The export of encryption products, software, and technology has long been one of the most opaque sectors of export controls. While U.S. origin encryption is tightly controlled, exporters can avail themselves of numerous exceptions depending on such factors as the overall strength of the encryption, the type of entity involved (government versus non-government), and the location of the end-user. Over the past few years, the Department of Commerce, Bureau of Industry and Security ("BIS") generally has sought to simplify these regulations and ease the export restrictions on encryption. Its most recent attempt occurred on December 9, 2004, when BIS issued a final rule (the "Rule") further revising the encryption regulations. As discussed below, while some of the changes were more cosmetic in nature, BIS introduced certain substantive changes as well:

One of the major substantive revisions involves those cases where foreign-made items are subject to the Export Administration Regulations (the "EAR"). The EAR controls U.S. origin parts, components, materials, or other commodities incorporated abroad into foreign-made products, U.S. origin software commingled with foreign software, and U.S. origin technology commingled with foreign technology, provided that such U.S. origin content exceeds specified de minimis levels. Previously, U.S. firms were required to request eligibility for de minimis treatment when submitting their encryption review requests under License Exception ENC. Henceforth, such a request will no longer be required; most encryption items will be treated, for purposes of de minimis calculations, in the same way as foreign-made items that incorporate other U.S. origin dual-use items. The one noted exception to this rule is for high level encryption technology, which remains subject to the EAR regardless of the amount of U.S. origin content.

Several changes were made to License Exception ENC, the major exception that governs the export of strong encryption items. The so-called "European Union ("EU") plus 8" exception, which authorizes the immediate shipment of strong encryption items to the EU member states plus eight other countries upon the registration of a BIS review request, has been updated so that all 10 EU accession states are listed as eligible countries in Supplement No. 3 to part 740. This revised exception also eliminates the requirement that the U.S. government review encryption items and related technical assistance (as described in § 744.9 of the EAR) prior to their being provided for internal company use in the development of new products by private sector end-users headquartered in the EU and other countries designated in Supplement No. 3 to part 740 (and Canada). Any new product that results from such development, however, still requires BIS authorization before any sale or retransfer outside the private sector end-user that developed it.

The ENC exception for non-government end-users located outside the EU and other countries designated in Supplement No. 3 to part 740 has been modified to include an exclusive list of those encryption commodities and software that are only eligible for export to non-government end-users. Moreover, except for those commodities included in this exclusive list, as well as commodities and software that provide an open cryptographic interface, all other encryption items eligible for License Exception ENC now may be sent both to government and non-government end-users. The latter change enabled BIS to remove the word "retail" from this exception, a cosmetic change that nevertheless should help exporters better distinguish between the ENC and the "mass-market" exceptions.

The Rule makes several other changes as well. Exports of beta test equipment no longer need to report the names and addresses of their beta testers. In addition, no further notice of updates or modifications is required for "publicly available" encryption software that has been posted on the web under 15 C.F.R. § 740.13(e), provided that the Internet location of the software has not changed. Finally, the Rule substantially reorganizes several EAR encryption provisions in an attempt to provide greater clarity and transparency.

But even with these changes, the encryption regulations remain a tangled web of rules and exceptions that must be interpreted on an individual, case-by-case basis. While the above represents a general summary of the new Rule, exporters should still seek out expert advice when attempting to navigate the encryption maze. 

This article is presented for informational purposes only and is not intended to constitute legal advice.