Revisions to Definitions in the Export Administration Regulations

Federal Register, Volume 80 Issue 106 (Wednesday, June 3, 2015)

Federal Register Volume 80, Number 106 (Wednesday, June 3, 2015)

Proposed Rules

Pages 31505-31520

From the Federal Register Online via the Government Publishing Office www.gpo.gov

FR Doc No: 2015-12843

=======================================================================

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Bureau of Industry and Security

15 CFR Parts 734, 740, 750, 764, and 772

Docket No. 141016858-5228-01

RIN 0694-AG32

Revisions to Definitions in the Export Administration Regulations

AGENCY: Bureau of Industry and Security, Commerce.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This proposed rule is part of the Administration's Export Control Reform Initiative. The Initiative will enhance U.S. national and economic security, facilitate compliance with export controls, update the controls, and reduce unnecessary regulatory burdens on U.S. exporters. As part of this effort, this rulemaking proposes revisions to the Export Administration Regulations (EAR) to include the definitions of ``technology,'' ``required,'' ``peculiarly responsible,'' ``proscribed person,'' ``published,'' results of ``fundamental research,'' ``export,'' ``reexport,'' ``release,'' ``transfer,'' and ``transfer (in-country)'' to enhance clarity and consistency with terms also found on the International Traffic in Arms Regulations (ITAR), which is administered by the Department of State, Directorate of Defense Trade Controls (DDTC). This rulemaking also proposes amendments to the Scope part of the EAR to update and clarify application of controls to electronically transmitted and stored technology and software. DDTC is concurrently publishing comparable proposed amendments to the ITAR's definitions of ``technical data,'' ``required,'' ``peculiarly responsible,'' ``public domain,'' results of ``fundamental research,'' ``export,'' ``reexport,'' ``release,'' and ``retransfer'' for the same reasons. Finally, this rulemaking proposes conforming changes to related provisions.

DATES: Comments must be received by August 3, 2015.

ADDRESSES: Comments may be submitted to the Federal rulemaking portal (http://www.regulations.gov). The regulations.gov ID for this proposed rule is: BIS-2015-0019. Comments may also be submitted via email to publiccomments@bis.doc.gov or on paper to Regulatory Policy Division, Bureau of Industry and Security, Room 2099B, U.S. Department of Commerce, Washington, DC 20230. Please refer to RIN 0694-AG32 in all comments and in the subject line of email comments. All comments (including any personally identifying information) will be made available for public inspection and copying.

FOR FURTHER INFORMATION CONTACT: Hillary Hess, Director, Regulatory Policy Division, Office of Exporter Services, Bureau of Industry and Security at 202-482-2440 or rpd2@bis.doc.gov.

SUPPLEMENTARY INFORMATION:

Background

This proposed rule is part of the Administration's Export Control Reform (ECR) Initiative. The Initiative will enhance U.S. national and economic security, facilitate compliance with export controls, update the controls, and reduce unnecessary regulatory burdens on U.S. exporters. As part of this effort, this rulemaking proposes revisions to the Export Administration Regulations (EAR) to include the definitions of ``technology,'' ``required,'' ``peculiarly responsible,'' ``proscribed person,'' ``published,'' results of ``fundamental research,'' ``export,'' ``reexport,'' ``release,'' ``transfer,'' and ``transfer (in-country)'' to enhance clarity and ensure consistency with the International Traffic in Arms Regulations (ITAR), which is administered by the Department of State, Directorate of Defense Trade Controls (DDTC). This rulemaking also proposes amendments to the Scope part of the EAR to update and clarify application of controls to electronically transmitted and stored technology and software. The DDTC is concurrently publishing comparable proposed amendments to the ITAR's definitions of ``technical data,'' ``required,'' ``peculiarly responsible,'' ``public domain,'' results of ``fundamental research,'' ``export,'' ``reexport,'' ``release,'' and ``retransfer'' for the same reasons. Finally, this rulemaking proposes conforming changes to related provisions.

One aspect of the ECR Initiative includes amending the export control regulations to facilitate enhanced compliance while reducing unnecessary regulatory burdens. For similar national security, foreign policy, including human rights, reasons, the EAR and the ITAR each control, inter alia, the export, reexport, and in-country transfer of commodities, products or articles, technology, technical data, software, and services to various destinations, end users, and end uses. The two sets of regulations have been issued pursuant to different statutes, have been administered by different agencies with missions that are distinct from one another in certain respects, and have covered different items (or articles). For those reasons, and because each set of regulations has evolved separately over decades without much coordination between the two agencies regarding

Page 31506

their structure and content, they often use different words, or the same words differently, to accomplish similar regulatory objectives.

Many parties are regulated by both the Commerce Department's EAR and the State Department's ITAR, particularly now that regulatory jurisdiction over many types of military items has been transferred from the ITAR to the EAR. Using common terms and common definitions to regulate the same types of items or actions is intended to facilitate enhanced compliance and reduce unnecessary regulatory burdens. Conversely, if different concerns between the two sets of export control regulations warrant different terms or different controls, then the differences should be clear for the same reason. Such clarity will benefit national security because it will be easier for exporters to know how to comply with the regulations and for prosecutors to be able to prosecute violations of the regulations. Such clarity will also enhance our economic security because it will reduce unnecessary regulatory burdens for exporters when attempting to determine the meaning of key words and phrases across similar sets of regulations. Finally, such harmonization and clarification is a necessary step toward accomplishing one of the ultimate objectives of the ECR initiative, which is the creation of a common export control list and common set of export control regulations.

BIS and DDTC have identified a series of similar terms in the EAR and the ITAR that are defined differently and that warrant either harmonization or the creation of similar structures that would identify more clearly the differences in how similar concepts are treated under the EAR and the ITAR. The proposed revisions to these terms are generally not intended to materially increase or decrease their existing scope. In particular, BIS and DDTC will continue to maintain their long-standing positions that ``published'' (or ``public domain'') information and the results of ``fundamental research'' are excluded from the scope of ``technology'' subject to the EAR and the ITAR's ``technical data.'' Rather, the proposed changes are designed to clarify and update BIS policies and practices with respect to the application of the terms and to allow for their structural harmonization with their counterparts in the ITAR.

Harmonizing definitions does not mean making them identical. For example, under the EAR, technology may be ``subject to'' or ``not subject to the EAR.'' Technical data under the ITAR is subject to those regulations by definition. While the two terms have substantial commonality, they remain different terms used in different ways. This rulemaking proposes that, to the extent possible, similar definitions be harmonized both substantively and structurally. Substantive harmonization will mean using the same words for the same concepts across the two sets of regulations. Structural harmonization will mean setting forth similar definitions in a paragraph order that renders their similarities and differences clearly visible. This structural harmonization may require reserving certain paragraphs in an EAR definition if the corresponding paragraph does not exist in the ITAR definition, or vice versa.

A side-by-side comparison on the regulatory text proposed by both Departments is available on both agencies' Web sites: www.pmddtc.state.gov and www.bis.doc.gov.

Scope of the Export Administration Regulations

An interim rule entitled ``Export Administration Regulation; Simplification of Export Administration Regulations'' (61 FR 12714) published March 25, 1996, established part 734, Scope of the Export Administration Regulations. The interim rule stated that part 734 ``establishes the rules for determining whether commodities, software, technology, software, and activities of U.S. and foreign persons are subject to the EAR.'' (61 FR at 12716) This rulemaking proposes to streamline and clarify part 734 while retaining its purpose and scope of control.

Items Subject to the EAR

Section 734.2, currently titled ``Important EAR terms and principles,'' contains two sets of important definitions: A definition and description of ``subject to the EAR,'' and definitions of export, reexport, and a number of associated terms. This rulemaking proposes to retitle the section ``Subject to the EAR,'' retain the definition and description of that term, and create separate sections in part 734 to define ``export,'' ``reexport,'' ``release,'' and ``transfer (in-

country),'' which will be described in greater detail below. This rulemaking proposes to remove current Sec. 734.2(b)(7) regarding the listing of foreign territories and possessions in the Commerce Country Chart (Supplement No. 1 to part 738) because it duplicates current Sec. 738.3(b).

Items Not Subject to the EAR

Section 734.3(a) describes items (i.e., commodities, software, or technology) subject to the EAR. Paragraph (b) describes items that are not subject to the EAR. This rulemaking proposes minor revisions to paragraph (b)(3), which describes software and technology that is not subject to the EAR, to describe more fully educational and patent information that is not subject to the EAR, and to add a note to make explicit that information that is not ``technology'' as defined in the EAR is per se not subject to the EAR. These changes are part of an effort to make more clear throughout the EAR that ``technology'' is a subset of ``information.'' Only information that is within the scope of the definition of ``technology'' is subject to the EAR. If information of any sort is not within the scope of the definition of ``technology,'' then it is not subject to the EAR. This proposed rule makes no changes to the notes to paragraphs (b)(2) and (b)(3) that a printed book or other printed material setting forth encryption source code is not itself subject to the EAR, but that encryption source code in electronic form or media remains subject to the EAR. It also makes no changes to the note that publicly available encryption object code software classified under ECCN 5D002 is not subject to the EAR when the corresponding source code meets the criteria specified in Sec. 740.13(e) of the EAR. (See proposed corresponding revisions to Sec. 120.6(b) of the ITAR.)

Published Technology and Software

Current Sec. 734.7 sets forth that technology and software is ``published'' and thus not subject to the EAR when it becomes generally accessible to the interested public in any form, including through publication, availability at libraries, patents, and distribution or presentation at open gatherings.

This rulemaking proposes a definition of ``published'' with the same scope but a simpler structure. The proposed Sec. 734.7(a) reads: ``Except as set forth in paragraph (b), ``technology'' or ``software'' is ``published'' and is thus not ``technology'' or ``software'' subject to the EAR when it is not classified national security information and has been made available to the public without restrictions upon its further dissemination. This proposed definition is substantially the same as the wording of definitions adopted by the multilateral export control regimes of which the United States is a member: The Wassenaar Arrangement, Nuclear Suppliers Group, Missile Technology Control Regime, and Australia Group. The phrase ``classified national security information'' refers to information that has been classified in accordance with Executive Order 13526, 75 FR 707; 3

Page 31507

CFR 201 Comp., p. 298. The phrasing following the definition quoted above (``such as through'') means that the list that follows consists of representative examples taken from the list of such things that are in both the ITAR and the EAR and merged together. This is not an exhaustive list of published information. Section 734.7(b) keeps certain published encryption software subject to the EAR, a restriction currently found in Sec. 734.7(c). BIS believes that the proposed revised section is easier to read and that the list of examples is easier to update than current text. The relevant restrictions do not include copyright protections or generic property rights in the underlying physical medium. (See proposed corresponding revisions to ``public domain'' in Sec. 120.11 of the ITAR.)

