It has always been a challenge for existing export trade regulations to maintain their relevance in the wake of technological advances, but with the onset of cloud computing in a global economy, that challenge may have reached a new level of trying to fit a square peg in a round hole.
Most companies have already gotten their heads around the risks associated with using email or FTP to transmit technology over the Internet (software files, technical specifications, etc.), even if they have not managed to implement complete control over that activity. They understand that these kinds of transfers clearly fall under the definition of what constitutes an export.
Cloud computing and the provision of IT services over the Internet, however, present different fulfillment models that need to be evaluated for the need to implement export controls.
Since the Export Administration Regulations (EAR) do not specifically address cloud computing, the only thing in writing we have to go on is an Advisory Opinion issued in January of 2009 to a provider of “cloud” or “grid” computing. The following questions are put forth and answered by BIS:
(1) Whether grid and cloud computing services, in the absence of any transfer of software or technology subject to the EAR, are subject to the EAR under part 734;
(2) Whether grid and cloud computing services constitute an “activity unrelated to exports” under 744.6 of the EAR;
(3) Whether grid and cloud computing service providers are “exporters” of any derivative data resulting from the use of the computational capacity and liable for export screening on that basis alone;
(4) Whether computational access restrictions found in 740.7(b)(2) of License Exception APP apply to grid and cloud computing service providers; and
(5) Whether the grid or cloud computing service provider must inquire about the nationality of the customer (or user).
As you can see, these are all very good questions. Check out the answers in the actual advisory opinion here:
http://www.bis.doc.gov/index.php/forms-documents/doc_download/527-application-of-ear-to-grid-and-cloud-computing-services
While this does not cover every scenario of Software as a Service (SaaS) that is being created these days, the answers definitely lay the groundwork and can act as a guideline for the basics that have to be considered for export compliance (i.e., customer screening, classification of any software that may be exported, knowledge of customer end-use).
While an advisory opinion may not give the solid assurances some companies may desire before incurring costs to implement trade compliance solutions, smart executives would be wise not to wait for the necessary regulatory updates to occur.