted in the EAR rulemaking; or whether the two bodies of regulations should have different standards. Second, BIS asked whether encryption standards adequately address data storage and transmission issues with respect to export controls.

As proposed, Sec. 734.18 gathered existing EAR exclusions from exports, reexports, and transfers into one place, and included a new exemption for encrypted technical data and software. A number of changes and adjustments are made in this final rule to the proposed text in response to comments received from the public.

Paragraph (a)(1) in the June 3 proposed rule stated that by statute, launching a spacecraft, launch vehicle, payload, or other item into space is not an export. See 51 U.S.C. 50919(f). BIS received no comments on this paragraph and adopts it in this final rule.

Paragraph (a)(2) in the June 3 proposed rule was based on text in former Sec. 734.2(b)(2)(ii) of the EAR, and provided that release in the United States of technology or software to U.S. nationals, permanent residents, or protected individuals would not be an export. In this final rule, the term ``release'' has been replaced in Sec. 734.18(a)(2) with ``transmitting or otherwise transferring,'' and the previous reference to U.S. persons, permanent residents, and protected individuals has been eliminated in favor of a reference to a person ``who is not a foreign person'' for reasons of clarity and brevity. The EAR contain three definitions of ``U.S. person,'' only one of which is applicable to this section. Additionally, the ITAR use the term ``foreign person,'' and a comment from a BIS technical advisory committee recommended adopting the term in the EAR. ``Foreign person'' accordingly is defined in a new entry in Sec. 772.1.

The change creates a structure parallel to that which is being adopted in the State rule published concurrently with this final rule, and to make clear that transmission from one U.S. person in the United States to another, regardless of the means or route of the transmission, does not constitute an export. Along the same lines, paragraph (a)(3) is added to clarify that the transmission between or among U.S. persons within the same foreign country similarly does not constitute an export, reexport, or transfer. The State June 3 rule received comments recommending these revisions, and this final rule adopts them in the EAR to stay parallel with the ITAR text.

Proposed paragraph (a)(3) in the June 3 rule contained text from Sec. 734.2(b)(8) stating that shipments between or among the states or possessions of the United States are not ``exports'' or ``reexports.'' The words ``moving'' and ``transferring'' were inserted next to ``shipment'' in order to avoid suggesting that the only way movement between or among the states or possessions would not be a controlled event was if they were ``shipped.'' BIS received no comments on this paragraph and adopts it in this final rule, renumbered as paragraph (a)(4).

Paragraph (a)(5)--numbered (a)(4) in the June 3 proposed rule--

provides that technology and software that is encrypted in accordance with certain

Page 35594

specified criteria are not exports, reexports, or transfers even when they leave one country for another. In the June 3 proposed rule, this paragraph specifically excluded from this carve-out technology and software stored in countries in Country Group D:5 and Russia, for foreign policy reasons. In response to comments pointing out that Internet traffic in transit across D:5 countries and Russia may be technically ``stored'' temporarily on servers located in these countries without the knowledge of the sender, BIS has added text in (a)(5) specifying that the carve-out continues to apply to technology not authorized under the EAR for storage in these countries or intended for storage in these countries. Encrypted data may not be stored in these countries unless an appropriate authorization is available or has been approved. BIS has also added a note clarifying that data in-

transit via the Internet is not deemed to be stored. For a more complete understanding of Sec. 734.18(a)(5), see the discussion above of Sec. 734.15(b).

BIS received many comments on the proposed definition of ``end-to-

end encryption,'' the presence of which is a condition of the export control carve-out for technology and software. Commenters observed that encryption and decryption services may be provided within defined security boundaries by organizational rather than personal systems or servers. BIS agrees that in such cases, the security objectives of the ``end-to-end'' requirement in terms of eliminating access by third parties can still be met by expanding the definition of ``end-to-end'' to include transmissions between security boundaries.

This approach has the added advantages of providing more flexibility and allowing the execution of shared services, such as virus scanning, that can enhance security. However, BIS has also specified that the ``security boundary'' must be in-country--that is, such boundaries cannot be defined as including infrastructure resources encompassing multiple countries. A consequence of this requirement is that data eligible for the carve-out must by definition be encrypted before crossing any national boundary and must remain encrypted at all times while being transmitted from one security boundary to another. This principle applies to transmissions within a cloud service infrastructure, where a transmission from one node or cloud infrastructure element to another could qualify for the carve-out provided that it was appropriately encrypted before any data crossed a national border.

The June 3 proposed rule's definition of end-to-end encryption included a clause that specified that data not be decrypted at any point between the initiation of the transmission by the originator and its receipt by the intended recipient. The purpose of this requirement was to prevent unauthorized access to data in clear text by parties other than the originator (or the originator's company or organization) and the recipient, such as external service providers.

Commenters pointed out that in many circumstances, companies and organizations encrypt and decrypt multiple times in the course of transmission between originator and recipient for technical reasons (for example, to initially establish communications with a VPN server and subsequently to transmit among servers) without release to any third party. As a result, the point-to-point requirement in the original proposal would impose an unnecessary and potentially disruptive burden on many encryption applications, in which data in clear text are never actually shared.

To address this problem and more precisely describe BIS's original intent with the provision, BIS eliminated the statement in the end-to-

end definition specifying that exempted data must be encrypted by the originating party without decryption except by the intended recipient. This final rule adopts instead a requirement that the means of decryption may not be provided to any third party, thus permitting decryption and re-encryption within the security boundary of either the originator or recipient, provided that no third party (i.e., a party outside the security boundary) has the ability to access the data in clear text, and that no decryption takes place outside of the security boundaries of the originator and the recipient.

The June 3 proposed rule's paragraph (4)(iii), which this final rule adopts in paragraph (5)(iii), described encryption standards that would qualify for the exemption. In the BIS proposed rule, use of encryption modules certified under the Federal Information Processing Standards Publication 140-2 (FIPS 140-2), supplemented by appropriate software implementation, cryptographic key management and other procedures or controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications, would qualify as sufficient security.

A number of commenters questioned the designation of the FIPS 140-2 as an example of effective cryptography and thus a qualification for the control carve-out, preferring instead no reference to a standard, or a reference to any ``commercially reasonable'' standard.

BIS rejects these suggestions. FIPS 140-2 is a well-understood cryptographic standard used for Federal Government procurement in the United States and Canada, as well as for many other uses, both in the U.S. and abroad. Citation of this standard provides a useful reference point for what the U.S. Federal Government considers effective encryption.

The text adopted in this final rule allows for use of ``equally or more effective cryptographic means,'' meaning that alternative approaches are allowable provided that they work as well as or better than FIPS 140-2. In such cases, the exporter is responsible for ensuring that the alternative approaches work as well as or better than FIPS 140-2, regardless of common commercial practices.

In the June 3 proposed rule, paragraph (c) confirmed that the mere ability to access ``technology'' or ``software'' while it is encrypted in a manner that satisfies the requirements in the section does not constitute the ``release'' or export of such ``technology'' or ``software.'' This responds to a common industry question on the issue. This final rule adopts the proposed text with only a minor revision to correct a cross-reference.

Transfer of Access Information

New Sec. 734.18(a)(5)(iii) excludes transfers of information encrypted to a particular standard as not being exports, reexports, or transfers and, thus, not subject to the EAR. Logically, providing keys or other information that would allow access to encrypted data exported, reexported, or released under this provision should be subject to controls much as the export, reexport, or transfer of the data itself. In the June 3 proposed rule, this concept was specifically addressed in proposed Sec. 734.13(a)(6) as part of the definition of ``export.'' The June 3 rule also proposed adding a new paragraph (l) to Sec. 764.2 ``Violations'' providing that the unauthorized release of decryption keys or other information that would allow access to particular controlled technology or software would constitute a violation to the same extent as a violation in connection with the export of the underlying controlled ``technology'' or ``software.''

Although recognizing the need to control the decryption of controlled technical data otherwise exempted by the encryption carve-

out, commenters noted that this construction might lead to the conclusion that keys and other

Page 35595

data permitting access might be controlled as separate stand-alone items, distinct from the underlying data that they could potentially release. This would pose problems with key and identity management, where such data are stored and transmitted separately. Controlling access information as a distinct item was not the intent of the proposal. As also discussed below with respect to the definition of ``technology,'' one commenter stated that decryption keys and other such information are not technology and recommended moving the proposed paragraph (a)(5) text to the definition of ``release'' and control ``accessing'' them. To address the concerns of such commenters, this final rule creates a new positive authorization requirement in a new Sec. 734.19, stating that ``to the extent an authorization would be required to transfer ``technology'' or ``software,'' a comparable authorization is required to transfer access information if with ``knowledge'' that such transfer would result in the release of such ``technology'' or ``software'' without a required authorization.'' Five commenters found use of the term ``cause or permit'' inconsistent with BIS's principle of an export's occurring only when actual export or transfer takes place. This final rule replaces the former reference to ``cause or permit'' with ``result in.''

One commenter requested ``the removal of Sec. 764.2(l) in its entirety as the current language of Sec. 764.2 is adequate.'' With creation of new Sec. 734.19, and in light of the availability of Sec. 764.2 to punish any violation of Sec. 734.19, BIS accepts this comment and does not adopt the proposed Sec. 764.2(l) in this final rule.

To simplify this section, proposed references to ``decryption keys, network access codes, passwords and other information,'' are replaced with a new Sec. 772.1 definition of ``access information,'' which uses these as examples only of information that allows access to encrypted technology or encrypted software in an unencrypted format. In response to a commenter's request for a definition of ``clear text,'' this final rule replaces references to ``clear text'' with ``in an unencrypted form,'' as part of the definition of ``access information.''

References in the June 3 proposed rule to what is termed ``access information'' in this final rule (e.g., references to decryption keys) were eliminated in the Sec. 772.1 definition of ``technology,'' the Sec. 734.13 definition of export, and the Sec. 734.14 definition of reexport.

Activities That Are Not Deemed Reexports

The June 3 proposed rule created a new Sec. 734.20, Activities that are not Deemed Reexports. This section codified BIS's interagency-

cleared Deemed Reexport Guidance previously posted on the BIS Web site and dated October 31, 2013. This guidance was created so that the provisions regarding possible deemed reexports contained in Sec. Sec. 124.16 and 126.18 of the ITAR would be available for EAR technology and source code in addition to legacy BIS guidance on the topic.

