Forrester Research predicts that the global market for cloud computing services will have increased from $40.7 billion in 2011 to approximately $241 billion by 2020. You can see the ZDNet article here. This figure includes the Platform as a Service, Infrastructure as a Service and Business Process as a Service delivery models. What this information reveals is that while cloud computing is already a significant part of operational strategy for many businesses (as well as governmental agencies), we should expect it not only to grow as a market but also to become even more intertwined with the way we conduct business and store data on a daily basis. Consequently, businesses in general and export compliance officers in particular need to be vigilant and make sure that their use of this important technology is consistent with US export regulations.
- (i) the cloud computing provider is not the exporter (the user is) and
- (ii) if foreign nationals employed by the provider access restricted data there may well be a deemed export of such data to such foreign national on the part of the user.
- It is critical for compliance officers and others involved in export control management, including providers of cloud computing services, to take steps to better familiarize themselves with the many complex issues at play in this area. A good start would be a detailed review of the BIS advisory opinions, which can be found here.
- In addition, users of cloud services should think about how to approach this issue with their providers. Users might consider gaining a good understanding of where their provider’s servers are located and whether the providers have instituted any safeguards to address export compliance issues. Likewise, providers may want to delve more deeply into the ITAR regulations with particular emphasis placed on the relation between cloud computing services and “brokering” activities.
- Compliance officers should make sure that members of their organizations are aware that export regulations are applicable to cloud services and that while the storage of data in the cloud might feel virtual, the penalties for export regulation violations remain brick and mortar.
- While exporters remain liable for violations of export regulations, compliance officers should work with their IT departments when negotiating the terms of agreements with cloud services providers. For example, require the service provider to notify you in the event servers are added in geographic locations that might be problematic for you. See if it is possible to obtain a right to terminate in such an instance. In addition, try to get the provider to indemnify you in the event there is an export violation as a result of a provider’s action or inaction.
- Make sure a review of how your organization uses cloud services is part of your standard compliance self-audit so as to identify any possible problems or lapses before they become significant.
In a speech in 2012, Under Secretary of Industry and Security, Eric Hirschhorn, noted that a future project for the Bureau might be a review of “for clarification’s sake – the rules regulating cloud computing.” For both users and providers, such a review should be anxiously awaited.