Export Regulations and Cloud Computing...Beware!

Co Authored by Perry Sofferman

Forrester Research predicts that the global market for cloud computing services will have increased from $40.7 billion dollars in 2011 to approximately $241 billion dollars by 2020. You can see the ZDNet article here. This figure includes the Platforms as a Service, Infrastructure as a Service and Business Process as a Service delivery models. What this information reveals is that while cloud computing is already a significant part of operational strategy for many businesses (as well as governmental agencies), we should expect it to not only grow as a market but to become even more intertwined with the way we conduct business and store data on a daily basis. Consequently, businesses in general and export compliance officers in particular need to be vigilant and make sure that their use of this important technology is consistent with US export regulations. 

When using cloud services, the user is uploading data to available servers in the cloud provider’s server facility(ies). The type of data uploaded and the location of the server where that data is stored can potentially trigger export compliance issues for the user. In fact, the ultimate location of the particular server used to hold the user’s data may be unknown to either the user or the cloud provider. Data can be redirected to various servers in different countries in order to properly allocate server space based on fluctuations of usage in different time zones. It should be noted that this is only one example of several possible scenarios where the actual export of restricted data could occur inadvertently by the user.

Based on Advisory Opinions issued by the Bureau of Information and Security (“BIS”), there is guidance indicating that in scenarios where exports take place through means of cloud computing:

• (i) the cloud computing provider is not the exporter (the user is) and
• (ii) if foreign nationals employed by the provider access restricted data there may well be a deemed export of such data to such foreign national on the part of the user.

If, however, a cloud computing service provider is aware that the service will be used to support certain proscribed activities, then the provider will be obligated to properly acquire the necessary license. Neither the Directorate of Defense Trade Controls (DDTC) nor the Office of Foreign Asset Controls (OFAC) have yet provided substantive guidance on the subject of export regulations in relation to cloud computing, although OFAC has provided some limited guidance related to exports to Iran involving software and services incidental to personal communications. “Cloud Computing” remains an undefined term in the EAR, ITAR and OFAC regulations.

Top 5 Tips for Export Compliance Professionals in Regard to Cloud Computing  

1. It is critical for compliance officers and others involved in export control management, including providers of cloud computing services, to take steps to better familiarize themselves with the many complex issues at play in this area. A good start would be a detailed review of the BIS advisory opinions, which can be found here.
2. In addition, users of cloud services should think about how to approach this issue with their providers. Users might consider gaining a good understanding of where their provider’s servers are located and whether the providers have instituted any safeguards to address export compliance issues. Likewise, providers may want to delve more deeply into the ITAR regulations with particular emphasis placed on the relation between cloud computing services and “brokering” activities.
3. Compliance officers should make sure that members of their organizations are aware that export regulations are applicable to cloud services and that while the storage of data in the cloud might feel virtual, the penalties for export regulation violations remain brick and mortar.
4. While exporters remain liable for violations of export regulations, compliance officers should work with their IT departments when negotiating terms to agreements with cloud services providers. For example, require the service provider to notify you in the event servers are added in geographic locations that might be problematic for you. See if it is possible to obtain a right to terminate in such instance. In addition, try to get the provider to indemnify you in the event there is an export violation as a result of a provider’s action or inaction.
5. Make sure a review of how your organization uses cloud services is part of your standard compliance self-audit so as to identify any possible problems or lapses before they become significant.

In a speech in 2012, Under Secretary of Industry and Security, Eric Hirschorn, noted that a future project for the Bureau might be a review of “for clarification’s sake – the rules regulating cloud computing.” For both users and providers, such a review should be anxiously awaited.