Fundamental Research

The current Sec. 734.8 excludes most information resulting from fundamental research from the scope of the EAR. The section is organized primarily by locus, specifically by the type of organization in which the research takes place. This proposed rule would revise Sec. 734.8, but it is not intended to change the scope of the current Sec. 734.8. The proposed revisions streamline the section by consolidating different provisions that involve the same criteria with respect to prepublication review, removing reference to locus unless it makes a difference to the jurisdictional status, and adding clarifying notes. The proposed revisions also consistently use the description ``arises during or results from fundamental research'' to make clear that technology that arises prior to a final result is subject to the EAR unless it otherwise meets the provisions of Sec. 734.8. Comments regarding whether the streamlined Sec. 734.8 text is narrower or broader in scope than the current text in Sec. 734.8 are encouraged.

Proposed notes clarify that technology initially transferred to researchers, e.g., by sponsors, may be subject to EAR, and that software and commodities are not ``technology resulting from fundamental research.'' Additional notes clarify when technology is ``intended to be published,'' as it must be in order to be not subject to the EAR pursuant to this section.

Issued in 1985, National Security Decision Directive (NSDD)-189 established a definition of ``fundamental research'' that has been incorporated into numerous regulations, internal compliance regimes, and guidance documents. Therefore, in this rulemaking, BIS has proposed a definition of ``fundamental research'' that is identical to that in NSDD-189. However, BIS solicits comment on a simpler definition that is consistent with NSDD-189, but not identical. Specifically, the alternative definition would read: ```Fundamental research' means non-

proprietary research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community.'' BIS believes that the scope of this wording is the same as that of the wording in NSDD-189 and seeks comment on whether the final rule should adopt the simpler wording.

The proposed definition of ``fundamental research'' includes references to ``basic'' and ``applied'' research. For clarity, this rulemaking proposes definitions of those terms. The definition of ``basic research'' in proposed Sec. 734.8 is that currently defined in the EAR (Sec. 772.1), and in the Wassenaar Arrangement's General Technology Note as ``basic scientific research.'' The proposed definition of ``applied research'' was drawn from the Defense Federal Acquisition Regulation Supplement (48 CFR part 31.205-18). A possible alternative definition of applied research is that found in the 2014 Office of Management and Budget Circular A-11: ``Systematic study to gain knowledge or understanding necessary to determine the means by which a recognized and specific need may be met.'' (See proposed corresponding Sec. 120.49 of the ITAR.)

Educational Information

Current Sec. 734.9 states that educational information released by instruction in a catalog course or associated teaching laboratory of an academic institution is not subject to the EAR. This rulemaking proposes moving this exclusion to Sec. 734.3(b) and removing Sec. 734.9. This proposed rule is not intended to change the scope of the current Sec. 734.9.

Patents

This rulemaking proposes to revise current Sec. 734.10, ``Patent applications,'' for clarity. For example, instead of an internal cross-

reference to the section of the EAR identifying items not subject to the EAR the revised section directly states that ``technology'' is not ``subject to the EAR'' if it is contained in the patent-related documents described in the section. For the sake of structural consistency with the ITAR's treatment of information in patents, paragraph (a)(1) is added to state that a patent or an open (published) patent application available from or at any patent office is per se not subject to EAR. The proposed revisions do not, however, change the scope of current Sec. 734.10. The existing footnote to the current Sec. 734.10 is removed because it would be redundant of the proposed text.

Specific National Security Controls

This rulemaking proposes minor conforming edits to current Sec. 734.11, which describes specific national security controls. The proposed revisions do not change the scope of current Sec. 734.11. As described below, this rulemaking proposes to remove Supplement No. 1 to part 734, ``Questions and Answers--Technology and Software Subject to the EAR.'' Questions and answers are illustrative rather than regulatory and are thus more appropriately posted as Web site guidance than published as regulatory text.

Export

In Sec. 734.2(b) of the current EAR, there are definitions of export, export of technology or software, and export of encryption source code and object code software. Section 772.1 also defines ``export'' as follows: ``Export means an actual shipment or transmission of items out of the United States.'' This rulemaking proposes to consolidate the definitions of ``export'' and ``export of technology and software,'' while moving ``export of encryption source code and object code software'' to a new Sec. 734.13.

Proposed Sec. 734.13(a) would have six paragraphs. Paragraphs (a)(4) and (5) would be reserved. The corresponding paragraphs in the ITAR would contain provisions that are not relevant to the EAR.

Proposed paragraph (a)(1) of the definition of ``export'' uses the EAR terms ``actual shipment or transmission out of the United States,'' combined with the existing ITAR ``sending or taking an item outside the United States in any manner.''

Paragraph (a)(2), specifying the concept of transfer or release of technology to a foreign national in the United States, or ``deemed export,'' reflects the long-standing BIS practice of treating software source code as technology for deemed export purposes.

Paragraph (a)(3) includes in the definition of ``export'' transferring by a person in the United States of registration, control, or ownership (i) of a spacecraft subject to the EAR that is not eligible for export under License Exception STA (i.e., spacecraft that provide space-based logistics, assembly or servicing of any spacecraft) to a person in or a national of any other country, or (ii) of any other spacecraft subject to the EAR to a person in or a national of a Country Group D:5 country.

Page 31508

Paragraphs (a)(4) and (a)(5) remain reserved, reflecting placeholders. The ITAR's parallel proposed provisions would control transfers to embassies within the United States and defense services. Neither topic is relevant to the EAR.

Paragraph (a)(6) defines as an export the release or other transfer of the means of access to encrypted data. This is intended to complement the exclusion of certain encrypted data from the definition of export, specified in proposed Sec. 734.18(a)(4) and discussed below. Logically, providing the means to decrypt or otherwise access controlled technology or software that is encrypted should constitute a controlled event to the same extent as releasing or otherwise transferring the unencrypted controlled technology or software itself. Upon transfer of the means of access to encrypted technology or software, the technology or software would acquire the classification and control status of the underlying technology or software, as specified in proposed Sec. 764.2(l). The meaning of ``clear text'' in the proposed definition is no different than an industry standard definition, e.g., information or software that is readable without any additional processing and is not encrypted. Comments are encouraged regarding whether a specific EAR definition of the term is warranted and, if so, what the definition should be.

Paragraph (a)(6) of export and paragraph (a)(4) of reexport in this proposed rule and the DDTC companion proposed rule present different formulations for this control and the agencies request input from the public on which text more clearly describes the control. The agencies intend, however, that the act of providing physical access to unsecured ``technical data'' (subject to the ITAR) will be a controlled event. The mere act of providing physical access to unsecured ``technology'' (subject to the EAR) will not, however, be a controlled event unless it is done with ``knowledge'' that such provision will cause or permit the transfer of controlled ``technology'' in clear text or ``software'' to a foreign national.

This provision is not confined to the transfer of cryptographic keys. It includes release or other transfer of passwords, network access codes, software or any other information that the exporter ``knows'' would result in the unauthorized transfer of controlled technology. As defined in current Sec. 772.1 of the EAR, ``knowledge'' includes not only positive knowledge that a circumstance exists or is substantially certain to occur, but also an awareness of a high probability of its existence or future occurrence.

Paragraph (b) of Sec. 734.13 would retain BIS's deemed export rule as set forth in current Sec. 734.2(b). It would also codify a long-

standing BIS policy that when technology or source code is released to a foreign national, the export is ``deemed'' to occur to that person's most recent country of citizenship or permanent residency. See, e.g., 71 FR 30840 (May 31, 2006).

Paragraph (c) would state that items that will transit through a country or countries or will be transshipped in a country or countries to a new country, or are intended for reexport to the new country are deemed to be destined to the new country. This provision would be moved without change from current Sec. 734.2(b)(6).

(See proposed corresponding revisions to Sec. 120.17 of the ITAR.)

Reexport

The current definitions of reexport and reexport of technology or software in Sec. 734.2(b) are shipment or transmission of items from one foreign country to another foreign country, and release of technology or source code to a foreign national ``of another country.'' This rulemaking proposes to move the definition of ``reexports'' to new Sec. 734.14. In general, the provisions of the proposed definition of reexport parallel those of the proposed definition of export discussed above, except that reexports occur outside of the United States. Paragraphs (a)(1) and (a)(2) mirror the current definition but divide it into two paragraphs so that one paragraph pertains to actual reexports and another paragraph is specific to deemed reexports. Paragraph (a)(3) expands on the existing reference to transfer of registration or operational control over satellites in the definition of reexport in Sec. 772.1 to include transferring by a person outside the United States of registration, control, or ownership (i) of a spacecraft subject to the EAR that is not eligible for reexport under License Exception STA (i.e., spacecraft that provide space-based logistics, assembly or servicing of any spacecraft) to a person in or a national of any other country, or (ii) of any other spacecraft subject to the EAR to a person in or a national of a Country Group D:5 country. Paragraph (a)(4) mirrors the proposed addition in the definition of ``export'' of the concept that releasing or otherwise transferring, in this case, outside the United States, the means to transfer to a foreign national controlled technology or software in readable form constitutes a ``reexport.'' (See proposed corresponding Sec. 120.19 of the ITAR.)

Release

This provision changes the existing definition of ``release'' in Sec. 734.2(b)(3) and adds it to new Sec. 734.15. Notably, while existing text provides that ``visual inspection'' by itself constitutes a release of technical data or source code, the proposed text provides that such inspection (including other types of inspection in addition to visual, such as aural or tactile) must actually reveal controlled technology or source code. Thus, for example, merely seeing an item briefly is not necessarily sufficient to constitute a release of the technology required, for example, to develop or produce it. This rulemaking proposes adding ``written'' to current ``oral exchanges'' as a means of release.

The proposed text also clarifies that the application of ``technology'' and ``software'' is a ``release'' in situations where U.S. persons abroad use personal knowledge or technical experience acquired in the United States in a manner that reveals technology or software to foreign nationals. This clarification makes explicit a long-standing EAR interpretation. This provision complements proposed new Sec. 120.9(a)(5) of the ITAR, which would include in the definition of ``defense service'' the furnishing of assistance (including training) to the government of a country listed in Sec. 126.1 of the ITAR in the development, production, operation, installation, maintenance, repair, overhaul or refurbishing of a defense article or a part, component, accessory or attachment specially designed for a defense article. The proposed definition does not use the existing phrase ``visual inspection by foreign nationals of U.S.-

origin equipment and facilities'' because such inspections do not per se release ``technology.'' For example, merely seeing equipment does not necessarily mean that the seer is able to glean any technology from it and, in any event, not all visible information pertaining to equipment is necessarily ``technology'' subject to the EAR. (See proposed corresponding Sec. 120.50 of the ITAR.)

Transfer (In-Country)

The current definition of transfer (in-country) is the ``shipment, transmission, or release of items subject to the EAR from one person to another person that occurs outside the United States within a single foreign country'' (Sec. 772.1). There is no difference between this phrase and the phrase ``in-country transfer'' that is used in the EAR. Variations in the use of the term will be harmonized over time.

