Compliance in the Cloud

April 2020 - Walter Tamminen

Companies are increasingly moving to utilize cloud storage and services, especially with many working from home during the COVID-19 pandemic. Seeing this trend, governments are seeking to issue guidance and regulations on cloud export controls and other intangible technology transfers. As with traditional export controls, national requirements, both varying and competing, can leave companies vulnerable to major cloud compliance violations.

United States

The most recent export control update to the “encryption rule” (in force as of 25 March 2020) brings ITAR cloud controls more in line with the EAR. Whereas previously companies had to ensure their ITAR-controlled technology/data would only be stored on U.S. servers, now both EAR- and ITAR-controlled technology can be stored on cloud platforms hosted anywhere in the world – the exception being intentionally storing ITAR technology in countries proscribed in 22 CFR §126.1 (see Figure 1), or EAR technology in countries listed in Country Group D:5.

Figure 1. Countries subject to certain prohibitions per 22 CFR §126.1

The technology must also be encrypted according to Federal Information Processing Standards Publication 140-2 (FIPS 140-2) and must remain encrypted from the point at which it leaves the sending company’s “boundary” to the point at which it enters the receiving company’s “boundary”. Boundary-to-boundary encryption allows data to be encrypted and decrypted at the company’s network boundary (for example, its router) rather than at the sending and receiving computers, as end-to-end encryption requires (see Figure 2).

Figure 2. Boundary-to-Boundary Encryption

Netherlands

In the Netherlands, controlled goods may be uploaded to the cloud without any country restrictions as long as the data is encrypted and access is controlled. A license is required only if the technology is or can be accessed from outside the country and if a general export authorization is unavailable. No one at the cloud service provider, including employees and IT administrators, outside of the Netherlands may access the data unless authorized by permit. Failure to upload data to an adequately secured and encrypted cloud environment is considered making the data public and therefore prohibited.

Switzerland

Per recently updated guidance on intangible technology transfers (ITT), export-controlled data may be stored on foreign servers without a license only if the data on those servers is encrypted and access is restricted to persons within Switzerland. Otherwise, a license is required. Persons in Switzerland who store controlled data and allow access to it by persons abroad must first obtain an export license.

Australia

Under the Defence Trade Controls Act, Australian citizens or residents do not need a permit to access controlled data in the cloud, regardless of their location. Therefore, individuals can access their controlled data from overseas and companies can provide access to their employees overseas, all without a permit. A permit is required once a foreign person located overseas is given access to the data in the cloud for the first time. If the foreign person was in Australia when they first accessed the cloud and then accessed it again from overseas, no permit is required. Unless the data is classified, there is no requirement to encrypt it in the cloud, nor to control access to it by the cloud service provider.

Japan

Controlled technology may be stored on foreign servers if the data is encrypted and access is limited only to the Japanese company. In the company’s contract with the cloud service provider, a clause must explicitly state who has access to the data. The only acceptable reason for the service provider to give access to others is a court order. Providing access to controlled technology is considered an export when it is accessed outside of Japan or by non-residents within Japan.

South Korea

Under Article 26 of the Public Notice on Strategic Material Exportation and Importation, transfers of technology made via the cloud are exempt from the individual license requirement if they use end-to-end encryption meeting the KCMVP encryption standard. The encryption must be verified by the head of the National Intelligence Service, per the Enforcement Decree of the E-Government Act. The decryption method or key should never be sent electronically, whether encrypted or not.

Conclusion

The cloud services market is expected to grow over 16% annually for at least the next 7 years. As the use of the cloud becomes more commonplace for handling and exporting controlled data and technology, governments will continue to institute more detailed export control requirements on the space. It is critical for companies using cloud services to be aware of export controls related to cloud services and storage in all relevant jurisdictions.

Don’t let your compliance fail on the ground when your data is in the cloud.