The Often Unrecognized Dangers of U.S. Export Control Violations and the Benefits of Self-Reporting
A global software company recently agreed to pay combined penalties of more than $8 million as part of a global resolution with the U.S. Department of Justice (DOJ) resulting from its export control violations. Beginning in 2010 and continuing through 2017, the software company, without an export license, either exported or caused the export of its products to Iranian users. Specifically, the software company had inadvertently released thousands of downloads of their products, upgrades and patches to users in Iran.
The penalties resulting from the export control violations could have been higher had the software company not voluntarily disclosed its violations to the DOJ. In its voluntary disclosures, the software company acknowledged violations of the Export Administration Regulations (EAR) and the Iranian Transactions and Sanctions Regulations. As a result of its voluntary disclosures to the DOJ, the DOJ and the U.S. Attorney’s Office for the District of Massachusetts entered into a Non-Prosecution Agreement with the software company.
Export controls are laws and regulations that regulate and restrict the release of sensitive technologies and information to foreign countries and foreigners, both within and outside of the United States, for reasons of national security and foreign policy. U.S. export control laws are often overlooked by companies of all sizes despite the serious repercussions for noncompliance, including hefty fines, criminal penalties and the revocation of export privileges.
A complicated network of federal agencies and inter-related regulations governs exports. To name just a few, the International Traffic in Arms Regulations (ITAR) is a set of regulations on the export and import of defense related articles and services that is enforced by the Department of State. The Export Administration Regulations (EAR) is a set of government regulations enforced by the Department of Commerce on the export and import of most commercial items. And, the Office of Foreign Assets Control (OFAC) of the Treasury Department administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes.
Many corporations have designated export control personnel who are tasked with detecting and preventing export control violations before they occur. Other corporations, including many small corporations, do not have such preventative measures in place. Attorneys and others representing corporations of all sizes should be cognizant of the U.S. government’s export control restrictions. Failure to consider those restrictions can be costly.
Export controls are implicated any time that technical data or products are shared with persons outside of the U.S. or foreigners within the U.S., especially if that data or product relates to high performance computing, encryption technology, dual use technologies (technologies with both a military and commercial application), select chemical agents, military or defense articles and services, space technology and satellite, or any other area that would be considered to be strategically important to the U.S. in the interest of national security, economic and/or foreign policy concerns.
While it may be easy to determine that some export related activities can run afoul of export controls, like the shipment of arms to Iran, it is not so easy to identify other less obvious activities that require export control licenses. Consider, for example, the following hypothetical situation which raises a host of export control concerns.
A Canadian semiconductor manufacturer opens a new technical innovation center in California to position itself closer to Silicon Valley’s digital hub. The innovation center will be staffed by American and Canadian engineers. Some of the Canadian engineers have a green card, while others are briefly visiting before returning to corporate headquarters in Canada. The American and Canadian engineers at the U.S. innovation center share technical ideas by way of e-mail, personal meetings and telephone calls with other employees in Canada.
Technical discussions between the American and Canadian staff could require an export control license under, at least, the Export Administration Regulations (“EAR”). When considering whether a communication will require a license under the EAR, for example, it is necessary to consider at least (i) the underlying product that is the subject of the communication, and (ii) the destination of the communication.
With regard to the underlying product, the Commerce Department provides a list of controlled commodities, technology, and software known as the CCL, and the licensing requirements for each. The underlying product must first be identified on the CCL. If an item is not listed on the CCL, then that item is designated as EAR 99. EAR 99 items generally consist of low-technology consumer goods and do not require a license in most situations. Various types of semiconductors and semiconductor manufacturing processes appear on the CCL.
Under our scenario let’s suppose that the underlying product, which is the subject of the technical communication, is listed on the CCL. Then, it would be necessary to consider the destination of the communication (i.e., Canada). The U.S. government will permit the release of controlled product and related information to certain countries, but not others. To determine if an export license is required for sharing the technical details of the controlled product (or the product itself) with Canada, the licensing requirements set forth in the CCL for the underlying product must be cross-referenced against the Commerce Department’s Country Chart. If an export license is required before sharing the product or its technical details with Canada, then an export license will be required regardless of whether the Canadian recipient is located within the U.S. at the time of receiving the product or information. The U.S. government restricts the release of controlled information and product to foreign nationals here in the U.S. (referred to as a “Deemed Export”). Persons with permanent residence status (e.g., green card), U.S. citizenship, and persons granted status as “protected individuals” are exempt from the Deemed Export rule.
Continuing with the above hypothetical scenario, consider that inventions generated at the U.S. innovation center eventually find their way into the products of the Canadian manufacturer, and those products are eventually sold in a host of countries including China. Shipping a product incorporating U.S. technology to China could require an export control license under, at least, EAR depending upon whether the U.S. origin controlled content in that product exceeds a threshold value. Under the Commerce Department’s de minimus rule, when a non U.S. made product incorporates controlled U.S. original commodities (such as parts or software), the product is subject to EAR if the U.S. origin controlled content exceeds 25% of the value of the product for many foreign countries, including China. Thus, a product that is subject to EAR and has a U.S. origin controlled content exceeding 25% of the value of the product would require an export license before shipping that product to China.
Export control compliance can be confusing, tedious, and time consuming, especially since the rules and classifications are always changing as technology evolves. Many corporations lack the personnel or know-how to appropriately address export control, and this is the reason why export controls are often overlooked. To avoid hefty fines, criminal penalties and the revocation of export privileges, however, corporations would benefit from preventative planning, such as identifying when their activities trigger export controls. When export controls apply, corporations should consider taking the appropriate steps to obtain any required governmental licenses, monitor and control access to restricted information, and safeguard all controlled materials. And, in the event that the corporation discovers an export control violation, it would be wise to voluntarily disclose the violation to, at least, the DOJ. The DOJ publicly stated that it would reward cooperating companies with a presumption in favor of a non-prosecution agreement and significant reductions in penalties. Such a reward is evidenced by the DOJ’s agreement with the global software company mentioned above.