Under BIS's legacy guidance and new Sec. 734.20, release of technology or source code by an entity outside the United States to a foreign national of a country other than the foreign country where the release takes place does not constitute a deemed reexport of such technology or source code if the entity is authorized to receive the technology or source code at issue, whether by a license, license exception, or in situations where no license is required under the EAR for such technology or source code and the foreign national's most recent country of citizenship or permanent residency is that of a country to which export from the United States of the technology or source code at issue would be authorized by the EAR either under a license exception, or in situations where no license under the EAR would be required.

Release of technology or source code by an entity outside the United States to a foreign national of a country other than the foreign country where the release takes place also does not constitute a deemed reexport if: (i) The entity is authorized to receive the technology or source code at issue, whether by a license, license exception, or through situations where no license is required under the EAR; (ii) the foreign national is a bona fide regular and permanent employee (who is not a proscribed person) of the entity; (iii) such employee is a national exclusively of a country in Country Group A:5; and (iv) the release of technology or source code takes place entirely within the physical territory of any such country, or within the United States.

For nationals other than those of Country Group A:5 countries, which are close military allies of the United States, other criteria may apply. In particular, the section specifies the situations in which the releases would not constitute deemed exports in a manner consistent with Sec. 126.18 of the ITAR. For purposes of this section, ``substantive contacts'' has the same meaning as it has in Sec. 126.18 of the ITAR. The proposed phrase ``permanent and regular employee'' was a combination of BIS's definition of ``permanent employee,'' as set forth in a BIS advisory opinion issued on November 19, 2007 (available on the BIS Web site), and the ITAR's definition of ``regular employee'' in Sec. 120.39. The June 3 proposed rule added specific text excluding persons proscribed under U.S. law to make clear that Sec. 734.20 does not authorize release of technology to persons proscribed under U.S. law, and defined ``proscribed person'' in Sec. 772.1. (Note: The U.S.-

U.K. Exchange of Notes and U.S.-Canadian Exchange of Letters referred to in the existing online guidance can be found on the State Department's Web site. The URLs for the letters are not being published in the EAR because URL addresses periodically change. BIS will place the URL references in an ``FAQ'' section of its Web site.)

One commenter stated that due to the number of conditions contained in these provisions, this section should be a license exception. BIS does not agree. Many if not most of the transactions to which these provisions apply are already covered by a license or a license exception; this section will generally allow affected entities to comply with the terms of those authorizations in a rational way that will meet U.S. control objectives while minimizing conflict with non-

U.S. entities' domestic requirements.

Two commenters requested that BIS replace ``is certain'' of a foreign person's most recent country of citizenship or permanent residency with ``has knowledge,'' to address concerns about ability to comply with such a standard. BIS agrees with this comment and adopts ``has 'knowledge''' in this final rule.

One commenter requested that BIS add ``or within the physical territory of the United States'' to certain provisions to account for the possibility of releases in the United States, because often ``release of U.S.-origin technology or software could be said to take place partially within the United States and partially within the country in which the foreign person employee is located;'' BIS accepts this request. Another commenter requested that for releases to A:5 nationals, BIS ``also include countries where the entity conducts official business or operates, which is part of Sec. 734.20(c) Release to other than A:5 nationals.'' BIS did not adopt this request because it would expand the provision too broadly.

Two commenters requested that BIS cross reference the ``deemed reexport'' definition in Sec. 734.14(b). BIS accepts this request. One commenter asked BIS

Page 35596

to clarify that this section addresses non-U.S. entities. BIS believes that this is clear from context and is thus not changing the rule in response to this comment. However, BIS is including a description of the purpose of this section in its FAQs.

Two commenters objected to the requirement that employees must be engaged for a year to be eligible for these provisions and asked that it be removed. Additionally, two commenters objected to the associated screening and recordkeeping requirements and asked that they be reduced. BIS does not accept these comments. The year-long period and the screening and recordkeeping requirements reduce the risk of diversion associated with the technology release.

Questions and Answers--Technology and Software Subject to the EAR

The June 3 proposed rule removed Supplement No. 1 to part 734, ``Questions and Answers--Technology and Software Subject to the EAR'' on the basis that the questions and answers are illustrative rather than regulatory, and are therefore more appropriately posted as Web site guidance than included in the EAR. BIS specifically solicited comments on whether the questions and answers in existing Supplement No. 1 to part 734 proposed to be removed have criteria that should be retained in part 734.

Thirty commenters stated that BIS should not remove the questions and answers from the EAR. Reasons cited for opposing removal of the supplement included that the questions and answers will not have the same weight on the BIS Web site as they do in the EAR; that they are legally binding in the EAR; that their removal will create uncertainty; that their presence in EAR lessens the likelihood that interpretations will change outside the rulemaking process and promotes consistency of interpretation; and that other supplements contain regulatory information. One of these comments went on to say, ``Accordingly, Supplement No. 1 must not be removed unless all its substantive provisions are adequately incorporated into Part 734 or elsewhere in the regulations'' (emphasis supplied). BIS believes that the adequate incorporation of substantive provisions is the key point behind the comments. This concern drove the specific solicitation in the June 3 rule to identify criteria in the Supplement that should be retained in part 734. None of the thirty comments opposing removal of this Supplement from the EAR identified any substantive provisions that were not adequately incorporated into part 734 or elsewhere in the EAR. BIS is publishing on its Web site FAQs that will cover the same guidance that was found in Supplement No. 1, in addition to answers to other questions generated by the public comments to the proposed rule. Questions regarding how regulations apply to specific fact patterns are better set out in FAQs. In sum, although Supplement No. 1 will no longer be in the EAR, all its content will be placed into FAQs on BIS's Web site in addition to the other FAQs referred to in this preamble.

Technology

In the June 3 proposed rule, paragraph (a)(1) of the definition of technology reads as follows: ``Information necessary for the ``development,'' ``production,'' ``use,'' operation, installation, maintenance, repair, overhaul, or refurbishing (or other terms specified in ECCNs on the CCL that control ``technology'') of an item. ``Technology'' may be in any tangible or intangible form, such as written or oral communications, blueprints, drawings, photographs, plans, diagrams, models, formulae, tables, engineering designs and specifications, computer-aided design files, manuals or documentation, electronic media or information gleaned through visual inspection.''

A note addressed modification of items. Proposed paragraphs (a)(2) through (a)(4) of the definition were held in reserve to allow for the eventual mirroring of the corresponding ITAR paragraph structure while not including provisions that were not relevant to the EAR. Proposed paragraph (a)(5) described access information. Proposed paragraph (b) described exclusions from the definition of technology.

Required vs. Necessary

For the definition of ``technology,'' four commenters recommended that ``necessary'' be revised to read ``required'' to match the proposed ITAR definition. BIS does not adopt these recommendations. ``Required'' is a defined term that describes certain technology on the Commerce Control List, and not all technology that is subject to the EAR is controlled on the Commerce Control List. One commenter recommended restoring a note from the definition that existed in the EAR prior to publication of this rule, to the effect that technology not elsewhere specified on the Commerce Control List is designated as EAR99 unless it is not subject to the EAR. BIS does not accept this recommendation in this final rule because a regulatory change is not required to make the same point. BIS will, however, add an FAQ stating that ``technology'' subject to the EAR and that is not described on the CCL is designated EAR99. One commenter recommended including a note that refers to the General Technology Note. BIS accepts this comment and includes the reference in this final rule.

``Use'' Elements

As explained in the preamble to the June 3 rule, the proposed definition of ``technology'' was based on the Wassenaar Arrangement definition of technology, including the Wassenaar-defined sub-

definitions of ``development,'' ``production,'' and ``use,'' which are currently defined in Sec. 772.1. (No changes were proposed to the definitions of ``development,'' ``production,'' and ``use'' in the June 3 rule, and none are made in this final rule.) The June 3 rule proposed no change to BIS's long-standing policy that all six activities in the definition of ``use'' (operation, installation (including on-site installation), maintenance (checking), repair, overhaul and refurbishing) must be present for an item to be classified under an ECCN paragraph that uses ``use'' to describe the ``technology'' controlled. (See 71 FR 30842, May 31, 2006.) Drawing from this existing framework, the proposed definition of ``technology'' included the terms ``operation, installation, maintenance, repair, overhaul, or refurbishing (or other terms specified in ECCNs on the CCL that control `technology') of an item'' because such words are used to describe technology controlled in multiple ECCNs, often with ``or'' rather than the ``and'' found in ``use.''

One commenter recommended inserting a Note in the definition of technology that states the BIS policy that all six elements are necessary for ``use'' technology. BIS does not adopt this recommendation in this final rule because the definition of ``use'' links the six elements with the conjunctive ``and'' rather than the disjunctive ``or.'' BIS nonetheless makes this point in an FAQ pertaining to the word ``use'' in the definition of ``technology.'' One commenter recommended removing the term ``installation'' from the definition based on its use in the context of the definition of defense services. BIS does not accept this comment. Many entries on the Commerce Control List explicitly control installation technology, and it is also an element of ``use'' technology. Three commenters recommended that BIS remove the separate listing of the six ``use'' elements or limit them to control of 600 series items. BIS does not accept these recommendations. The six elements may be listed separately in

Page 35597

entries on the Commerce Control List and are not limited to 600 series entries.

Information Gleaned Through Visual Inspection

One commenter suggested dropping ``or information gleaned through visual inspection'' because it was a form or method of transfer, not what constitutes technology. BIS adopts the recommendation in this comment in part. ``Information gleaned through visual inspection'' is an example of a form of technology, with visual inspection as the method of transfer. The list to which this example belongs, however, illustrates rather than defines ``technology;'' therefore, BIS adopts the text as Note 1 to the definition of ``technology'' in this final rule, limiting the definition to what constitutes technology and illustrating the forms in a note.

Another commenter suggested using ``revealed'' instead of ``gleaned,'' first to align with ``release,'' and second, because ``use of the term `glean' implies the value of the information is based on the capability of the viewer, which is unknowable and unquantifiable. The use of the term `reveal' is a more objective measure of what is provided by the visual inspection.'' BIS agrees and has adopted the term ``revealed'' in this final rule.

