This post, the second in our series on export control, discusses the application of dual use export controls to cloud computing. (Our last post on Dual Use Items and Intangible Exports can be found here)
Recent years have seen an exponential growth in cloud based services. The European Commission (Commission) estimates that revenues in the EU cloud sector could double to nearly €80 billion by 2020 and that cloud computing could contribute up to €250 Billion to EU GDP in 2020 and 3.8 million jobs. However, the treatment of cloud computing under Irish and EU export control is far from clear and raises complex and serious questions for cloud service providers, users and regulators, particularly as the relevant legislation provides for criminal sanctions, including imprisonment.
What is cloud computing?
The US National Institute of Standards and Technology has described cloud computing as a “model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” This model is composed of five essential characteristics (e.g. on-demand self-service, resource pooling, etc.), three service models (i.e. software, platform and infrastructure as a service) and four deployment models (i.e. from private to public clouds).
In essence, when a user purchases cloud computing services they are purchasing a ‘virtual machine’ that behaves like a physical computer but actually utilises resources from numerous interconnected servers. In that manner, multiple virtual machines can operate on a single server, and multiple servers can contribute resources to a single virtual machine.
Why are export controls relevant?
Council Regulation (EC) No 428/2009 (the “EU Regulation”), which controls the export of dual use items (i.e. goods and technology which can be used for both civilian and military purposes in sensitive areas like electronics and information security), and is mandatory law in Ireland, defines an ‘export’ as including the ‘transmission’ by electronic means or ‘making available’ in an electronic form technology or software to a destination outside the EU (these are known as “intangible exports”). As such, Irish and EU export controls apply to the ‘online’ world (such as cloud computing) as much as to the ‘offline’ world, and the Commission recognises that exports are increasingly transmitted rather than transported.
Export controls can be triggered where, for example, exported files contain information which explains the operation of controlled goods like information security systems performing cryptanalytic functions or using quantum cryptography. Export controls can also be triggered where the information itself is controlled, for example, information relating to the development of frequency hopping techniques used in the area of communications.
One essential characteristic of cloud models is ‘location independence’, in that the customer generally has no control or knowledge over the exact location of the cloud resources. Moreover, cloud-based services are provided over networks which have become increasingly global, thus increasing the volume of worldwide information flows and the number of people who have access to this information.
The Commission recognises that this development presents a major challenge for export control, particularly due to the unsuitability of border controls and the difficulty for companies in ensuring compliance. This increases both the compliance burden and the likelihood of inadvertent export control breaches. Indeed, there are a range of scenarios in which an ’export’ within the meaning of the EU Regulation could take place without the prior knowledge of the cloud service provider and/or the user. For example, an ‘export’ takes place where a person uploads technology to a company’s private cloud when:
that technology is uploaded to/stored on a server, or
is accessible by an employee,
located outside the EU.
While there are, of course, many ways of bringing your activities outside the scope of export controls, these may be prohibitive from a practical or commercial point of view. For example, all technology could be stored on servers in and accessible only from one Member State, or controlled technology (i.e. technology requiring an export licence) could be stripped out and excluded from the cloud service altogether.
Who is responsible?
First, the EU Regulation provides that an export authorisation will be granted by the relevant authority “where the exporter is established”, and such authorisations are valid throughout the EU. Therefore, controlled technology/software which would require an Irish export licence does not have to be located in Ireland. Indeed, quite a number of the export licence applications made to the Irish regulator – the Department of Jobs, Enterprise and Innovation (“DJEI”) – relate to items located in other Member States.
Second, the EU Regulation defines the ‘exporter’ as the person who ‘decides’ to transmit or make available the controlled technology/software outside the EU. However, in the context of cloud computing it is not always clear who the ‘exporter’ is; the service provider and/or the user?
In scenario (A) above (i.e. where the technology is uploaded to/stored on a server), the user ‘decides’ to upload the controlled technology to the server, while only the service provider may know that the server is located outside the EU. So can it be said that the user has ‘decided’ to transmit the technology outside the EU? Instead, the service provider can be said to have done so even though it could not be aware of the controlled nature of the technology.
