The UK Department for International Trade has recently published updated guidance on the export of military and dual-use technology. The guidance focuses on how technology is defined and the scope of the regulations that govern the transfer of military and dual-use technology (i.e. technology that can have both military and civil uses), including important guidance on how to treat cloud storage.
Businesses in the telecommunications, aerospace, defence and professional services sectors that operate global networks or supply chains will find the new guidance helpful when considering their compliance obligations.
What are export controls?
Export controls are aimed at restricting or prohibiting transfers of items that could lead to national security concerns, while balancing the benefits of legitimate trade and knowledge acquisition. In short, any transfer of controlled items outside the UK requires an export licence – irrespective of the origin of the item and even if only for the purposes of demonstration or tendering for an overseas contract.
How is ‘technology’ defined?
The Export Control Act 2002 and the Export Control Order 2008 both define ‘technology’ widely, with narrower definitions applying to specifically listed items. The new guidance clarifies that technology means ‘specific “information” necessary for the development, production or use of goods or software’ and notes that information can take many forms, such as diagrams, formulae and engineering designs. Certain technology, such as weapons of mass destruction and certain arms embargoes, may also be subject to additional end-use controls.
What is meant by technology transfer?
Technology can be transferred through both tangible and intangible forms. Tangible transfers include information either written on physical documents or recorded on other media such as USB flash drives. Intangible transfers include transfers using electronic media, such as email.
- Transfer by email – an email containing controlled technology (either in the body of the email or as an attachment) to a recipient located overseas would require an export licence. Businesses using automatic forwarding to overseas addressees should consider mechanisms to prevent the transfer of controlled technology without a licence.
- Transfer by phone or video-conferencing – export controls apply where the technology is contained in a document and transmitted by audio or video-conferencing means. This applies when the relevant part of the document is read out or described in a way which substantially achieves the same result as reading it out. The location of the intended recipients must be known prior to the call in order to obtain the appropriate licence for transfer.
- Transfer using laptops, phones and memory devices – if any device with stored controlled technology is taken overseas, this would be classified as a transfer and a licence would be required.
- Transfers within multinational companies – a multinational company must obtain an export licence in order to transfer technology to recipients in its overseas offices or subsidiaries. This applies even where the company uses a common IT system (such as a shared document management system or intranet) across all offices.
Are there any exemptions?
Certain technology is exempt. Technology that is in the public domain, constitutes basic scientific research or which is required to support non-military controlled items where those items have already been authorised are not controlled technology. There are certain other exemptions as well.
What about cloud storage and third party service providers?
The guidance provides welcome clarification on how to approach the use of cloud storage. For the purposes of UK export controls, the location of the exporter and the intended recipient determines the routing of the transfer of technology, not the location of the servers or datacentres that store controlled technology. Uploading controlled technology to cloud-based storage will not require a licence if the information can only be accessed by persons located in the UK. This applies irrespective of where the hardware is located. A licence would be required where the controlled technology can be accessed by someone overseas but, again, it is the location of access, not the location of storage, that matters.
Businesses using the cloud to store controlled technology will still need to ensure that their arrangements with local service providers do not contravene export control requirements. For example, the use of offshore/on-location technical support, remote helpdesks or maintenance providers where it is possible for service provider personnel to access the controlled technology will require export licences. The same goes for any penetration testing or other inspection activities enabling offshore access to controlled technologies. Importantly, where controlled technology is stored on servers located overseas, local export controls need to be considered (and a licence may be required) for transfers back to the UK.
So even if day-to-day access to cloud storage is safeguarded, businesses storing controlled technology via the cloud will need to diligence their supply chains and service providers to ensure they understand levels and locations of access and have the right export licences in place. Businesses may wish to consult the National Cyber Security Centre’s cloud security guidance. Civil and criminal penalties apply to non-compliance with UK export control.
All this points towards an increased focus on the growing role of technology in maintaining national security, its criticality to core infrastructure and the importance of ensuring the integrity and security of the storage of sensitive data.