Modification Note

The June 3 rule proposed adding a note to address a common industry question about modification. The note read as follows: ``The modification of an existing item creates a new item and technology for the modification is technical data for the development of the new item.''

Three commenters suggested revisions to this note. Two commenters described the note as overbroad or confusing. One commenter recommended adding ``production'' as well as ``development.'' In this final rule, BIS has adopted a revision that clarifies and narrows the description of the technology for modification, and includes ``production'' technology. The revised note reads as follows: ``The modification of the design of an existing item creates a new item and technology for the modified design is technology for the development or production of the new item.'' BIS created this note to address the fact that multiple variations of a product are usually created by one or more companies, and companies often struggle with how to classify the technology that is and is not common to the variations. Consider, for example, a company that makes a 9A991.d civil aircraft switch. It later modifies the switch so that it would work in a military aircraft. The modified switch--the ``dash one'' model--is, in this example, specially designed for a military aircraft and thus controlled under ECCN 9A610.x. The technology that is common to both switches is 9E991, but the additional or different technology to make the 9A610.x switch is controlled under 9E610. That is, the technology additional or different that is required to make the 9A991.d commercial aircraft switch into a 9A610.x switch is the technology for the new, modified item. This example is contained in an FAQ posted on the BIS Web site.

Decryption Keys

One commenter stated that decryption keys and other such information are not technology and recommended moving the proposed paragraph (a)(5) text to the definition of ``release'' and control ``accessing'' them. Another commenter pointed out that keys may also be hardware or software. BIS agrees with these comments; therefore, BIS does not adopt proposed paragraph (a)(5) in this final rule and adds text to the definition of ``release'' regarding transfer of ``access information'' (see also discussion above).

Exclusions

The June 3 rule proposed adding three exclusions to clarify the limits of the scope of the definition of ``technology:'' non-

proprietary general system descriptions; information on basic function or purpose of an item; and telemetry data as defined in note 2 to Category 9, Product Group E (see Supplement No. 1 to Part 774 of the EAR).

The first two exclusions paralleled exclusions in the ITAR and the third, the exclusion of telemetry data, mirrored specific exclusions added to both the ITAR and the EAR as part of recent changes regarding the scope of U.S. export controls pertaining to satellites and related items. See 79 FR 27417 (May 13, 2014).

One commenter recommended excluding Build/Design-to-Specifications from the definition of technology and adding sub-definitions of different forms of technology. BIS does not accept this recommendation in this final rule because such specifications are not always outside the scope of the EAR's definition of ``development'' or ``production'' technology. However, BIS will incorporate information on this topic into its FAQs. Five commenters objected to use of the term ``non-

proprietary,'' arguing that certain proprietary system descriptions should not be subject to the EAR. One commenter thought that the term ``systems'' was too narrow. BIS did not adopt these recommendations. Whether a particular technology is one that the possessor would readily share with competitors provides a fairly reliable test of whether that technology is subject to the EAR. With respect to the breadth of the term ``system,'' BIS notes that this exclusion is not the only provision in the EAR under which technology may be determined to be not subject. BIS did remove the modifier ``general,'' because of its potential to be ambiguous and subjective. BIS also did not adopt in this final rule the exclusion for ``information on basic function or purpose of an item,'' because the phrase was too vague and substantively already addressed by other provisions.

One commenter questioned the scope of these exclusions from the definition of technology and another questioned how the exclusions from the definition should be read in conjunction with the provisions in the Scope part that make items not subject to the EAR. Based on these comments, and as noted earlier in the preamble to this final rule, the exclusion of ``information on basic function or purpose of an item'' is not adopted and the remaining two exclusions are moved from the definition of technology to Sec. 734.3(b)(3).

Required

The June 3 proposed rule retained the existing EAR definition of ``required'' in Sec. 772.1, but added notes clarifying the application of the term. It removed parenthetical references in the existing definition to CCL Categories 4, 5, 6, and 9 to avoid the suggestion that BIS applies the definition of ``required'' only to the uses of the term in these categories. BIS has never had a separate definition of ``required'' used elsewhere in the EAR, and this removal merely eliminated a potential ambiguity and reflects long-standing BIS policy that ``required'' applies generally to ``technology'' entries on the CCL. (See, e.g., the Advisory Opinion dated December 27, 2010 on the BIS Web site.) BIS received one comment praising the removal of the references and none objecting to it; the revision is adopted in this final rule. The definition of ``required'' contained an illustrative example. BIS did not propose any revisions to this example in the June 3 rule. In this final rule, however, BIS revises the example to make clear that technology that is peculiarly responsible for the characteristics of the item that make it controlled is thus ``required'' technology. This subtle change thus responds to the question of which

Page 35598

technology is ``peculiarly responsible'' but without changing the well-

established definition of ``required'' that is central to the scope of the technology and software controls in the EAR. This revision also addresses issues raised by commenters, discussed more fully below, with respect to the proposed definition of ``peculiarly responsible.''

To address common questions BIS has received regarding the meaning of the word ``required,'' the June 3 rule proposed adding two notes. The first stated that the references to ``characteristics'' and ``functions'' are not limited to entries on the CCL that use specific technical parameters to describe the scope of what is controlled. The ``characteristics'' and ``functions'' of an item listed are, absent a specific regulatory definition, a standard dictionary's definition of the item. The first note also included examples of this point. The second note referred to the fact that the ITAR and the EAR often divide within each set of regulations or between each set of regulations (a) controls on parts, components, accessories, attachments, and software and (b) controls on the end items, systems, equipment, or other articles into which those parts, components, accessories, attachments, and software are to be installed or incorporated. The note also referred to jurisdiction over technology. The public comments on these parts of the notes were favorable and the first note is included in this final rule without modification, except that it is now designated as Note 2 to the definition of ``required.'' The second note is split into Notes 1 and 3 to the definition of ``required,'' and the text is modified from the June 3 proposal as discussed below.

A core tenet of ECR is that the jurisdictional status of the technical data/technology for an article that moves from the USML to the EAR follows the article. BIS and DDTC recognize the need to clarify the jurisdictional line for such technical data/technology. To help those making jurisdictional self-determinations for technical data/

technology pertaining to articles affected by the reform effort, BIS and DDTC had proposed in their respective June 3 rules common definitions of ``required'' and ``peculiarly responsible'' so that the regulatory line between technical data subject to the ITAR and technology subject to the EAR would be bright. Based on a review of the comments, BIS and DDTC have, however, decided not to publish their proposed common definitions of ``required'' and ``peculiarly responsible.'' (See discussion of the public comments on ``peculiarly responsible'' below.) Rather, DDTC and BIS have determined that a better way for the ITAR to address this bright-line objective is for DDTC to publish, and get public comments on, a proposed definition of ``directly related'' that will eventually lead to a final ITAR definition acceptable to both DDTC and BIS. The reason for this approach is that, with the exception of technical data specifically enumerated on the USML, technical data is subject to the ITAR only if it is ``directly related'' to a defense article. This means, by definition, that technology that is indirectly related to, or only ``related to,'' a defense article, such as by merely being capable for use with, used in connection with, or somehow having something generally to do with the eventual functioning of a defense article, is not subject to the ITAR and is, thus, subject to the EAR. For example, technology required for the production of a 9A610.x aircraft component--which, by definition, means that that it is specially designed for a USML VIII(a) aircraft--does not become subject to the ITAR merely because it generally relates to a defense article by virtue of being a component that will be or is integrated into and necessary for the functioning of the aircraft subject to the ITAR. It is technology required for the aircraft component subject to the EAR, not the whole of the USML aircraft or another defense article, and thus subject to the EAR. On the other hand, technical data that is directly related to the production of a component subject to the ITAR does not become subject to the EAR merely because, for example, it is developed or manufactured with equipment subject to the EAR.

Wanting to nonetheless respond to the comments seeking guidance regarding the jurisdictional status of technology pertaining to items that have moved to the CCL from the USML and to further advance the effort of creating a truly bright line jurisdictional rule, BIS is publishing with this rule as a third note to ``required'' its guidance on the topic because the meaning of ``required'' is central to such determinations. Specifically, unclassified technology not specifically enumerated on the USML is ``subject to the EAR'' if it is ``required'' for the ``development,'' ``production,'' ``use,'' operation, installation, maintenance, repair, overhaul, or refurbishing (or other terms specified in ECCNs on the CCL that control ``technology'') of a commodity or software that is ``subject to the EAR.'' If such information is technical data that is not ``required'' for an item subject to the EAR and directly related to a defense article, then it is subject to the ITAR. If the application of industry-standard or dictionary definitions of ``directly related'' does not resolve doubts about whether any unit of technical data is, as a matter of law, ``directly related'' (as opposed to indirectly related) to a defense article, one should contact DDTC for resolution of the doubt through established procedures in the ITAR's Part 120.

Peculiarly Responsible

In the June 3 rule, BIS proposed a definition of the term ``peculiarly responsible'' that was modeled on the catch-and-release structure BIS adopted for the definition of ``specially designed.'' Thus, under the proposed definition, an item was ``peculiarly responsible'' for achieving or exceeding any referenced controlled performance levels, characteristics, or functions if it was used in ``development,'' ``production,'' ``use,'' operation, installation, maintenance, repair, overhaul, or refurbishing of an item subject to the EAR unless (a) the Department of Commerce had determined otherwise in a commodity classification determination, (b) the item was identical to information used in or with a commodity or software that was or had been in production and was EAR99 or described in an ECCN controlled only for Anti-Terrorism (AT) reasons, (c) the item had been or was being developed for use in or with general purpose commodities or software, or (d) the item had been or was being developed with ``knowledge'' that it would be for use in or with commodities or software described (i) in an ECCN controlled for AT-only reasons and also EAR99 commodities or software or (ii) exclusively for use in or with EAR99 commodities or software.

BIS specifically solicited comments on whether the proposed definition of ``peculiarly responsible'' effectively explained how items may be ``required'' or ``specially designed'' for particular functions. Two commenters offered support for the definition but still suggested revisions. Twelve additional commenters objected to the definition, describing it as confusing and stating that it dramatically expanded the scope of control beyond the existing ``required'' technology definition. BIS agrees with these comments and does not adopt the proposed definition of ``peculiarly responsible'' in this final rule. As described above, in this final rule, peculiarly responsible is defined within the scope of the already existing definition of required, thus providing a definition while guaranteeing no expansion of scope.