Page 31509

This proposed rule would remove the definition from Sec. 772.1 and add a revised definition to new Sec. 734.16. This rulemaking proposes: ``a transfer (in-country) is a change in end use or end user of an item within the same foreign country.'' This revision eliminates any potential ambiguity regarding whether a change in end use or end user within a foreign country is or is not a ``transfer (in-country).'' This new text would parallel the term ``retransfer'' in the ITAR. (See proposed corresponding definition of retransfer in Sec. 120.51 of the ITAR.)

Export of Encryption Source Code and Object Code Software

Proposed new Sec. 734.17, export of encryption source code and object code software, would retain the text of Sec. 734.2(b)(9). It would be moved to this section with only minor conforming and clarifying edits so that it is under the section of the regulations that would define when such an ``export'' occurs rather than under the existing ``important EAR terms and principles.'' Describing when an export occurs in the ``export of encryption source code and object code software'' section of the regulations is more clear than under a general ``important EAR terms and principles'' heading.

Activities That Are Not Exports, Reexports, or Transfers

Proposed new Sec. 734.18 gathers existing EAR exclusions from exports, reexports, and transfers into a single provision, and includes an important new provision pertaining to encrypted technology and software.

Paragraph (a)(1) reflects that by statute, launching a spacecraft, launch vehicle, payload, or other item into space is not an export. See 51 U.S.C. 50919(f).

Paragraph (a)(2), based on existing text in Sec. 734.2(b)(2)(ii), would state that the release in the United States of technology or software to U.S. nationals, permanent residents, or protected individuals is not an export.

Paragraph (a)(3) would move from current Sec. 734.2(b)(8) text stating that shipments between or among the states or possessions of the United States are not ``exports'' or ``reexports.'' The word ``moving'' and `transferring'' were inserted next to ``shipment'' in order to avoid suggesting that the only way movement between or among the states or possessions would not be a controlled event was if they were ``shipped.''

Paragraph (a)(4) establishes a specific carve-out from the definition of ``export'' the transfer of technology and software that is encrypted in a manner described in the proposed section. Encrypted information--i.e., information that is not in ``clear text''--is not readable, and is therefore useless to unauthorized parties unless and until it is decrypted. As a result, its transfer in encrypted form consistent with the requirements of paragraph (a)(4) poses no threat to national security or other reasons for control and does not constitute an ``actual'' transmission of ``technology'' or ``software.'' Currently, neither the EAR nor the ITAR makes any distinction between encrypted and unencrypted transfers of technology or software for control or definitional purposes.

This section specifies the conditions under which this part of the definition would apply. An important requirement is that the technology or software be encrypted ``end-to-end,'' a phrase that is defined in paragraph (b). The intent of this requirement is that relevant technology or software is encrypted by the originator and remains encrypted (and thus not readable) until it is decrypted by its intended recipient. Such technology or software would remain encrypted at every point in transit or in storage after it was encrypted by the originator until it was decrypted by the recipient.

BIS understands that end-to-end encryption is not used in all commercial situations, particularly when encryption is provided by third party digital service providers such as cloud SaaS (software as a service) providers and some email services. However, in many such situations, technology or software may be encrypted and decrypted many times before it is finally decrypted and read by the intended recipient. At these points, it is in clear text and is vulnerable to unauthorized release. BIS considered this an unacceptable risk and therefore specified the use of end-to-end encryption as part of the proposed definition. A key requirement of the end-to-end provision is to ensure that no non-US national employee of a domestic cloud service provider or foreign digital third party or cloud service provider can get access to controlled technology or software in unencrypted form.

Paragraph (a)(4)(iii) describes encryption standards for purposes of the definition. In this proposed rule, use of encryption modules certified under the Federal Information Processing Standard 140-2 (FIPS 140-2), supplemented by appropriate software implementation, cryptographic key management and other procedures or controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications, would qualify as sufficient security. FIPS 140-2 is a well understood cryptographic standard used for Federal Government procurement in the United States and Canada, as well as for many other uses, both in the United States and abroad. However, BIS understands that companies may use hardware and software that has not been certified by NIST or that does not conform to NIST guidelines (e.g., for internal use or conforming to other standards). To accommodate this, this paragraph allows for use of ``similarly effective cryptographic means,'' meaning that alternative approaches are allowable provided that they work. In such cases, the exporter is responsible for ensuring that they work. In contrast, the corresponding definition proposed by DDTC makes FIPS 140-2 conformity a baseline requirement. Hardware and software modules must be certified by NIST, and NIST key management and other implementation standards must be used. Alternatives are not permitted regardless of effectiveness.

This paragraph also specifically excludes from the definition technology and software stored in countries in Country Group D:5 and Russia for foreign policy reasons in light of the embargoes and policies of presumptive denial now in place with respect to such countries.

Logically, providing keys or other information that would allow access to encrypted technology or software should be subject to the same type of controls as the actual export, reexport, or transfer of the technology or software itself. This is specifically addressed in the proposed Sec. 734.13(a)(6) as part of the definition of ``export.'' In addition, the proposed Sec. 764.2(1) states that for enforcement purposes such an unauthorized release will constitute a violation to the same extent as a violation in connection with the actual export, reexport, or transfer (in-country) of the underlying ``technology'' or ``software.''

Paragraph (c) confirms that the mere ability to access ``technology'' or ``software'' while it is encrypted in a manner that satisfies the requirements in the section does not constitute the release or export of such ``technology'' or ``software.'' This responds to a common industry question on the issue. (See proposed corresponding Sec. 120.52 of the ITAR.)

Activities That Are Not Deemed Reexports

Proposed Sec. 734.20, activities that are not deemed reexports, merely codifies

Page 31510

BIS's interagency-cleared Deemed Reexport Guidance posted on the BIS Web site dated October 31, 2013. This guidance was created so that the provisions regarding possible deemed reexports contained in Sec. Sec. 124.16 and 126.18 of the ITAR would be available for EAR technology and source code.

Under this guidance and new Sec. 734.20, release of technology or source code by an entity outside the United States to a foreign national of a country other than the foreign country where the release takes place does not constitute a deemed reexport of such technology or source code if the entity is authorized to receive the technology or source code at issue, whether by a license, license exception, or situations where no license is required under the EAR for such technology or source code and the foreign national's most recent country of citizenship or permanent residency is that of a country to which export from the United States of the technology or source code at issue would be authorized by the EAR either under a license exception, or in situations where no license under the EAR would be required.

Release of technology or source code by an entity outside the United States to a foreign national of a country other than the foreign country where the release takes place does not constitute a deemed reexport if: (i) The entity is authorized to receive the technology or source code at issue, whether by a license, license exception, or through situations where no license is required under the EAR; (ii) the foreign national is a bona fide regular and permanent employee (who is not a proscribed person under U.S. law) directly employed by the entity; (iii) such employee is a national exclusively of a country in Country Group A:5; and (iv) the release of technology or source code takes place entirely within the physical territory of any such country. This rulemaking also proposes a definition of ``proscribed person'' in Sec. 772.1.

This paragraph corresponds to Sec. 124.16 of the ITAR, but the reference to Country Group A:5 instead of the countries in the corresponding ITAR section varies slightly. This variation is a function of BIS's national security and foreign policy assessment of the application of this proposed rule to the nationals of Country Group A:5 and as part of a general BIS effort to reduce the number of variations in groups of countries identified in the EAR consistent with U.S. national security and foreign policy interests. South Korea and Argentina are in Country Group A:5, but not in ITAR Sec. 124.16. Malta, Albania, and Cyprus are in Sec. 124.16, but not in Country Group A:5.

For nationals other than those of Country Group A:5 countries, which are close military allies of the United States, other criteria may apply. In particular, the section specifies the situations in which the releases would not constitute deemed exports in a manner consistent with Sec. 126.18 of the ITAR. An additional paragraph on scope of technology licenses included in the Web site would not be included in this proposed Sec. 734.20. It would be included in proposed Sec. 750.7, discussed below. For purposes of this section, ``substantive contacts'' would have the same meaning as it has in Sec. 126.18 of the ITAR. The proposed phrase ``permanent and regular employee'' is a combination of BIS's definition of ``permanent employee,'' as set forth in a BIS advisory opinion issued on November 19, 2007, and the ITAR's definition of ``regular employee'' in Sec. 120.39. This proposed rule adds specific text excluding persons proscribed under U.S. law to make clear that Sec. 734.20 does not authorize release of technology to persons proscribed under U.S. law, such as those on the Entity List or the Specially Designated Nationals List, or persons denied export privileges, and defines ``proscribed person'' in Sec. 772.1. The US-UK Exchange of Notes and US-Canadian Exchange of Letters referred to in the existing online guidance can be found on the State Department's Web site. The URL's for the letter are not proposed to be published in the EAR since URL addresses periodically change. Upon implementation of a final rule in this regard, BIS will place the URL references in an ``FAQ'' section of its Web site.

Technology

Like the current definition of ``technology'' in the EAR (Sec. 772.1), the definition proposed in this rulemaking is based on the Wassenaar Arrangement definition of technology. It continues to rest on the Wassenaar-defined sub-definitions of ``development,'' ``production,'' and ``use,'' which are currently defined in Sec. 772.1 and which this rulemaking does not propose to change. This rulemaking also does not propose to change BIS's long-standing policy that all six activities in the definition of ``use'' (operation, installation (including on-site installation), maintenance (checking), repair, overhaul and refurbishing) must be present for an item to be classified under an ECCN paragraph that uses ``use'' to describe the ''technology'' controlled. See 71 FR 30842, May 31, 2006. The proposed definition includes, as does the current EAR definition, the terms ``operation, installation, maintenance, repair, overhaul, or refurbishing (or other terms specified in ECCNs on the CCL that control `technology') of an item'' because such words are used as to describe technology controlled in multiple ECCNs, often with ``or'' rather than the ``and'' found in ``use.''

This rulemaking proposes to incorporate the definitions of ``technical data'' and ``technical assistance'' into the definition of ``technology'' as illustrative lists. The note in the existing definition of ``technology'' that ``technical assistance'' ``may take the forms such as instruction, skills training, working knowledge, and consulting services'' is not repeated given that the proposed definition and its examples would include any ``technology'' in such circumstances and in a manner that is harmonized with the ITAR's definition of technical data.

This rulemaking proposes to add a note to address a common industry question about modification. This proposed rule also would add three exclusions to clarify the limits of the scope of the definition in a manner consistent with long-standing BIS policy and interpretation of existing scope of ``technology.'' The first two insertions parallel exclusions in the ITAR and the third, the exclusion of telemetry data, mirrors specific exclusions inserted into both the ITAR and the EAR as part of recent changes regarding the scope of U.S. export controls pertaining to satellites and related items. See 79 FR 27417 (May 13, 2014). Several paragraphs of this section are held in reserve merely to allow the entire section to mirror the corresponding ITAR provisions that are not relevant to the EAR. (See proposed corresponding revisions to Sec. 120.10 of the ITAR.)

Questions and Answers--Technology and Software Subject to the EAR

This rulemaking proposes to remove Supplement No. 1 to part 734, ``Questions and Answers--Technology and Software Subject to the EAR.'' Because the questions and answers are illustrative rather than regulatory, they are more appropriately posted as Web site guidance than included in the EAR.

