Exports of controlled technology - new guidance for exporters
Exports of controlled technology are licensable, but very few exporters are aware of all their obligations, particularly in relation to movements into and out of the “cloud” and intra-company and intra-group transfers.
The UK has now brought together all policy on exports of controlled technology. The new UK Guidance entitled 'Exporting Military and dual-use technology: definitions and scope' pulls together existing strands related to export of technology, provides case study examples and points out some “Brexit” wrinkles.
Exports of controlled technology
The Guidance starts with the “basics” of exports of controlled technology, which are worth summarising. The UK, along with most Western countries, including the EU and US, controls export of “technology”, whether in tangible or intangible form, and surprisingly to some, these controls cover intra-company and intra-group transfers.
Technology
As set out in the Guidance, the UK defines 'technology' to be:
“specific ‘information’ necessary for the development, production or use of goods or software.
where:
‘Information’ may take forms including, not limited to: blueprints, plans, diagrams, models, formulae, tables, ‘source code’, engineering designs and specifications, manuals and instructions written or recorded on other media or devices (for example disk, tape, read-only memories).
‘Source code’ (or source language) is a convenient expression of one or more processes which may be turned by a programming system into equipment executable form.”
It is also important to be methodical about what the “technology” might be. As an example, business use of a laptop overseas raises a number of different questions:
- Is the laptop itself controlled because of software or technology it uses to operate?
- Is content on the laptop’s hard drive export controlled?
- What if the laptop contains controlled software or technology, and controlled content?
- What happens if the user needs support getting access to controlled content while abroad, and the IT specialist “remotes on” to deal with the issue?
Exemptions from control
Certain carve outs from export controls apply. So, generally speaking, anything that is in the “public domain”, or is “basic scientific research”, is not controlled. Nor is technology that is the “minimum required” for the “installation, operation, maintenance or repair of non-military controlled items, whose export has been previously authorised”. Finally, UK controls “control only that portion of technology that is specific to the development, production or use of controlled items. Technology is not controlled if it is common to both controlled and non-controlled dual-use items.” These carve outs apply to the UK, EU and US, in large part without distinction.
What are exports?
The Guidance then looks at tangible and intangible exports, and makes it clear that almost any form of “technology” transfer out of the UK can be controlled, including:
- Physical export on devices (e.g. laptops) and other physical media such as USB sticks, paper copies etc.
- Intangible exports (e.g. materials presented at webinars, phone calls, emails, including attachments).
However, as one would expect, “technology” can be stored in, or be accessible from, a number of other sources. While the UK (and EU) has had some thinking on intranets and “cloud” for a few years, it is helpful that the UK has now integrated this into this Guidance.
Controlled materials stored on servers
The general principle
The starting point for the UK policy is that the infrastructure used to store and access the controlled technology is largely irrelevant. As the Guidance notes:
“For the purposes of UK export controls the location of the exporter and the intended recipient determines the routing of the transfer of technology, not the location of the servers containing the controlled technology.”
So, uploading controlled technology from the UK to a server in the US that can only be accessed from the UK is not an export, notwithstanding the server being located in the US. However, accessing the controlled technology from outside the UK is an export and a licence is required.
Protecting controlled technology on servers
The Guidance notes that:
“When uploading controlled technology to or through the cloud, appropriate actions should be taken to ensure the information is suitably protected.”
The Guidance then points to various industry protocols that would secure such technology.
Maintenance and administration
Where owners of controlled technology allow the infrastructure to be maintained or administered by third parties outside of the UK, UK export licences may be required where access is possible from outside the UK. The Guidance notes:
“Responsibility for compliance with export controls lies exclusively with the owner of the technology, not with the service provider. If the owner delegates to the service provider the power to grant access to controlled technology to a person located overseas, the owner still has responsibility for how this is exercised. If staff of the service provider located overseas will intentionally have access to controlled technology, an export licence will be required.”
The same logic applies to, for example, penetration testing.
Movements from and back into servers
The Guidance also notes:
“When downloading controlled technology overseas local export controls may require you to obtain an authorisation for transfers back to the UK or to another country”.
This is a critical point, often overlooked: if you export a controlled item to a third country, and it may return to the UK or be shipped on from that destination, you must consider any export restrictions in that third country of export. Some may require export licences. This is vital in respect of movements into and out of the cloud where the country that receives the data has export control rules.
Take the example of a UK company storing controlled technology on a German server. Use by UK persons located in the UK does not trigger UK export controls. But if an employee goes to the US and accesses the data, works on it in the US and then returns it to the German server, is that an export of controlled data from the UK to the US? And under US export control rules, is that an export of controlled data from the US to Germany? This is not the place to solve this riddle, only to make one aware of the issue.
Applying for a licence
Licences can be applied for online in the UK, using the SPIRE system, and are free. It is important to note that there is a one-time pre-registration requirement to use SPIRE, and individual licences must be applied for before exporting and can take several months depending on the complexity of the issue.
What are the consequences for not obtaining a licence?
It is important that exporters of controlled technology understand their obligations. The new Guidance reflects UK law, and is backed up with both civil and criminal penalties.
The UK operates a system that has both civil and criminal consequences for breach. Generally speaking, all breaches of UK export control are punishable criminally. So, for example, export of controlled items without a licence, or failure to comply with licence conditions, is criminal. The UK does not generally prosecute unintentional violations, but in such cases will usually require a voluntary disclosure of breach, and may, in limited circumstances, issue a civil penalty for the breach.
Author: Ross Denton, Senior Consultant, Head of International Trade
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.