BIS Eliminates Most Mass Market Encryption Reporting Obligations
International Trade Update
Date: April 09, 2021
The U.S. Department of Commerce’s Bureau of Industry & Security (BIS) issued a final rule amending the Export Administration Regulations (EAR) to eliminate most reporting requirements related to open source encryption software and certain “mass market” encryption items and to revise the Commerce Control List (CCL). These amendments reflect decisions made at the December 2019 plenary meeting of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.
Previously, software source code published online that involved encryption functionality frequently remained subject to the EAR (and its licensing requirements) until the author of the code submitted an email notification report to the U.S. government. Additionally, exporters were required to submit an annual report to BIS for most “mass market” encryption items (e.g., software and other items generally available for sale to the public).
This final rule eliminates these reporting requirements, specifically:
- The email notification requirement for “publicly available” encryption source code and beta test encryption software, except for publicly available encryption source code and beta test encryption software implementing “non-standard cryptography.”
- The self-classification reporting requirement for certain mass market encryption products under EAR § 740.17(b)(1).
Further, the rule allows self-classification reporting for ECCN 5A992.c or 5D992.c components of mass market products (and their “executable software”) and moves mass market “components,” executable software, toolsets and toolkits out of § 740.17(b)(3)(i) and into (b)(1). This means that such items are now subject to self-classification and the filing of a Commodity Classification (CCAT) request with BIS is no longer required.
Notably, the rule does not change the License Exception ENC requirements for any non-mass-market encryption item or any encryption item (mass market or not) that implements non-standard cryptography. For more information on this exception and annual reporting requirements, see our January 5, 2021 International Trade Update.
The final rule also provides technical updates and revisions to the following ECCNs on the CCL: 0A502, 0A503, 0A606, 1A002, 1A005, 1A006, 1A613, 1B002, 1C001, 1C002, 1C006, 1C010, 2A001, 3B001, 3E002, 5A002, 6A004, 6A005, 6A008, 9A011, 9D515, and 9E003.
The final rule was effective on March 29, and BIS stated that these changes “are designed to reduce the regulatory burden for exporters while still fulfilling U.S. national security and foreign policy objectives.” BIS has noted that shipments of items impacted by this final rule that were on dock for loading, laden aboard an exporting carrier or en route aboard a carrier to a port of export on March 29, pursuant to actual orders for export, reexport or transfer (in-country) to a foreign destination, may proceed to that destination under the previous license exception eligibility or without a license so long as they have shipped before May 28, 2021.
FOR MORE INFORMATION
For more information, please contact:
Francesca M.S. Guerrero
Partner, International Trade
Samir D. Varma
Partner, International Trade
Associate, International Trade
Scott E. Diamond*
Senior Legislative & Regulatory Policy Advisor,
*Not licensed to practice law
This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.
This document may be considered attorney advertising in some jurisdictions.
© 2021 THOMPSON HINE LLP. ALL RIGHTS RESERVED.