Required

This proposed rule retains the existing EAR definition of ``required'' in Sec. 772.1, but proposes adding notes clarifying the application of the term. It removes the references in the existing definition to CCL Categories 4, 5, 6, and 9 to avoid the suggestion that BIS

Page 31511

applies the definition of ``required'' only to the uses of the term in these categories. BIS has never had a separate definition of ``required'' used elsewhere in the EAR and this removal merely eliminates a potential ambiguity and reflects long-standing BIS policy.

To address common questions BIS has received regarding the meaning of the word ``required,'' BIS proposes adding two notes to address the questions. The first states that the references to ``characteristics'' and ``functions'' are not limited to entries on the CCL that use specific technical parameters to describe the scope of what is controlled. The ``characteristics'' and ``functions'' of an item listed are, absent a specific regulatory definition, a standard dictionary's definition of the item. It then includes examples of this point. The second refers to the fact that the ITAR and the EAR often divide within each set of regulations or between each set of regulations (a) controls on parts, components, accessories, attachments, and software and (b) controls on the end items, systems, equipment, or other articles into which those parts, components, accessories, attachments, and software are to be installed or incorporated. Moreover, with the exception of technical data specifically enumerated on the USML, the jurisdictional status of unclassified technical data or ``technology'' is the same as the jurisdictional status of the defense article or item to which it is directly related. Examples of this point are provided. (See proposed corresponding revisions to Sec. 120.46 of the ITAR.)

Peculiarly Responsible

This rulemaking proposes a definition of the currently undefined term ``peculiarly responsible'' in order to respond to common industry questions. The new definition would be modeled on the catch-and-release structure BIS adopted for the definition of ``specially designed.'' Thus, under the proposed definition, an item is ``peculiarly responsible'' for achieving or exceeding any referenced controlled performance levels, characteristics, or functions if it is used in ``development,'' ``production,'' ``use,'' operation, installation, maintenance, repair, overhaul, or refurbishing of an item subject to the EAR unless (a) the Department of Commerce has determined otherwise in a commodity classification determination, (b) it is identical to information used in or with a commodity or software that is or was in production and is EAR99 or described in an ECCN controlled only for Anti-Terrorism (AT) reasons, (c) it was or is being developed for use in or with general purpose commodities or software, or (d) it was or is being developed with ``knowledge'' that it would be for use in or with commodities or software described (i) in an ECCN controlled for AT-only reasons and also EAR99 commodities or software or (ii) exclusively for use in or with EAR99 commodities or software.

Export of Technical Data for U.S. Persons Abroad

This rulemaking proposes to amend the temporary export of technology provisions of existing License Exception TMP by revising Sec. 740.9(a)(3) to clarify that the ``U.S. employer'' and ``U.S. persons or their employees'' using this license exception are not foreign subsidiaries. The proposed paragraph streamlines current text without changing the scope. (See proposed corresponding revisions to Sec. 125.4(b)(9) of the ITAR.)

Scope of a License

This proposed revision would implement in the EAR the interagency-

agreed boilerplate for all licenses that was posted on the BIS Web site and began appearing on licenses December 8, 2014. It is a slight revision to the existing Sec. 750.7(a), which states that licenses authorize only the transaction(s) described in the license application and the license application support documents. This proposed revision would also codify the existing interpretation that a license authorizing the release of technology to an entity also authorizes the release of the same technology to the entity's foreign nationals who are permanent and regular employees of the entity's facility or facilities authorized on the license, except to the extent a license condition limits or prohibits the release of the technology to nationals of specific countries or country groups.

Release of Protected Information

This rulemaking proposes adding a new paragraph (l) to Sec. 764.2 ``Violations.'' This paragraph would provide that the unauthorized release of decryption keys or other information that would allow access to particular controlled technology or software would, for enforcement purposes, constitute a violation to the same extent as a violation in connection with the export of the underlying controlled ``technology'' or ``software.'' Under these and other related provisions, the decryption keys (or other technology), while subject to the EAR, do not themselves retain the classification of the technology that they could potentially release. This allows them to be secured and transmitted independently of the technology they could be used to release. (See proposed corresponding revisions to Sec. 127.1(b)(4) of the ITAR.)

Removals From and Additions to EAR's List of Definitions in Sec. 772.1

With the changes proposed in this rulemaking, there would be stand-

alone sections in the EAR to address the scope and meaning of ``publicly available information,'' ``publicly available technology and software,'' and ``technical data.'' To avoid redundancy, the existing definitions in Sec. 772.1 would be removed. In light of the changes described above, the definitions of ``basic scientific research,'' ``export,'' ``reexport,'' ``required,'' ``technology,'' and ``transfer'' would be revised accordingly. A clarifying note would be added at the bottom of the definition that the use of ``transfer'' does not apply to the unrelated ``transfers of licenses'' provision in Sec. 750.10 or the antiboycott provisions in Supplement No. 8 to part 760 of the EAR. It also states that the term ``transfer'' may also be included on licenses issued by BIS. In that regard, the changes that can be made to a BIS license are the non-material changes described in Sec. 750.7(c). Any other change to a BIS license without authorization is a violation of the EAR. See Sec. Sec. 750.7(c) and 764.2(e). Finally, consistent with the explanations above, definitions for the terms ``applied research,'' ``fundamental research,'' ``peculiarly responsible,'' ``publicly available encryption software,'' ``published,'' and ``release'' would be added to Sec. 772.1.

Public Comments

BIS welcomes comments on any aspects of this proposed rule. With respect to the proposed revisions, BIS would like to receive comments that are as specific and well-supported as possible. Particularly helpful comments will include a description of a problem or concern, available data on cost or economic impact, and a proposed solution. BIS also welcomes comments on aspects of this proposed rule that the public considers effective or well designed.

BIS specifically solicits comment on the following issues:

1. Whether the revisions proposed in this rulemaking create gaps, overlaps, or contradictions between the EAR and the ITAR, or among various provisions within the EAR;

2. Whether the alternative definition of fundamental research suggested in the preamble should be adopted;

   Page 31512

3. Whether the alternative definition of applied research suggested in the preamble should be adopted, or whether basic and applied research definitions are needed given that they are subsumed by fundamental research;

4. Whether the questions and answers in existing Supplement No. 1 to part 734 proposed to be removed by this rulemaking have criteria that should be retained in part 734;

5. With respect to end-to-end encryption described in the proposed revision of the definition of ``Activities that are Not Exports, Reexports, or Transfers,'' whether the illustrative standard proposed in the EAR rulemaking also should be adopted in the ITAR rulemaking; whether the safe harbor standard proposed in the ITAR rulemaking also should be adopted in the EAR rulemaking; or whether the two bodies of regulations should have different standards;

6. Whether encryption standards adequately address data storage and transmission issues with respect to export controls; and

7. Whether the proposed definition of ``peculiarly responsible'' effectively explains how items may be ``required'' or ``specially designed'' for particular functions.

8. The public is asked to comment on the effective date of the final rule. Export Control Reform rules that revised categories of the USML and created new 600 series ECCNs have had a six-month delayed effective date to allow for exporters to update the classification of their items. In general, rules effecting export controls have been effective on the date of publication, due to the impact on national security and foreign policy. As this proposed rule, and the companion proposed rule from the Directorate of Defense Trade Controls, revise definitions within the ITAR and the EAR and do not make any changes to the USML or CCL, a 30-day delayed effective date is proposed to allow exporters to ensure continued compliance.

   Export Administration Act

   Although the Export Administration Act expired on August 20, 2001, the President, through Executive Order 13222 of August 17, 2001, 3 CFR, 2001 Comp., p. 783 (2002), as amended by Executive Order 13637 of March 8, 2013, 78 FR 16129 (March 13, 2013) and as extended by the Notice of August 7, 2014, 79 FR 46959 (August 11, 2014), has continued the Export Administration Regulations in effect under the International Emergency Economic Powers Act. BIS continues to carry out the provisions of the Export Administration Act, as appropriate and to the extent permitted by law, pursuant to Executive Order 13222 as amended by Executive Order 13637.

   Regulatory Requirements

1. Executive Orders 13563 and 12866 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distribute impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This proposed rule has been designated a ``significant regulatory action,'' although not economically significant, under section 3(f) of Executive Order 12866. Accordingly, this proposed rule has been reviewed by the Office of Management and Budget (OMB).

2. This proposed rule does not contain information collections subject to the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA). Notwithstanding any other provision of law, no person is required to respond to, nor is subject to a penalty for failure to comply with, a collection of information, subject to the requirements of the PRA, unless that collection of information displays a currently valid OMB control number.

3. This proposed rule does not contain policies with Federalism implications as that term is defined under E.O. 13132.

4. Pursuant to the Regulatory Flexibility Act, as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, 5 U.S.C. 601 et seq., BIS has prepared the following initial Regulatory Flexibility Act analysis of the potential impact that this proposed rule, if adopted, would have on small entities.

   Description of the Reasons Why Action Is Being Considered

   The policy reasons for issuing this proposed rule are discussed in the background section of the preamble of this document, and are not repeated here.

   Statement of the Objectives of, and Legal Basis for, the Proposed Rule; Identification of All Relevant Federal Rules Which May Duplicate, Overlap, or Conflict With the Proposed Rule

   The objective of this proposed rule (and a proposed rule being published simultaneously by the Department of State) is to provide greater clarity and precision in the EAR and the ITAR by providing common definitions and common terms to regulate the same types of actions. The proposed rule also seeks to express some concepts more clearly.

   The proposed rule would alter definitions in the EAR. It also would update and clarify application of controls to electronically transmitted technology and software.

   The legal basis for this proposed rule is 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 61 FR 54079, 3 CFR, 1996 Comp., p. 219; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; E.O. 13637 of March 8, 2013, 78 FR 16129 (March 13, 2013); Notice of August 7, 2014, 79 FR 46959 (August 11, 2014); Notice of November 7, 2014, 79 FR 67035 (November 12, 2014).

   No other Federal rules duplicate, overlap, or conflict with this proposed rule.

   Number and Description of Small Entities Regulated by the Proposed Action

   This proposed rule would apply to all persons engaged in the export, reexport, or transfer of commodities, technology or software that is regulated by the EAR. BIS does not maintain data from which it can determine how many of those persons are small entities as identified in the Small Business Administration size standards. Nevertheless, BIS recognizes that some of those persons are likely to be small entities.

   Description of the Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Proposed Rule

   This proposed rule is unlikely to increase the number of transactions that must be reported to BIS because EAR reporting requirements apply only in five specific situations, none of which would change as a result of this proposed rule. Those situations are: Exports that do not require a license of items on the Wassenaar Arrangement Sensitive List; Exports of High Performance Computers; Exports of certain thermal imaging cameras that do not require a license; Certain exports of Conventional Arms; and 600 series major defense equipment.

   Because recordkeeping requirements already apply to all transactions that are subject to the EAR, BIS expects that this proposed rule would not expand recordkeeping requirements.