In scenario (B) above (i.e. where the technology is accessible by an employee), it is clear that the user has ‘decided’ to make available the technology to a fellow employee, but the user may not be aware that the person is located outside the EU. In that scenario, the service provider may also again be considered an exporter where the server to which the technology is uploaded is located outside the EU.
It has been argued that the user of the cloud service should be considered the exporter because they decide what to upload and who it should be made available to. Certainly, the user decides who the exported technology is made available to. However, satisfying the definition of ‘exporter’ under the EU Regulation does not appear to require prior knowledge of the nature of the exported item. The relevant question in determining the ‘exporter’ is only who decides to ‘transmit’ or ‘make available’ the technology to a destination outside the EU. Indeed, as noted above, there are export situations (e.g. in respect of cloud storage solutions) where only the service provider has knowledge that technology has been transmitted to a server based outside the EU. It cannot in that situation be said that the user has ‘decided’ to transmit the technology outside the EU even though they may have been aware of the controlled nature of the technology.
It is also interesting to note that, in relation to traditional exports (i.e. export of physical goods), the exporter is regarded as the person who has the ‘power for determining the sending’ of the item out of the EU (Article 2(3)(i) of the EU Regulation). Applying this logic, only the service provider should be considered an exporter under scenario (A), whereas both parties could be considered an exporter under scenario (B).
Scenarios (A) and (B) are just two examples where the application of export controls is not entirely clear, and in which a strict interpretation of the EU Regulation may involve an almost impossible compliance obligation. Furthermore, there may be little or no correlation between requiring a licence in these cases and a reduced risk of diversion of the controlled items. This is relevant as EU and national courts tend to interpret EU export control law in a manner which ensures its effectiveness in preventing unauthorised access to controlled items.
Finally, export controls also raise practical issues which need to be considered by cloud service providers and users. For example, what type of licence is required, or will an end user certificate be required where there may be multiple uploads and downloads from users based in any number of destinations? To what extent must service providers and/or users comply with the strict record keeping requirements under the EU Regulation? In the absence of ‘commercial documents’, must technology and software transferred within the EU still be marked ‘subject to controls if exported from the EU’.
Given the size of the software and IT industry in Ireland, it is unsurprising that DJEI is seeing a significant increase in the number of queries received regarding intangible exports. Such queries reflect technological advances in areas, such as cloud computing. However, there is virtually no guidance provided at EU or national level on this issue.
The US Dept. of Commerce Bureau of Industry and Security (BIS), responsible for the licensing of dual-use exports and re-exports, has issued two advisory opinions on the application of export controls to cloud computing, the first of which clarifies its view that responsibility for export compliance falls largely on the cloud user. This is because BIS does not consider providing computational capacity (a service) to be, by itself, an export, and the cloud provider does not generally receive the “primary benefit, monetary or otherwise, of the transaction”.
While the BIS opinion is based on US legislation which differs from the EU Regulation and although it is far from comprehensive in terms of its treatment of cloud computing, this is at least a practical approach. One would hope that the Commission and/or EU lawmakers will also provide greater certainty to EU service providers and users. In that regard, the Commission has recently highlighted, as a priority, the need for the EU to adjust to an evolving security environment and to ensure rapid reaction to the challenges posed by emerging technologies like cloud computing. The Commission has suggested that this may involve developing guidance in this area to ensure transparency, legal clarity and a common approach. Any such guidance would be welcomed by national regulators, service providers and users.
Furthermore, it is expected that Annex I of the EU Regulation (which explains the extent of the controls applicable to software and technology) is due to be updated in the near future now that the Commission can update the Annexes of the EU Regulation through a more streamlined procedure. This update may also provide greater clarity in the area of cloud computing.
Until then, each fact pattern must be assessed on its own merits. Cloud providers and users should have careful regard to the export control rules and best practice would suggest introducing appropriate safeguards in cloud computing arrangements. Guidance may also be sought from DJEI as to whether a licence is required.
The content of this article is provided for information purposes only and does not constitute legal or other advice.