
Cloud Computing and Export Controls

By Richard Tauwhare, Dechert LLP [1]

Uploading software or technology to the “cloud” can risk breaching export controls or
sanctions and potentially incurring heavy civil and criminal penalties. This article looks at the
law, how it applies to cloud computing and how organisations can comply.

The legal framework

Restrictions may apply as part of the general controls on what may be exported or as part of
a package of trade sanctions adopted in relation to a particular country.

General Export Controls

Export controls aim to prevent items which can have military or security applications from
being acquired by those who might misuse them. The three main legal instruments
applicable in the UK are:

• The Export Control Act 2002 empowers the Government to make “Orders” (a type
of secondary legislation) to control the export of strategic goods, the transfer of
technology, the provision of technical assistance overseas and trade in military-rated
equipment between overseas countries;

• The Export Control Order 2008 provides for the control of exports from the UK of
listed military, paramilitary and certain other goods, technology and software.
Most require a licence for export outside the UK, including to other countries within
the EU. The licensing process is administered by the Export Control Organisation, a
unit within the Department for Business, Innovation and Skills;

• The EU Dual Use Regulation [2] 2009 establishes similar controls on exports of listed
goods, software and technology considered to be ‘dual-use’ [3]. Most require
licences only if exported outside the EU but particularly sensitive items need a
licence for transfers within the EU.

Taken together, these instruments impose licence requirements which are broader than is
often appreciated. The controls apply:

• not only to exports of physical goods but also of software or technology [4] by any means
including, in some cases, by face-to-face meeting, by paper, by email, fax or phone (if
information is communicated so as to achieve substantially the same result as if the
recipient had read it), carrying overseas on a laptop or storage device and – the key
point relevant to cloud computing - giving access to software or technology in electronic
form to someone overseas;

• not only to military items but also to “dual-use” civilian items in a wide range of fields
including: nuclear engineering; biological sciences and pharmaceuticals; chemicals with
toxic properties; high strength materials; high specification electronics, computers, and
telecommunications; automation and control systems; lasers, optics and sonar;
navigation and avionics; submersible equipment; aerospace; and – the main basis for
the controls on software – encryption;

• potentially to the export or transfer of any goods, software or technology, even if they are
not listed. In most cases, the controls are defined by the lists of military and dual-use items
which are annexed to the Order and the EU Dual Use Regulation and which reflect
regular discussion in international groups [5]. But the regulations also provide for ‘end use’
controls which are defined not on the basis of the exported item itself but on how it will
ultimately be used. In the EU, there are two main categories of end-use which require a
non-listed item to be licensed: if the exporter has been informed, is aware or has reason
to suspect that it will be used for WMD purposes [6] outside the EU; or if it may be intended
for military use in a country subject to an arms embargo;

• not only to exports outside the EU but also in some cases to transfers within it and even
within the UK if the transferor knows or has been informed that the item will be used for
WMD purposes outside the EU.

But the controls are not intended to interfere unduly with normal commercial or academic
practices, and there are exemptions for information already in the public domain [7], basic
scientific research [8] and the technology required for the installation, operation, maintenance
and repair of controlled items whose export has been previously authorised.

Other major exporting countries impose similar controls, notably the US. But a significant
difference in the US regulations, both for sensitive military items (ITAR) [9] and for less sensitive
military and all dual use items (EAR) [10], is that the controls apply not only to the original export
from the US but also to any subsequent transfer within the UK or re-export from the UK,
notwithstanding that this entails a significant stretching of the traditional notion of
extraterritorial jurisdiction.

The US definition of re-export includes the release within the UK of controlled software and
technology to a dual or foreign national from a country to which restrictions apply for the
item (termed a ‘deemed re-export’). US-controlled items therefore require particularly careful
handling to avoid unintended, unauthorised re-exports.

[1] Richard Tauwhare is a Senior Director in the London office of Dechert LLP, a global law firm. He specialises in advice on
ensuring compliance with export controls and sanctions. He was formerly head of export controls policy in the Foreign and
Commonwealth Office.

[2] Council Regulation (EC) No 428/2009

[3] ‘Dual use items’ are defined by the EU Dual Use Regulation as ‘items, including software and technology, which can be used
for both civil and military purposes, and shall include all goods which can be used for both non-explosive uses and assisting in
any way in the manufacture of nuclear weapons or other nuclear explosive devices.’

[4] ‘Technology’ is defined by the UK Export Control Order 2008 as ‘information (including but not limited to information
comprised in software and documents such as blueprints, manuals, diagrams and designs) that is capable of use in connection
with the development, production or use of any goods.’