   It is possible that some of these changes would increase the number of

   Page 31513

   licenses that some small entities would have to seek from BIS although BIS is not aware of any specific instance in which additional licenses would be required.

   The following discussion describes the changes that would be made by this proposed rule. It is divided into two sections: Changes that BIS believes would not impose any new regulatory obligations; and Changes that are not intended to imposed any new regulatory obligation, but that BIS cannot state with certainty would not do so.

   Changes That BIS Believes Would Not Impose Any New Regulatory Burden

   This proposed rule would make certain changes to clarify and streamline the definitions of comparable terms, phrases, and concepts between the EAR and the ITAR. Many of these changes are technical in nature and attempt to consolidate and re-phrase the definitions to enhance readability and to parallel the structure of the ITAR's definition of the same term. However, there are a small number of new provisions, but these changes would not impose any new regulatory burdens. Specifically, this proposed rule would make the following changes:

   Remove Sec. 734.2(b) which currently defines export, reexport, release, transfer (in country) and export of encryption source code or object code software, because those terms would be defined in separate sections. Section 734.2(b) also states the policy of applying license requirements that apply to a country to its dependencies and possessions; this policy is currently stated elsewhere in the EAR.

   Create new separate sections defining export, reexport, release and export of encryption source code or object code software. Those terms would be clarified and presented in a more organized manner, but substantively unchanged from the existing regulatory text.

   Create a new section identifying activities that are not exports, reexports, or transfers. This section restates the transactions that are excluded from the definition of export in current regulatory text and adds two additional activities that would be expressly declared not to be exports, rexports or transfers: space launches and sending, taking or storing certain technology or software abroad using specified cryptographic techniques. The former, although not expressly in the current regulatory text, is required by statute (see 51 U.S.C. 50919(f)) and consistent with current BIS practice of not treating a space launch as an export, reexport or transfer. The latter is, in fact, new. However, by removing the transactions it describes from the definitions of exports, reexports, or transfers, it removes existing license requirements from those transactions.

   Clarify without substantively changing the provisions related to patent applications and add specific text stating that technology contained in a patent available from or at any patent office is not subject to the EAR. The addition reflects BIS' long-standing interpretation. To the extent that it could be characterized as new, its only effect would be to appear to release from the EAR technology that some readers of the EAR might have (erroneously) concluded was subject to the EAR.

   Add to License Exception TMP text to emphasize that foreign subsidiaries of U.S. companies are neither U.S. employers nor ``U.S. persons or their employees'' as those terms are used in the license exception. This additional text adds no restriction that is not already imposed by the definition of ``U.S. persons'' that currently appears in the text of License Exception TMP.

   Add text codifying in the EAR limits on transactions authorized by a license that currently are imposed by conditions on the license itself.

   Add text prohibiting the release or other transfer of information (e.g., decryption keys, passwords or access codes) with knowledge that such release or other transfer will result in an unauthorized export, reexport or transfer of other technology or software. This addition provides specific grounds for bringing charges with respect to one particular type of misconduct. However, existing EAR provisions, including the prohibition on causing, aiding or abetting a violation of the EAR or license, authorization or order could be used to bring charges for that same type of misconduct.

   Changes That Are Not Intended To Impose Any Regulatory Obligation, but That BIS Cannot State With Certainty Would Not Do So

   This proposed rule would add definitions for two new terms ``applied research,'' and ``peculiarly responsible'' and revise the definitions of two existing terms ``required'' and ``transfer (in-

   country).'' It also would adopt BIS' interpretative guidance regarding deemed reexports as regulatory text. These changes are not intended to impose any regulatory obligations on regulated entities, but BIS cannot state with certainty that there will be no impact. This proposed rule would make the following changes:

   Add to the existing definition of ``fundamental research'' a new definition of ``applied research.'' The information arising from fundamental research is not subject to the EAR. Fundamental research consists of basic and applied research where the results are ordinarily published and shared broadly within the scientific community. This proposed rule would retain the overall concept of fundamental research that is currently in the EAR, but would remove certain limitations based on the type of institution in which the research takes place, relocate the definition of ``basic research'' from the definitions section of the EAR to the section dealing with fundamental research and provide a definition of applied research.

   Add to the EAR a definition of the term ``peculiarly responsible.'' That currently undefined term appears in the definitions of ``specially designed'' and of ``required'' in the EAR. This proposed rule would define that term.

   Add to the EAR a definition of ``proscribed person.'' This definition does not create any new regulated class. It simply provides a clear, shorthand reference to a person who is already prohibited from receiving items or participating in a transaction that is subject to the EAR without authorization by virtue of U.S. law, such as persons on the Entity List, Specially Designated Nationals, or debarred parties.

   Remove from the definition of the term ``required'' references to CCL Categories 4, 5, 6 and 9 to accurately reflect BIS' long-standing interpretation that its definition applies wherever the EAR imposes a license requirement for technology ``required'' for a particular process or activity.

   In the definition of ``transfer (in-country),'' replace the phrase ``shipment, transmission, or release of items subject to the EAR from one person to another person that occurs outside the United States within a single foreign country'' with ``a change in end use or end user of an item within the same foreign country.'' This new text would parallel the term ``retransfer'' in the ITAR and would eliminate any potential ambiguity that a change in end use or end user within a foreign country is or is not a ``transfer (in-country).''

   Each of the foregoing changes would serve the overall policy goals of reducing uncertainty and harmonizing the requirements of the ITAR and the EAR. In most instances, reduced uncertainty will be beneficial to persons who have to comply with the regulations, particularly persons who engage in transactions subject to both sets of regulations. They would be able to make decisions more quickly and

   Page 31514

   have less need to contact BIS for advice. Additionally, by making these terms more explicit, the possibility of their being interpreted contrary to BIS' intent is reduced. Such contrary interpretations would have three undesirable effects. First, they would undermine the national security and foreign policy objectives that the EAR are intended to implement. Second, persons who are interpreting the regulations in a less restrictive manner than BIS intends may seek fewer licenses from BIS than their competitors who are interpreting the regulations consistent with BIS' intent or who are obtaining advice from BIS, thereby gaining a commercial advantage to the detriment of the relevant national security or foreign policy interests. Third, unnecessary regulatory complexity and unnecessary differences between the terminology of the ITAR and that of the EAR could discourage small entities from even attempting to export. The beneficial effects of making these terms more explicit justify any economic impact that might be incurred by small entities that would have to change their conduct because their contrary interpretations could no longer be defended given the clearer and more explicit terms in the regulations.

   This proposed rule also would add to the EAR a description of activities that are not deemed reexports. This description currently appears as interpretative guidance on BIS' Web site and closely tracks the regulatory text of the ITAR. Deemed reexports are releases of technology or software source code within a single foreign country by a party located outside the United States to a national of a country other than the country in which the releasing party is located. The guidance describes three situations in which that party may release the technology or source code without obtaining a license from BIS.

   By adopting this guidance as regulatory text that closely tracks the text governing the same activities in the ITAR, BIS reduces both complexity and unnecessary differences between the two sets of regulations with the salutary effects of faster decision making, reduced need to contact BIS for advice and reduced possibility that small entities would be discouraged from exporting as noted above.

   Description of Any Significant Alternatives to the Proposed Rule That Accomplish the Stated Objectives of Applicable Statutes and That Minimize Any Significant Economic Impact of the Proposed Rule on Small Entities

   As required by 5 U.S.C. 603(c), BIS' analysis considered significant alternatives. Those alternatives are: (1) The preferred alternative of altering definitions and updating and clarifying application of controls to electronically transmitted technology and software; (2) Maintaining the status quo and not revising the definitions or updating and clarifying application of controls to electronically transmitted technology and software; and (3) Establishing a size threshold below which entities would not be subject to the changes proposed by this rulemaking.

   By altering definitions and updating and clarifying application of controls to electronically transmitted technology and software as this proposed rule would do, BIS would be reducing uncertainty for all parties engaged in transactions that are subject to the EAR. Potential ambiguities would be reduced; decisions could be made more quickly; the need to contact BIS for advice be reduced; and the possibility of inconsistent interpretations providing one party commercial advantages over others would be reduced. Persons (including small entities) engaged in transactions that are subject to the ITAR and transactions that are subject to the EAR would face fewer actual or apparent inconsistencies that must be addressed in their regulatory compliance programs. Although small entities, along with all other parties, would need to become familiar with the revised terminology, in the long run, compliance costs are likely to be reduced when compared to the present situation where the ITAR and the EAR use different terminology to regulate the same types of activity in the same manner. Therefore, BIS adopted this alternative.

   If BIS chose to maintain the status quo, small entities and other parties would not have to incur the cost and effort of becoming familiar with the revised regulations and any party who is currently interpreting the regulations that would clearly be precluded by the more explicit interpretations would incur the cost of complying with the regulations consistent with their underlying intent and in the way that BIS believes most regulated parties do. However, the benefits of these proposed changes would be lost. Those benefits, greater clarity, consistency between the ITAR and the EAR, and reduced possibility of inconsistent application of the regulations by similarly situated regulated parties, would be foregone. Therefore, BIS has not adopted this alternative.

   If BIS chose to create a size threshold exempting small entities as currently defined by the SBA size standards from the changes imposed by this proposed rule, those entities would face a more complicated regulatory environment than larger entities. The small entities would continue to be subject to the EAR as a whole but without the benefit of the clarifications introduced by this proposed rule. The only way to make a size threshold beneficial to entities falling below the threshold would be to exempt them from all or at least many of the requirements of the EAR. However, doing so would create a major loophole allowing commodities, software, and technology that are controlled for export for national security or foreign policy reasons to go, without restriction, to any party abroad, undermining the interests that the regulations are intended to protect. Therefore, BIS has not adopted this alternative.

   List of Subjects

   15 CFR Parts 734 and 772

   Exports.

   15 CFR Parts 740 and 750

   Administrative practice and procedure, Exports, Reporting and recordkeeping requirements.

   15 CFR Part 764

   Administrative practice and procedure, Exports, Law enforcement, Penalties.

   For the reasons stated in the preamble, parts 734, 740, 750, 764, and 772 of the Export Administration Regulations (15 CFR subchapter C) are proposed to be amended as follows:

   PART 734--SCOPE OF THE EXPORT ADMINISTRATION REGULATIONS

   0

1. The authority citation for part 734 continues to read as follows:

   Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 12938, 59 FR 59099, 3 CFR, 1994 Comp., p. 950; E.O. 13020, 61 FR 54079, 3 CFR, 1996 Comp., p. 219; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; E.O. 13637 of March 8, 2013, 78 FR 16129 (March 13, 2013); Notice of August 7, 2014, 79 FR 46959 (August 11, 2014) ; Notice of November 7, 2014, 79 FR 67035 (November 12, 2014).

   Sec. 734.2--Amended

   0

2. Section 734.2 is amended by revising the heading to read as follows and by removing and reserving paragraph (b).

   Sec. 734.2 Subject to the EAR.