Page 35599

Temporary Export of Technology

The June 3 proposed rule included amended text in the temporary export of technology provisions of License Exception TMP by revising Sec. 740.9(a)(3) to clarify that the ``U.S. employer'' and ``U.S. persons or their employees'' using this license exception are not foreign subsidiaries. The proposed paragraph streamlined current text without changing the scope. In this final rule, BIS substitutes ``foreign person'' for ``foreign national'' in this section for reasons discussed elsewhere in this preamble, except where ``natural person'' was meant and BIS substituted ``individual'' for clarity (and in so doing responded to a comment on including foreign nationals in paragraph (a)(3)(iii)). BIS also added authority to reexport or transfer (in-country) to the authority to export; the absence of these terms from the June 3 proposed rule was an oversight.

One commenter stated that BIS should provide for use of this license exception by non-U.S. persons. Another commenter recommended that BIS expand the scope of the license exception to include foreign subsidiaries and affiliates. BIS does not adopt these recommendations. Because of the risks associated with securing temporary exports of technology, BIS is not broadening the provisions for foreign persons beyond those employed by U.S. companies or to allow use by foreign companies.

BIS received two comments on the recordkeeping provision in paragraph (a)(3)(v), with one requesting that it be clarified and one requesting that it be removed in view of the existing broad recordkeeping requirements in the EAR. BIS agrees with these comments and does not adopt the recordkeeping provision in this final rule.

One commenter asked BIS to clarify if TMP is available for remote access to U.S. servers. Another commenter asked BIS to clarify if taking an encrypted device is an export. BIS is not including these changes in regulatory text, because these are applications of the rule that are more appropriate to FAQs. However, BIS is confirming in its FAQs that TMP is available for remote access if its provisions are met. BIS is also confirming in its FAQs that taking an encrypted device is an export and referring to a different paragraph of Sec. 740.9 for authorizing export of devices. Devices are commodities and therefore not eligible for paragraph (a)(3), which authorizes only technology.

One commenter recommended that BIS remove a requirement to encrypt the technology, saying that the list of techniques for securing the data required all to be used. BIS accepts this comment, and this final rule adds ``may'' before ``include'' to make clear that the list is illustrative. One commenter recommended allowing obfuscation/

tokenization to protect data. BIS agrees that done properly, this is an effective security measure, and will add an FAQ on the topic to its Web site.

Scope of a License

The June 3 rule proposed implementing in the EAR the interagency-

agreed boilerplate notification for all licenses that was posted on the BIS Web site and began appearing on licenses December 8, 2014. It was a slight revision to the former Sec. 750.7(a), which stated that licenses authorize only the transaction(s) described in the license application and the license application support documents. The proposed revision also codified the existing interpretation that a license authorizing the release of technology to an entity also authorizes the release of the same technology to the entity's foreign nationals who are permanent and regular employees of the entity's facility or facilities authorized on the license, except to the extent a license condition limits or prohibits the release of the technology to nationals of specific countries or country groups.

Two commenters requested that BIS drop the modifier ``permanent and'' from ``regular employees.'' BIS does not adopt this request due to risk of diversion associated with non-permanent and non-regular employees. See further discussion of this issue above with respect to activities that are not deemed reexports. The phrase ``under U.S. law'' that modified ``proscribed persons'' in the June 3 rule is not adopted in this final rule for reasons discussed in connection with the definition of ``proscribed persons'' below. Except for that change, this final rule adopts the text proposed in the June 3 rule.

Removals From and Additions to EAR's List of Definitions in Sec. 772.1

This final rule creates stand-alone sections in the EAR to address the scope and meaning of ``publicly available information,'' ``publicly available technology and software,'' and ``technical data.'' To avoid redundancy, this rule removes those definitions from Sec. 772.1. In light of the changes described above, the definitions of ``export,'' ``reexport,'' ``required,'' ``technology,'' and ``transfer'' are revised accordingly. A clarifying note is added at the bottom of the definition explaining that the use of ``transfer'' does not apply to the unrelated ``transfers of licenses'' provision in Sec. 750.10 or the antiboycott provisions in Supplement No. 8 to part 760 of the EAR. It also states that the term ``transfer'' may be included on licenses issued by BIS. In that regard, the changes that can be made to a BIS license are the non-material changes described in Sec. 750.7(c). Any other change to a BIS license without authorization is a violation of the EAR. See Sec. Sec. 750.7(c) and 764.2(e). Finally, consistent with the explanations above, definitions for the terms ``access information,'' ``foreign person,'' ``fundamental research,'' ``proscribed person,'' ``publicly available encryption software,'' ``published,'' and ``release'' are added to Sec. 772.1.

One commenter stated that the definition of proscribed persons was overbroad, catching those individuals sanctioned under U.S. law without an export control nexus and recommended deleting ``under US law.'' BIS agrees with this comment. One commenter recommended striking ``scientific'' from the definition of ``basic scientific research'' in part 772 and adding definitions of applied and fundamental research to part 772. BIS does not accept this recommendation. The definition of ``basic scientific research'' reflects a Wassenaar Arrangement definition; it is retained in this final rule. A definition for applied research is not adopted because it is not necessary as a result of the adoption of a simplified definition of fundamental research, and as fundamental research is defined in Sec. 734.8, use of a cross reference in part 772 is appropriate.

Issues Raised by Public Comments That Are Outside the Scope of This Rule

One commenter requested that BIS clarify treatment of U.S.-origin chemical materials that are substantially transformed and exempt Japan and other like-minded countries from reexport controls. One commenter requested that BIS expand controls on missile production and drop Fiji from Country Group D:5. One commenter appended comments on a separate BIS proposed rule for which the comment period was already closed. One commenter stated that items classified under Export Control Classification Number 0A998 will no longer be subject to the EAR under the new note to Sec. 734.3(b)(3). One commenter requested that BIS drop the term ``serial'' from the definition of ``production,'' which was not revised by this rule. Although these comments are outside the scope of this rule and thus not addressed in this notice, BIS nonetheless encourages the

Page 35600

public to submit thoughts, suggestions, and comments to BIS about the EAR and the export control system. BIS cannot commit to addressing them in every case, but nonetheless encourages as much industry participation as possible in the development and drafting of the regulations.

Export Administration Act

Since August 21, 2001, the Export Administration Act of 1979, as amended, has been in lapse. However, the President, through Executive Order 13222 of August 17, 2001, 3 CFR, 2001 Comp., p. 783 (2002), as amended by Executive Order 13637 of March 8, 2013, 78 FR 16129 (March 13, 2013), and as extended by the Notice of August 7, 2015 (80 FR 48233 (Aug. 11, 2015) has continued the EAR in effect under the International Emergency Economic Powers Act (50 U.S.C. 1701 et seq.). BIS continues to carry out the provisions of the Export Administration Act, as appropriate and to the extent permitted by law, pursuant to Executive Order 13222 as amended by Executive Order 13637.

Regulatory Requirements

1. Executive Orders 13563 and 12866 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distribute impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This final rule has been designated a ``significant regulatory action,'' although not economically significant, under section 3(f) of Executive Order 12866. Accordingly, this final rule has been reviewed by the Office of Management and Budget (OMB).

2. This final rule does not contain information collections subject to the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA). Notwithstanding any other provision of law, no person is required to respond to, nor is subject to a penalty for failure to comply with, a collection of information, subject to the requirements of the PRA, unless that collection of information displays a currently valid OMB control number.

3. This final rule does not contain policies with Federalism implications as that term is defined under E.O. 13132.

4. Pursuant to the Regulatory Flexibility Act, as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, 5 U.S.C. 601 et seq., BIS has prepared the following final Regulatory Flexibility Act analysis of the impact that this final rule will have on small entities.

   Statement of the Objectives of, and Legal Basis for, the Final Rule; Identification of All Relevant Federal Rules Which May Duplicate, Overlap, or Conflict With the Final Rule

   The objective of this final rule (and a final rule being published simultaneously by the Department of State) is to provide greater clarity and precision in the EAR and the ITAR by providing, where warranted and possible, common definitions and common terms to regulate the same types of actions and issues. This final rule also seeks to express some concepts more clearly.

   The final rule alters definitions in the EAR. It also updates and clarifies application of controls to electronically transmitted technology and software.

   The legal basis for this proposed rule is 50 U.S.C. 4601 et seq.; 50 U.S.C. 1701 et seq.; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 61 FR 54079, 3 CFR, 1996 Comp., p. 219; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; E.O. 13637, 78 FR 16129, 3 CFR, 2014 Comp., p. 223; Notice of August 7, 2015, 80 FR 48233 (August 11, 2015); Notice of November 12, 2015, 80 FR 70667 (November 13, 2015).

   No other Federal rules duplicate, overlap, or conflict with this final rule.

   Comments in Response to the Initial Regulatory Flexibility Analysis

   BIS received one comment from the public in response to the Initial Regulatory Flexibility Analysis (IRFA). The comment stated that while the proposed regulatory text indicated that the extent to which release of access information could be a violation of the EAR was limited by whether the party acted with knowledge, text in the IRFA regarding the impact of this provision created tension by stating that other provisions in the EAR could be used to bring charges for that same type of misconduct. The comment requested that BIS provide clarification in the final rule. BIS addressed this comment by not adopting Sec. 764.2(l), the provision that would have established the violation at issue in the final rule. The Chief Counsel for Advocacy of the Small Business Administration filed no comments in response to the proposed rule.

   Number and Description of Small Entities to Which This Rule Will Apply

   This final rule will apply to all persons engaged in the export, reexport, or transfer of commodities, technology, or software subject to the EAR. BIS does not maintain data from which it can determine how many of those persons are small entities as identified in the Small Business Administration size standards. Nevertheless, BIS recognizes that some of those persons are likely to be small entities.

   Description of the Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Final Rule

   This final rule is unlikely to increase the number of transactions that must be reported to BIS because EAR reporting requirements apply only in five specific situations, none of which will change as a result of this final rule. Those situations are: Exports of items on the Wassenaar Arrangement Sensitive List that do not require a license; Exports of High Performance Computers; Exports of certain thermal imaging cameras that do not require a license; Certain exports of Conventional Arms; and 600 series major defense equipment. Because recordkeeping requirements already apply to all transactions that are subject to the EAR, BIS expects that this final rule will not expand recordkeeping requirements.