[5] The ‘Export Control Regimes’: the Wassenaar Arrangement addresses conventional military and dual use items; the Australia
Group covers items which could be used in programmes for chemical or biological weapons; the Nuclear Suppliers Group does
the same for nuclear weapons; and the Missile Technology Control Regime covers ballistic and cruise missiles, as well as
Unmanned Aerial Vehicles potentially capable of delivering WMD.

[6] ‘WMD purposes’ are defined by the Export Control Order 2008 as ‘use in connection with the development, production,
handling, operation, maintenance, storage, detection, identification or dissemination of chemical, biological or nuclear weapons
or other nuclear explosive devices, or the development, production, maintenance or storage of missiles capable of delivering
such weapons.’

[7] ‘in the public domain’ is defined by the Export Control Order 2008 as ‘technology or software which has been made available
without restriction upon its further dissemination (copyright restrictions do not remove technology or software from being in the
public domain).’

[8] ‘basic scientific research’ is defined by the Export Control Order 2008 as ‘experimental or theoretical work undertaken principally
to acquire new knowledge of the fundamental principles of phenomena or observable facts, not primarily directed towards a
specific practical aim or objective.’

[9] The International Traffic in Arms Regulations, administered by the US Department of State

[10] The Export Administration Regulations, administered by the US Department of Commerce

Export controls in sanctions programmes

Sanctions put pressure on target governments, entities and individuals to change their
behaviour and, by restricting their access to certain goods and services, help to contain the
threats which they may pose to international peace and security. Sanctions take a variety of
forms but often involve some kind of export control, including:

• embargoes on exporting weapons, equipment that might be used for internal repression,
and associated technical assistance, training and financing;

• restrictions on making goods or services available to named individuals or entities; and

• bans on trade in specified categories of goods (e.g. dual use goods, oil and gas
equipment) or services (e.g. financial transfers, insurance, investment), either to
designated individuals and entities or to a whole country.

All countries are obliged to give effect to UN Security Council sanctions resolutions. But some,
particularly the EU and US, commonly adopt further measures. Firms and individuals need to
be aware not only of the EU measures (which apply to all EU persons and entities
incorporated under the law of a Member State wherever they are located, as well as to
anyone located in the EU) but also of which other countries’ sanctions may apply. In
particular, the US asserts a very broad jurisdiction for its sanctions.

Cloud Computing

(i) Users

For the purposes of this article, cloud computing is broadly defined as using shared rather
than private local computing resources to store software or technology and handle
applications. This includes:

• public clouds (networks open for public use);

• private clouds (which restrict access to only those authorised by the subscriber);

• community clouds (a specific group of users with common requirements);

• hybrid clouds (a mix of public, community and private systems); and

• Software-as-a-Service, Infrastructure-as-a-Service and Platform-as-a-Service, in which
subscribers access a range of computing resources.

By using these services, a user’s software or technology may be routed through and stored in
multiple physical locations and countries, often without the knowledge or intent of the user
(except in the case of private clouds). How do export controls apply?

General export controls

The key is what is meant by ‘export’ and ‘exporter’. The definition of ‘export’ in the EU Dual
Use Regulation includes ‘transmission of software or technology by electronic media ... to a
destination outside the EU; it includes making available in an electronic form such software
and technology to natural and legal persons and partnerships outside the EU.’

The definition of ‘exporter’ includes ‘any natural or legal person or partnership which decides
to transmit or make available software or technology by electronic media ... to a destination outside
the EU.’

Based on these definitions, the act of making controlled technology or software available to
anyone outside the UK or EU (as appropriate), whether through a cloud service or indeed by
any other means, requires a licence. The controls apply:

• irrespective of who owns the server on which the software or technology is made
available, e.g. whether it is on an organisation’s own servers or on those of any type of
cloud service;

• irrespective of the nationality of the person in the UK who makes the software or
technology available. The regulations apply not only to all EU but also to all non-EU
persons conducting business in the EU;

• irrespective of the nationality or employment status of the person able to access the
software or technology overseas, e.g. they could be a UK member of staff travelling
overseas, a member of staff of a subsidiary overseas, an established customer with
access rights, or anyone else;

• whether or not a UK employee abroad with access to the software or technology has
any intention of passing it on to another person abroad. This corresponds to the rules for
physical exports, where taking controlled technology abroad, even if only for personal
use and not for onward transmission while abroad, still requires a licence;

• whether the transfer is between two parts of the same company or to a different entity;

• for the purposes of UK controls, it is also irrelevant where the software or technology is
stored or routed, provided that adequate measures are in place to prevent unauthorized
foreign nationals (e.g. system administrators) from having access to it. But note that the
act of routing controlled software or technology through a non-EU country or storing it on
a server on their territory, for however short a time, may render it subject to their export
control laws.