   0

3. Section 734.3 is amended by revising paragraph (b) introductory text, paragraph (b)(3), the Note to paragraphs (b)(2) and (b)(3), and the Note to paragraph (b)(3) to read as follows.

   Page 31515

   Sec. 734.3 Items subject to the EAR.

   * * * * *

   (b) The following are not subject to the EAR:

   * * * * *

   (3) Information and ``software'' that:

   (i) Are ``published,'' as described in Sec. 734.7;

   (ii) Arise during, or result from, ``fundamental research,'' as described in Sec. 734.8;

   (iii) Concern general scientific, mathematical, or engineering principles commonly taught in schools, and released by instruction in a catalog course or associated teaching laboratory of an academic institution; or

   (iv) Appear in patents or open (published) patent applications available from or at any patent office, unless covered by an invention secrecy order, or are otherwise patent information as described in Sec. 734.10.

   Note to paragraphs (b)(2) and (b)(3): A printed book or other printed material setting forth encryption source code is not itself subject to the EAR (see Sec. 734.3(b)(2)). However, notwithstanding Sec. 734.3(b)(2), encryption source code in electronic form or media (e.g., computer diskette or CD ROM) remains subject to the EAR (see Sec. 734.17)). Publicly available encryption object code software classified under ECCN 5D002 is not subject to the EAR when the corresponding source code meets the criteria specified in Sec. 740.13(e) of the EAR.

   Note to paragraph (b)(3): Except as set forth in part 760 of this title, information that is not within the scope of the definition of ``technology'' (see Sec. 772.1 of the EAR) is not subject to the EAR.

   * * * * *

   0

4. Section 734.7 is revised to read as follows:

   Sec. 734.7 Published.

   (a) Except as set forth in paragraph (b) of this section, unclassified ``technology'' or ``software'' is ``published,'' and is thus not ``technology'' or ``software'' subject to the EAR, when it has been made available to the public without restrictions upon its further dissemination such as through any of the following:

   (1) Subscriptions available without restriction to any individual who desires to obtain or purchase the published information;

   (2) Libraries or other public collections that are open and available to the public, and from which the public can obtain tangible or intangible documents;

   (3) Unlimited distribution at a conference, meeting, seminar, trade show, or exhibition, generally accessible to the interested public;

   (4) Public dissemination (i.e., unlimited distribution) in any form (e.g., not necessarily in published form), including posting on the Internet on sites available to the public; or

   (5) Submission of a written composition, manuscript or presentation to domestic or foreign co-authors, editors, or reviewers of journals, magazines, newspapers or trade publications, or to organizers of open conferences or other open gatherings, with the intention that the compositions, manuscripts, or publications will be made publicly available if accepted for publication or presentation.

   (b) Published encryption software classified under ECCN 5D002 remains subject to the EAR unless it is publicly available encryption object code software classified under ECCN 5D002 and the corresponding source code meets the criteria specified in Sec. 740.13(e) of the EAR.

   0

5. Section 734.8 is revised to read as follows:

   Sec. 734.8 ``Technology'' that arises during, or results from, fundamental research.

   (a) ``Technology'' that arises during, or results from, fundamental research and is `intended to be published' is thus not ``subject to the EAR.''

   Note 1 to paragraph (a): The inputs used to conduct fundamental research, such as information, equipment, or software, are not ``technology that arises during or results from fundamental research'' except to the extent that such inputs are ``technology'' that arose during or resulted from earlier fundamental research.

   Note 2 to paragraph (a): There are instances in the conduct of research, whether fundamental, basic, or applied, where a researcher, institution or company may decide to restrict or protect the release or publication of ``technology'' contained in research results. Once a decision is made to maintain such ``technology'' as restricted or proprietary, the ``technology,'' if within the scope of Sec. 734.3(a), becomes ``subject to the EAR.''

   (b) Prepublication review. ``Technology'' that arises during, or results, from fundamental research is ``intended to be published'' to the extent that the researchers are free to publish the technology contained in the research without restriction or delay. ``Technology'' that arises during or results from fundamental research subject to prepublication review is still ``intended to be published'' when:

   (1) Prepublication review is conducted solely to ensure that publication would not compromise patent rights, so long as the review causes no more than a temporary delay in publication of the research results;

   (2) Prepublication review is conducted by a sponsor of research solely to insure that the publication would not inadvertently divulge proprietary information that the sponsor has furnished to the researchers; or

   (3) With respect to research conducted by scientists or engineers working for a Federal agency or a Federally Funded Research and Development Center (FFRDC), within any appropriate system devised by the agency or the FFRDC to control the release of information by such scientists and engineers.

   Note 1 to paragraph (b): Although ``technology'' arising during or resulting from fundamental research is not considered ``intended to be published'' if researchers accept restrictions on its publication, such ``technology'' will nonetheless qualify as ``technology'' arising during or resulting from fundamental research once all such restrictions have expired or have been removed.

   Note 2 to paragraph (b): Except as provided in Sec. 734.11, ``technology'' that is subject to other publication restrictions, such as U.S. government-imposed access and dissemination controls, is not ``intended to be published.''

   (c) Fundamental research definition. ``Fundamental research'' means basic or applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community. This is distinguished from proprietary research and from industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary or national security reasons.

   (1) ``Basic research'' means experimental or theoretical work undertaken principally to acquire new knowledge of the fundamental principles of phenomena or observable facts, not primarily directed towards a specific practical aim or objective.

   (2) ``Applied research'' means the effort that:

   (i) Normally follows basic research, but may not be severable from the related basic research;

   (ii) Attempts to determine and exploit the potential of scientific discoveries or improvements in technology, materials, processes, methods, devices, or techniques; and

   (iii) Attempts to advance the state of the art.

   Sec. 734.9 Removed and Reserved

   0

6. Section 734.9 is removed and reserved.

   0

7. Section 734.10 is revised to read as follows:

   Page 31516

   Sec. 734.10 Patents.

   ``Technology'' is not ``subject to the EAR'' if it is contained in:

   (a) A patent or an open (published) patent application available from or at any patent office;

   (b) A published patent or patent application prepared wholly from foreign-origin technology where the application is being sent to the foreign inventor to be executed and returned to the United States for subsequent filing in the U.S. Patent and Trademark Office;

   (c) A patent application, or an amendment, modification, supplement or division of an application, and authorized for filing in a foreign country in accordance with the regulations of the Patent and Trademark Office, 37 CFR part 5; or

   (d) A patent application when sent to a foreign country before or within six months after the filing of a United States patent application for the purpose of obtaining the signature of an inventor who was in the United States when the invention was made or who is a co-inventor with a person residing in the United States.

   0

8. Section 734.11 is revised to read as follows:

   Sec. 734.11 Government-sponsored research covered by contract controls.

   (a) If research is funded by the U.S. Government, and specific national security controls are agreed on to protect information resulting from the research, the provisions of Sec. 734.3(b)(3) will not apply to any export or reexport of such information in violation of such controls. However, any export or reexport of information resulting from the research that is consistent with the specific national security controls may nonetheless be made under this provision.

   (b) Examples of ``specific national security controls'' include requirements for prepublication review by the Government, with right to withhold permission for publication; restrictions on prepublication dissemination of information to non-U.S. citizens or other categories of persons; or restrictions on participation of non-U.S. citizens or other categories of persons in the research. A general reference to one or more export control laws or regulations or a general reminder that the Government retains the right to classify is not a ``specific national security control.''

   0

9. Section 734.13 is added to read as follows:

   Sec. 734.13 Export.

   (a) Except as set forth in Sec. 734.17, ``export'' means:

   (1) An actual shipment or transmission out of the United States, including the sending or taking of an item out of the United States, in any manner;

   (2) Releasing or otherwise transferring ``technology'' or ``source code'' (but not ``object code'') to a foreign national in the United States (a ``deemed export'');

   (3) Transferring by a person in the United States of registration, control, or ownership of:

   (i) A spacecraft subject to the EAR that is not eligible for export under License Exception STA (i.e., spacecraft that provide space-based logistics, assembly or servicing of any spacecraft) to a person in or a national of any other country; or

   (ii) Any other spacecraft subject to the EAR to a person in or a national of a Country Group D:5 country; or

   (4) Reserved

   (5) Reserved

   (6) Releasing or otherwise transferring decryption keys, network access codes, passwords, ``software'' or other information with ``knowledge'' that such provision will cause or permit the transfer of other ``technology'' in clear text or ``software'' to a foreign national.

   (b) Any release in the United States of ``technology'' or ``source code'' to a foreign national is a deemed export to the foreign national's most recent country of citizenship or permanent residency.

   (c) The export of an item that will transit through a country or countries or will be transshipped in a country or countries to a new country, or are intended for reexport to the new country, is deemed to be an export to the new country.

   0

10. Section 734.14 is added to read as follows:

    Sec. 734.14 Reexport.

    (a) Except as set forth in Sec. Sec. 734.18 and 734.20, ``reexport'' means:

    (1) An actual shipment or transmission of an item from one foreign country to another foreign country, including the sending or taking of an item to or from such countries in any manner;

    (2) Releasing or otherwise transferring ``technology'' or ``source code'' to a foreign national of a country other than the foreign country where the release or transfer takes place (a ``deemed reexport'');

    (3) Transferring by a person outside the United States of registration, control, or ownership of:

    (i) A spacecraft subject to the EAR that is not eligible for reexport under License Exception STA (i.e., spacecraft that provide space-based logistics, assembly or servicing of any spacecraft) to a person in or a national of any other country; or

    (ii) Any other spacecraft subject to the EAR to a person in or a national of a Country Group D:5 country; or

    (4) Releasing or otherwise transferring outside of the United States decryption keys, network access codes, passwords, ``software,'' or other information with ``knowledge'' that such provision will cause or permit the transfer of other ``technology'' in clear text or ``software'' to a foreign national.

    (b) Any release outside of the United States of ``technology'' or ``source code'' subject to the EAR to a foreign national of another country is a deemed reexport to the foreign national's most recent country of citizenship or permanent residency, except as described in Sec. 734.20.

    (c) The reexport of an item subject to the EAR that will transit through a country or countries or will be transshipped in a country or countries to a new country, or are intended for reexport to the new country, is deemed to be a reexport to the new country.

    0

11. Section 734.15 is added to read as follows:

    Sec. 734.15 Release.

    (a) Except as set forth in Sec. 734.18, ``technology'' and ``software'' are ``released'' through:

    (1) Visual or other inspection by a foreign national of items that reveals ``technology'' or ``source code'' subject to the EAR to a foreign national;

    (2) Oral or written exchanges with a foreign national of ``technology'' in the United States or abroad; or

    (3) The application by U.S. persons of ``technology'' or ``software'' to situations abroad using personal knowledge or technical experience acquired in the United States, to the extent that the application reveals to a foreign national ``technology'' or ``source code'' subject to the EAR.

    (b) Reserved

    0

12. Section 734.16 is added to read as follows:

    Sec. 734.16 Transfer (in-country).

    Except as set forth in Sec. 734.18, a transfer (in-country) is a change in end use or end user of an item within the same foreign country. ``Transfer (in-country)'' is synonymous with ``in-country transfer.''