   It is possible that some of these changes will increase the number of licenses that some small entities will have to seek from BIS, although BIS is not aware of any specific instance in which additional licenses will be required.

   The following discussion describes the changes made by this final rule. It is divided into two sections: Changes that BIS believes will not impose any new regulatory obligations; and Changes that are not intended to imposed any new regulatory obligation, but that BIS cannot state with certainty will not do so.

   Changes That BIS Believes Will Not Impose Any New Regulatory Burden

   This final rule makes certain changes to clarify and streamline the definitions of comparable terms, phrases, and concepts between the EAR and the ITAR. Many of these changes are technical in nature and attempt to consolidate and re-phrase the definitions to enhance readability and to parallel the structure of the ITAR's definition of the same term. There are a small number of new provisions, but these changes do not impose any new regulatory burdens. Specifically, this final rule makes the following changes:

   Page 35601

   Removes Sec. 734.2(b) which formerly defined export, reexport, release, transfer (in country) and export of encryption source code or object code software, because those terms are defined in separate sections. Section 734.2(b) also stated the policy of applying license requirements that apply to a country to its dependencies and possessions; this policy is currently stated elsewhere in the EAR.

   Creates new separate sections defining export, reexport, release and export of encryption source code or object code software. Those terms are clarified and presented in a more organized manner, but substantively unchanged from the former regulatory text.

   Creates a new section identifying activities that are not exports, reexports, or transfers. This section restates the transactions that are excluded from the definition of export in former regulatory text and adds two additional activities that are expressly declared not to be exports, reexports or transfers: Space launches; and sending, taking or storing certain technology or software abroad using specified cryptographic techniques. The former, although it was not included in past regulatory text, states an exclusion already set forth in a statute (see 51 U.S.C. 50919(f)) and is consistent with past BIS practice of not treating a space launch as an export, reexport or transfer. The latter is, in fact, new. However, by removing the transactions it describes from the definitions of exports, reexports, or transfers, it removes existing license requirements from those transactions.

   Clarifies without substantively changing the provisions related to patent applications and adds specific text stating that technology contained in a patent available from or at any patent office is not subject to the EAR. The addition reflects BIS's long-standing interpretation. To the extent that it could be characterized as new, its only effect would be to appear to release from the EAR technology that some readers of the EAR might have (erroneously) concluded was subject to the EAR.

   Adds text to License Exception TMP to emphasize that foreign subsidiaries of U.S. companies are neither U.S. employers nor ``U.S. persons or their employees'' as those terms are used in the license exception. This additional text adds no restriction that is not already imposed by the definition of ``U.S. persons'' that currently appears in the text of License Exception TMP.

   Adds text codifying in the EAR limits on transactions authorized by a license that currently are imposed by conditions on the license itself.

   Adds text specifying that to the extent an authorization would be required to transfer technology or software, a comparable authorization is required to transfer access information (e.g., decryption keys, network access codes, and passwords) with ``knowledge'' that such transfer would result in the unauthorized release of such technology or software.

   Changes That Are Not Intended To Impose Any Regulatory Obligation, But That BIS Cannot State With Certainty Would Not Do So

   This final rule revises the definitions of the two existing terms ``required'' and ``transfer (in-country).'' It also adopts BIS's interpretative guidance regarding deemed reexports as regulatory text. These changes are not intended to impose any regulatory obligations on regulated entities, but BIS cannot state with certainty that there will be no impact. This final rule makes the following changes:

   Adds to the EAR a definition of ``proscribed person.'' This definition does not create any new regulated class. It simply provides a clear, shorthand reference to a person who is already prohibited from receiving items or participating in a transaction that is subject to the EAR without authorization, such as persons on the Entity List.

   Removes from the definition of the term ``required'' references to CCL Categories 4, 5, 6 and 9 to accurately reflect BIS's long-standing interpretation that its definition applies wherever the EAR imposes a license requirement for technology ``required'' for a particular process or activity.

   In the definition of ``transfer (in-country),'' replaces the phrase ``shipment, transmission, or release of items subject to the EAR from one person to another person that occurs outside the United States within a single foreign country'' with ``a change in end use or end user of an item within the same foreign country.'' This new text will parallel the term ``retransfer'' in the ITAR and will eliminate any potential ambiguity that a change in end use or end user within a foreign country is or is not a ``transfer (in-country).''

   Each of the foregoing changes serves the overall policy goals of reducing uncertainty and harmonizing, to the extent warranted and possible, the requirements of the ITAR and the EAR. In most instances, reduced uncertainty will be beneficial to persons who have to comply with the regulations, particularly persons who engage in transactions subject to both sets of regulations. They will be able to make decisions more quickly and have less need to contact BIS for advice. Additionally, by making these terms more explicit, the possibility of their being interpreted contrary to BIS's intent is reduced. Such contrary interpretations would have three undesirable effects. First, they would undermine the national security and foreign policy objectives that the EAR are intended to implement. Second, persons who are interpreting the regulations in a less restrictive manner than BIS intends may seek fewer licenses from BIS than their competitors who are interpreting the regulations consistent with BIS's intent or who are obtaining advice from BIS, thereby gaining a commercial advantage to the detriment of the relevant national security or foreign policy interests. Third, unnecessary regulatory complexity and unnecessary differences between the terminology of the ITAR and that of the EAR could discourage small entities from even attempting to export. The beneficial effects of making these terms more explicit justify the economic impact that might be incurred by small entities that will have to change their conduct because their contrary interpretations can no longer be relied on given the clearer and more explicit terms in the regulations.

   This final rule also adds to the EAR a description of activities that are not deemed reexports. This description formerly appeared as interpretative guidance on BIS's Web site and closely tracks the regulatory text of the ITAR. Deemed reexports are releases of technology or software source code within a single foreign country by a party located outside the United States to a national of a country other than the country in which the releasing party is located. The new section describes three situations in which that party may release the technology or source code without obtaining a license from BIS.

   By adopting this guidance as regulatory text that closely tracks the text governing the same activities in the ITAR, BIS reduces both complexity and unnecessary differences between the two sets of regulations with the salutary effects of faster decision making, reduced need to contact BIS for advice, and reduced possibility that small entities would be discouraged from exporting as noted above.

   Page 35602

   Description of Any Significant Alternatives to the Final Rule That Accomplish the Stated Objectives of Applicable Statutes and That Minimize Any Significant Economic Impact of the Final Rule on Small Entities

   As required by 5 U.S.C. 603(c), BIS's analysis considered significant alternatives. Those alternatives are: (1) The preferred alternative of altering definitions and updating and clarifying application of controls to electronically transmitted technology and software; (2) Maintaining the status quo and not revising the definitions or updating and clarifying application of controls to electronically transmitted technology and software; and (3) Establishing a size threshold below which entities would not be subject to the changes proposed by this rulemaking.

   By altering definitions and updating and clarifying application of controls to electronically transmitted technology and software as this final rule does, BIS reduces uncertainty for all parties engaged in transactions that are subject to the EAR. Potential ambiguities are reduced; decisions can be made more quickly; the need to contact BIS for advice is reduced; and the possibility of inconsistent interpretations providing one party commercial advantages over others is reduced. Persons (including small entities) engaged in transactions that are subject to the ITAR and transactions that are subject to the EAR face fewer actual or apparent inconsistencies that must be addressed in their regulatory compliance programs. Although small entities, along with all other parties, will need to become familiar with the revised terminology, in the long run, compliance costs are likely to be reduced when compared to the present situation where the ITAR and the EAR use different terminology to regulate the same types of activity in the same manner. Therefore, BIS adopted this alternative.

   If BIS had chosen to maintain the status quo, small entities and other parties would not have to incur the cost and effort of becoming familiar with the revised regulations, and any party who was interpreting the regulations in a way that would clearly be precluded by the more explicit interpretations would not incur the cost of complying with the regulations consistent with their underlying intent and in the way that BIS believes most regulated parties do. However, the benefits of these proposed changes would be lost. Those benefits, greater clarity, consistency between the ITAR and the EAR, and reduced possibility of inconsistent application of the regulations by similarly situated regulated parties, would be foregone. Therefore, BIS has not adopted this alternative.

   If BIS had chosen to create a size threshold exempting small entities as currently defined by the SBA size standards from the changes imposed by this final rule, those entities would face a more complicated regulatory environment than larger entities. The small entities would continue to be subject to the EAR as a whole but without the benefit of the clarifications introduced by this final rule. The only way to make a size threshold beneficial to entities falling below the threshold would be to exempt them from all or at least many of the requirements of the EAR. However, doing so would create a major loophole allowing commodities, software, and technology that are controlled for export for national security or foreign policy reasons to go, without restriction, to any party abroad, undermining the interests that the regulations are intended to protect. Therefore, BIS has not adopted this alternative.

   List of Subjects

   15 CFR Parts 734 and 772

   Exports.

   15 CFR Parts 740 and 750

   Administrative practice and procedure, Exports, Reporting and recordkeeping requirements.

   For the reasons stated in the preamble, parts 734, 740, 750, and 772 of the Export Administration Regulations (15 CFR subchapter C) are amended as follows:

   PART 734--SCOPE OF THE EXPORT ADMINISTRATION REGULATIONS

   0

1. The authority citation for part 734 continues to read as follows:

   Authority: 50 U.S.C. 4601 et seq.; 50 U.S.C. 1701 et seq.; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 61 FR 54079, 3 CFR, 1996 Comp., p. 219; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; E.O. 13637, 78 FR 16129, 3 CFR, 2014 Comp., p. 223; Notice of August 7, 2015, 80 FR 48233 (August 11, 2015); Notice of November 12, 2015, 80 FR 70667 (November 13, 2015).

   0

2. Section 734.2 is amended by revising the heading to read as follows and by removing and reserving paragraph (b).

   Sec. 734.2 Subject to the EAR.

   * * * * *

   0

3. Section 734.3 is amended by revising paragraph (b) introductory text, paragraph (b)(3), the Note to paragraphs (b)(2) and (b)(3), and adding a Note to paragraph (b)(3) to read as follows.

   Sec. 734.3 Items subject to the EAR.

