The UK Export Control Joint Unit has published a revised guidance note on exporting military or dual-use technology. This guidance clarifies a number of common queries regarding technology exports, particularly around the use of cloud storage and remote data infrastructure through which information could be routed. The guidance also addresses the application of the special arrangements in Northern Ireland under the EU-UK Withdrawal Agreement.
The guidance affirms the position on how key definitions and concepts in UK export control laws will be interpreted in relation to technology exports. Here are our five key takeaways for companies using the cloud and remote infrastructure to store and share export-controlled technology:
- LOCATION: Whether there is a controlled export of controlled technology from the UK via the cloud will depend upon the location of the person who physically makes the technology available, and where the intended recipient is located – not the location of the server or data infrastructure through which technology is routed;
- ACCESS: A licensable transfer will take place when controlled technology uploaded by or shared by persons in the UK for an overseas recipient is consequently downloaded or accessed overseas by the recipient. A licence will be needed before granting the overseas recipient access to or allowing them to download the technology, although this may be after the technology is uploaded or sent if protected by safeguards (see below). There is not considered to be a licensable transfer if controlled technology is downloaded or accessed only by persons located in the UK. Additionally, if controlled technology is uploaded to a UK or overseas server and any subsequent access to it is controlled by a person outside the UK, then an export licence will be required as a transfer of technology to the location of that person.
- TRAVEL: A licence is required where a person takes controlled technology overseas – even where it is only for personal use and will not be shared or transmitted further. This also applies to a person accessing controlled technology when they are travelling: where an employee of a UK company accesses controlled technology belonging to their company overseas, this constitutes a transfer to the country in which they are located, and a licence would be required. (Note that certain exceptions may apply for cryptographic items under Category 5 Part 2 of the Dual Use List).
- ADMINISTRATORS: Companies should understand whether internal or third party administrators for its cloud storage, or other providers of technical services for data infrastructure, located overseas would have access to the company’s controlled technology on such cloud storage and infrastructure. An export licence would be required if the administrator will have access to, or the power to grant access to, controlled technology provided from the UK. Where safeguards are in place to ensure that administrators would not be able to access controlled technology, then such administrators would not be intended recipients of the controlled technology.
- SAFEGUARDS AND ENCRYPTION: Companies that share or store controlled technology using the cloud should ensure they have appropriate safeguards in place to guard against unintended access to technology, including to intended recipients before a license is obtained. The guidance does not mandate that controlled technology transmitted via the cloud is encrypted (in contrast to guidance from other countries, for example see here for the US), but it indicates that measures to safeguard information against unintended access could include applying industry standard methods of end-to-end encryption and identity and access management.
The guidance also reiterates that licences are required for intra-group transfers of controlled technology.
The clarity and confirmations provided by the guidance should be carefully considered by companies when assessing the strength and effectiveness of their export compliance programme, alongside existing guidelines such as the UK export control Compliance Code of Practice. In particular, following the revised guidance, UK exporters will want to ensure they can exercise suitable control over access to their export controlled technology, through the application of policies, procedures and safeguards, including in relation to access by employees located overseas or travelling; access by subsidiaries, parents and group companies; and access by third party service providers.