This post, the third in our series on export control, discusses the application of dual use export controls to encryption products. (Our last post on the impact of export controls on cloud computing can be found here.)
Dual-use Export Controls
By virtue of EU Council Regulation 428/2009 (EU Regulation), Ireland operates an export control licensing system in relation to certain goods, software and technology which may have both military and civilian uses (dual-use items). For more information on dual-use controls, see our previous post on Dual Use Items and Intangible Exports.
Control of Encryption ProductsAnnex I of the EU Regulation lists the dual-use items which are subject to export control (EU Control List). The EU Control List is divided into ten broad categories of dual-use items, Category 5 of which covers Telecommunications and Information Security items and accounts for the majority of export licences issued in Ireland. Category 5 is split into two parts. Goods, software and technology relating to encryption (hereafter referred to as “encryption products”) are mainly found in Part 2 of Category 5 (entitled “Information Security”). Annex IV of the EU Regulation, which lists those Annex I items considered to be highly sensitive, also includes some encryption products.
Irish exporters are normally required to apply for an export licence when exporting Annex I items anywhere outside the EU or when exporting Annex IV items anywhere outside the State. Exporters may, however, be able to avail of one of the Union General Export Authorisations (UGEA) when exporting certain Annex I items to certain destinations outside the EU, which entitle the exporter to export without a licence. There are six types of UGEA (see Annex II of the EU Regulation) but the UGEA relevant to the export of encryption products is limited to a small list of ‘friendly’ countries and does not cover any items listed in Annex IV. However, it is expected that the scope of the UGEA regime as it applies to encryption products will be expanded sometime in 2015.
Under Article 4 of the EU Regulation (referred to as the “catch-all clause”), a licence may still be required for the export of dual-use items not listed in Annex I where military end-use or WMD concerns arise. There is no UGEA available in such instances.
This licensing system is operated by the Department of Jobs, Enterprise and Innovation (DJEI) and breaches of the EU Regulation, are subject to the penalties provided for in the Control of Exports Act, 2008.
Exemptions for Encryption Products
As well as the general exemptions provided for elsewhere in the EU Regulation, Part 2 of Category 5 also contains certain exemptions from the application of export control rules which are specific to encryption products:
• There is a general exemption from the licensing requirement for encryption products when they are accompanying their user for their user’s personal use.
• The Cryptography Note provides for a ‘mass-market’ exemption for encryption products which satisfy certain cumulative criteria including that the product is generally available to the public by being sold, without restriction, from stock at retail selling points. The inclusion of an item in Annex IV (i.e. highly sensitive) does not affect the application of this mass-market exemption.
• There is an exemption for dual-use items ‘incorporating or using’ cryptography which satisfy strict cumulative criteria.
The DJEI has recently changed its regulatory approach to reliance on the latter two exemptions. The DJEI recognises that the exporter is best placed to determine compliance with the conditions of these exemptions. Reflecting the practices of other Member States, the DJEI no longer requires exporters to apply to the DJEI to verify their eligibility for the exemptions or to notify the DJEI of their intention to rely on same. However, it should be noted that the DJEI is still entitled to request details from exporters to ensure compliance with the conditions of these exemptions and even if the exemptions apply, the product may still be controlled where end-use concerns arise (i.e. under the catch–all clause, discussed above).
Changes to Annex I
The current Annex I has not been updated since April 2012. However, following amendment of the EU Regulation in April 2014, the Commission can now update the Annexes through a more streamlined procedure (known as the delegated acts procedure). On 22 October 2014, the Commission adopted the first Commission Delegated Regulation, the Annex to which entirely replaces Annex I to the EU Regulation and makes a number of changes to Part 2 of Category 5.
Of particular interest, are the following amendments to the Cryptography Note:
The Cryptography Note now includes an exemption for hardware components and ‘executable software’ designed for mass-market encryption products provided certain cumulative conditions are satisfied.
However, to avail of the mass-market exemption, an encryption product must now satisfy additional conditions demonstrating its mass-market nature. The item must be “of potential interest to a wide range of individuals and businesses” and “the price and information about the main functionality of the item” must be “available before purchase without the need to consult the vendor or supplier”.
In determining eligibility for the mass-market exemption, regulatory authorities may now take into account relevant factors such as quantity, price, required technical skill, existing sales channels, typical customers, typical use or any exclusionary practices of the supplier.
Whereas the clarity introduced by the exemption for hardware components and executable software is to be welcomed, it is possible that the new provisions under (b) and (c) above concerning the mass-market nature of the product will in fact increase regulatory uncertainty and/or the regulatory burden on exporters. These new provisions arguably enhance the discretion enjoyed by DJEI when assessing whether an encryption product is indeed to be considered mass-market. For example, it is not entirely clear at what point a product should be considered to be of “potential interest to a wide range of individuals and businesses”. Furthermore, there is no guidance as to how the DJEI should interpret, or give weight to, each of the criteria to which it may have regard under (c).
The Commission Delegated Regulation is expected to enter into force by the end of 2014 provided the EU Parliament and Council raise no objections.
For more information, contact a member of our Technology team.
The content of this article is provided for information purposes only and does not constitute legal or other advice. Mason Hayes & Curran (www.mhc.ie) is a leading business law firm with offices in Dublin, London and New York.