   * * * * *

   (b) The following are not subject to the EAR:

   * * * * *

   (3) Information and ``software'' that:

   (i) Are published, as described in Sec. 734.7;

   (ii) Arise during, or result from, fundamental research, as described in Sec. 734.8;

   (iii) Are released by instruction in a catalog course or associated teaching laboratory of an academic institution;

   (iv) Appear in patents or open (published) patent applications available from or at any patent office, unless covered by an invention secrecy order, or are otherwise patent information as described in Sec. 734.10;

   (v) Are non-proprietary system descriptions; or

   (vi) Are telemetry data as defined in Note 2 to Category 9, Product Group E (see Supplement No. 1 to part 774 of the EAR).

   Note to paragraphs (b)(2) and (b)(3): A printed book or other printed material setting forth encryption source code is not itself subject to the EAR (see Sec. 734.3(b)(2)). However, notwithstanding Sec. 734.3(b)(2), encryption source code in electronic form or media (e.g., computer diskette or CD ROM) remains subject to the EAR (see Sec. 734.17)). Publicly available encryption object code ``software'' classified under ECCN 5D002 is not subject to the EAR when the corresponding source code meets the criteria specified in Sec. 740.13(e) of the EAR.

   Note to paragraph (b)(3): Except as set forth in part 760 of this title, information that is not within the scope of the definition of ``technology'' (see Sec. 772.1 of the EAR) is not subject to the EAR.

   * * * * *

   0

4. Section 734.7 is revised to read as follows:

   Sec. 734.7 Published.

   (a) Except as set forth in paragraph (b) of this section, unclassified ``technology'' or ``software'' is ``published,'' and is thus not ``technology'' or ``software'' subject to the EAR, when it has been made available to the public without restrictions upon its further dissemination such as through any of the following:

   (1) Subscriptions available without restriction to any individual who desires to obtain or purchase the published information;

   (2) Libraries or other public collections that are open and available

   Page 35603

   to the public, and from which the public can obtain tangible or intangible documents;

   (3) Unlimited distribution at a conference, meeting, seminar, trade show, or exhibition, generally accessible to the interested public;

   (4) Public dissemination (i.e., unlimited distribution) in any form (e.g., not necessarily in published form), including posting on the Internet on sites available to the public; or

   (5) Submission of a written composition, manuscript, presentation, computer-readable dataset, formula, imagery, algorithms, or some other representation of knowledge with the intention that such information will be made publicly available if accepted for publication or presentation:

   (i) To domestic or foreign co-authors, editors, or reviewers of journals, magazines, newspapers or trade publications;

   (ii) To researchers conducting fundamental research; or

   (iii) To organizers of open conferences or other open gatherings.

   (b) Published encryption software classified under ECCN 5D002 remains subject to the EAR unless it is publicly available encryption object code software classified under ECCN 5D002 and the corresponding source code meets the criteria specified in Sec. 740.13(e) of the EAR.

   0

5. Section 734.8 is revised to read as follows:

   Sec. 734.8 ``Technology'' or ``software'' that arises during, or results from, fundamental research.

   (a) Fundamental research. ``Technology'' or ``software'' that arises during, or results from, fundamental research and is intended to be published is not subject to the EAR.

   Note 1 to paragraph (a): This paragraph does not apply to ``technology'' or ``software'' subject to the EAR that is released to conduct fundamental research. (See Sec. 734.7(a)(5)(ii) for information released to researchers that is ``published.'')

   Note 2 to paragraph (a): There are instances in the conduct of research where a researcher, institution or company may decide to restrict or protect the release or publication of ``technology'' or ``software'' contained in research results. Once a decision is made to maintain such ``technology'' or ``software'' as restricted or proprietary, the ``technology'' or ``software,'' if within the scope of Sec. 734.3(a), becomes subject to the EAR.

   (b) Prepublication review. ``Technology'' or ``software'' that arises during, or results, from fundamental research is intended to be published to the extent that the researchers are free to publish the ``technology'' or ``software'' contained in the research without restriction. ``Technology'' or ``software'' that arises during or results from fundamental research subject to prepublication review is still intended to be published when:

   (1) Prepublication review is conducted solely to ensure that publication would not compromise patent rights, so long as the review causes no more than a temporary delay in publication of the research results;

   (2) Prepublication review is conducted by a sponsor of research solely to insure that the publication would not inadvertently divulge proprietary information that the sponsor has furnished to the researchers; or

   (3) With respect to research conducted by scientists or engineers working for a Federal agency or a Federally Funded Research and Development Center (FFRDC), the review is conducted within any appropriate system devised by the agency or the FFRDC to control the release of information by such scientists and engineers.

   Note 1 to paragraph (b): Although ``technology'' or ``software'' arising during or resulting from fundamental research is not considered intended to be published if researchers accept restrictions on its publication, such ``technology'' or ``software'' will nonetheless qualify as ``technology'' or ``software'' arising during or resulting from fundamental research once all such restrictions have expired or have been removed.

   Note 2 to paragraph (b): Research that is voluntarily subjected to U.S. government prepublication review is considered ``intended to be published'' when the research is released consistent with the prepublication review and any resulting controls.

   Note 3 to paragraph (b): ``Technology'' or ``software'' resulting from U.S. government funded research that is subject to government-imposed access and dissemination or other specific national security controls qualifies as ``technology'' or ``software'' resulting from fundamental research, provided that all government-imposed national security controls have been satisfied and the researchers are free to publish the ``technology'' or ``software'' contained in the research without restriction. Examples of specific national security controls include requirements for prepublication review by the Government, with right to withhold permission for publication; restrictions on prepublication dissemination of information to non-U.S. citizens or other categories of persons; or restrictions on participation of non-U.S. citizens or other categories of persons in the research. A general reference to one or more export control laws or regulations or a general reminder that the Government retains the right to classify is not a specific national security control.

   (c) Fundamental research definition. Fundamental research means research in science, engineering, or mathematics, the results of which ordinarily are published and shared broadly within the research community, and for which the researchers have not accepted restrictions for proprietary or national security reasons.

   Sec. 734.9--Removed and Reserved

   0

6. Section 734.9 is removed and reserved.

   0

7. Section 734.10 is revised to read as follows:

   Sec. 734.10 Patents.

   ``Technology'' is not subject to the EAR if it is contained in any of the following:

   (a) A patent or an open (published) patent application available from or at any patent office;

   (b) A published patent or patent application prepared wholly from foreign-origin ``technology'' where the application is being sent to the foreign inventor to be executed and returned to the United States for subsequent filing in the U.S. Patent and Trademark Office;

   (c) A patent application, or an amendment, modification, supplement or division of an application, and authorized for filing in a foreign country in accordance with the regulations of the Patent and Trademark Office, 37 CFR part 5; or

   (d) A patent application when sent to a foreign country before or within six months after the filing of a United States patent application for the purpose of obtaining the signature of an inventor who was in the United States when the invention was made or who is a co-inventor with a person residing in the United States.

   Sec. 734.11--Removed and Reserved

   0

8. Section 734.11 is removed and reserved.

   0

9. Section 734.13 is added to read as follows:

   Sec. 734.13 Export.

   (a) Except as set forth in Sec. Sec. 734.17 or 734.18, Export means:

   (1) An actual shipment or transmission out of the United States, including the sending or taking of an item out of the United States, in any manner;

   (2) Releasing or otherwise transferring ``technology'' or source code (but not object code) to a foreign person in the United States (a ``deemed export'');

   Page 35604

   (3) Transferring by a person in the United States of registration, control, or ownership of:

   (i) A spacecraft subject to the EAR that is not eligible for export under License Exception STA (i.e., spacecraft that provide space-based logistics, assembly or servicing of any spacecraft) to a person in or a national of any other country; or

   (ii) Any other spacecraft subject to the EAR to a person in or a national of a Country Group D:5 country.

   (b) Any release in the United States of ``technology'' or source code to a foreign person is a deemed export to the foreign person's most recent country of citizenship or permanent residency.

   (c) The export of an item that will transit through a country or countries to a destination identified in the EAR is deemed to be an export to that destination.

   0

10. Section 734.14 is added to read as follows:

    Sec. 734.14 Reexport.

    (a) Except as set forth in Sec. Sec. 734.18 and 734.20, Reexport means:

    (1) An actual shipment or transmission of an item subject to the EAR from one foreign country to another foreign country, including the sending or taking of an item to or from such countries in any manner;

    (2) Releasing or otherwise transferring ``technology'' or source code subject to the EAR to a foreign person of a country other than the foreign country where the release or transfer takes place (a deemed reexport);

    (3) Transferring by a person outside the United States of registration, control, or ownership of:

    (i) A spacecraft subject to the EAR that is not eligible for reexport under License Exception STA (i.e., spacecraft that provide space-based logistics, assembly or servicing of any spacecraft) to a person in or a national of any other country; or

    (ii) Any other spacecraft subject to the EAR to a person in or a national of a Country Group D:5 country.

    (b) Any release outside of the United States of ``technology'' or source code subject to the EAR to a foreign person of another country is a deemed reexport to the foreign person's most recent country of citizenship or permanent residency, except as described in Sec. 734.20.

    (c) The reexport of an item subject to the EAR that will transit through a country or countries to a destination identified in the EAR is deemed to be a reexport to that destination.

    0

11. Section 734.15 is added to read as follows:

    Sec. 734.15 Release.

    (a) Except as set forth in Sec. 734.18, ``technology'' and ``software'' are ``released'' through:

    (1) Visual or other inspection by a foreign person of items that reveals ``technology'' or source code subject to the EAR to a foreign person; or

    (2) Oral or written exchanges with a foreign person of ``technology'' or source code in the United States or abroad.

    (b) Any act causing the ``release'' of ``technology'' or ``software,'' through use of ``access information'' or otherwise, to yourself or another person requires an authorization to the same extent an authorization would be required to export or reexport such ``technology'' or ``software'' to that person.

    0

12. Section 734.16 is added to read as follows:

    Sec. 734.16 Transfer (in-country).

    Except as set forth in Sec. 734.18(a)(3), a Transfer (in-country) is a change in end use or end user of an item within the same foreign country. Transfer (in-country) is synonymous with In-country transfer.

    0

13. Section 734.17 is added to read as follows:

    Sec. 734.17 Export of encryption source code and object code software.