    0

13. Section 734.17 is added to read as follows:

    Sec. 734.17 Export of encryption source code and object code software.

    (a) For purposes of the EAR, the export of encryption source code and object code software means:

    Page 31517

    (1) An actual shipment, transfer, or transmission out of the United States (see also paragraph (b) of this section); or

    (2) A transfer of such software in the United States to an embassy or affiliate of a foreign country.

    (b) The export of encryption source code and object code software controlled for ``EI'' reasons under ECCN 5D002 on the Commerce Control List (see Supplement No. 1 to part 774 of the EAR) includes:

    (1) Downloading, or causing the downloading of, such software to locations (including electronic bulletin boards, Internet file transfer protocol, and World Wide Web sites) outside the U.S., or

    (2) Making such software available for transfer outside the United States, over wire, cable, radio, electromagnetic, photo optical, photoelectric or other comparable communications facilities accessible to persons outside the United States, including transfers from electronic bulletin boards, Internet file transfer protocol and World Wide Web sites, unless the person making the software available takes precautions adequate to prevent unauthorized transfer of such code. See Sec. 740.13(e) of the EAR for notification requirements for exports or reexports of encryption source code software considered to be publicly available or published consistent with the provisions of Sec. 734.3(b)(3). Publicly available encryption software in object code that corresponds to encryption source code made eligible for License Exception TSU under Sec. 740.13(e) of this subchapter is not subject to the EAR.

    (c) Subject to the General Prohibitions described in part 736 of the EAR, such precautions for Internet transfers of products eligible for export under Sec. 740.17(b)(2) of the EAR (encryption software products, certain encryption source code and general purpose encryption toolkits) shall include such measures as:

    (1) The access control system, either through automated means or human intervention, checks the address of every system outside of the U.S. or Canada requesting or receiving a transfer and verifies such systems do not have a domain name or Internet address of a foreign government end-user (e.g., ``.gov,'' ``.gouv,'' ``.mil'' or similar addresses);

    (2) The access control system provides every requesting or receiving party with notice that the transfer includes or would include cryptographic software subject to export controls under the Export Administration Regulations, and anyone receiving such a transfer cannot export the software without a license or other authorization; and

    (3) Every party requesting or receiving a transfer of such software must acknowledge affirmatively that the software is not intended for use by a government end user, as defined in part 772 of the EAR, and he or she understands the cryptographic software is subject to export controls under the Export Administration Regulations and anyone receiving the transfer cannot export the software without a license or other authorization. BIS will consider acknowledgments in electronic form provided they are adequate to assure legal undertakings similar to written acknowledgments.

    0

14. Section 734.18 is added to read as follows:

    Sec. 734.18 Activities that are not exports, reexports, or transfers.

    (a) The following activities are not exports, reexports, or transfers:

    (1) Launching a spacecraft, launch vehicle, payload, or other item into space.

    (2) While in the United States, releasing technology or software to United States citizens, persons lawfully admitted for permanent residence in the United States, or persons who are protected individuals under the Immigration and Naturalization Act (8 U.S.C. 1324b(a)(3)).

    (3) Shipping, moving, or transferring items between or among the United States, the District of Columbia, the Commonwealth of Puerto Rico, or the Commonwealth of the Northern Mariana Islands or any territory, dependency, or possession of the United States as listed in Schedule C, Classification Codes and Descriptions for U.S. Export Statistics, issued by the Bureau of the Census.

    (4) Sending, taking, or storing technology or software that is:

    (i) Unclassified;

    (ii) Secured using end-to-end encryption;

    (iii) Secured using cryptographic modules (hardware or software) compliant with Federal Information Processing Standards Publication 140-2 (FIPS 140-2) or its successors, supplemented by software implementation, cryptographic key management and other procedures and controls that are in accordance with guidance provided in current U.S. National Institute for Standards and Technology publications, or other similarly effective cryptographic means; and

    (iv) Not stored in a country listed in Country Group D:5 (see Supplement No. 1 to part 740 of the EAR) or in the Russian Federation.

    (b) Definitions. For purposes of this section, `end-to-end encryption' means the provision of uninterrupted cryptographic protection of data between an originator and an intended recipient, including between an individual and himself or herself. It involves encrypting data by the originating party and keeping that data encrypted except by the intended recipient, where the means to access the data in unencrypted form is not given to any third party, including to any Internet service provider, application service provider or cloud service provider.

    (c) The ability to access ``technology'' or ``software'' in encrypted form that satisfies the criteria set forth in paragraph (a)(4) of this section does not constitute the release or export of such ``technology'' or ``software.''

    Note to Sec. 734.18: Releasing ``technology'' or ``software'' to any person with knowledge that a violation will occur is prohibited by Sec. 736.2(b)(10) of the EAR.

    Sec. 734.19 Reserved

    0

15. Section 734.19 is reserved.

    0

16. Section 734.20 is added to read as follows:

    Sec. 734.20 Activities that are not ``deemed reexports.''

    (a) Release of ``technology'' or ``source code'' by an entity outside the United States to a foreign national of a country other than the foreign country where the release takes place does not constitute a deemed reexport of such ``technology'' or ``source code'' if:

    (1) The entity is authorized to receive the ``technology'' or ``source code'' at issue, whether by a license, license exception, or situations where no license is required under the EAR for such ``technology'' or ``source code;'' and

    (2) The entity is certain that the foreign national's most recent country of citizenship or permanent residency is that of a country to which export from the United States of the ``technology'' or ``source code'' at issue would be authorized by the EAR either under a license exception, or in situations where no license under the EAR would be required.

    (b) Release to A:5 nationals. Release of ``technology'' or ``source code'' by an entity outside the United States to a foreign national of a country other than the foreign country where the release takes place does not constitute a deemed reexport of such ``technology'' or ``source code'' if:

    Page 31518

    (1) The entity is authorized to receive the ``technology'' or ``source code'' at issue, whether by a license, license exception, or through situations where no license is required under the EAR;

    (2) The foreign national is a bona fide regular and permanent employee who is not a proscribed person under U.S. law and is directly employed by the entity;

    (3) Such employee is a national exclusively of a country in Country Group A:5; and

    (4) The release of ``technology'' or ``source code'' takes place entirely within the physical territory of any such country.

    (c) Release to other than A:5 nationals. Release of ``technology'' or ``source code'' by an entity outside the United States to a foreign national of a country other than the foreign country where the release takes place does not constitute a deemed reexport of such ``technology'' or ``source code'' if:

    (1) The entity is authorized to receive the ``technology'' or ``source code'' at issue, whether by a license, license exception, or situations where no license is required under the EAR;

    (2) The foreign national is a bona fide regular and permanent employee who is not a proscribed person under U.S. law and is directly employed by the entity;

    (3) The release takes place entirely within the physical territory of the country where the entity is located, conducts official business, or operates;

    (4) The entity has effective procedures to prevent diversion to destinations, entities, end users, and end uses contrary to the EAR; and

    (5) Any one of the following six (i.e., paragraphs (c)(5)(i), (ii), (iii), (iv), (v), or (vi) of this section) situations is applicable:

    (i) The foreign national has a security clearance approved by the host nation government of the entity outside the United States;

    (ii) The entity outside the United States:

    (A) Has in place a process to screen the foreign national employee and to have the employee execute a non-disclosure agreement that provides assurances that the employee will not disclose, transfer, or reexport controlled technology contrary to the EAR;

    (B) Screens the employee for substantive contacts with countries listed in Country Group D:5 (see Supplement No. 1 to part 740 of the EAR). Although nationality does not, in and of itself, prohibit access to ``technology'' or ``source code'' subject to the EAR, an employee who has substantive contacts with persons from countries listed in Country Group D:5 shall be presumed to raise a risk of diversion, unless BIS determines otherwise;

    (C) Maintains a technology security or clearance plan that includes procedures for screening employees for such substantive contacts;

    (D) Maintains records of such screenings for the longer of five years or the duration of the individual's employment with the entity; and

    (E) Will make such plans and records available to BIS or its agents for civil and criminal law enforcement purposes upon request;

    (iii) The entity is a UK entity implementing Sec. 126.18 of the ITAR (22 CFR 126.18) pursuant to the US-UK Exchange of Notes regarding Sec. 126.18 of the ITAR for which the UK has provided appropriate implementation guidance;

    (iv) The entity is a Canadian entity implementing Sec. 126.18 of the ITAR pursuant to the US-Canadian Exchange of Letters regarding Sec. 126.18 of the ITAR for which Canada has provided appropriate implementation guidance;

    (v) The entity is an Australian entity implementing the exemption at paragraph 3.7b of the ITAR Agreements Guidelines; or

    (vi) The entity is a Dutch entity implementing the exemption at paragraph 3.7c of the ITAR Agreements Guidelines.

    (d) Definitions. (1) ``Substantive contacts'' includes regular travel to countries in Country Group D:5; recent or continuing contact with agents, brokers, and nationals of such countries; continued demonstrated allegiance to such countries; maintenance of business relationships with persons from such countries; maintenance of a residence in such countries; receiving salary or other continuing monetary compensation from such countries; or acts otherwise indicating a risk of diversion.

    (2) ``Permanent and regular employee'' is an individual who:

    (a) Is permanently (i.e., for not less than a year) and directly employed by an entity, or

    (b) Is a contract employee who:

    (i) Is in a long-term contractual relationship with the company where the individual works at the entity's facilities or at locations assigned by the entity (such as a remote site or on travel);

    (ii) Works under the entity's direction and control such that the company must determine the individual's work schedule and duties;

    (iii) Works full time and exclusively for the entity; and

    (iv) Executes a nondisclosure certification for the company that he or she will not disclose confidential information received as part of his or her work for the entity.

    Note to paragraph (d)(2): If the contract employee has been seconded to the entity by a staffing agency, then the staffing agency must not have any role in the work the individual performs other than to provide the individual for that work. The staffing agency also must not have access to any controlled ``technology'' or ``source code'' other than that authorized by the applicable regulations or a license.

    PART 740--LICENSE EXCEPTIONS

    0

17. The authority citation for part 740 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; 22 U.S.C. 7201 et seq.; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 7, 2014, 79 FR 46959 (August 11, 2014).

    0

18. Section 740.9(a)(3) is revised to read as follows:

    Sec. 740.9 Temporary imports, exports, reexports, and transfers (in-

    country) (TMP).

    * * * * *

    (a) * * *

    (3) ``Technology,'' regardless of media or format, may be exported by or to a U.S. person or a foreign national employee of a U.S. person, traveling or on temporary assignment abroad, subject to the following restrictions:

    (i) Foreign nationals may only export or receive such ``technology'' as they are authorized to receive through a license, license exception other than TMP or because no license is required.

    (ii) ``Technology'' exported under this authorization may only be possessed or used by a U.S. person or authorized foreign national and sufficient security precautions must be taken to prevent the unauthorized release of the ``technology.'' Such security precautions include encryption of the ``technology,'' the use of secure network connections, such as Virtual Private Networks, the use of passwords or other access restrictions on the electronic device or media on which the ``technology'' is stored, and the use of firewalls and other network security measures to prevent unauthorized access.