The timing of when a licence is required depends on the arrangements made for granting
access. If software or technology is to be fully accessible to members of a company, group,
or dedicated collaborative user-group situated abroad from the time when it is saved to a
site, then a licence is needed before it is saved to the site. But if individual permissions are
required for employees or other approved users overseas before they can access the site,
then it is only necessary to obtain a licence before that permission is given.

Export controls in sanctions programmes

Export controls may also apply if the software or technology is made available to a person or
entity overseas who is either:

• located in a country subject to sanctions and the export of the software or technology
contravenes the terms of the embargo established by the sanctions (e.g. if military
technology is made available to a person located in a country under an arms embargo);
or

• themselves included on a list of sanctioned persons or entities, and the provision of the
software or technology to them contravenes the sanctions.

(ii) Service Providers


The key is again in the definition of ‘exporter.’ The EU Dual Use Regulation states that this
includes any natural or legal person or partnership ‘which decides to transmit or make
available software or technology by electronic media ... to a destination outside the Union.’

Unlike the US authorities [11], the European Commission has not provided specific guidance on
this. But on the basis of this definition, the exporter is generally understood to be the user of a
cloud service and not the provider. This again reflects the rules applicable to physical
exports, for which it is the exporter - not the freight forwarder or shipper - who is responsible
for securing a licence before any licensable activity may take place.

Sanctions, on the other hand, may apply to providers (as well as users) if they give a service
to individuals, entities or countries in contravention of sanctions. Neither the US nor the EU
authorities have published formal guidance on this so service providers must interpret and
apply each set of sanctions measures as they are drafted.

Compliance

The European Commission has recognised [12] the challenges which the development of cloud
services poses to regulators and to companies working to implement export controls. It may
examine options to address such challenges, potentially including a review of legal
provisions, providing guidance and/or introducing specific tools such as new types of
licence. But that process is likely to take several years. In the meantime, the following offers
some basic pointers for users and providers of cloud services:

• be clear which if any of your software and technology is subject to export controls (under
UK, EU and any applicable third country laws);

• consider limiting controlled software or technology to only private servers, or to a private
cloud, or to cloud services specifically developed to be compliant with export controls;

• conduct due diligence of cloud service providers and consider negotiating terms into
contracts providing for: restrictions on the locations through which controlled software or
technology may be routed; where it may be stored; how access by any unauthorised
person (including system administrators) will be prevented; the right to audit the
provider’s compliance; and obligations for providers to notify promptly any known or
suspected breaches. UK and EU regulators have not defined what they consider to be
‘adequate’ measures to prevent unauthorised access; this remains the exporter’s
responsibility [13];

• if export licences are necessary, consider what type(s) would be most appropriate and
register or apply for them at an early stage. Note that all licences require records of
transfers to be maintained, which is clearly more challenging in cases where software or
technology is being accessed remotely rather than actively transmitted from the UK, and
some require formal undertakings to be signed by the end user or consignee;

• note that if there are any substantive modifications to licensed software or technology, a
new licence may be needed;

• transfers of controlled dual use technology and software within the EU should be marked
as ‘subject to controls if exported from the EU’;

• if acquiring software or technology which is subject or may be subject to US export
controls, ensure that the supplier provides detailed information on what controls apply to
it and includes, in their US export licence, authorisation for any proposed re-exports. Put in
place all measures necessary to ensure that the US control requirements are fully met;

• screen all those to be given access to controlled software or technology and their
locations, for possible sanctions. Cloud providers should similarly screen all users of their
services, their partners and the locations of their servers and other facilities. Screening
should be repeated regularly to take account of the frequent changes in the sanctions
rules and lists;

• review internal compliance policies, procedures and training on export controls and
sanctions to ensure cloud computing issues are fully incorporated.

[11] The US Department of Commerce has made clear that it is the user, not the provider, who has responsibility for export
controls, unless the provider is aware of nefarious activities by the user. Permitting a foreign national to maintain a provider’s
servers and software does not constitute a “deemed export” unless the foreign national has access to the controlled technology
itself. Operating software as a service does not constitute an export of the software to the user so no licence is required.

[12] Sections 2.2 and 3.1 of the Communication from the Commission to the Council and the European Parliament on ‘The Review
of export control policy: ensuring security and competitiveness in a changing world’ published on 24 April 2014

[13] One option is to encrypt the technology. There is no EU guidance on this but the US authorities have not accepted that
encrypting technology to established US government standards gives adequate protection to controlled technology, except if
access is limited to US persons abroad who are directly employed by the same US corporation that sent the technology and the
technology can only be used by US persons.

Conclusion

Using cloud computing services can create risks for those handling software or technology
that is subject to export controls or whose transfer could breach sanctions. The key is to
recognise that making controlled software or technology available to anyone located
outside the UK or EU, however this is done, requires a licence and could breach sanctions, so
appropriate procedures need to be put in place to manage the risks.