    (a) For purposes of the EAR, the Export of encryption source code and object code ``software'' means:

    (1) An actual shipment, transfer, or transmission out of the United States (see also paragraph (b) of this section); or

    (2) A transfer of such ``software'' in the United States to an embassy or affiliate of a foreign country.

    (b) The export of encryption source code and object code ``software'' controlled for ``EI'' reasons under ECCN 5D002 on the Commerce Control List (see Supplement No. 1 to part 774 of the EAR) includes:

    (1) Downloading, or causing the downloading of, such ``software'' to locations (including electronic bulletin boards, Internet file transfer protocol, and World Wide Web sites) outside the U.S., or

    (2) Making such ``software'' available for transfer outside the United States, over wire, cable, radio, electromagnetic, photo optical, photoelectric or other comparable communications facilities accessible to persons outside the United States, including transfers from electronic bulletin boards, Internet file transfer protocol and World Wide Web sites, unless the person making the ``software'' available takes precautions adequate to prevent unauthorized transfer of such code. See Sec. 740.13(e) of the EAR for notification requirements for exports or reexports of encryption source code ``software'' considered to be publicly available or published consistent with the provisions of Sec. 734.3(b)(3). Publicly available encryption ``software'' in object code that corresponds to encryption source code made eligible for License Exception TSU under Sec. 740.13(e) of the EAR is not subject to the EAR.

    (c) Subject to the General Prohibitions described in part 736 of the EAR, such precautions for Internet transfers of products eligible for export under Sec. 740.17(b)(2) of the EAR (encryption ``software'' products, certain encryption source code and general purpose encryption toolkits) shall include such measures as:

    (1) The access control system, either through automated means or human intervention, checks the address of every system outside of the U.S. or Canada requesting or receiving a transfer and verifies such systems do not have a domain name or Internet address of a foreign government end-user (e.g., ``.gov,'' ``.gouv,'' ``.mil'' or similar addresses);

    (2) The access control system provides every requesting or receiving party with notice that the transfer includes or would include cryptographic ``software'' subject to export controls under the Export Administration Regulations, and anyone receiving such a transfer cannot export the ``software'' without a license or other authorization; and

    (3) Every party requesting or receiving a transfer of such ``software'' must acknowledge affirmatively that the ``software'' is not intended for use by a government end user, as defined in part 772 of the EAR, and he or she understands the cryptographic ``software'' is subject to export controls under the Export Administration Regulations and anyone receiving the transfer cannot export the ``software'' without a license or other authorization. BIS will consider acknowledgments in electronic form provided they are adequate to assure legal undertakings similar to written acknowledgments.

    0

14. Section 734.18 is added to read as follows:

    Sec. 734.18 Activities that are not exports, reexports, or transfers.

    (a) Activities that are not exports, reexports, or transfers. The following activities are not exports, reexports, or transfers:

    (1) Launching a spacecraft, launch vehicle, payload, or other item into space.

    Page 35605

    (2) Transmitting or otherwise transferring ``technology'' or ``software'' to a person in the United States who is not a foreign person from another person in the United States.

    (3) Transmitting or otherwise making a transfer (in-country) within the same foreign country of ``technology'' or ``software'' between or among only persons who are not ``foreign persons,'' so long as the transmission or transfer does not result in a release to a foreign person or to a person prohibited from receiving the ``technology'' or ``software.''

    (4) Shipping, moving, or transferring items between or among the United States, the District of Columbia, the Commonwealth of Puerto Rico, or the Commonwealth of the Northern Mariana Islands or any territory, dependency, or possession of the United States as listed in Schedule C, Classification Codes and Descriptions for U.S. Export Statistics, issued by the Bureau of the Census.

    (5) Sending, taking, or storing ``technology'' or ``software'' that is:

    (i) Unclassified;

    (ii) Secured using `end-to-end encryption;'

    (iii) Secured using cryptographic modules (hardware or ``software'') compliant with Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by ``software'' implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications, or other equally or more effective cryptographic means; and

    (iv) Not intentionally stored in a country listed in Country Group D:5 (see Supplement No. 1 to part 740 of the EAR) or in the Russian Federation.

    Note to paragraph (a)(4)(iv): Data in-transit via the Internet is not deemed to be stored.

    (b) Definitions. For purposes of this section, End-to-end encryption means (i) the provision of cryptographic protection of data such that the data is not in unencrypted form between an originator (or the originator's in-country security boundary) and an intended recipient (or the recipient's in-country security boundary), and (ii) the means of decryption are not provided to any third party. The originator and the recipient may be the same person.

    (c) Ability to access ``technology'' or ``software'' in encrypted form. The ability to access ``technology'' or ``software'' in encrypted form that satisfies the criteria set forth in paragraph (a)(5) of this section does not constitute the release or export of such ``technology'' or ``software.''

    0

15. Section 734.19 is added to read as follows:

    Sec. 734.19 Transfer of access information.

    To the extent an authorization would be required to transfer ``technology'' or ``software,'' a comparable authorization is required to transfer access information if done with ``knowledge'' that such transfer would result in the release of such ``technology'' or ``software'' without a required authorization.

    0

16. Section 734.20 is added to read as follows:

    Sec. 734.20 Activities that are not deemed reexports.

    The following activities are not deemed reexports (see ``deemed reexport'' definition in Sec. 734.14(b)):

    (a) Authorized Release of ``technology'' or source code. Release of ``technology'' or source code by an entity outside the United States to a foreign person of a country other than the foreign country where the release takes place if:

    (1) The entity is authorized to receive the ``technology'' or source code at issue, whether by a license, license exception, or situation where no license is required under the EAR for such ``technology'' or source code; and

    (2) The entity has ``knowledge'' that the foreign national's most recent country of citizenship or permanent residency is that of a country to which export from the United States of the ``technology'' or source code at issue would be authorized by the EAR either under a license exception or in situations where no license under the EAR would be required.

    (b) Release to Country Group A:5 nationals. Without limiting the scope of paragraph (a), release of ``technology'' or source code by an entity outside the United States to a foreign person of a country other than the foreign country where the release takes place if:

    (1) The entity is authorized to receive the ``technology'' or source code at issue, whether by a license, license exception, or through situations where no license is required under the EAR;

    (2) The foreign person is a bona fide `permanent and regular employee' of the entity and is not a proscribed person (see Sec. 772.1 for definition of proscribed person);

    (3) Such employee is a national exclusively of a country in Country Group A:5; and

    (4) The release of ``technology'' or source code takes place entirely within the physical territory of any such country, or within the United States.

    (c) Release to other than Country Group A:5 nationals. Without limiting the scope of paragraph (a), release of ``technology'' or source code by an entity outside the United States to a foreign person of a country other than the foreign country where the release takes place if:

    (1) The entity is authorized to receive the ``technology'' or source code at issue, whether by a license, license exception, or situations where no license is required under the EAR;

    (2) The foreign person is a bona fide `permanent and regular employee' of the entity and is not a proscribed person (see Sec. 772.1 for definition of proscribed person);

    (3) The release takes place entirely within the physical territory of the country where the entity is located, conducts official business, or operates, or within the United States;

    (4) The entity has effective procedures to prevent diversion to destinations, entities, end users, and end uses contrary to the EAR; and

    (5) Any one of the following six (i.e., paragraphs (c)(5)(i), (ii), (iii), (iv), (v), or (vi) of this section) situations is applicable:

    (i) The foreign person has a security clearance approved by the host nation government of the entity outside the United States;

    (ii) The entity outside the United States:

    (A) Has in place a process to screen the foreign person employee and to have the employee execute a non-disclosure agreement that provides assurances that the employee will not disclose, transfer, or reexport controlled ``technology'' contrary to the EAR;

    (B) Screens the employee for substantive contacts with countries listed in Country Group D:5 (see Supplement No. 1 to part 740 of the EAR). Although nationality does not, in and of itself, prohibit access to ``technology'' or source code subject to the EAR, an employee who has substantive contacts with foreign persons from countries listed in Country Group D:5 shall be presumed to raise a risk of diversion, unless BIS determines otherwise;

    (C) Maintains a technology security or clearance plan that includes procedures for screening employees for such substantive contacts;

    (D) Maintains records of such screenings for the longer of five years or the duration of the individual's employment with the entity; and

    (E) Will make such plans and records available to BIS or its agents for civil

    Page 35606

    and criminal law enforcement purposes upon request;

    (iii) The entity is a U.K. entity implementing Sec. 126.18 of the ITAR (22 CFR 126.18) pursuant to the U.S.-U.K. Exchange of Notes regarding Sec. 126.18 of the ITAR for which the U.K. has provided appropriate implementation guidance;

    (iv) The entity is a Canadian entity implementing Sec. 126.18 of the ITAR pursuant to the U.S.-Canadian Exchange of Letters regarding Sec. 126.18 of the ITAR for which Canada has provided appropriate implementation guidance;

    (v) The entity is an Australian entity implementing the exemption at paragraph 3.7b of the ITAR Agreements Guidelines; or

    (vi) The entity is a Dutch entity implementing the exemption at paragraph 3.7c of the ITAR Agreements Guidelines.

    (d) Definitions--(1) Substantive contacts include regular travel to countries in Country Group D:5; recent or continuing contact with agents, brokers, and nationals of such countries; continued demonstrated allegiance to such countries; maintenance of business relationships with persons from such countries; maintenance of a residence in such countries; receiving salary or other continuing monetary compensation from such countries; or acts otherwise indicating a risk of diversion.

    (2) Permanent and regular employee is an individual who:

    (i) Is permanently (i.e., for not less than a year) employed by an entity, or

    (ii) Is a contract employee who:

    (A) Is in a long-term contractual relationship with the company where the individual works at the entity's facilities or at locations assigned by the entity (such as a remote site or on travel);

    (B) Works under the entity's direction and control such that the company must determine the individual's work schedule and duties;

    (C) Works full time and exclusively for the entity; and

    (D) Executes a nondisclosure certification for the company that he or she will not disclose confidential information received as part of his or her work for the entity.

    Note to paragraph (d)(2): If the contract employee has been seconded to the entity by a staffing agency, then the staffing agency must not have any role in the work the individual performs other than to provide the individual for that work. The staffing agency also must not have access to any controlled ``technology'' or source code other than that authorized by the applicable regulations or a license.