    (iii) The U.S. person is an employee of the U.S. Government or is directly employed by a U.S. person and not, e.g., by a foreign subsidiary.

    (iv) Technology'' authorized under this exception may not be used for foreign production purposes or for technical assistance unless authorized through a license or license exception other than TMP.

    (v) The U.S. person employer of foreign nationals must document the use of this exception by foreign national

    Page 31519

    employees, including the reason that the ``technology'' is needed by the foreign nationals for their temporary business activities abroad on behalf of the U.S. person.

    * * * * *

    PART 750--APPLICATION PROCESSING, ISSUANCE, AND DENIAL

    0

19. The authority citation for 15 CFR part 750 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; Sec 1503, Pub. L. 108-11, 117 Stat. 559; E.O. 13026, 61 FR 58767, 3 CFR, 1996 Comp., p. 228; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; E.O. 13637 of March 8, 2013, 78 FR 16129 (March 13, 2013); Presidential Determination 2003-23 of May 7, 2003, 68 FR 26459, May 16, 2003; Notice of August 7, 2014, 79 FR 46959 (August 11, 2014).

    0

20. Section 750.7 is amended by revising paragraph (a) to read as follows:

    Sec. 750.7 Issuance of licenses.

    (a) Scope. Unless limited by a condition set out in a license, the export, reexport, or transfer (in-country) authorized by a license is for the item(s), end-use(s), and parties described in the license application and any letters of explanation. The applicant must inform the other parties identified on the license, such as the ultimate consignees and end users, of the license's scope and of the specific conditions applicable to them. BIS grants licenses in reliance on representations the applicant made in or submitted in connection with the license application, letters of explanation, and other documents submitted. A BIS license authorizing the release of technology to an entity also authorizes the release of the same technology to the entity's foreign nationals who are permanent and regular employees (and who are not proscribed persons under U.S. law) of the entity's facility or facilities authorized on the license, except to the extent a license condition limits or prohibits the release of the technology to nationals of specific countries or country groups.

    * * * * *

    PART 764--ENFORCEMENT AND PROTECTIVE MEASURES

    0

21. The authority citation for part 764 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 7, 2014, 79 FR 46959 (August 11, 2014).

    0

22. Section 764.2 is amended by adding paragraph (l) to read as follows:

    Sec. 764.2 Violations.

    * * * * *

    (l) No person may ``release'' or otherwise transfer information, such as decryption keys, network access codes, or passwords, that would allow access to other ``technology'' in clear text or ``software'' with ``knowledge'' that the release will result, directly or indirectly, in an unauthorized export, reexport, or transfer of the ``technology'' in clear text or ``software.'' Violation of this provision will constitute a violation to the same extent as a violation in connection with the export of the controlled ``technology'' or ``software.''

    PART 772--DEFINITIONS OF TERMS

    0

23. The authority citation for part 772 continues to read as follows:

    Authority: 50 U.S.C. app. 2401 et seq.; 50 U.S.C. 1701 et seq.; E.O. 13222, 66 FR 44025, 3 CFR, 2001 Comp., p. 783; Notice of August 7, 2014, 79 FR 46959 (August 11, 2014).

    0

24. Section 772.1 is amended by:

    0

    1. Adding, in alphabetical order, the definition for ``Applied research'';

       0

    2. Revising the definitions of ``Basic scientific research'' and ``Export'';

       0

    3. Adding, in alphabetical order, definitions for ``Fundamental research,'' ``Peculiarly responsible,'' ``Proscribed person,'' and ``Publicly available encryption software'';

       0

    4. Removing the definitions of ``Publicly available information'' and ``Publicly available technology and software'';

       0

    5. Adding, in alphabetical order, the definition for ``Published'';

       0

    6. Revising the definitions of ``Reexport'';

       0

    7. Adding, in alphabetical order, the definition for ``Release'';

       0

    8. Revising the definition of ``Required'';

       0

    9. Removing the definition of ``Technical data''; and

       0

    10. Revising the definitions of ``Technology,'' and ``Transfer.''

        The revisions and additions read as follows:

        Sec. 772.1 Definitions of terms as used in the Export Administration Regulations (EAR).

        * * * * *

        Applied research. See Sec. 734.8(c) of the EAR.

        * * * * *

        Basic scientific research. (GTN)--Experimental or theoretical work undertaken principally to acquire new knowledge of the fundamental principles of phenomena or observable facts, not primarily directed towards a specific practical aim or objective. See also Sec. 734.8(c) of the EAR.

        * * * * *

        Export. See Sec. 734.13 of the EAR.

        * * * * *

        Fundamental research. See Sec. 734.8 of the EAR.

        * * * * *

        Peculiarly responsible. An item is ``peculiarly responsible for achieving or exceeding the controlled performance levels, characteristics or functions'' if it is used in or for use in the ``development,'' ``production,'' ``use,'' operation, installation, maintenance, repair, overhaul, or refurbishing of an item subject to the EAR unless:

        (1) The Department of Commerce has determined otherwise in a commodity classification determination;

        (2) Reserved;

        (3) It is identical to information used in or with a commodity or software that:

        (i) Is or was in production (i.e., not in development); and

        (ii) Is EAR99 or described in an ECCN controlled only for Anti-

        Terrorism (AT) reasons;

        (4) It was or is being developed with ``knowledge'' that it would be for use in or with commodities or software:

        (i) Described in an ECCN; and

        (ii) Also commodities or software either not enumerated on the CCL or the USML (e.g., EAR99 commodities or software) or commodities or software described in an ECCN controlled only for Anti-Terrorism (AT) reasons;

        (5) It was or is being developed for use in or with general purpose commodities or software, i.e., with no ``knowledge'' that it would be for use in or with a particular commodity or type of commodity; or

        (6) It was or is being developed with ``knowledge'' that it would be for use in or with commodities or software described:

        (i) In an ECCN controlled for AT-only reasons and also EAR99 commodities or software; or

        (ii) Exclusively for use in or with EAR99 commodities or software.

        * * * * *

        Proscribed person. A person who is prohibited from receiving the items at issue or participating in a transaction that is subject to the EAR without authorization by virtue of U.S. law, such as persons on the Entity List, Specially Designated Nationals, or debarred parties.

        Publicly available encryption software. See Sec. 740.13(e) of the EAR.

        Published. See Sec. 734.7 of the EAR.

        * * * * *

        Reexport. See Sec. 734.14 of the EAR.

        Release. See Sec. 734.15 of the EAR.

        * * * * *

        Required. (General Technology Note)--As applied to ``technology'' or

        Page 31520

        ``software'', refers to only that portion of ``technology'' or ``software'' which is peculiarly responsible for achieving or exceeding the controlled performance levels, characteristics or functions. Such ``required'' ``technology'' or ``software'' may be shared by different products. For example, assume product ``X'' is controlled if it operates at or above 400 MHz and is not controlled if it operates below 400 MHz. If production technologies ``A'', ``B'', and ``C'' allow production at no more than 399 MHz, then technologies ``A'', ``B'', and ``C'' are not ``required'' to produce the controlled product ``X''. If technologies ``A'', ``B'', ``C'', ``D'', and ``E'' are used together, a manufacturer can produce product ``X'' that operates at or above 400 MHz. In this example, technologies ``D'' and ``E'' are ``required'' to make the controlled product and are themselves controlled under the General Technology Note. (See the General Technology Note.)

        Note 1 to the definition of required:

        The references to ``characteristics'' and ``functions'' are not limited to entries on the CCL that use specific technical parameters to describe the scope of what is controlled. The ``characteristics'' and ``functions'' of an item listed are, absent a specific regulatory definition, a standard dictionary's definition of the item. For example, ECCN 9A610.a controls ``military aircraft specially designed for a military use that are not enumerated in USML paragraph VIII(a).'' No performance level is identified in the entry, but the control characteristic of the aircraft is that it is specially designed ``for military use.'' Thus, any technology, regardless of significance, peculiar to making an aircraft ``for military use'' as opposed to, for example, an aircraft controlled under ECCN 9A991.a, would be technical data ``required'' for an aircraft specially designed for military use thus controlled under ECCN 9E610.

        Note 2 to the definition of required:

        The ITAR and the EAR often divide within each set of regulations or between each set of regulations:

1. Controls on parts, components, accessories, attachments, and software; and

2. Controls on the end items, systems, equipment, or other items into which those parts, components, accessories, attachments, and software are to be installed or incorporated.

   Moreover, with the exception of technical data specifically enumerated on the USML, the jurisdictional status of unclassified technical data or ``technology'' is the same as the jurisdictional status of the defense article or ``item subject to the EAR'' to which it is directly related. Thus, if technology is directly related to the production of a 9A610.x aircraft component that is to be integrated or installed in a USML VIII(a) aircraft, then the technology is controlled under ECCN 9E610, not USML VIII(i).

   * * * * *

   ``Technology'' means:

   (a) Except as set forth in paragraph (b) of this definition:

   (1) Information necessary for the ``development,'' ``production,'' ``use,'' operation, installation, maintenance, repair, overhaul, or refurbishing (or other terms specified in ECCNs on the CCL that control ``technology'') of an item. ``Technology'' may be in any tangible or intangible form, such as written or oral communications, blueprints, drawings, photographs, plans, diagrams, models, formulae, tables, engineering designs and specifications, computer-aided design files, manuals or documentation, electronic media or information gleaned through visual inspection;

   Note to paragraph (a)(1) of this definition: The modification of an existing item creates a new item and technology for the modification is technical data for the development of the new item.

   (2) Reserved;

   (3) Reserved;

   (4) Reserved; or

   (5) Information, such as decryption keys, network access codes, or passwords, that would allow access to other ``technology'' in clear text or ``software.''

   (b) ``Technology'' does not include:

   (1) Non-proprietary general system descriptions;

   (2) Information on basic function or purpose of an item; or

   (3) Telemetry data as defined in note 2 to Category 9, Product Group E (see Supplement No. 1 to Part 774 of the EAR).

   * * * * *

   Transfer. A shipment, transmission, or release of items subject to the EAR either within the United States or outside the United States. For in-country transfer/transfer (in-country), see Sec. 734.16 of the EAR.

   Note to definition of transfer:

   This definition of ``transfer'' does not apply to Sec. 750.10 of the EAR or Supplement No. 8 to part 760 of the EAR. The term ``transfer'' may also be included on licenses issued by BIS. In that regard, the changes that can be made to a BIS license are the non-

   material changes described in Sec. 750.7(c) of the EAR. Any other change to a BIS license without authorization is a violation of the EAR. See Sec. Sec. 750.7(c) and 764.2(e) of the EAR.

   * * * * *

   Dated: May 18, 2015.

   Kevin J. Wolf,

   Assistant Secretary for Export Administration.

   FR Doc. 2015-12843 Filed 6-2-15; 8:45 am

   BILLING CODE P