Trade Law Daily is a Warren News publication.
Subscriber Login

DDTC Issues Guidance for Interim Final Rule for Definitions of Activities That Are Not Exports, Re-exports, Retransfers

February 24, 2020 by Ian Cohen|Top News

The Directorate of Defense Trade Controls issued guidance for its December interim final rule that will revise the International Traffic in Arms Regulations to provide definitions for activities that are not exports, re-exports, retransfers or temporary imports (see 1912230052). The Feb. 20 “summary handout” previews changes to the rule, details implications for industry and summarizes which activities will not be considered controlled events. The rule will significantly reduce regulatory and compliance burdens surrounding encrypted data (see 1912300024).

Sign up for a free preview to unlock the rest of this article

Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.

Start My Free Preview

The guidance also includes a Frequently Asked Questions section addressing whether traders can place all of their “ITAR stuff ‘on the cloud.’” DDTC said traders cannot place all of their “ITAR stuff” on the cloud, adding that the rule only “applies to unclassified technical data.” DDTC said “classified technical data is not covered by [the ITAR], no matter the type of encryption.”

The DDTC also clarified that, after the rule takes effect March 25, industries do not need a DDTC license to send “properly encrypted unclassified ITAR tech data” to a foreign person. However, authorizations are needed to send “unencrypted” technical data, which will be classified as a controlled export.

The agency also said technical data is “properly secured” using end-to-end encryption if it is secured using “FIPS 140-2 standard in accordance” with the National Institute for Standards and Technology or “by other methods that are at least comparable to the minimum AES 128 bits security strength.” The DDTC said further revisions to the ITAR “may supersede” this guidance, and added that users should “document the encryption’s effectiveness prior to use.”