    Supplement No. 1 to Part 734 Removed and Reserved

    0

17. Supplement No. 1 to part 734 is removed and reserved.

    PART 740-- LICENSE EXCEPTIONS

    0

18. The authority citation for part 740 continues to read as follows:

    Authority: 50 U.S.C. 4601 et seq.; 50 U.S.C. 1701 et seq.; 22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 7, 2015, 80 FR 48233 (August 11, 2015).

    0

19. In Sec. 740.9, paragraph (a)(3) is revised to read as follows:

    Sec. 740.9 Temporary imports, exports, reexports, and transfers (in-

    country) (TMP).

    * * * * *

    (a) * * *

    (3) ``Technology,'' regardless of media or format, may be exported, reexported, or transferred (in-country) by or to a U.S. person, or a foreign person employee of a U.S. person traveling or on temporary assignment abroad, subject to the following restrictions:

    (i) Foreign persons may only export, reexport, transfer (in country) or receive such ``technology'' as they are authorized to receive through a license, license exception other than TMP or because no license is required.

    (ii) ``Technology'' exported, reexported, or transferred under this authorization may only be possessed or used by a U.S. person or authorized foreign person. Sufficient security precautions must be taken to prevent the unauthorized release of the ``technology.'' Such security precautions may include encryption of the ``technology,'' the use of secure network connections, such as Virtual Private Networks, the use of passwords or other access restrictions on the electronic device or media on which the ``technology'' is stored, and the use of firewalls and other network security measures to prevent unauthorized access.

    (iii) The individual is an employee of the U.S. Government or is directly employed by a U.S. person and not, e.g., by a foreign subsidiary.

    (iv) ``Technology'' authorized under this exception may not be used for foreign production purposes or for technical assistance unless authorized through a license or license exception other than TMP.

    * * * * *

    PART 750--APPLICATION PROCESSING, ISSUANCE, AND DENIAL

    0

20. The authority citation for 15 CFR part 750 continues to read as follows:

    Authority: 50 U.S.C. 4601 et seq.; 50 U.S.C. 1701 et seq.; Sec 1503, Pub. L. 108-11, 117 Stat. 559; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; E.O. 13637, 78 FR 16129, 3 CFR, 2013 Comp., p. 223; Presidential Determination 2003-23, 68 FR 26459, 3 CFR, 2004 Comp., p. 320; Notice of August 7, 2015, 80 FR 48233 (August 11, 2015).

    0

21. Section 750.7 is amended by revising paragraph (a) to read as follows:

    Sec. 750.7 Issuance of licenses.

    (a) Scope. Unless limited by a condition set out in a license, the export, reexport, or transfer (in-country) authorized by a license is for the item(s), end-use(s), and parties described in the license application and any letters of explanation. The applicant must inform the other parties identified on the license, such as the ultimate consignees and end users, of the license's scope and of the specific conditions applicable to them. BIS grants licenses in reliance on representations the applicant made in or submitted in connection with the license application, letters of explanation, and other documents submitted. A BIS license authorizing the release of ``technology'' to an entity also authorizes the release of the same ``technology'' to the entity's foreign persons who are permanent and regular employees (and who are not proscribed persons) of the entity's facility or facilities authorized on the license, except to the extent a license condition limits or prohibits the release of the ``technology'' to foreign persons of specific countries or country groups.

    * * * * *

    PART 772--DEFINITIONS OF TERMS

    0

22. The authority citation for part 772 continues to read as follows:

    Authority: 50 U.S.C. 4601 et seq.; 50 U.S.C. 1701 et seq.; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 7, 2015, 80 FR 48233 (August 11, 2015).

    0

23. Section 772.1 is amended by:

    0

    1. Adding in alphabetical order a definition for ``Access information'';

       0

    2. Revising the definition of ``Export'';

       0

    3. Adding in alphabetical order definitions for ``Foreign person,'' ``Fundamental research,'' ``Proscribed person,'' and ``Publicly available encryption software'';

       0

    4. Removing the definitions of ``Publicly available information'' and

       Page 35607

       ``Publicly available technology and software'';

       0

    5. Adding in alphabetical order a definition for ``Published'';

       0

    6. Revising the definition of ``Reexport'';

       0

    7. Adding in alphabetical order a definition for ``Release'';

       0

    8. Revising the definition of ``Required'';

       0

    9. Removing the definition of ``Technical data''; and

       0

    10. Revising the definitions of ``Technology,'' and ``Transfer.''

        The revisions and additions read as follows:

        Sec. 772.1 Definitions of terms as used in the Export Administration Regulations (EAR).

        * * * * *

        Access information. Information that allows access to encrypted technology or encrypted software in an unencrypted form. Examples include decryption keys, network access codes, and passwords.

        * * * * *

        Export. See Sec. 734.13 of the EAR.

        * * * * *

        Foreign person. Any natural person who is not a lawful permanent resident of the United States, citizen of the United States, or any other protected individual as defined by 8 U.S.C. 1324b(a)(3). It also means any corporation, business association, partnership, trust, society or any other entity or group that is not incorporated in the United States or organized to do business in the United States, as well as international organizations, foreign governments and any agency or subdivision of a foreign government (e.g., diplomatic mission). ``Foreign person'' is synonymous with ``foreign national,'' as used in the EAR, and ``foreign person'' as used in the International Traffic in Arms Regulations (22 CFR 120.16). This definition does not apply to part 760 of the EAR (Restrictive Trade Practices or Boycotts).

        * * * * *

        Fundamental research. See Sec. 734.8 of the EAR.

        * * * * *

        Proscribed person. A person who is prohibited from receiving the items at issue or participating in a transaction that is subject to the EAR without authorization under the EAR, such as persons on the Entity List or denied persons.

        Publicly available encryption software. See Sec. 740.13(e) of the EAR.

        Published. See Sec. 734.7 of the EAR.

        * * * * *

        Reexport. See Sec. 734.14 of the EAR.

        Release. See Sec. 734.15 of the EAR.

        * * * * *

        Required. (General Technology Note) --As applied to ``technology'' or ``software,'' refers to only that portion of ``technology'' or ``software'' which is peculiarly responsible for achieving or exceeding the controlled performance levels, characteristics or functions. Such ``required'' ``technology'' or ``software'' may be shared by different products. For example, assume product ``X'' is controlled on the CCL if it operates at or above 400 MHz and is not controlled if it operates below 400 MHz. If production technologies ``A,'' ``B,'' and ``C'' allow production at no more than 399 MHz, then technologies ``A,'' ``B,'' and ``C'' are not ``required'' to produce the controlled product ``X''. If technologies ``A,'' ``B,'' ``C,'' ``D,'' and ``E'' are used together, a manufacturer can produce product ``X'' that operates at or above 400 MHz. In this example, technologies ``D'' and ``E'' are peculiarly responsible for making the controlled product and are thus ``required'' technology under the General Technology Note. (See the General Technology Note.)

        Note 1 to the definition of Required: The ITAR and the EAR often divide within each set of regulations or between each set of regulations:

        (a) Controls on parts, components, accessories, attachments, and software; and

        (b) Controls on the end items, systems, equipment, or other items into which those parts, components, accessories, attachments, and software are to be installed or incorporated.

        Note 2 to the definition of Required: The references to ``characteristics'' and ``functions'' are not limited to entries on the CCL that use specific technical parameters to describe the scope of what is controlled. The ``characteristics'' and ``functions'' of an item listed are, absent a specific regulatory definition, a standard dictionary's definition of the item. For example, ECCN 9A610.a controls military aircraft specially designed for a military use that are not enumerated in USML paragraph VIII(a). No performance level is identified in the entry, but the control characteristic of the aircraft is that it is specially designed ``for military use.'' Thus, any technology, regardless of significance, peculiar to making an aircraft ``for military use'' as opposed to, for example, an aircraft controlled under ECCN 9A991.a, would be technical data ``required'' for an aircraft specially designed for military use thus controlled under ECCN 9E610.

        Note 3 to the definition of Required: Unclassified technology not specifically enumerated on the USML is ``subject to the EAR'' if it is ``required'' for the ``development,'' ``production,'' ``use,'' operation, installation, maintenance, repair, overhaul, or refurbishing (or other terms specified in ECCNs on the CCL that control ``technology'') of a commodity or software that is subject to the EAR. Thus, for example, if unclassified technology not specifically enumerated on the USML is ``required'' for the development or production of a 9A610.x aircraft component that is to be integrated or installed in a USML VIII(a) aircraft, then the ``technology'' is controlled under ECCN 9E610, not USML VIII(i). Conversely, technical data directly related to, for example, the development or production of a component subject to the ITAR does not become subject to the EAR merely because it is developed or produced with equipment subject to the EAR.

        * * * * *

        Technology. Technology means:

        Information necessary for the ``development,'' ``production,'' ``use,'' operation, installation, maintenance, repair, overhaul, or refurbishing (or other terms specified in ECCNs on the CCL that control ``technology'') of an item.

        N.B.: Controlled ``technology'' is defined in the General Technology Note and in the Commerce Control List (Supplement No. 1 to part 774 of the EAR).

        Note 1 to definition of Technology: ``Technology'' may be in any tangible or intangible form, such as written or oral communications, blueprints, drawings, photographs, plans, diagrams, models, formulae, tables, engineering designs and specifications, computer-aided design files, manuals or documentation, electronic media or information revealed through visual inspection;

        Note 2 to definition of Technology: The modification of the design of an existing item creates a new item and technology for the modified design is technology for the development or production of the new item.

        * * * * *

        Transfer. A shipment, transmission, or release of items subject to the EAR either within the United States or outside the United States. For In-country transfer/Transfer (in-country), see Sec. 734.16 of the EAR.

        Note to definition of Transfer: This definition of ``transfer'' does not apply to Sec. 750.10 of the EAR or Supplement No. 8 to part 760 of the EAR. The term ``transfer'' may also be included on licenses issued by BIS. In that regard, the changes that can be made to a BIS license are the non-material changes described in Sec. 750.7(c) of the EAR. Any other change to a BIS license without authorization is a violation of the EAR. See Sec. Sec. 750.7(c) and 764.2(e) of the EAR.

        * * * * *

        Page 35608

        Dated: May 23, 2016.

        Kevin J. Wolf,

        Assistant Secretary for Export Administration.

        FR Doc. 2016-12734 Filed 6-2-16; 8:45 am

        BILLING CODE 3510-33-P